ERM
Enterprise Risk Management (ERM) Project
Information and Communications Technology
Summary Report to the Audit Committee
December 6, 2011
Prepared and Presented: Jeff Hollingsworth, Lauren Smith

ERM Overview (agenda)
1. Process Overview
   - Overview of ERM ICT Project and Key Activities Completed
   - 17 Risks Selected for Discussion, Assessment and Prioritization
2. Communication of Results
3. Risk Assessment & Prioritization Workshop Results
   - Risk Ranking Process
   - Risks Prioritized According to Risk Ranking
   - ICT Services Enterprise Risk Map
   - Detailed Risk Overviews
   - Risk Action Planning
   - Risk Matrix for Impact and Likelihood
4. Discussion of Next Steps for ICT
5. Discussion Items for Port on ERM

Process Overview: Focusing on the Most Critical Risks
- Reviewed selected documents; conducted industry research.
- Interviewed 19 persons, mainly ICT staff but also 5 Port ICT stakeholders.
- Interviewed 10 Harbor Services representatives to identify key enterprise risks.
- The interviews resulted in over 50 mentions of risk to business objectives.
- Analyzed interview notes to consolidate similar mentions of risk.
- Prepared a draft Risk Register containing 17 risks. Each register entry contained a definition of the risk as well as its risk drivers and existing risk mitigation activities.
- Prepared a risk matrix to evaluate likelihood and impact.
- Conducted the Risk Assessment Workshop, which reduced the risks to 16.
- Developed this report and presented it to the ICT GB and EXEC.

Risk Assessment & Prioritization Workshop Results
Information and Communications Technology: Risks for Assessment
 1  Change Management
 2  Complexity and Volume of Systems
 3  Contracting
 4  Employee Engagement
 5  Financial Model
 6  ICT Budget
 7  ICT Business Model
 8  ICT Department Leadership
 9  Internal Processes
10  Decentralized Systems
11  Leadership
12  Natural or Manmade Disasters
13  Roles and Responsibilities
14  Security and Compliance
15  Staffing
16  Technology Marketplace
17  Workload

Workshop participants assessed each risk on two criteria:
- the estimated likelihood of the risk's occurrence;
- the estimated impact of the risk's occurrence on ICT's ability to meet its strategic objectives.
The Impact and Likelihood assessments are used to develop Risk Maps that focus management attention on the most critical risks.

Risk Assessment Worksheet: Information and Communications Technology

Likelihood scale (score, measure, description)
 9    Almost Certain  Something already happening on a regular basis.
 7-8  Likely          Something already happening on a regular basis but temporary in nature.
 5-6  Possible        Something not happening currently, but anticipated to happen.
 3-4  Unlikely        Something not happening but it could in very infrequent cycles.
 1-2  Rare            Something not happening and not anticipated to happen.

Impact scale (score, measure): 9 Critical; 7-8 Major; 5-6 Moderate; 3-4 Minor; 1-2 Insignificant.
Impact is described in five categories: Financial (US$), Operational, Compliance/Security, Community and Employees. The worksheet defines the two end points of the scale as follows.

Critical impact
- Financial: Additional expenses in excess of 20% of approved budget.
- Operational: Mission critical systems down in excess of four hours and/or 25% of Port staff unable to do their jobs due to unavailability of technology resources and/or loss of critical data.
- Compliance/Security: Multiple incidents of non-compliance with security (PCI) and/or findings by the Internal Audit department, State Auditor and/or Federal Investigators of serious violations with clear indications of breach of protected data, non-compliance with PCI, and fraud and/or fines imposed on the Port and/or legal judgments imposed against the Port and/or shut down of credit card processing and/or cash transfer functions.
- Community: Sustained (e.g., longer than three days), multi-media negative international and national media coverage (i.e., top/front page story); multiple parties or groups represented at public protests and/or comments made during multiple Commission meetings.
- Employees: Loss of or lack of availability of key staff and/or skill sets in mission critical systems and/or extensive period of time with key ICT positions not filled.

Insignificant impact
- Financial: No unbudgeted expense.
- Operational: Minimal or no downtime for mission critical systems.
- Compliance/Security: No compliance concerns reported from any channels; no evidence to support lack of compliance; no fines or legal judgments against the Port.
- Community: No media coverage; no public comments at a Commission meeting.
- Employees: No loss of staff or skill sets. No impact or delays in filling key ICT positions.

Example of Risk Definition: Complexity and Volume of Systems
Risk Definition
COMPLEXITY AND VOLUME OF SYSTEMS: Risk that the many applications at the Port create a drain on resources that dilutes attention or focus on more critical projects.

Risk Drivers
- Linking organizational assets to applications.
- Linkages between systems increase complexity.
- Multiple versions of the same application in use throughout the organization.
- Vendor provided solutions sometimes increase complexity.
- Potential for system failure.
- Staggered timeline of application life cycle overlaid on business needs and evolution of technology.
- Actually 2000+ separate applications/versions in use at the Port.
- Impacts the approach we take to the tech investments we make at the Port.

Existing Risk Management Activities
- Want to standardize network gear.
- Architecture board.
- Managed at a more senior level.
- Tracking hardware warranties, lifespan of operating systems, application lifecycles.
- Shifting from local admin access to user level access.
- Address ICT issues from an internal global perspective rather than a department/user specific perspective (e.g., what's best for the Port vs. what's best for Dept X).

Risk Assessment & Prioritization Workshop Results
Information and Communications Technology: Risk Ranking Process
Initial Prioritization Based Upon Assessments of Impact and Likelihood

Risk Ranking Overview
- Risk Ranking provides an initial means of prioritizing assessed risks based upon assessments of Impact and Likelihood.
- Risk Rankings are used to identify a risk's position on a Risk Map (Impact, from Insignificant to Critical, on the vertical axis; Likelihood, from Rare to Almost Certain, on the horizontal axis).

Risk Ranking Calculation Steps
- Multiply the Impact assessment (on a scale of 1-9, with 9 being the highest impact and 1 the lowest) and the Likelihood assessment (on a scale of 1-9, with 9 being the highest likelihood and 1 the lowest) for each risk.
- Reference the product against the range of values in the table below.
- Assign one of four risk rankings (Very High, High, Medium or Low) based upon the referenced range.

Risk Rankings (a risk is ranked as ... if the product of Impact and Likelihood is ...)
 VERY HIGH  Greater than 49.0
 HIGH       Greater than 27.0, but less than 49.0
 MEDIUM     Greater than 9.0, but less than 27.0
 LOW        Less than 9.0

Information and Communications Technology: Detailed Risk Overview
Complexity and Volume of Systems
COMPLEXITY AND VOLUME OF SYSTEMS: Risk that the many applications at the Port create a drain on resources that dilutes attention or focus on more critical projects.
Risk Score = 49.28 (Likelihood Mean Score: 7.50; Impact Mean Score: 6.57)
[Figure: bar charts of the workshop participants' Likelihood and Impact assessments for this risk, and the risk's position on the Risk Map.]

Risk Assessment & Prioritization Workshop Results
Information and Communications Technology: Risks Prioritized According to Risk Ranking
Rank  Risk Name                                 Likelihood  Impact  Risk Ranking
 1    Decentralized Systems                     8.38        7.85    65.78
 2    Internal Port Processes                   8.46        7.46    63.11
 3    ICT Budget                                7.23        6.92    50.03
 4    Complexity and Volume of Systems          7.50        6.57    49.28
 5    Leadership                                7.15        6.77    48.41
 6    Roles and Responsibilities                7.49        6.46    48.19
 7    Contracting                               7.00        6.79    47.53
 8    Change Management/Employee Engagement     7.21        6.07    43.76
 9    Staffing                                  6.54        6.62    43.29
10    Compliance                                5.54        7.46    41.33
11    Security                                  5.07        8.07    40.91
12    Workload                                  6.54        6.08    39.76
13    Natural or Manmade Disasters              4.23        8.00    33.84
14    Enterprise Technology Strategy            5.71        5.71    32.60
15    ICT Department Leadership                 5.54        5.77    31.97
16    Technology Marketplace                    6.85        4.54    31.10

Risk Assessment & Prioritization Workshop Results
Information and Communications Technology: ICT Enterprise Risk Map
[Figure: the 16 ranked risks plotted by Likelihood (horizontal axis) and Impact (vertical axis), each labelled with its rank and Risk Ranking score from the table above.]

Enterprise Risk Management (ERM) Project
Information and Communications Technology: Process Next Steps
Possible Next Steps for ICT Consideration
- Assess current mitigation efforts for identified risks or top priority risks.
- Identify which risks are good targets for risk mitigation potential.
- Evaluate current mitigation efforts. Ask whether mitigation is aligned with risk tolerance thresholds.
- Determine any budget impacts for risk mitigation.
- For priority risks, create integrated risk mitigation plans.
- Identify a sponsor and set a timeline.
- Implement mitigation and monitor results.

Enterprise Risk Management (ERM) Project
Information and Communications Technology: Port Discussion Items and Next Steps
General Port Discussion
- Where does the Port take ERM moving forward, and what do we do with the ERM results?
  - ERM assessment versus performance audit
  - Response to findings
  - Funding for mitigation efforts
- Who is the audience for reporting ERM findings?
  - Audit Committee versus Commission, or both
  - Division finance and budget
- Establish Roles & Responsibilities and Policies & Procedures
  - What is the merit of establishing an ERM process, and identify ERM roles and responsibilities
- Establish Initial Risk Reporting Framework
  - Should formal reporting tools and approaches for ERM results be created?
- Define Risk Appetite and Tolerances
  - Recommendation from last year's consultants: formally define the Port's risk appetite and establish a consistent and documented approach to understanding risk drivers, risk management options, and governance for key risks.

Appendix: ICT ERM Project Participants
The Port of Seattle representatives who participated in the ICT ERM Project are listed below.
- Peter Garlock, Chief Information Officer*
- Matt Breed, Sr. Manager ICT Infrastructure Services
- Kim Albert, Senior Manager, IT Business Services*
- Krista Sadler, Manager ICT Project Management
- Dave Wilson, Chief Technology Officer
- Brad Jensen, Mgr Security & Pub Safety Tech, Information Technology
- Tony Butler, Senior Manager of Service Delivery*
- Ed Goodman, Development QA Mgr/Sr. Software IT
- Lindsay Pulsifer, Manager of Marine Maintenance
- Mark Coates, Senior Manager Operations, Airfield Operations
- Paul Cocus, Manager of ICT Client Services and Support*
- Rudy Caluza, Director of Accounting and Procurement
- Dakota Chamberlain, Seaport Project Manager
- Lindsay Pulsifer, General Mgr. Seaport Maintenance
- Devron Knowles, Sr. Network Engineer
- Harold Federow, ICT Contract Manager and IP Manager
- Paul Jeyasingh, Systems Engineering Manager
- Jim Dawson, Manager of Windows Server Engineering
- Mike Ehl, Director of Airport Operations
- Mary Gardner, Manager of ICT Disaster Recovery
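The Risk Ranking Calculation Steps (multiply the 1-9 Impact and Likelihood assessments, then map the product to Very High / High / Medium / Low) implemented over the 16 workshop risks, as an added example that is not part of the report. The slide's ranges leave the exact boundary values (49.0, 27.0, 9.0) unassigned, so the code assumes a boundary score takes the higher band; the risk names and mean scores are those printed on the "Risks Prioritized" slide.

```python
from decimal import Decimal, ROUND_HALF_UP

# Ranking bands from the Risk Ranking Process slide, keyed on Impact x Likelihood.
# The slide does not say which band a score exactly on 49.0, 27.0 or 9.0 falls in;
# this example assumes a boundary score takes the higher band.
BANDS = [(Decimal("49.0"), "Very High"), (Decimal("27.0"), "High"), (Decimal("9.0"), "Medium")]


def risk_score(likelihood, impact):
    """Product of the two 1-9 assessments, rounded half-up to two decimals."""
    l, i = Decimal(str(likelihood)), Decimal(str(impact))
    for v in (l, i):
        if not Decimal(1) <= v <= Decimal(9):
            raise ValueError(f"assessment {v} is outside the 1-9 scale")
    return (l * i).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def risk_band(score):
    """Map a score to Very High / High / Medium / Low using the slide's ranges."""
    for threshold, name in BANDS:
        if score >= threshold:
            return name
    return "Low"


def prioritize(risks):
    """Rank (name, likelihood, impact) tuples by descending score, as on the 'Risks Prioritized' slide."""
    scored = sorted(((n, l, i, risk_score(l, i)) for n, l, i in risks), key=lambda r: r[3], reverse=True)
    return [(rank, n, l, i, s, risk_band(s)) for rank, (n, l, i, s) in enumerate(scored, 1)]


# Mean Likelihood and Impact scores reported on the "Risks Prioritized" slide (16 risks).
# Recomputing from these two-decimal means reproduces the slide's scores except for
# Roles and Responsibilities (7.49 x 6.46 = 48.39 versus the 48.19 shown).
WORKSHOP_RISKS = [
    ("Decentralized Systems", 8.38, 7.85), ("Internal Port Processes", 8.46, 7.46),
    ("ICT Budget", 7.23, 6.92), ("Complexity and Volume of Systems", 7.50, 6.57),
    ("Leadership", 7.15, 6.77), ("Roles and Responsibilities", 7.49, 6.46),
    ("Contracting", 7.00, 6.79), ("Change Management/Employee Engagement", 7.21, 6.07),
    ("Staffing", 6.54, 6.62), ("Compliance", 5.54, 7.46), ("Security", 5.07, 8.07),
    ("Workload", 6.54, 6.08), ("Natural or Manmade Disasters", 4.23, 8.00),
    ("Enterprise Technology Strategy", 5.71, 5.71), ("ICT Department Leadership", 5.54, 5.77),
    ("Technology Marketplace", 6.85, 4.54),
]

if __name__ == "__main__":
    for rank, name, l, i, score, band in prioritize(WORKSHOP_RISKS):
        print(f"{rank:2d} {name:40s} L={l:.2f} I={i:.2f} score={score} {band}")
```

Running it reproduces the slide's ordering, with the top four risks in the Very High band and the rest in High.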