Risk Managers of the universe
Jurgen van der Vlugt
Dialogues House, 16 August 2012
Introduction
Agenda

Risk Management,
• Top-down
• Middle-out
• Bottom-up
Top-down

• RM ∆ In control over risks
  • Risks ∆ negative events
     • Positive? risk ↔ return
     • Events: definition? completeness?
  • In control ∆ no deviations / correction
     • No deviations: total control of all inputs
     • Correction: costs, damage, positive results?
  • Fantasy: controlling reality
In control?
Janus

Results from the past … the future
The Future…

• ALL risk discussion is subjective
• It is about the future,
  • the ∆ of uncertainty
  • which exists only in the imagination
• RM is speculating about the future

• Still… breathless attempts
Overhead

[Figure: operational risk management overview, "Very, very basically". Three columns: Evaluate design & set-up | Analysis | Monitor & react. Elements shown: Operational Risk Management; ORAP; Inherent risks; Controls (designed, selected for efficiency); Risk indicators; R(S)A (+Audit); (K)ORC (Mgt); KRI (Mgt) with tuning, mandatory KRI values; Problem Mgt with incidents for analysis (Problems); Incident Mgt with near misses, CLD, corrective actions, incidents and breach; Insurance Mgt with indemnities; Process. Closing annotation: "Surprise!"]
As predicted
Middle-out
n:m, feedback, time, continuity
[Figure: two probability × impact matrices side by side, "Initial audit issues" (left) and "Forecast year-end 2011" (right). The same nine issues (1 to 9) are plotted in both; their positions shift between the two. Vertical axis: probability (Kans); horizontal axis: impact.]
• 1 Probability           Hopeless
  … per? year? transaction? nanosecond?
• 1 Impact                Hopeless
  … Only financial? reputation, etc.? time; vs intervening?
• H x H = 25              Hopeless
• 3 x M = H               Hopeless
• '16' > '12'             Hopeless
• Who estimates 'H'; how, and with what 'evidence'?
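To make the "'16' > '12'" objection concrete, an added example that is not part of the slides: two constructed risks are scored on a 5-point ordinal matrix, and merely choosing different (still order-preserving) numerals for the same labels reverses which risk ranks higher, so the product reflects the numerals, not the risks.

```python
# Added example (not from the slides): why arithmetic on an ordinal risk
# matrix ("H x H = 25", "'16' > '12'") tells you nothing. The labels, the
# two numeral sets and the two risks below are constructed for illustration.

LABELS = ["VL", "L", "M", "H", "VH"]   # ordinal scale, lowest to highest

# Two order-preserving ways of attaching numerals to the same five labels.
LINEAR = [1, 2, 3, 4, 5]       # the usual 1..5 found in most heat maps
STRETCHED = [1, 2, 3, 4, 50]   # "VH is much worse"; still strictly increasing


def is_monotone(values):
    """True when the numerals respect label order, the only thing an ordinal scale promises."""
    return all(a < b for a, b in zip(values, values[1:]))


def score(likelihood, impact, l_values, i_values):
    """The heat-map 'risk score': numeral(likelihood) * numeral(impact)."""
    return l_values[LABELS.index(likelihood)] * i_values[LABELS.index(impact)]


def ranking(risks, l_values, i_values):
    """Risk names ordered from highest to lowest score under the given numerals."""
    return sorted(risks, key=lambda name: score(*risks[name], l_values, i_values), reverse=True)


def reversed_pairs(l_values, i_values_a, i_values_b):
    """Pairs of matrix cells whose relative order flips between two impact numeral sets.

    Both numeral sets are order-preserving, so every flip is an artefact of
    the numerals chosen, not a property of the risks being compared.
    """
    cells = [(l, i) for l in LABELS for i in LABELS]
    flips = []
    for idx, (l1, i1) in enumerate(cells):
        for l2, i2 in cells[idx + 1:]:
            a = score(l1, i1, l_values, i_values_a) - score(l2, i2, l_values, i_values_a)
            b = score(l1, i1, l_values, i_values_b) - score(l2, i2, l_values, i_values_b)
            if a * b < 0:          # strictly opposite sign: the order reversed
                flips.append(((l1, i1), (l2, i2)))
    return flips


# Constructed risks: A is frequent and serious, B is rare but catastrophic.
RISKS = {"A": ("H", "H"), "B": ("L", "VH")}

if __name__ == "__main__":
    assert is_monotone(LINEAR) and is_monotone(STRETCHED)
    print("scores, linear:    ", {n: score(*r, LINEAR, LINEAR) for n, r in RISKS.items()})
    print("scores, stretched: ", {n: score(*r, LINEAR, STRETCHED) for n, r in RISKS.items()})
    print("ranking, linear:   ", ranking(RISKS, LINEAR, LINEAR))
    print("ranking, stretched:", ranking(RISKS, LINEAR, STRETCHED))
    print("cell pairs that swap order:", len(reversed_pairs(LINEAR, LINEAR, STRETCHED)))
```

With the linear numerals A scores 16 and B scores 10; with the stretched impact numerals B scores 100 and outranks A, and 18 of the 300 cell pairs in the 5×5 matrix change order.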
"In particular, for any consistent, effectively generated formal theory that proves certain basic arithmetic truths, there is an arithmetical statement that is true, but not provable in the theory."
Kurt Gödel

"No matter how perfect you try to risk manage, incidents will happen."
Yours Truly
∫ ( probability function ×? impact function )
─────────────────────────────────────────────
∑ ( cost of countermeasures )

For many series of functions and parameters, impact estimation ranges (…), variable sets of countermeasures,
including variable degrees of effectiveness, with vague notions of risk appetite in the back of some people's minds.
Better modelling ..?
Result
And then there are the costs

What was it astronaut John Glenn said went through his mind as he awaited lift-off?
"You're thinking you're sitting on top of the most complex machine ever built by man, with a million separate components, all supplied by the lowest bidder."
Yes, But …
1.    Yes we know all that. Nothing’s perfect.
2.    The assumptions are reasonable.
3.    The assumptions don’t really matter.
4.    The assumptions are conservative.
5.    You cannot prove the assumptions are wrong.
6.    We only do what everyone else does.
7.    The decision maker is better off with us than without us.
8.    The models are not completely useless.
9.    You gotta make the best of the data you’ve got.
10.   You need assumptions to make progress.
11.   The models deserve the benefit of the doubt.
12.   Models and assumptions don’t do any harm so why bother …?

© David Freedman (in Nassim Taleb’s Black Swan)
Combinations

External data
• Relevance; applicability (moderating vs bias)
• Results from the past
• Too little data (?)
• Self-reporting !?

Internal data
• Far (!) too little data; quality
• Self-reporting !?
• Results from the past

Scenarios / RSAs
• Too little data (?)
• Knowledge, insight into risks
• Purely and only usable locally
• Knowledge and skills
• Perceptions of risk

Keep trying anyway…
Bottom-up then ..?

In theory, nothing works, and everyone knows why.
In practice, everything works, but no-one knows why.

We have in our organisation a combination of theory and practice.
Start small
Start at the bottom
Risks of all ages
So don't set the bar too high
'Stress-testing'
• But then properly
Management = risk(Management)
J. R. Galbraith, "Organization Design: An Information Processing View", Interfaces, 4 (1974), 28-36. Summary

Galbraith believes that "the greater the uncertainty of the task, the greater the amount of information that must be processed between decision makers during the execution of the task to get a given level of performance". Firms can reduce uncertainty through better planning and coordination, often by rules, hierarchy, or goals.

Galbraith states that "the critical limiting factor of an organizational form is the ability to handle the non-routine events that cannot be anticipated or planned for". When the "exceptions" become too prevalent, they overwhelm the hierarchy's ability to process them. Variations in organization design arise from different strategies to increase planning ability and to reduce the number of exceptional events that management must resolve.

Galbraith defines a continuum of organizational forms that firms utilize to reduce uncertainty:
1. Creation of Slack Resources. These include extending delivery times, adding more money to the budget, and building inventory (all of which have inherent costs). If a firm fails to actively create a higher-level strategy to address uncertainty, this strategy will occur by default.
2. Creation of Self-Contained Tasks. One strategy at this level is changing from functional to product groups.
3. Investment in Vertical Integration Systems. Condensing the flow of information by building specialized languages and computer systems can help analysis and decision making.
4. Creation of Lateral Relationships. Moving decision-making power down in the firm to where the information exists can reduce uncertainty at the decision level.

There are various strategies of increasing complexity to achieve this:
A. Direct contact between managers across groups
B. Liaison personnel between groups
C. Task forces
D. Teams
E. Cross-group managers (project managers, program managers, etc.)
F. Linked managers (with power over some cross-group resources)
G. Matrix organization
Combination
Working out the combination
Conclusion

• Risk Management the way it is done today does not work
  • Driven by CYA, fear of the world
  • RM of the Universe is a fantasy

• Adjust the ideals; reach (other) ideals bottom-up
Work In Progress
That was all. Thank you.

Hope you enjoy(ed) the ride
Thank you
Contact details

• Jurgen = Ir.drs. J. van der Vlugt RE CISA CRISC
• Maverisk Consultancy, IS Audit and Advisory services
  (KPMG, ABN AMRO, Noordbeek, Achmea, ABN AMRO)
• (IS) Audit, (Info)Security, Y2k, BCM, ERM/ORM
• ISSA, NOREA: Various committees

• Jvdvlugt@maverisk.nl
• LinkedIn, Twitter (etc.etc.)

Motivate yourself! www.despair.com/viewall.html
