Risk Management Insights


Security Risk Management, Operational Risk, Risk Manager

Exploring the evolving role and scope of operational risk management in today’s dynamic landscape

Guest Blog by Shannon Harris, Senior Research Executive, Center for Financial Professionals

The Protecht Group will be exhibiting at the New Generation Operational Risk Europe Summit in London. Use code: PROTECHT20 to get 20% off the current rate.

In the past decade, the financial industry has changed and evolved rapidly, leading to enhanced risk management practices. Operational risk is no different: as new and emerging risks enter the market, it is often the strength of people, processes and systems that enables effective mitigation and management, yet these same elements also pose the risk. The role and scope of operational risk is more diverse than ever as many strive for sustainable and long-lasting solutions.

Many individuals working within risk management face the difficult task of staying ahead in a fast-paced industry. 2018 has highlighted the importance of operational risk within financial institutions as regulators placed heightened emphasis on the need for worthwhile risk management practices, and more recently a much larger push for resilience. In addition, risk management is appearing more within the public arena as consumers display an increased demand for security.


Security Risk Management, information security management

Cyber security – will we ever be safe?

I recently read an article in the @TheEconomist (April 8 edition) entitled The Myth of Cyber Security, a somewhat depressing article on the poor state of cyber security globally. The author discussed numerous reasons behind the current problems:

  • Software complexity and speed of development
  • Users' failure to protect themselves
  • The technology industry’s inability to self-regulate and accept liability for product flaws

The last point draws comparisons to the car industry in the early 1960s: it was not until the government forced its hand on safety that the industry’s attitude changed. The author considered that additional government intervention could perhaps be beneficial to the technology sector. Examples included increased reporting requirements for companies that are hacked, forced default password changes and legislated timeframes for fixes to "at risk" products.


Security Risk Management, information security management, ISO 27001

Information Security Risk Management: An Interview with Peter Walker, Protecht Group Chief Information Officer

In this blog post, Peter Walker, Protecht's Chief Information Officer, answers some questions around information security and getting ISO 27001 certified.

Why are you concerned about information security?

I receive notifications of data breaches and information security reports with lessons learned on a daily basis. The number, magnitude and consequences of these incidents continue to rise. As Protecht's CIO, it’s a sobering thought when you are managing other people’s highly sensitive data.

While we have always had information security processes and procedures in place for many years, I recognised the need to do more and to be able to quickly demonstrate to the Protecht Executive Team and external parties that we had a robust and effective information security risk management framework in place. As a separate driver, we needed to be able to demonstrate to our Australian Commonwealth Government clients and prospects that we met the very stringent information security management requirements of the Australian Signals Directorate.


Security Risk Management, Risk Culture

Our Most Popular Risk Management Articles in 2015

Happy New Year! 2016 has arrived and at Protecht we wish to take the opportunity to look back and share our most popular blog posts from 2015.

We invite you to enjoy these articles for the first time or to read them again. Just click the article title for the full view.

1. Compliance Risk Management

  • Analysis of the relationship between Compliance Management and Risk Management. Do you think that compliance is a subset of risk management?
  • See the difference between the Management Processes in each standard: ISO 31000 and ISO 19600.
  • Compliance risk management should form an integral part of the overall enterprise risk management (ERM) framework, and risk professionals should consider compliance risk as part of their overall portfolio of risks.


Security Risk Management, information security management, Risk Management

Cloud Computing - Food for Thought

The move towards cloud computing is exciting for many businesses. Not only are they able to realize cost savings through less maintenance of their own IT systems, but many cloud tools also enable new levels of sharing, collaboration and ease of access, which can transform the way businesses work.

However, wider adoption of cloud computing leads to increased scrutiny, both from users and regulators. The availability, integrity and confidentiality of data remain critical for any business regardless of whether it is stored on site or in the cloud. Thus, prior to entering any hosting or cloud arrangement, companies should have a robust process in place to evaluate the service.


Security Risk Management, Risk Management, Risk Velocity

Risk Velocity - The Third Dimension of Risk?

The primary purpose of risk management is to create and preserve value. Rather than it being a chore or a regulatory demand, risk management should be viewed as central to the organisation and its means of creating a return on capital employed.


Security Risk Management, information security management

Data risk: a growing risk for companies and great opportunity for hackers

One of the biggest obstacles for organisations is understanding where critical data resides and how it is currently protected. Apart from the production environment, copies of important or sensitive data are also stored in back-ups, data warehouses and test environments. These environments may be less protected than the production environment. Data risk is a growing risk for companies and a great opportunity for hackers.

Recently, a well-known travel agency was hacked and almost 1 million customer records were exposed. Although the production environment was secure, the less secure test environment was also accessible from the internet, which facilitated unauthorised access to sensitive customer data. Data risk management should therefore focus on the data itself, as recommended by the international security standard ISO 27001:2013.


Compliance Management, Security Risk Management, Enterprise Risk Management, information security management

Information Risk Management as part of your ERM framework

We hear many times that this is the information age and that data is the new gold. The “Big Data” trend encapsulates this and focuses our minds on the potentially huge amounts of data our businesses have access to, both internal and external. Data and information are therefore a potentially high value asset, but just like a gold mine, they need to be mined and refined into something valuable, and protected.

Due to the explosion of available information and the ever increasing importance of using it to provide our business with the information resources it needs to function, information risk management has never been more critical for businesses.

This article considers information risk management as part of an overall Enterprise Risk Management (ERM) framework.

The starting point for information risk management is to identify all sources of information that are used and managed by the organisation. This requires the development of an “Information Asset Register”, which should include such things as:

  1. Information Asset Name
  2. Type:  Electronic / physical
  3. If electronic:  Production, Test or Back-up
  4. Type of storage: Server, laptop, desktop, mobile device, web, USB key, physical (filing cabinet) etc.
  5. Type of information (field descriptors)
  6. Purpose /use of information
  7. Location (geo location)
  8. Number of records
  9. Relevant external obligations over information. Is the information public or private? For government, unclassified / protected etc.
  10. Information / Storage owner
  11. Methods of write access (add, amend, delete)
  12. Methods of read access (web, intranet, print etc.)
  13. Parties with write access
  14. Parties with read access