ºÝºÝߣ

ºÝºÝߣShare a Scribd company logo

Risk Managers Of The Universe

Jurgen van der Vlugt
Jurgen van der Vlugt

On how the current top-down (command-and-)control approach, and the \'middle-out\' modelling aproach, will and can not work in the end. A new paradigm, bottom-up KISS risk management will be needed.

1 of 43
Risk Managers of the universe Jurgen van der Vlugt Dialogues House, 16 augustus 2012
Introductie
Agenda Risk Management, ? Top-down ? Middle-out ? Bottom-up
Top-down ? RM ? In control over risico¡¯s ? Risico¡¯s ? negatieve events ? Positieve? risico ? rendement ? Events: definitie? volledigheid? ? In control ? geen afwijkingen / correctie ? Geen afwijkingen: totale beheersing inputs ? Correctie: kosten, schade, positieve resultaten? ? Fantasie: Werkelijkheid beheersen
In control?
In control?
Janus Resultaten uit het verleden ¡­ toekomst
De Toekomst¡­ ? ALLE risicodiscussie is subjectief ? Gaat over de toekomst, ? De ? van onzekerheid ? Bestaat alleen in de verbeelding ? RM is speculeren over de toekomst ? Toch¡­ amechtige pogingen
Overhead Evaluate design & Analysis Monitor & react set-up Operational Risk Problem Management Mgt Incidents ORAP Inherent for analysis Controls Risk indicators risks (Problems) R(S)A (K)ORC KRI Incident (+Audit) (Mgt) (Mgt) Mgt Insu- Near rance Designed, Tuning, Selected for Mandatory misses CLD Mgt efficiency Corrective KRI actions values Incidents Indemnities Process Breach Very, very basically Surprise!
Zoals voorspeld
Risk Managers Of The Universe
Middle-out
n:m, feedback, time, continuity
Initi?le auditissues Forecast ultimo 2011 1 2 3 4 4 3 5 9 7 8 6 9 Kans Kans 6 2 7 1 Impact Impact ? 1 Kans Kansloos ? ¡­ per? jaar? transactie? nanoseconde? ? 1 Impact Kansloos ? ¡­ Alleen financieel? reputatie, etc.? tijd; vs ingrijpen? ? H x H = 25 Kansloos ? 3xM=H Kansloos ? ¡¯16¡¯ > ¡¯12¡¯ Kansloos ? Wie schat ¡®H¡¯; hoe en met welk ¡®bewijs¡¯?
In particular, for any consistent, effectively generated formal theory that proves certain basic arithmetic truths, there is an arithmetical statement that is true, but not provable in the theory. Kurt G?del No matter how perfect you try to risk manage, incidents will happen Yours Truly
¡Ò ( Kansfunctie ¡Á? Impactfunctie ) ¡Æ( Kosten van tegenmaatregelen ) Voor vele series van functies en parameters, impact schattingsranges (¡­), variabele sets van tegenmaatregelen Inclusief variabele maten van effectiviteit, met vage noties van risk appetites in de achterhoofden van sommigen
Risk Managers Of The Universe
Beter modelleren ..?
Resultaat
Risk Managers Of The Universe
En dan zijn er nog kosten What was it astronaut John Glenn said went through his mind as he awaited lift-off? "You're thinking you're sitting on top of the most complex machine ever built by man, with a million separate components, all supplied by the lowest bidder."
Ja Maar ¡­ 1. Yes we know all that. Nothing¡¯s perfect. 2. The assumptions are reasonable. 3. The assumptions don¡¯t really matter. 4. The assumptions are conservative. 5. You cannot prove the assumptions are wrong. 6. We only do what everyone else does. 7. The decision maker is better off with us than without us. 8. The models are not completely useless. 9. You gotta make the best of the data you¡¯ve got. 10. You need assumptions to make progress. 11. The models deserve the benefit of the doubt. 12. Models and assumptions don¡¯t do any harm so why bother ¡­? ? David Freedman (in Nassim Taleb¡¯s Black Swan)
Combinaties Externe data Scenario?s ? Relevantie; toepasselijkheid (modereren vs bias) ? Resultaten uit het verleden ? Te weinig data (?) ? Self-reporting !? ? Veel (!) te weinig data; kwaliteit ? Te weinig data (?) ? Self-reporting !? ? Kennis, zicht op risico¡¯s ? Resultaten uit het verleden ? Zuiver en alleen lokaal bruikbaar ? Kennis en kunde Interne data ? Percepties van risico RSA?s
Risk Managers Of The Universe
Risk Managers Of The Universe
Risk Managers Of The Universe
T¨®ch blijven proberen¡­
Bottom-up dan ..? In theory, nothing works, In practice, everything works, and everyone knows why. but no-one knows why. We have in our organisation a combination of theory and practice.
Klein beginnen
Onderaan beginnen
Risico¡¯s van alle tijden
Dus lat niet te hoog verkopen
¡®Stress-testen¡¯ ? Maar dan goed
Management = risico(Management)
J. R. Galbraith, "Organization Design: An Information Processing View" Interfaces, 4 (1974), 28-36 Summary Galbraith believes that "the greater the uncertainty of the task, the greater the amount of information that must be processed between decision makers during the execution of the task to get a given level of performance". Firms can reduce uncertainty through better planning and coordination, often by rules, hierarchy, or goals. Galbraith states that "the critical limiting factor of an organizational form is the ability to handle the non-routine events that cannot be anticipated or planned for". When the "exceptions" become too prevalent, they overwhelm the hierarchy's ability to process them. Variations in organization design arise from different strategies to increase planning ability and to reduce the number of exceptional events that management must resolve. Galbraith defines a continuity of organizational forms that firms utilize to reduce uncertainty: 1. Creation of Slack Resources. These include extending delivery times, adding more money to the budget, and building inventory (all which have inherent costs). If a firm fails to actively create a higher level strategy to address uncertainty, this strategy will occur by default. 2. Creation of Self-Contained Tasks. One strategy at this level is changing from functional to product groups. 3. Investment in Vertical Integration Systems. Condensing the flow of information by building specialized languages and computer systems can help analysis and decision making. 4. Creation of Lateral Relationships. Moving the decision making power down in the firm to where the information exists can reduce uncertainty at the decision level. There are various strategies of increasing complexity to achieve this: A. Direct contact between managers across groups B. Liaison personnel between groups. C. Task Forces D. Teams E. Cross-group Managers (project managers, program managers, etc.) F. Linked Managers (with power over some cross-group resources) G. Matrix Organization
Combinatie
Combinatie uitwerken
Conclusie ? Risk Management op de huidige manier, werkt niet ? Gedreven door CYA, angst voor de wereld ? RM of the Universe is een fantasie ? Idealen bijstellen, via Bottom-up (andere) idealen halen
Work In Progress
That was all. Thank you. Hope you enjoy(ed) the ride
Risk Managers Of The Universe
Dank u
Contact details ? Jurgen = Ir.drs. J. van der Vlugt RE CISA CRISC ? Maverisk Consultancy, IS Audit and Advisory services (KPMG, ABN AMRO, Noordbeek, Achmea, ABN AMRO ? (IS) Audit, (Info)Security, Y2k, BCM, ERM/ORM ? ISSA, NOREA: Various committees ? Jvdvlugt@maverisk.nl ? LinkedIn, Twitter (etc.etc.) Motivate yourself! www.despair.com/viewall.html

Recommended

Agile testing isn't risking it! published
Agile testing isn't risking it! publishedAgile testing isn't risking it! published
Agile testing isn't risking it! published
bram_bronneberg
?
Life test sample size determination based on probability of decisions
Life test sample size determination based on probability of decisionsLife test sample size determination based on probability of decisions
Life test sample size determination based on probability of decisions
ASQ Reliability Division
?
Erm
ErmErm
Erm
Pankaj Kumar Kar
?
Microsoft Power Point Simon Final
Microsoft Power Point Simon FinalMicrosoft Power Point Simon Final
Microsoft Power Point Simon Final
guesta09d518
?
Outages, PostMortems, and Human Error
Outages, PostMortems, and Human ErrorOutages, PostMortems, and Human Error
Outages, PostMortems, and Human Error
John Allspaw
?
Nagios Conference 2012 - Kishore Jalleda - Nagios in the Agile DevOps Continu...
Nagios Conference 2012 - Kishore Jalleda - Nagios in the Agile DevOps Continu...Nagios Conference 2012 - Kishore Jalleda - Nagios in the Agile DevOps Continu...
Nagios Conference 2012 - Kishore Jalleda - Nagios in the Agile DevOps Continu...
Nagios
?
Much Data 0.95
Much Data 0.95Much Data 0.95
Much Data 0.95
Jurgen van der Vlugt
?
Wat ruist er door uw data-zee ISACA NL roundtable 2013 06 03
Wat ruist er door uw data-zee ISACA NL roundtable 2013 06 03Wat ruist er door uw data-zee ISACA NL roundtable 2013 06 03
Wat ruist er door uw data-zee ISACA NL roundtable 2013 06 03
Jurgen van der Vlugt
?
ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3
Jurgen van der Vlugt
?
C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000
Henk, van Soest
?
Improving UX through Application Lifecycle Management
Improving UX through Application Lifecycle ManagementImproving UX through Application Lifecycle Management
Improving UX through Application Lifecycle Management
goodfriday
?
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Rick Thomas, Colonel (Retired)
?
D team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqmD team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqm
Miraj Mhaisuria
?
Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]
Ira Tobing
?
Tech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects ProductivelyTech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects Productively
rsnarayanan
?
Risk management using risk+ (v5)
Risk management using risk+ (v5)Risk management using risk+ (v5)
Risk management using risk+ (v5)
Glen Alleman
?
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
bfriday
?
S thomas sfield
S thomas sfieldS thomas sfield
S thomas sfield
NASAPMC
?
Five risk management rules for the project manager
Five risk management rules for the project managerFive risk management rules for the project manager
Five risk management rules for the project manager
John Goodpasture
?
Six Sigma Yellow Belt
Six Sigma Yellow BeltSix Sigma Yellow Belt
Six Sigma Yellow Belt
Sudhakar Selka
?
Applying Knowledge Cory Banks
Applying Knowledge Cory BanksApplying Knowledge Cory Banks
Applying Knowledge Cory Banks
Cory Banks
?
Empirical Evidence Of Agile Methods
Empirical Evidence Of Agile MethodsEmpirical Evidence Of Agile Methods
Empirical Evidence Of Agile Methods
Grigori Melnik
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar
rfrederick_pmp
?
Successful Dispute Resolution
Successful Dispute ResolutionSuccessful Dispute Resolution
Successful Dispute Resolution
Acumen
?
Pojectmanagementver4
Pojectmanagementver4Pojectmanagementver4
Pojectmanagementver4
sami325
?
Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08
sanjivshah
?
Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3
Jurgen van der Vlugt
?
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto DesignsIDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
Jurgen van der Vlugt
?

More Related Content

Similar to Risk Managers Of The Universe (20)

ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3
Jurgen van der Vlugt
?
C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000
Henk, van Soest
?
Improving UX through Application Lifecycle Management
Improving UX through Application Lifecycle ManagementImproving UX through Application Lifecycle Management
Improving UX through Application Lifecycle Management
goodfriday
?
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Rick Thomas, Colonel (Retired)
?
D team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqmD team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqm
Miraj Mhaisuria
?
Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]
Ira Tobing
?
Tech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects ProductivelyTech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects Productively
rsnarayanan
?
Risk management using risk+ (v5)
Risk management using risk+ (v5)Risk management using risk+ (v5)
Risk management using risk+ (v5)
Glen Alleman
?
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
bfriday
?
S thomas sfield
S thomas sfieldS thomas sfield
S thomas sfield
NASAPMC
?
Five risk management rules for the project manager
Five risk management rules for the project managerFive risk management rules for the project manager
Five risk management rules for the project manager
John Goodpasture
?
Six Sigma Yellow Belt
Six Sigma Yellow BeltSix Sigma Yellow Belt
Six Sigma Yellow Belt
Sudhakar Selka
?
Applying Knowledge Cory Banks
Applying Knowledge Cory BanksApplying Knowledge Cory Banks
Applying Knowledge Cory Banks
Cory Banks
?
Empirical Evidence Of Agile Methods
Empirical Evidence Of Agile MethodsEmpirical Evidence Of Agile Methods
Empirical Evidence Of Agile Methods
Grigori Melnik
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar
rfrederick_pmp
?
Successful Dispute Resolution
Successful Dispute ResolutionSuccessful Dispute Resolution
Successful Dispute Resolution
Acumen
?
Pojectmanagementver4
Pojectmanagementver4Pojectmanagementver4
Pojectmanagementver4
sami325
?
Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08
sanjivshah
?
ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3ISSA ORM 2012 June 20 v0.3
ISSA ORM 2012 June 20 v0.3
Jurgen van der Vlugt
?
C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000C:\Fakepath\Activity Project Management Atlas 2000
C:\Fakepath\Activity Project Management Atlas 2000
Henk, van Soest
?
Improving UX through Application Lifecycle Management
Improving UX through Application Lifecycle ManagementImproving UX through Application Lifecycle Management
Improving UX through Application Lifecycle Management
goodfriday
?
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1Securityprojectmanagementtraining 12501208976209-phpapp01-1
Securityprojectmanagementtraining 12501208976209-phpapp01-1
Rick Thomas, Colonel (Retired)
?
D team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqmD team weekly powerpoint presentation spqm
D team weekly powerpoint presentation spqm
Miraj Mhaisuria
?
Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]Mpc mtcp six sigma [compatibility mode]
Mpc mtcp six sigma [compatibility mode]
Ira Tobing
?
Tech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects ProductivelyTech Ed 2009 Practical Tips To Manage Projects Productively
Tech Ed 2009 Practical Tips To Manage Projects Productively
rsnarayanan
?
Risk management using risk+ (v5)
Risk management using risk+ (v5)Risk management using risk+ (v5)
Risk management using risk+ (v5)
Glen Alleman
?
Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)Workshop project risk management (29 june 2012)
Workshop project risk management (29 june 2012)
bfriday
?
S thomas sfield
S thomas sfieldS thomas sfield
S thomas sfield
NASAPMC
?
Five risk management rules for the project manager
Five risk management rules for the project managerFive risk management rules for the project manager
Five risk management rules for the project manager
John Goodpasture
?
Six Sigma Yellow Belt
Six Sigma Yellow BeltSix Sigma Yellow Belt
Six Sigma Yellow Belt
Sudhakar Selka
?
Applying Knowledge Cory Banks
Applying Knowledge Cory BanksApplying Knowledge Cory Banks
Applying Knowledge Cory Banks
Cory Banks
?
Empirical Evidence Of Agile Methods
Empirical Evidence Of Agile MethodsEmpirical Evidence Of Agile Methods
Empirical Evidence Of Agile Methods
Grigori Melnik
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar0100 01-it-prj planning-webinar
0100 01-it-prj planning-webinar
rfrederickpmp
?
0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar0100 01 It Prj Planning Webinar
0100 01 It Prj Planning Webinar
rfrederick_pmp
?
Successful Dispute Resolution
Successful Dispute ResolutionSuccessful Dispute Resolution
Successful Dispute Resolution
Acumen
?
Pojectmanagementver4
Pojectmanagementver4Pojectmanagementver4
Pojectmanagementver4
sami325
?
Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08Ambe Eng. Case Study 06.06.08
Ambe Eng. Case Study 06.06.08
sanjivshah
?

More from Jurgen van der Vlugt (17)

Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3
Jurgen van der Vlugt
?
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto DesignsIDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
Jurgen van der Vlugt
?
ISSA NL event 2013 06 06 Limits, Not Rails
ISSA NL event 2013 06 06 Limits, Not RailsISSA NL event 2013 06 06 Limits, Not Rails
ISSA NL event 2013 06 06 Limits, Not Rails
Jurgen van der Vlugt
?
ACAM-VDA NOREA Adviesdiensten 21 juni 2012
ACAM-VDA NOREA Adviesdiensten 21 juni 2012ACAM-VDA NOREA Adviesdiensten 21 juni 2012
ACAM-VDA NOREA Adviesdiensten 21 juni 2012
Jurgen van der Vlugt
?
Adviesdiensten Norea Regio Noord 2012 05 10
Adviesdiensten Norea Regio Noord 2012 05 10Adviesdiensten Norea Regio Noord 2012 05 10
Adviesdiensten Norea Regio Noord 2012 05 10
Jurgen van der Vlugt
?
Van Plank Misslaan Naar Spijker Op De Kop V0.3
Van Plank Misslaan Naar Spijker Op De Kop V0.3Van Plank Misslaan Naar Spijker Op De Kop V0.3
Van Plank Misslaan Naar Spijker Op De Kop V0.3
Jurgen van der Vlugt
?
Down the Blind Alley (PDF)
Down the Blind Alley (PDF)Down the Blind Alley (PDF)
Down the Blind Alley (PDF)
Jurgen van der Vlugt
?
Advies Assurance September 2011 V0.97
Advies Assurance September 2011 V0.97Advies Assurance September 2011 V0.97
Advies Assurance September 2011 V0.97
Jurgen van der Vlugt
?
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces ITNGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
Jurgen van der Vlugt
?
VU Information Risk Management Security Management 2010 JvdV
VU Information Risk Management Security Management 2010 JvdVVU Information Risk Management Security Management 2010 JvdV
VU Information Risk Management Security Management 2010 JvdV
Jurgen van der Vlugt
?
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
Jurgen van der Vlugt
?
VU Uitvoering van de audit 28 mei 2010
VU Uitvoering van de audit 28 mei 2010VU Uitvoering van de audit 28 mei 2010
VU Uitvoering van de audit 28 mei 2010
Jurgen van der Vlugt
?
Saxion Ensched¨¦ College Security 2009
Saxion Ensched¨¦ College Security 2009Saxion Ensched¨¦ College Security 2009
Saxion Ensched¨¦ College Security 2009
Jurgen van der Vlugt
?
NOREA Update congres 2007 incl notes
NOREA Update congres 2007 incl notesNOREA Update congres 2007 incl notes
NOREA Update congres 2007 incl notes
Jurgen van der Vlugt
?
NOREA ALV Symposium Advies 2010
NOREA ALV Symposium Advies 2010NOREA ALV Symposium Advies 2010
NOREA ALV Symposium Advies 2010
Jurgen van der Vlugt
?
NOREA Regiosessie Reglementen 2010
NOREA Regiosessie Reglementen 2010NOREA Regiosessie Reglementen 2010
NOREA Regiosessie Reglementen 2010
Jurgen van der Vlugt
?
Saxion Ensched¨¦ College Security 2010
Saxion Ensched¨¦ College Security 2010Saxion Ensched¨¦ College Security 2010
Saxion Ensched¨¦ College Security 2010
Jurgen van der Vlugt
?
Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3Permanent open depot rijks in kpmg gebouw v0.3
Permanent open depot rijks in kpmg gebouw v0.3
Jurgen van der Vlugt
?
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto DesignsIDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
IDC Amsterdam 2013 09 12 Smart Security Solutions require Ditto Designs
Jurgen van der Vlugt
?
ISSA NL event 2013 06 06 Limits, Not Rails
ISSA NL event 2013 06 06 Limits, Not RailsISSA NL event 2013 06 06 Limits, Not Rails
ISSA NL event 2013 06 06 Limits, Not Rails
Jurgen van der Vlugt
?
ACAM-VDA NOREA Adviesdiensten 21 juni 2012
ACAM-VDA NOREA Adviesdiensten 21 juni 2012ACAM-VDA NOREA Adviesdiensten 21 juni 2012
ACAM-VDA NOREA Adviesdiensten 21 juni 2012
Jurgen van der Vlugt
?
Adviesdiensten Norea Regio Noord 2012 05 10
Adviesdiensten Norea Regio Noord 2012 05 10Adviesdiensten Norea Regio Noord 2012 05 10
Adviesdiensten Norea Regio Noord 2012 05 10
Jurgen van der Vlugt
?
Van Plank Misslaan Naar Spijker Op De Kop V0.3
Van Plank Misslaan Naar Spijker Op De Kop V0.3Van Plank Misslaan Naar Spijker Op De Kop V0.3
Van Plank Misslaan Naar Spijker Op De Kop V0.3
Jurgen van der Vlugt
?
Down the Blind Alley (PDF)
Down the Blind Alley (PDF)Down the Blind Alley (PDF)
Down the Blind Alley (PDF)
Jurgen van der Vlugt
?
Advies Assurance September 2011 V0.97
Advies Assurance September 2011 V0.97Advies Assurance September 2011 V0.97
Advies Assurance September 2011 V0.97
Jurgen van der Vlugt
?
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces ITNGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
NGI Regio Rdam / Afd IT-A: Stuxnet - Beveiliging en Audit van Proces IT
Jurgen van der Vlugt
?
VU Information Risk Management Security Management 2010 JvdV
VU Information Risk Management Security Management 2010 JvdVVU Information Risk Management Security Management 2010 JvdV
VU Information Risk Management Security Management 2010 JvdV
Jurgen van der Vlugt
?
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
VU Organisatie van het beroep Reglementering Deel I 21 mei 2010
Jurgen van der Vlugt
?
VU Uitvoering van de audit 28 mei 2010
VU Uitvoering van de audit 28 mei 2010VU Uitvoering van de audit 28 mei 2010
VU Uitvoering van de audit 28 mei 2010
Jurgen van der Vlugt
?
Saxion Ensched¨¦ College Security 2009
Saxion Ensched¨¦ College Security 2009Saxion Ensched¨¦ College Security 2009
Saxion Ensched¨¦ College Security 2009
Jurgen van der Vlugt
?
NOREA Update congres 2007 incl notes
NOREA Update congres 2007 incl notesNOREA Update congres 2007 incl notes
NOREA Update congres 2007 incl notes
Jurgen van der Vlugt
?
NOREA ALV Symposium Advies 2010
NOREA ALV Symposium Advies 2010NOREA ALV Symposium Advies 2010
NOREA ALV Symposium Advies 2010
Jurgen van der Vlugt
?
NOREA Regiosessie Reglementen 2010
NOREA Regiosessie Reglementen 2010NOREA Regiosessie Reglementen 2010
NOREA Regiosessie Reglementen 2010
Jurgen van der Vlugt
?
Saxion Ensched¨¦ College Security 2010
Saxion Ensched¨¦ College Security 2010Saxion Ensched¨¦ College Security 2010
Saxion Ensched¨¦ College Security 2010
Jurgen van der Vlugt
?

Risk Managers Of The Universe

  • 1. Risk Managers of the universe Jurgen van der Vlugt Dialogues House, 16 augustus 2012
  • 3. Agenda Risk Management, ? Top-down ? Middle-out ? Bottom-up
  • 4. Top-down ? RM ? In control over risico¡¯s ? Risico¡¯s ? negatieve events ? Positieve? risico ? rendement ? Events: definitie? volledigheid? ? In control ? geen afwijkingen / correctie ? Geen afwijkingen: totale beheersing inputs ? Correctie: kosten, schade, positieve resultaten? ? Fantasie: Werkelijkheid beheersen
  • 7. Janus Resultaten uit het verleden ¡­ toekomst
  • 8. De Toekomst¡­ ? ALLE risicodiscussie is subjectief ? Gaat over de toekomst, ? De ? van onzekerheid ? Bestaat alleen in de verbeelding ? RM is speculeren over de toekomst ? Toch¡­ amechtige pogingen
  • 9. Overhead Evaluate design & Analysis Monitor & react set-up Operational Risk Problem Management Mgt Incidents ORAP Inherent for analysis Controls Risk indicators risks (Problems) R(S)A (K)ORC KRI Incident (+Audit) (Mgt) (Mgt) Mgt Insu- Near rance Designed, Tuning, Selected for Mandatory misses CLD Mgt efficiency Corrective KRI actions values Incidents Indemnities Process Breach Very, very basically Surprise!
  • 13. n:m, feedback, time, continuity
  • 14. Initi?le auditissues Forecast ultimo 2011 1 2 3 4 4 3 5 9 7 8 6 9 Kans Kans 6 2 7 1 Impact Impact ? 1 Kans Kansloos ? ¡­ per? jaar? transactie? nanoseconde? ? 1 Impact Kansloos ? ¡­ Alleen financieel? reputatie, etc.? tijd; vs ingrijpen? ? H x H = 25 Kansloos ? 3xM=H Kansloos ? ¡¯16¡¯ > ¡¯12¡¯ Kansloos ? Wie schat ¡®H¡¯; hoe en met welk ¡®bewijs¡¯?
  • 15. In particular, for any consistent, effectively generated formal theory that proves certain basic arithmetic truths, there is an arithmetical statement that is true, but not provable in the theory. Kurt G?del No matter how perfect you try to risk manage, incidents will happen Yours Truly
  • 16. ¡Ò ( Kansfunctie ¡Á? Impactfunctie ) ¡Æ( Kosten van tegenmaatregelen ) Voor vele series van functies en parameters, impact schattingsranges (¡­), variabele sets van tegenmaatregelen Inclusief variabele maten van effectiviteit, met vage noties van risk appetites in de achterhoofden van sommigen
  • 21. En dan zijn er nog kosten What was it astronaut John Glenn said went through his mind as he awaited lift-off? "You're thinking you're sitting on top of the most complex machine ever built by man, with a million separate components, all supplied by the lowest bidder."
  • 22. Ja Maar ¡­ 1. Yes we know all that. Nothing¡¯s perfect. 2. The assumptions are reasonable. 3. The assumptions don¡¯t really matter. 4. The assumptions are conservative. 5. You cannot prove the assumptions are wrong. 6. We only do what everyone else does. 7. The decision maker is better off with us than without us. 8. The models are not completely useless. 9. You gotta make the best of the data you¡¯ve got. 10. You need assumptions to make progress. 11. The models deserve the benefit of the doubt. 12. Models and assumptions don¡¯t do any harm so why bother ¡­? ? David Freedman (in Nassim Taleb¡¯s Black Swan)
  • 23. Combinaties Externe data Scenario?s ? Relevantie; toepasselijkheid (modereren vs bias) ? Resultaten uit het verleden ? Te weinig data (?) ? Self-reporting !? ? Veel (!) te weinig data; kwaliteit ? Te weinig data (?) ? Self-reporting !? ? Kennis, zicht op risico¡¯s ? Resultaten uit het verleden ? Zuiver en alleen lokaal bruikbaar ? Kennis en kunde Interne data ? Percepties van risico RSA?s
  • 28. Bottom-up dan ..? In theory, nothing works, In practice, everything works, and everyone knows why. but no-one knows why. We have in our organisation a combination of theory and practice.
  • 32. Dus lat niet te hoog verkopen
  • 35. J. R. Galbraith, "Organization Design: An Information Processing View" Interfaces, 4 (1974), 28-36 Summary Galbraith believes that "the greater the uncertainty of the task, the greater the amount of information that must be processed between decision makers during the execution of the task to get a given level of performance". Firms can reduce uncertainty through better planning and coordination, often by rules, hierarchy, or goals. Galbraith states that "the critical limiting factor of an organizational form is the ability to handle the non-routine events that cannot be anticipated or planned for". When the "exceptions" become too prevalent, they overwhelm the hierarchy's ability to process them. Variations in organization design arise from different strategies to increase planning ability and to reduce the number of exceptional events that management must resolve. Galbraith defines a continuity of organizational forms that firms utilize to reduce uncertainty: 1. Creation of Slack Resources. These include extending delivery times, adding more money to the budget, and building inventory (all which have inherent costs). If a firm fails to actively create a higher level strategy to address uncertainty, this strategy will occur by default. 2. Creation of Self-Contained Tasks. One strategy at this level is changing from functional to product groups. 3. Investment in Vertical Integration Systems. Condensing the flow of information by building specialized languages and computer systems can help analysis and decision making. 4. Creation of Lateral Relationships. Moving the decision making power down in the firm to where the information exists can reduce uncertainty at the decision level. There are various strategies of increasing complexity to achieve this: A. Direct contact between managers across groups B. Liaison personnel between groups. C. Task Forces D. Teams E. Cross-group Managers (project managers, program managers, etc.) F. Linked Managers (with power over some cross-group resources) G. Matrix Organization
  • 38. Conclusie ? Risk Management op de huidige manier, werkt niet ? Gedreven door CYA, angst voor de wereld ? RM of the Universe is een fantasie ? Idealen bijstellen, via Bottom-up (andere) idealen halen
  • 40. That was all. Thank you. Hope you enjoy(ed) the ride
  • 43. Contact details ? Jurgen = Ir.drs. J. van der Vlugt RE CISA CRISC ? Maverisk Consultancy, IS Audit and Advisory services (KPMG, ABN AMRO, Noordbeek, Achmea, ABN AMRO ? (IS) Audit, (Info)Security, Y2k, BCM, ERM/ORM ? ISSA, NOREA: Various committees ? Jvdvlugt@maverisk.nl ? LinkedIn, Twitter (etc.etc.) Motivate yourself! www.despair.com/viewall.html
AboutCopyright
? 2025 ºÝºÝߣ