At FAIRCON19, we caught up with Annie Lavoie, Director, IT Risk Management for the Business Development Bank of Canada (BDC), a government-supported financial institution devoted exclusively to funding entrepreneurs. Annie is an auditor who moved into IT risk at BDC within the past three years and is now one of the leaders of the FAIR adoption program on, as she says, "my journey to implement an IT risk management function formally at BDC." Learn about her journey in this video or read the transcript below.
How was FAIR first introduced at BDC?
Actually, this initiative was brought into our organization by my boss, the AVP of Cybersecurity and Internal Controls. He heard of FAIR in his previous life and brought the idea to BDC. It was a discovery for me because I didn't know this methodology or anything about it, and as I started learning about it, actually it appealed to me a lot as well, because I finally got answers to a lot of questions I had about risk management: "Why was it not working?" "How can we make this a cost-effective journey as well?"
We started with bringing RiskLens [the FAIR Institute's technical partner] into BDC to provide training to 16 people. We made sure we got representation from each of the IT sub-departments, and we also brought our internal audit as well to sit at the table, and operational risk management people as well. So we all saw at the same time what the possibilities were and what it could bring - we got a lot of traction. As it was for me, people were excited to put it into practice. So we've set up a lot of expectations on the part of our stakeholders, and we can't keep moving fast enough for them to implement and start doing risk assessments using that methodology.
Has there been any resistance to FAIR adoption?
Even though we've made sure that we on-boarded people, we're still (doing) that qualitative, red-yellow-and-green - it's really anchored in people's minds. And actually once we start doing real analysis, we will get people one at a time that will make sure that we transform the organization to gradually embrace quantification of risk. It's really a culture change, and we're seeing it. Even though we've hooked people, to change the whole organization is going to take time. It's not something that we will be able to do overnight but we're working toward that and I'm sure that as we are doing analysis, they'll embrace risk quantification and they'll let go.
What's helping us is that we've made sure that we have a matrix: even though we have high, medium and low, we still have some dollar amounts associated with it, so we will be able to eventually map our quantification with those heat maps, so we will be able to talk the same language.
What's your impression of the FAIR Institute?
It's really great, actually. I didn't know it was such a new institute. I was really surprised to learn that it only started in 2016. The FAIR Institute was really able to mature at a fast pace.
I'm really glad to see what kind of material is available. I really feel that we are backed up by the Institute to be able to get us the tools and the means to be able to implement the FAIR methodology at our organization.
What do you think of the FAIR Conference?
It's really wonderful. It allows us to meet a lot of people who are a bit more advanced in their journey than we are, so that we can discuss with them, share our stories, and actually everybody has stepped over the same problems. It allows us to make some contacts, and for sure that's going to help us on our journey. So just for the contacts that we've made so far, it's really worth it.
What have you learned at the conference?
There's a lot of stuff that we already knew because we've been working with RiskLens for the past eight months, but just to see that people struggle with the same problems and again - is it something that we need to go through, or is there a way to just go around it, or does the organization need to suffer the same kind of pitfalls to be able to mature to change the culture? So maybe that will be my takeaway.