Video: See BCP Bank’s Mission Statement and Project Plan for FAIR Program Launch

In this video from the 2020 FAIR Conference, Harold Marcenaro, Head of Non-Financial Risk at BCP, Peru’s largest bank, tells how his risk management team supported a wider “digital transformation” initiative to bring the bank closer to customers. “Risk had to be practically pushing its own transformation to enable the bank’s wider transformation. … or eventually risk would become a blocker,” he says.

The team’s own transformative experience was moving beyond security by framework compliance to quantitative risk management through FAIR™. 


Watch the video: Support Your Company’s Digital Transformation during Times of Crisis. A FAIR Institute membership is required – it’s free to qualified professionals. Sign up now

The video is also available in Spanish: Por qué implementar FAIR para tomar mejores decisiones en la gestión de riesgo cibernético con Harold Marcenaro, Banco de Credito de Peru (BCP)


Harold Marcenaro was awarded the FAIR Champion Award at FAIRCON2020. Read about the FAIR Institute’s Annual Excellence Awards.


Marcenaro shared two documents of value to any team planning its own FAIR program. 

A FAIR program mission statement or charter 

This document should state in qualitative terms what the organization intends to achieve and set specific milestones and timelines for those objectives. It serves as both guidance for the FAIR team and a brief to management to justify the investment of people or resources (BCP engaged the RiskLens platform and consulting services).

BCP articulated five objectives in its charter:

  1. Aggregate the bank’s total loss exposure and learn how that breaks out among assets, products, etc. 

  2. Define a risk appetite. 

  3. Quantify specific risks and run cost/benefit analysis on mitigations.

  4. Understand how investment in enterprise-wide security initiatives would decrease loss exposure.

  5. Introduce FAIR-based tools into the decision-making process. “At the end of the day, if decisions aren’t made, any methodology is useless,” Marcenaro said. 

Here’s the complete text of the charter:

BCP FAIR Program Charter - FAIRCON2020

An agile project plan for FAIR quantitative risk management program launch

Following agile project management principles, BCP set up a squad with members from different functions in the bank. The squad worked in two-week iterations (sprints, to use the agile term) toward quarterly goals: training in Q1; quantifying 10 cyber risk scenarios under RiskLens guidance in Q2, to support one or two tactical decisions; quantifying 10 more on their own in Q3; and quantifying 100 risk scenarios in Q4 to establish FAIR as an ongoing tool for decision making, with a stretch goal of establishing a risk appetite.


BCP Bank FAIR Program Project Plan FAIRCON2020

Throughout the process, Marcenaro’s team has been building out the “data helpers” on the RiskLens platform to store data for repeated use in answering risk analysis workshop questions. “That’s key to scaling up,” he said. 

“We’re very excited about this program and managing cybersecurity as a risk, not as a technical problem,” Harold concluded.

