Risk Management: Syniverse Data Breach

Instructions:

Please write in accordance with the standards of "Meets or Exceeds Expectations". I will make additional payment if the number of words you write exceeds the number of words I require. This class is very important to me. I hope you can take it seriously and look forward to cooperating with you in the future!
If you have any questions, please feel free to ask.
I will upload the courseware for lectures 1-4 to help you with this work later.

Assignment 1: Risk Identification, Assessment, Response (Action plans) and Monitoring (KRIs) 

Assignment Objective: Learning Outcomes (L1, L2 & L3): Demonstrate your ability to understand, discuss and evaluate the COSO Internal Control Framework and COSO ERM Framework principles. Apply these concepts, terminology and methodology to risk-assess a real-life risk event.

Utilize the required reading and class material to demonstrate your understanding of Sessions 1, 2, 3 & 4. Use the optional reference material provided in Canvas and online research to risk-assess the event.

  • Risk Identification (root cause analysis, including risk factors: triggers and conditions)
  • Risk Assessment and Measurement: assess Inherent Risk (Impact x Likelihood, with rationale), assign a Control rating (with rationale, mapping the control weaknesses to the COSO Internal Control and/or COSO ERM frameworks), and derive Residual Risk
  • Risk Mitigation and Corrective Action Plans (projects/plans to strengthen the specific control weaknesses identified above)
  • Risk Monitoring: establish KRIs around the risk factors identified in the root cause analysis above
    • COSO KRI paper entitled “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, provided in Canvas files (see the sections on developing KRIs, sources of information when developing KRIs, and KRI communication and reporting)
    • Other required and optional material provided in the syllabus and as class material

Step by Step Approach and Rubric for Grading: 

Select one real, material risk event of a public company from recent news (within the past 2 years, if possible) 

Note: It cannot be a risk event already discussed in the discussion (Homework) in Canvas. Create a Board report to identify, assess, respond (action plan) and monitoring (KRI) frequency. Students are expected to develop original work. 

The material risk can be non-financial (operational, model, vendor, cyber) or strategic or financial risk (credit, market, liquidity/funding). Please note that Reputational Risk is always a secondary or tertiary knock-on effect, so please do not select it.


Material Risk is a designation that (typically in a particular regulatory context) indicates that a certain risk is of sufficient significance for an organization that it must be managed following certain minimum criteria.  As part of Capital Adequacy Assessment Process, regulated financial institutions must identify and manage all their material risks.

(15 points): Risk Event Selection Process: How do you ensure the risk is material? For this, determine the Inherent Risk to the company: adapt the Likelihood and Impact ratings in the Session 2 slides to your company’s size, complexity, and business risk profile. To derive the materiality of the inherent risk, follow the instructions provided in class. If you have questions, ask us after you have documented your Impact rationale and Likelihood rationale in the discussion forum. This is the most important step, as you don’t want to select a minor incident to report to the Board.

  1. Using the Impact x Likelihood scale, with a rationale for each, determine whether the Inherent Risk rating is in the Critical/High range. This is generally the range of material risk, and it is important enough to be mitigated and reported to the Board, even if it is well managed/monitored and the controls are strong.
  2. Make sure you have enough information (from the news or through research) to perform a credible Bow-tie root cause analysis.


  1. (30 points): Identify the Risk Factors, Risk Conditions & Risk Consequences: For the selected material risk, conduct the root cause analysis with a Bow-Tie diagram, using the Session 1 Titanic template, and include the Risk Factors (Blue: trigger events, root causes; Green: conditions, root causes), the Risk Event (Red), and the Consequences (Yellow: consequences and end event (loss)).

(5 points): Describe the risk: Summarize in two sentences. (Describe who, what, when, why and how- root cause).

(10 points): Assign a Control rating by identifying at least two controls that, in your opinion, were absent or weak. This is the control weakness/vulnerability/failure that was exploited and most likely contributed to the risk materializing.

  • Control Effectiveness Rating: use the Control Effectiveness Rating provided in Slide 2 and the Inherent Risk vs. Control matrix (in blue). This will give your residual risk rating.
  • Control Rating Rationale: identify at least two control weaknesses that contributed to the risk event materializing. This is the control weakness/vulnerability that was exploited or that contributed to the event.
  • COSO Internal Control- 17 principles, Sample internal Controls & Summary with Examples (Sessions 1 & 2)
  • Revised COSO ERM Framework – 20 Principles (Session 3)


(5 points): Residual Risk Rating with Rationale, in the case of #1 below.

Depending on when the risk event has taken place, this may include the results of mitigation projects.

  1. If the risk event took place 1+ years ago, the residual risk may reflect that some control weaknesses have already been addressed by management. If that is so, you should clearly explain your rationale.
  2. If the risk event took place within the past few months, it is possible that the CAP is still in progress and is being monitored until the risks are mitigated to within appetite.


(10 points): Establish a minimum of two Corrective Action Plans (projects) + expected completion timelines.

A plan to correct (reduce/mitigate) an identified control deficiency risk to an acceptable level, along with a completion timeline. An action plan can include creating a NEW control or enhancing an existing, weak control. These can be projects/plans to strengthen the specific control weaknesses identified above, generally around the risk factors (triggers and conditions).


(5 points): Assign a Risk Owner for the Corrective Action Plan (CAP): the accountable person who owns the process where the risk materialized. The CAP owner takes actions, monitors, and periodically reports to senior management on the progress made, on a monthly or quarterly basis as needed.

  1. Define what roles and departments should be involved


(10 points): Establish Monitoring (KRIs and/or KPIs):

  1. Early warning signals (cause-related KRIs or exposure-related KRIs), or
  2. Lagging indicators (loss-related) or performance/action indicators (KPIs).
  3. Provide the KRI description, measure, and thresholds (in terms of Red, Yellow, and Green).


  1. (5 points): Assign a sub-committee responsible for, and a reporting frequency for, monitoring the effectiveness of the mitigation/CAP for the control deficiencies.


  1. (5 points) Professional Writing (written slides):
  2. Structure, development, and consistency of the presentation: organization, flow, and coherence of ideas.
  3. Risk identification and supporting analysis.
  4. Correct use of the terminology and concepts taught in class.
  5. Grammatically correct and clear layout of the presentation.

Cite references in footnotes or endnotes.


Sample Content Preview:

Syniverse Data Breach
Syniverse is a Florida-based multinational telecommunications company with a broad client base that includes companies such as América Móvil, Verizon, and China Mobile, among others (Kovacs, 2021). One of the material risk events that the company has experienced in the past two years is a data breach. In this report, the COSO Internal Control Framework and COSO ERM Framework principles are used to assess the Syniverse data breach.
Risk Event Selection Process
In order to understand the risk posed by a data breach, it is essential to consider the inherent risk that a data breach poses for Syniverse as a company. According to COSO, inherent risk is the risk that a business is likely to experience before the organization implements actions to lower the risk’s effect on the organization. In order to understand the materiality of the inherent risk resulting from a data breach, the Likelihood and Impact ratings can be adapted to assess the inherent risk with respect to the (1) company’s size, (2) complexity, and (3) business risk.
Inherent risk matrix (Likelihood rows x Impact columns):

Likelihood    Minor      Moderate   Significant   Severe     Catastrophic
Imminent      Low        Moderate   High          Critical   Critical
Frequent      Low        Moderate   High          High       Critical
Occasional    Very Low   Low        Moderate      High       High
Infrequent    Very Low   Very Low   Low           Moderate   Moderate
Rare          Very Low   Very Low   Low           Low        Moderate

From the qualitative analysis of the inherent risk that a data breach poses to Syniverse’s size, the inherent risk can be classified as catastrophic, given the sensitivity of the clientele to incidents that threaten to expose customer data. To this end, there is an inherent risk that clients will seek services from competitors at the expense of Syniverse’s growth. In addition, the inherent risk that the company faces due to a data breach can be classified as critical, as the government can impose a fine that could adversely affect the company’s size.
With regard to complexity, the inherent risk posed by the data breach can be considered critical. Increasingly, hackers are advancing the technological tools that they use to conduct cyber-attacks. Failure to address the issue places the company in a situation where the initial investment required to deal with the problem will be very high.
The inherent risk of the data breach to the business is high. To this end, the Board has to consider that the negative publicity surrounding a data breach may dampen the company’s ability to retain existing customers and attract new ones. From the analysis, it is evident that the data breach poses a significant inherent risk that should be addressed.
Bow Tie / Root Cause: Syniverse Data Breach (diagram; labels recovered from the page: Data Breach, Cyber Attacks, Compromised System, Vulnerable Systems, Customer Mistrust, Business Interruption, People, Blackmail, Fraud, Equipment Failure, Unintentional Attacks, Technology Failure, Human ...)