Tuesday, 10 June 2014

PRMIA Seminar on Enterprise Risk Management

The Professional Risk Managers' International Association (PRMIA) was established in 2002 by a volunteer group of risk industry professionals; PRMIA's mission is to provide a free and open forum for the promotion of sound risk management standards and practices globally. PRMIA and the Department of Management Science, City University of Hong Kong, co-organized a seminar on Enterprise Risk Management (ERM) on 9 Jun 2014.


The first speaker was Dr. Danny Ha (Chairman & Founder, Academy of Professional Certification (APC)), and his presentation topic was “Privacy Impact Assessment (PIA) and ISO 31000 for ERM”. Dr. Ha quoted the ISACA Newsletter (Vol.11: 21 May 2014), in which “ERM” and “Information Security and Privacy Program Efforts” were ranked among the top ten Internal Audit Priorities for 2014.


Dr. Danny Ha introduced Privacy Impact Assessment (PIA), which covers Personally Identifiable Information (PII), Personal Health Information (PHI) and Personal Financial Information (PFI), and IT Audit. The differences between a Privacy Audit and an IT Audit were discussed, and a comparison of their focus was shown in the following table.


Five reasons why an organization undertakes a PIA were given:
i) Identifying and managing risks
ii) Avoiding unnecessary costs
iii) Inadequate solutions
iv) Avoiding loss of trust and reputation
v) Meeting and exceeding legal requirements
Cyber risks and cybersecurity were discussed with the following diagram.
Then Dr. Ha quoted Prof. Edward Humphreys (Father of the ISMS Standard), who said that the biggest risks came from IoT, Cloud and Big Data.


After that, Dr. Danny Ha described ISO 31000, which acts like an umbrella covering the different management system standards. Most organizations applying ISO 31000 had an inherent reason to bring a culture of risk into their business life cycle. Finally, Dr. Ha said that PIAs and privacy audits were not only becoming more common in response to these risks, but were likely to grow. Business system developers must be aware of privacy and security controls in their business systems acquisition and/or application development methodology. Dr. Ha alerted us that WhatsApp / Facebook privacy problems existed and that you had better remove your private information from your mobile.


The second speaker was Ms. May Tsue (Company Secretary and Manager of the Accounting and Administration Department, CNOOC Insurance Limited), and her presentation was titled “Captive Insurance and How to Control the Risk in the Group”.


Firstly, Ms. Tsue explained Captive Insurance as a provider of insurance for the customers of its parent company. She said: “A bona fide insurance (insurance made or done in an honest and sincere way) or reinsurance company owned by a non-insurance company parent and which insures or reinsures the risk of its parent and/or affiliate companies.”

The parent company board's objectives are “Motivate risk management”, “Save money/cost”, “Capture profit and investment”, “Disciplined self-funding”, “High management awareness”, “Transparency” and “Tax environment”. There were five types of Captive: “Single Parent”, “Group”, “Association”, “Rent-a-Captive” and “Risk Retention Group (RRG)”.


Two typical structures of Captive were indirect business and direct business, which were shown in the following diagrams.



Ms. Tsue briefed that a captive insurer, once formed, could have a 50% tax deduction on Profit Tax, to build wealth and to retain risk. The costs to set up and run a captive insurer were shown in the following diagram.


At the end, Prof. Mike K.P. So (Co-Regional Director Hong Kong, PRMIA) gave the closing speech.


Reference:
PRMIA - http://www.prmia.org/
Meeting with Prof. Edward Humphreys (Father of ISMS Standard) - http://qualityalchemist.blogspot.hk/2012/06/meeting-with-prof-edward-humphreys.html


1 comment:

  1. Thank you for sharing these important messages. Most PIA audits were not done in the right way or applying the correct methods, causing higher risks and dangers to our society. ERM ISO 30010 is the world standard for PIA and privacy controls.
    -- Danny Ha, APC
