Third Party Risk
Protecting your business from supplier vulnerabilities

Internal Risk and Controls
Customised Control Assurance to meet your Strategy

Regulatory Compliance
Meeting the challenges from today's tough Regulators
Our Products

Third Party Assurance
Process, Tools, Control sets. Tailored for threats specific to each supplier.
The ever-increasing use of Outsourcing, Cloud and Third Parties brings benefits but also Risks. Our proven processes and tools can be combined with control sets from a broad range of Industry Standards...

Internal Controls Assurance
Process, Tools, Control sets. Tailored for threats specific to your strategy. Controls to satisfy the most vigilant regulators across the globe.
Our team can perform the assessments of Third Parties, examining the key controls and processes and ensuring you have the right level of oversight...

EU General Data Protection Regulations
Planning, Processes, Profiling and Tracking Tools, tailored to the threats specific to your business, to get you compliant within the pressing timeframe.
GDPR will radically change the way you manage customer data, how you respond to events, and how you communicate with your customers...

Third Party Assurance Execution
Planning, Process, Profiling and Tracking Tools and Control sets for rapid clarity on residual risk.
Our team can perform the assessments of Third Parties, examining the key controls and processes and ensuring you have the right level of oversight and a clear understanding of what risks you are bearing.

Information and Cyber Security
Preventing loss of your Confidential data
Data Loss resulting from inadequate or failed internal processes, people and systems, or from external events, is no longer tolerated. Sophisticated DLP tools provide significant protection but do not cover the full breadth of the challenge...

Risk Management Services
Full Risk Management frameworks or rapid tactical requirements. Experienced risk professionals to solve Technology and Business challenges.
For effective Operational Risk Management, each enterprise must recognise, measure, and control its business risks...


Articles
Software and your Risk Management Culture
You are what you eat (and the hidden dangers of password reuse)
GDPR - It’s not about the money
Swiss GDPR with Jail time
"Only those who will risk going too far can possibly find out how far one can go." – T. S. Eliot
Do I always need to Fix my issues?


Software and your Risk Management Culture

The long-term success of your Risk Management uplift programme can depend more on the role you want your software to play than the functions and efficiency it will bring.
Most boards are now putting pressure on senior executives to increase management involvement in risk oversight. Strong risk management practices are becoming an expected best practice. Senior executives are often seen tackling this demand by better integrating risk management into the day-to-day activities of their organisation and attempting to forge some kind of risk management culture.
The culture programmes usually start well by defining what needs to change, by identifying some measures and assigning champions to drive it. However, it is quickly realised that keeping these activities up to the standard required is like spinning plates. All it takes is for one of the champions to leave the firm, or a temporary change in focus by the organisation, and the whole programme quickly grinds to a halt, leaving a legacy of proposals, processes and guidelines.
A common mistake is the failure to identify the expected behaviours when forming the risk management culture, and the failure to adopt a rigorous enough approach to transform current behaviours into the target behaviours. McKinsey’s “four building blocks of change”, a popular transformation model, stresses the importance of “reinforcing the change with formal mechanisms” and the criticality of deploying systems that support the new behaviours.
Forming the firm’s risk profile and ensuring all your risks are adequately controlled is a complex business for any organisation. Attempting to manage this on spreadsheets generally adds to the burden and is prone to mistakes when compiling data and reporting. To drive a robust risk management culture, you need role-based software that supports the accountabilities and responsibilities of each role, provides the crucial oversight, presents a workflow so everyone is working in the same way, and collates the data in a single repository from which to extract the wisdom.
There are many Enterprise Risk Management tools on the market; many are excellent, and most are very expensive. I believe that too many tools are executive-facing and focus on the plethora of charts that are available. But, to form a robust risk management culture, licence costs need to allow everyone to use the software because, until everyone is aligned to the working and behavioural practices, you do not have a culture.
Speak to us for more ideas and solutions: www.RiiSK.com


You are what you eat (and the hidden dangers of password reuse)

When it comes to personal information, if you thought you had already given all there is to give to Facebook, take some time to consider your candid use of nutrition and fitness apps, especially in light of the recent MyFitnessPal data breach. With 150 million usernames, passwords and email addresses stolen, MFP’s owner, Under Armour, is recommending customers change passwords on other sites where the same or similar login information is reused.
The details you provide about your eating habits and your exercise routines build a unique digital footprint of your life. There is a serious risk to your well-being should this data find itself in the wrong hands, especially if you link it to a fitness tracking app. US Military personnel using Strava to track their fitness routines were recently found to have accidentally disclosed enough data to locate their secret military base in Afghanistan.
The data you provide to these apps reveals both sensitive and personally identifiable information about you – even if your family no longer recognise “the new slim and fit you”. These patterns could be used to predict when you are away from home, for example; dietary needs can reveal medical conditions and indicate other sites you probably use, possibly with the same account credentials. Eventually, your whole life is reconstructed from your eating habits.
A recent survey by DigitalGuardian revealed that 61% of respondents reused passwords across multiple sites, generally driven by the difficulty of remembering them. With 49% saying they only reused passwords for “non-sensitive” accounts, this uncovers a serious emerging risk. It may start by signing up for a free app with little apparent risk, but when these apps become an integral part of your life, with upgrades to premium requiring credit card payment, links to other apps, and increased functionality with new releases, the threat grows rapidly.
Reducing password reuse is a difficult challenge, because reuse stems from a fundamental weakness of this authentication mechanism. However, the survey does demonstrate that a risk-based decision is being made, mainly around the sensitivity of the accounts. Unfortunately, the importance of reviewing risk frequently is often ignored; in this case: a) are these accounts still non-sensitive, and b) how many times have I reused these credentials?
Speak to us for some more ideas: www.RiiSK.com


GDPR - It’s not about the money

We are all doomed come 25th May 2018. All driven by an incremental change to a regulation we have been conveniently ignoring for 20 years. Most of us are not ready for the enforcement date of GDPR, we will all be fined 4% of our annual revenue and our businesses will collapse.
However, if we look back at the statistics and high-profile events of just last year we see a different story. The Data Protection Authority (DPA) for the UK, the Information Commissioner’s Office (ICO), freely provides statistics on the cases it has investigated and the resulting fines. During 2016, 17,000 cases were concluded, of which only 16 resulted in a fine. The maximum fine was £150,000, not the £500,000 ceiling specified by the current regulation. The Data Protection Authority for Italy, the “Garante”, recently handed out a fine of over €5m when the maximum penalty specified by law is €2.4m. And this is before GDPR is enforced!
By the way, the ICO is ramping up capability and statistics show that they have already concluded as many cases in the first half of 2017 as they did in the whole of 2016. So, start thinking of the probability of you being investigated.
That said, the importance of protecting sensitive personal data remains at the forefront of the public’s mind whether a personal concern, as a business’s operational risk or as a moral obligation. An interesting ICO statistic, from a 2016 survey, indicated that less than a quarter of the population trust companies with their data. Trust is the foundation of a sale. Given that most DPAs now provide Data Subjects with an easy online interface to share their grievances, and the publicity that this may attract, are we seeing an emergent risk to business reputation?
Everyone has a lot of work to do, it seems, and the advised risk-based approach provides the value and the focus needed. As someone who has had the responsibility of protecting personal information in a Swiss Bank, under the threat of a prison term, I can tell you, the road to acceptable risk is long.


Swiss GDPR with Jail time

Switzerland is widely recognised for its Banking Secrecy and, while these laws may be the cornerstone for wealth management for some of the richest people in the world, they have been widely criticised across Europe and the US for the lack of fiscal transparency.
Under continued pressure from foreign entities to revise these laws, it is worth noting that these are based on the fundamental rights of Swiss citizens through Article 13 of the Swiss Constitution:
- Everyone has the right to respect for his private and family life, his home, his correspondence and relations established by post and telecommunications.
- Everyone has the right to be protected against the misuse of data concerning him.
It is also worth noting that the US has no such fundamental protection for its citizens in its Constitution and the UK doesn’t even have a Constitution. It may surprise you to learn that among the few countries protecting a citizen’s right to privacy in a Constitution is China.
However, with the advent of the EU GDPR, Switzerland has realised that the current data privacy laws are not sufficient for today’s data-centric world. In December 2016, the Federal Department of Justice and Police announced a revision with the objective of being in line with the EU Directives 2016/679 and 680 (1). This will further promote the easy exchange of data between Switzerland and the rest of the EU. No target date has been provided for the completion of the project.
At first glance the sanctions may seem rather paltry at a maximum fine of CHF 500’000 (EUR 440,000). However, it is worth reminding your board that, due to the intricacies of Swiss law, transgressors are at risk of personal criminal prosecution and this may include a prison term. There is further concern for companies processing personal data as Swiss law also dictates that the burden of proof will remain on the Data Controller.
As someone who has had the responsibility of protecting personal information in a Swiss Bank, under the threat of a prison term, I can tell you, the road to acceptable risk is long.


"Only those who will risk going too far can possibly find out how far one can go." – T. S. Eliot

You don't have to look too far to find a list of great quotes about taking risk. These quotes are tossed around at all sorts of business seminars, self-improvement experiences and coaching events. We enjoy them, we use them to motivate ourselves and to push ourselves outside of our comfort zone.
Our awareness of risk often starts with a dare when we are young - we look at the challenge, we sniff the glory, we make a brief assessment of the potential bodily harm and then we jump. Risk permeates everything we do and later in life we learn that assessing risk in pursuit of opportunity is fundamental to a good business strategy and many firms go to great lengths to assess that risk before making the leap. They document the risks, how far they are willing to go, and how to detect when it's all about to go wrong. And they communicate the mission, the performance targets and how the whole organisation can contribute to the success of the firm.
Now, firms seem to have mastered the performance measurement of staff but what about the risks? Considering the many studies about how performance and risk are intrinsically linked, are we seeing the cascade of responsibilities for risk in the same way as the mission is cascaded down across the organisation? Recently, I heard an organisational head say "I don't own the risk, risks should be owned by the risk management team". Is that a good recipe for an integrated risk culture?
We believe that, to ensure continuous assessment of risk, we need to be mindful of the strategic risks, aware of how the actions within our organisational unit affect those risks, and have visibility of how those risks are constantly changing. How will we know “how far one can go” if we don't know how far is "too far"?


Do I always need to Fix my issues?

The text books tell us we have 4 T’s when it comes to Risk Control - Transfer, Terminate, Treat, Tolerate.
Transfer: Usually involves some form of Insurance. I understand well the concept of Insurance, and of course there are times when this is the right action. But I can count on one hand the number of times when ‘Transfer’ was an appropriate action. Years ago, ‘outsourcing’ was seen as a way to transfer the risk, but I think we have all seen the folly of that view, and understand that the ‘impact’ still stays with us even after outsourcing and that we, as Risk Managers, must extend the reach of our Risk assessments to encompass our offshored, outsourced or cloud suppliers.
Terminating: Eliminating an inherently risky process, or one for which the ‘treatment’ of the risk is not cost effective. Whilst a very attractive approach, it is one which is often overlooked; it calls for a holistic view of risk.
Treating: Changing (or controlling) a process to reduce the likelihood of a risk occurring. One can argue that it is also possible to control the impact of the risk. Whilst this is certainly true, I see, too often, optimistic predictions of the reduction of the impact of a risk.
Tolerating: Usually means we have decided to take no action. This may be because of a cost-effectiveness calculation, or because the risks are deemed too low to warrant action (implicitly or explicitly, the risk is within appetite). Tolerating often employs some sort of Risk Acceptance or Risk Waiver. I would encourage the use of both within an organisation. All too often we have seen Risks being ‘dropped’ because they don’t warrant Risk Acceptance before a formal Risk Committee. No-one wants to take a trivial risk to the Risk Committee. So why not have a two-tier risk tolerance? A Risk Owner, alone or perhaps with a Risk Manager, can accept a lower risk with a simple waiver, leaving more impactful risks to be escalated to the Risk Committee. It is important to continue to monitor these risks until the next review. A change in the risk may warrant a change in approach.
The Leadership Team

Steve Watkins Founder and Director
Steve is the former Global Head of IT Risk and Controls at JPMorgan. Under Steve’s leadership, the bank achieved ‘reference bank’ status for IT Controls with Swiss Regulator FINMA and the first issue-free external audit by Singapore Regulator MAS...


RiiSK Privacy Policy
What information do we collect?
We collect information from you when you register on our site, fill out a form, or through business contact.
When ordering or registering on our site, as appropriate, you may be asked to enter your name or e-mail address. You may, however, visit our site anonymously.
What do we use your information for?
Any of the information we collect from you may be used in one of the following ways:
- To personalize your experience (your information helps us to better respond to your individual needs)
- To improve our website (we continually strive to improve our website offerings based on the information and feedback we receive from you)
- To improve customer service (your information helps us to more effectively respond to your customer service requests and support needs)
- To send periodic emails
The email address you provide may be used to send you information and updates pertaining to occasional company news, updates, related product or service information etc.
Note: If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email.
- To administer a promotion, survey, contest or other site feature
How do we protect your information?
We implement a variety of security measures to maintain the safety of your personal information.
Do we use cookies?
We do not use cookies.
Do we disclose any information to outside parties?
We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential. We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
Third Party links
Occasionally, at our discretion, we may include or offer third party products or services on our website. These third-party sites have separate and independent privacy policies. We therefore have no responsibility or liability for the content and activities of these linked sites. Nonetheless, we seek to protect the integrity of our site and welcome any feedback about these sites.
Your Consent
By using our site, you consent to our privacy policy.
Changes to our Privacy Policy
All changes to our privacy policy will be posted on this page. This policy was last modified on: 09/09/2018
Contact Us
If there are any questions regarding this privacy policy, you may contact us using the information below:
customer.service@riisk.com
RiiSK LTD
77 Braemar Drive
Christchurch
Dorset
BH23 5NP
United Kingdom
RiiSK S.A.
Rue de Lausanne 37
CH 1201 Genève
Switzerland
Steve Watkins:
CH +41 79 652 6338
Steve.Watkins@riisk.com
About RiiSK S.A.
RiiSK is a specialist services and software company, with proven approaches for integrating Risk Management into business processes. We deliver agile and cost-effective Strategies, Programs and Software Solutions. Just as the Mission and Objectives are cascaded through the organisation to maximise performance, we strive to achieve the same impact by cascading the Operational Risks that may jeopardise achievement of those goals. By using a risk-based approach to design and implement the appropriate controls at the first-line, we encourage ownership, optimise the control effectiveness and drive cost efficiency. We are based in Geneva and London.

