Managing risks in a changing IT world: the role of Risk Management
Jasmin Carlson, Risk Manager at Rabobank
A new application to share files digitally. A USB token to unlock your computer. Storing privacy-sensitive information in the cloud. Risk Manager Jasmin Carlson, together with her colleagues, determines what is and is not allowed.
Ensuring that everyone can continue to do their job
“Within Dynamic Risk Management, we proactively assess operational risks, changes within systems and incidents. We look at whether the mitigating measures we have taken are still sufficient. These are measures by which we reduce security risks to a minimum. You can never eliminate risks completely, but you can reduce them to a minimum. Just like you have a lock on your door at home, for example, or a strong password on your computer.”
“We not only assess the risks of applications and systems, but also the external parties we engage with. How good is their security? What is the impact of a change? And how is privacy-sensitive information handled? It is an ongoing process. In the Dynamic Risk Cycle, we identify critical processes and make sure everyone can continue to do their jobs.”
“When the corona crisis started, there was suddenly a great demand for software to meet digitally and to exchange information. We used to use Skype, but it didn’t suffice on this scale. You have to find something else. We assess the risks of alternatives that fit within Rabobank’s policy, such as Zoom and Microsoft Teams. When using these types of cloud services and collaboration software, we advise on setting up 2-factor authentication, for example.”
Just like a doctor
How does Dynamic Risk Management work in practice, we ask Jasmin. “We look at the AIC classification, the Availability, Integrity & Confidentiality. We also do a privacy impact analysis. If it goes into the cloud, then additional research is done by the cloud risk assessment team. When we put something live, we want it to be of real use to us, but we also want it to be secure, so that we are not vulnerable to hackers, for example. Cyber security and privacy are very important, especially at the bank.”
“With new applications, or if there is a major change within certain existing software, we look at the pros and cons. Is the security in order? Are the right controls in place? I’m the contact person and bring all these processes together in a risk assessment. In fact, I am a kind of general practitioner. If I don’t know something exactly, then I refer you to a specialist. In the field of privacy, for example, or security. By consulting with other experts, I also gain new knowledge that I can later use in my ‘diagnoses’.”
From Risk Professional to Risk Manager
“I started working as a Risk Professional in May 2019. In this role you support the Risk Manager in the risk cycle by collecting information and preparing risk analyses. I was given a warm welcome at Rabobank. It’s a very pleasant culture. Everyone is friendly and you can ask anything. That’s the way I was brought up. There are no stupid questions, except the ones you don’t ask.”
Collaboration is in Jasmin’s blood. “I played softball at top-level sports. Here, too, you stand strong together as a team. You celebrate your successes together, but you can’t always do everything right. This is what a team sport is all about: you learn to admit your own mistakes, but you also learn how to help each other when something can be done better.”
“Through good coaching, I have been able to take the next step and became a Risk Manager in November 2019. As Risk Manager, you provide the business with advice. It is an interaction. We have a monitoring plan and identify and assess the risks together. That way we know not only which mitigating measures have been effectively implemented, but also which areas need more attention.”
“In addition, I support our current Risk Professionals, so that those who want to progress get the same opportunities that were given to me. This is how it’s done at Rabobank. I think all my colleagues experience it that way. You get the chance to make the most of it. Sometimes you don’t even realize it”, Jasmin says with a smile.
“I like to pass on my knowledge. That’s where my top-level sports history comes in. I was about 14 years old when I started playing major league softball, with ladies who were 10 to 15 years older than me. They supported me in every way. Now I am older myself and train our youth. With the right guidance and instructions, they progress immensely. They are all just as eager to learn as the Risk Professionals I coach at Rabobank. That motivates me. After all, knowledge is worth nothing if you don’t share it.”
Creating stories that everyone understands
“To do this work, you have to be, above all, an all-rounder. Someone who is a fast learner, someone who knows a little about every subject and who can make connections. You make the translation between the IT world and non-IT. You don’t just carry out the assessment, but you also have to explain it well. You have to turn it into a story that everyone understands.”
“The work is really diverse. You look at the privacy aspect, the business continuity aspect, risk management, and so on for every application. Every day is different. I can use my expertise in many different activities. Sometimes it’s about communication, as in the case of e-mail traffic, and another time we’re working on the tokens you need to be able to log in at all. I find it very interesting that the IT world is constantly changing and renewing itself. Every day there is something new that you can learn from.”
What does the future hold?
“I’m from the 1990s, when technology was on the rise. Everyone got a computer at home and after school you would play games. My generation is used to making full use of technology. The corona crisis made us work differently and much more efficiently in that area. I think it has brought about an interesting technological improvement.”
“In a very short period of time, we set everything up so that everyone could easily work from home. I think eventually we are going to find a balance between working partly in the office, but mostly at home. Even though you won’t run into each other at the coffee machine anymore, we’ve managed to keep in touch so far. I work from home, but rarely a day goes by without me talking to someone.”