RIKKI SORENSEN - CISA, CISSP
Risk Management Professional
An accomplished assurance and enterprise risk management professional, with over 12 years of experience in multiple risk management domains within the 3 Lines of Defense risk governance model, including; Enterprise Risk Management (ERM), Operational Risk Management (ORM), Internal Audit, Internal Controls and corporate governance and compliance. Experienced in Governance, Risk and Compliance (GRC) frameworks, standards and approaches, I have expertise in the alignment of governance, enterprise risk management and compliance processes to organizational strategy and its risk appetite. Holding various risk and assurance leadership roles, I have found success building relationships in federal, provincial, financial and private organizations, to develop an understanding of business objectives and assess enterprise level risks.
As an effective communicator and an industry subject matter expert, I have been privileged to speak and present at several industry events including being selected as one of IIA North America’s All Star Speakers.
AREAS OF EXPERTISE
■ GRC frameworks and risk management processes and methodologies including Risk and Control Self Assessments, Risk Appetite Frameworks, related tolerances and metrics.
■ Auditing and assurance of corporate risk governance, project and program risk management and performance, internal controls, policy frameworks.
■ Enterprise and Operational Risk Management taxonomies, Crisis Readiness, Business Continuity Management Systems and Cybersecurity Frameworks.
■ Working within a 3 Lines of Defence risk governance model interfacing with management, internal control teams, 2nd line of defence risk management and Internal Audit.
■ Maturity assessments and benchmarking in various operational domains including, enterprise architecture, cyber security, privacy, internal controls, corporate governance.
■ Corporate Risk Governance model and the IIA’s International Professional Practices Framework (IPPF) and relevant guidance.
■ Federal and financial industry regulations including OSFI guidance, TBS Policies and Standards, COSO, Privacy Act, etc.
■ Developing and advising on risk management frameworks, tools and methods to senior leadership.
■ Enterprise architecture and business architecture leveraging business capability modelling and mapping.
Rikki Sorensen - Risk Management Professional
C anada Mortgage and Housing Corporation, Ottawa, ON, 2016 - March 2020 Canada Mortgage and Housing Corporation (CMHC) is Canada’s national housing agency, providing mortgage liquidity, overseeing assisted housing programs and providing housing insight and research. Role – Sr. Manager / Advisor - Internal Audit
Reporting directly to the Chief Audit Executive (CAE), I was responsible for leading a team of senior auditors in executing annual audit plans focused on high risk areas of CMHC operations. Areas of responsibility include performing annual audit planning, consulting with senior leadership, board members and various internal enterprise and operational risk management teams to draft a comprehensive view of all enterprise risks and audit projects. SELECTED ACCOMPLISHMENTS
■ Enhanced CMHC s annual risk based audit planning framework and process, leveraging corporate Risk Appetite Framework, risk tolerances, enterprise risk taxonomies and risk modelling
■ Planned and oversaw the completion of annual enterprise cyber security audits, leveraging applied risk based audit techniques resulting in increased CMHC cyber resilience and reduction in CMHCś overall cyber security risks posture
■ Overseeing audits on risk governance and risk appetite, corporate governance, program implementation, technology strategy and transformation, cyber security, privacy, enterprise architecture and compliance.
■ Planning, coordinating and supervising the conduct of the audit work performed by several teams of auditors and ensuring compliance with professional audit standards.
■ Coaching and mentoring a team of internal audit professionals Raymond Chabot Grant Thornton (RCGT), Ottawa, ON, 2012 - Apr 2016 RCGT is a Quebec based firm who specializes in delivering top-tier assurance, IT audit, cyber security and management consulting and reorganization services for dynamic organizations and public entities. Role – Practice Lead, Audit and Assurance / Cyber Security Lead of a dedicated IT audit and cyber security consulting practice area, guiding the multi-disciplinary team using a focused approach to support client needs in IT risk management, developing IT audit programs and risk assessments, conducting IT, cyber security, data security and IT compliance based audits, developing organizational IT security frameworks and architectures, operational risk management, client security management and business resilience. SELECTED ACCOMPLISHMENTS
■ Developing risk based Audit Plans, Programs and audit roadmaps leveraging IIA guidance on developing Risk Based Audit Plans.
■ Validated and advised on Global Cyber Risk and Security Strategy for a large multinational organization with 130+ global locations.
■ Conducted 3rd party audit and compliance reviews for financial clients.
■ Led complex Technology Transformation Program Audits ($100M+) including, IT strategy, performance management, system and business architecture, business process re-engineering.
■ Designed and implemented IT Security Assurance and Risk management frameworks, standards and performance benchmarking for complex client environments and projects.
■ Led standards-based audits/assessments following ISO 27001/2, NIST, SANS CSC and COBIT Cygnos Consulting, Ottawa, ON, 2009 - 2012
Cygnos is a boutique IT assessment and audit consulting firm specializing in providing audit and assessment services, applied IT, Cyber, information security design, for public and private companies. Role - Senior Cyber and Assurance Consultant
Responsible for providing IT Audit, security assessment and audit advice to management teams and clients. This included leading the conduct of business resilience risk assessments, IT audits and IT security architecture and program reviews for federal, provincial and health care clients. Additional accomplishments include managing the delivery of audits, risk assessments and control assessments in complex technical and operational environments. Rikki Sorensen - Risk Management Professional
PROFESSIONAL EXPERIENCE CONT .
National Capital Commission (NCC), Ottawa, ON 2008 - 2009 Role - Senior Risk and IT Security Consultant / Advisor A Senior Risk and IT Security Specialist and advisor providing IT audit and security advice and conducting risk assessments assessments to improve and support risk management goals and targets. In this role I conducted risk assessments in support of national events, reviewed and supported business continuity management systems, and conducted risk assessments and Privacy Impact Assessments on various technical, physical and operational processes and environments.
PROJECT MANAGEMENT EXPERIENCE
A strategic project manager with strong interpersonal, communication, problem solving and decision making skills. Demonstrated experience leading and motivating teams to drive projects to successful completion.
■ Drafted technical and business audit reports and documentation for clients and stakeholders including executive committees, deputy ministers, network, systems and security engineers and technologist, auditors and privacy professionals
■ Leading on-site meetings, discussing project progress with project authorities, sub-contractors vendors, and stakeholders to identify and resolve any issues/problems impeding smooth workflow or project deadlines
■ Managed project budgets up to $200k and project deadlines leveraging project management and tracking tools and reporting templates
THOUGHT LEADERSHIP AND INDUSTRY ENGAGEMENT
An experienced public speaker and thought leader in risk, audit and assurance practices and methodologies, I have been privileged to engage industry leaders and peers alike. Speaking engagements include;
Institute of Internal Auditors (IIA) North America, All-Star Conference, Florida – Oct 2015
CPA Ontario, Public Sector Day - May 2016, Ottawa Conference and Event Centre - Ottawa
Information Systems Audit and Control Association (ISACA), Ottawa Chapter – January 2015
Institute of Internal Auditors (IIA) of Canada, National Conference, Ottawa - November, 2014
International Association of Privacy Professionals (IAPP), Canada Privacy Symposium, Toronto - May, 2014
Institute of Internal Auditors (IIA) (Management Track) of Canada, Ottawa - May, 2013 INDUSTRY CERTIFICATIONS & TRAINING
Certified Information Systems Security Professional (CISSP)
Certified Information System Auditor (CISA)
RIMS-CRMP prep courses
OSFI Regulations and guidance and advisories including ORM Guidance
LEAN Six Sigma Yellow Belt / Business Process Improvement
Sherwood Applied Business Security Architecture (SABSA)
The Open Group Architecture Framework (TOGAF) Enterprise Architecture
COBIT 5 and various ITAC and Technology Assurance Frameworks EDUCATION
Diploma in Information System Security (ISS) Algonquin College, Ottawa, Ontario
Level IV Certification - Information Technology Management Gold Coast Institute of TAFE, Australia Rikki Sorensen - Risk Management Professional