Enterprise IT Governance with COBIT – Part V: Risk IT Framework • Dr. Yue “Jeff” Zhang 张跃博士 • California State University, Northridge
Outline of the Course • IT governance overview • COBIT 4.1 overview • COBIT 4.1 framework • Val IT • Risk IT • COBIT Practitioners Guide • Information Security Guide to the Board • COBIT 5
What is risk management? “Is the identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” — Wikipedia
Who is a risk manager? • We all manage risk • Life and business are complex, but risk management should be simple • Use risk management approaches to make business simpler • Use the right tool for the job
Risk management tenet • Managing risk to business performance against specific objectives ENABLES businesses to achieve those objectives • Changing situations may bring gain or loss • Risk management ENABLES businesses to stay on the right track and to seize opportunities • Risk management should improve agility, making it safer to move in a changing environment • “Human immunity” analogy
Why Care About IT-related Risk? • Enterprises are dependent on automation and integration. • Need to cross IT silos of risk management. • Important to integrate with existing levels of risk management practices.
Manage and Capitalize on Business Risk • Enterprises achieve return by taking risks. • Some try to eliminate the very risks that drive profit. • Guidance was needed on how to manage risk effectively.
Two views of business-related IT risk • IT is a tool that can be used to enable the business • To seek better outcomes by reducing risk to the business • Through improving consistency, complying with controls, and reducing errors • IT is a tool that can break, be used inefficiently, or cause harm if misused or exploited maliciously
Risk IT: A Balance Is Essential • Risk and value are two sides of the same coin. • Risk is inherent to all enterprises. • BUT • Enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk. • COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk • Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.
Purpose of Risk IT Framework • The Risk IT framework explains IT risk and enables users to: • Integrate the management of IT risk into the overall ERM, thus allowing the enterprise to make risk-return-aware decisions • Make well-informed decisions about the extent of the risk, and the risk appetite and the risk tolerance of the enterprise • Understand how to respond to the risk • In brief, this framework allows the enterprise to make appropriate risk-aware decisions.
Benefits/Outcomes of Risk IT The benefits of using Risk IT include: • A common language to help communication among business, IT, risk and audit management • End-to-end guidance on how to manage IT-related risks • A complete risk profile to better understand risk, so as to better utilize enterprise resources • A better understanding of the roles and responsibilities with regard to IT risk management • Alignment with ERM • A better view of IT-related risk and its financial implications • Fewer operational surprises and failures • Increased information quality • Greater stakeholder confidence and reduced regulatory concerns • Innovative applications supporting new business initiatives
What Risk IT Offers • Provides guidance to help executives and management ask the key questions; make better, more informed risk-adjusted decisions and guide their enterprises so risk is managed effectively • Helps save time, cost and effort with tools to address business risks • Integrates the management of IT-related business risks into overall enterprise risk management • Helps leadership understand the enterprise’s risk appetite and risk tolerance • Provides practical guidance driven by the needs of enterprise leadership around the world
Risk IT: Extends Val IT and COBIT Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.
Covers IT-related Risk Management • Risk IT is not limited to information security. It covers all IT-related risks, including: • Late project delivery • Not achieving enough value from IT • Compliance • Misalignment • Obsolete or inflexible IT architecture • IT service delivery problems
Risk IT is unique Provides a balanced view of an enterprise’s IT-related business risks: • Focus on the intersection of business and IT • Unifies silos of IT-related business risk, including value, change, availability, security, project, and recovery • Links with enterprise-wide risk management frameworks (COSO ERM, ISO 31000, etc.) • Enables a business activity and process view of IT-related business risk
Key values to YOU Enterprises can use the framework and guide to: • Assess, align, and improve their risk management activities more easily • Gain credibility to obtain support for investment in such activities • Benchmark against agreed criteria in maturity and capability • Build a community of support • Obtain operational guidelines
IT risk categories • IT risk: the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT
Guiding Principles of Risk IT • Always connect to enterprise objectives. • Align the management of IT-related business risk with overall enterprise risk management. • Balance the costs and benefits of managing risk. • Promote fair and open communication of IT risk. • Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels. • Understand that this is a continuous process and an important part of daily activities. (Excellent explanation in the framework, PP. 13~14)
Key Risk IT Content: The “What” • Risk management essentials • In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture • In Risk Evaluation: Describing business impact and risk scenarios • In Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation • Process model sections that contain: • Descriptions • Input-output tables • RACI (Responsible, Accountable, Consulted, Informed) table • Goals and Metrics Table • Maturity model is provided for each domain
Risk Governance Domain • Risk Governance Essentials: • Responsibility and accountability for risk • Risk appetite and tolerance • Awareness and communication • Risk culture
Risk Evaluation Domain • Risk Evaluation Essentials: • Risk scenarios • Business impact descriptions
Risk Response Domain • Risk Response Essentials: • Key risk indicators (KRIs) • Risk response definition and prioritisation
Risk Governance - Risk Appetite and Tolerance • Risk appetite—The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision) (“direction”, “trade-offs”) • Risk tolerance—The acceptable variation relative to the achievement of an objective (best measured in the same units as those used to measure the related objective) (“limit”, “threshold”) • http://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf PP. 3~4 • http://www.guycarp.com/portal/extranet/getDoc;JSESSIONIDGCPORTALWCPORTALAPP=2fDLRtXRwqG8cv7fHNMvLr4TCwvWL5YK1TTJqNtsQp4G5RwGndww!-1668854704?vid=1&docId=148121
Risk Appetite (P.17) • Amount of risk an entity is prepared to accept when trying to achieve its objectives. • Determined by: the enterprise’s objective capacity to absorb loss, and the culture towards risk taking—cautious or aggressive.
Risk Tolerance (PP.17~18) • Tolerable deviation from the level set by the risk appetite and business objectives • Example: standards require projects to be completed within the estimated budgets and time, but overruns of 10% of budget or 20% of time are tolerated.
Risk Governance – awareness and communication • Benefits of open communication on IT risk: • Executive management’s understanding of actual exposure to IT risk, informing IT risk responses • … P.18 • Consequences of poor communication: • A false sense of confidence at the top about actual exposure to IT risk • Lack of well-understood direction for risk management • … P.18 • Responsibility and accountability: Figure 8, P.19
Risk Communication What to Communicate?
Essentials of risk evaluation (re Framework, slide #15) • Describing business impact • Risk scenarios • Can be used to prioritize risks • Heart of risk management • Measurement is important in this domain
Essentials of risk response (re Framework, slide #15) • Key risk indicators (KRIs) • Risk response definition and prioritization • Measurement also plays important roles here
Risk response • Risk avoidance • Risk reduction/mitigation • Risk sharing/transfer • Risk acceptance
Risk response - Risk avoidance • Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk response is adequate. • This is the case when: • No other cost-effective options can succeed • Risk cannot be shared or transferred • Risk is deemed unacceptable
Risk response - Risk sharing/transfer • Sharing means reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. • Insurance • Outsourcing
Risk response - Risk acceptance • No action is taken relative to a particular risk, and loss is accepted when/if it occurs. • Different from being ignorant of risk
Risk Response Definition The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that future residual risk (= current risk with the risk response defined and implemented) is, as far as possible (usually depending on the budgets available), within risk tolerance limits.
Risk and opportunity • IT can play several roles in the risk-opportunity relationship (figure 16): • Value enabler – new business initiatives almost always depend on some involvement of IT • The reverse side of the above applies as well: • Value destruction – some IT events can cause mild to serious disruption to the organization.
RISK IT FRAMEWORK PROCESS MODEL • Detailed Process Descriptions • Process Components • Management Practices • Inputs and Outputs • Management Guidelines • Roles and Responsibilities—RACI Chart • Goals and Metrics • Maturity Models
THE RISK IT FRAMEWORK • P.43; PP. 43~44 important • PP. 49~50, similar to PP. 43~44
Risk IT: The “How” • Key contents of The Risk IT Practitioner Guide: • Review of the Risk IT process model • Risk IT to COBIT and Val IT • How to use it: • Define a risk universe and scoping risk management • Risk appetite and risk tolerance • Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture • Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers • Risk scenarios: includes capability risk factors and environmental risk factors • Risk response and prioritisation • A risk analysis workflow: “swim lane” flow chart, including role context • Mitigation of IT risk using COBIT and Val IT • Mappings: Risk IT to other risk management standards and frameworks