Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’. Robert E Stroud CGEIT, VP Service Management & Governance, CA Technologies; International Vice President, ISACA.
Abstract: Virtualization and Cloud computing are the discussion topics on our lips at the moment! Is it hype, reality, a fundamental transition or the next paradigm shift? What is clear is that the business understands that it is dependent upon IT, but unfortunately, rather than discussing the detail of technical solutions, the business wants results, and this, together with cost constraints, is changing the role of the Service Manager. The Service Manager in this business climate must support the ability of IT to exhibit flexibility in terms of elasticity or scalability based on business fluctuations, both expected and unexpected. Most importantly, these demands must be met at an appropriate cost and service level based on the business's appetite for risk, according to the agreed Service Levels and at the appropriate cost. To meet the requirement for flexibility, scalability and reduction in costs, many IT organizations are investing in virtualization and increased use of targeted outsourcing, and many organizations are investing in Cloud to rapidly deliver specific business functionality. The primary misconception in the industry is that all IT will simply go to the Cloud. This is absolute nonsense, at least in the short term; the reality is that most IT organizations will deliver part of their service themselves and part through third parties. Therefore, the role of the CIO is fundamentally transitioning from one of simply managing operations to managing IT as a service value chain, a chain that may become more complex over time. IT will weave together and optimize the Service Value Chain to best support various customers and enable the business. In this environment the Service Manager will be required to manage an even more complex environment, ensuring legal and organizational compliance whilst providing consistent information on the value IT contributes.
This session will detail the emerging industry trends, including virtualization, outsourcing and cloud computing, and provide guidance for service managers to leverage the intersection of Governance and Service Management to deliver value to the organization. Focus will be placed on leveraging ITIL processes such as supplier management to manage your third parties against service levels whilst insulating the business from the complexity of the service value chain.
Robert E Stroud CGEIT, Vice President, Service Management Strategy; service management & governance evangelist • 29 years in industry experience • 15+ years banking industry • VP Service Management & ITSM & IT Governance, CA • V3 Update reviewer • V3 – ITIL Advisory Group, V3 – Mentor & Reviewer • Executive Board itSMF International, Treasurer and Director Audit Standards & Compliance • Former Board Member USA itSMF • International Vice President ISACA\ITGI • Former Chair COBIT Steering Committee & chief architect • IT Governance Committee • Contributor to COBIT V4 and V4.1 • Contributor to the Control Objectives for Basel II • Contributor to ITIL\COBIT\ISO17799 Management Overview
Agenda • Introduction • The ‘Risk IT Framework’ • The ‘Risk IT Practitioner Guide’ – Managing Risk in Practice • Risk Governance • Risk Evaluation • Risk Response • Wrap-Up
IT Related Risk Management – Summary • Various standards & frameworks are available, but they are either: • Generic Enterprise Risk Management oriented • IT Security oriented • No comprehensive IT Related Risk framework is available
IT (Related) Risk Management • Risk and Value are Intertwined • Risk is inherent to any enterprise – uncertainty is part of the DNA of any enterprise • Risk has two faces: protecting against value destruction but also ensuring value creation opportunities are not missed! • Understanding risk and managing it is key for creating and safeguarding value
IT (Related) Risk Management • IT ‘Related’ Risk Management • Covering all IT related risks, not limited to Information Security only! • Late project delivery, compliance issues, misalignment between IT and business, IT service delivery problems, inflexible IT architecture, obsolete IT architecture, … • Covering all Risk Management activities • Risk governance, including Risk Culture etc. • Covering business risks due to IT related activities • IT Related risk = materialised business impact because of an IT related event
IT (Related) risks ITGI survey 2008, on IT related problems:
Definition of IT Risk: IT Risk Categories
Risk IT • Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that conform to these principles • The Risk IT framework is to be used to help implement IT governance • Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management
Purpose of ‘Risk IT’ The Risk IT framework explains IT risk and will enable users to: • Integrate the management of IT risk into the overall enterprise risk management of the organisation • Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise • Understand how to respond to the risk • In brief, the framework allows the enterprise to make appropriate risk-adjusted decisions
Detailed Process Descriptions • Process components • Management practices • Inputs and outputs • Management guidelines • Roles and responsibilities – RACI Chart • Goals and metrics • Maturity models
Supplemental tools and materials • The Risk IT Practitioner Guide is supported by an implementation tool kit, containing the following templates: • Enterprise IT Risk Assessment Form (figure 7) • Risk Communication Flows (figure 14) • Template Risk Register Entry (figure 36) • Generic IT Risk Scenarios (figure 40) • Generic IT Risk Scenarios Mapped to COBIT and Val IT Processes (figure 41) • Generic IT Risk Scenarios and Environmental Risk Factors (figure 42) • COBIT Controls and Val IT Key Management Practices to Mitigate IT Risk (figure 48)
Definition of ERM – enterprise risk management (ERM) In business, enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which can involve identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management and internal control. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed.
Definition of IT Risk • IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. It includes both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives as well as uncertainty in the pursuit of opportunities. • IT risk can be categorised in different ways: • IT service delivery risk, associated with the performance and availability of IT services, which can bring destruction or reduction of value to the enterprise • IT solution delivery/benefit realisation risk, associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes • IT benefit realisation risk, associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives • IT risk always exists, whether or not it is detected or recognised by an organisation
Definition of IT Risk: IT Risk Categories – IT related business risk
Essentials of Risk Governance • Risk Appetite and Tolerance • Responsibilities and accountability for IT Risk Management • Awareness and Communication • Risk Culture
Risk appetite and tolerance – definition • Risk appetite: the broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision) • Risk tolerance: the acceptable variation relative to the achievement of an objective (often best measured in the same units as those used to measure the related objective)
Risk appetite Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. When considering the risk appetite levels for the enterprise, two major factors are important: • The enterprise's objective capacity to absorb loss • The culture towards risk taking – cautious or aggressive
Risk Tolerance Risk tolerance is the tolerable deviation from the level set by the risk appetite definition, e.g., standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
Awareness and Communication: Benefits • Contributing to executive management's understanding of the actual exposure to IT risk, enabling definition of appropriate and informed risk responses • Awareness amongst all internal stakeholders of the importance of integrating risk and opportunity into their daily duties • Transparency to external stakeholders regarding the actual level of risk management processes in use
Awareness and Communication: Bad Communication • A false sense of confidence at the top about the degree of actual exposure related to IT, and lack of a well-understood direction for risk management from the top down • Unbalanced communication to the external world on risk, especially in cases of high but managed risk, may lead to an incorrect perception of actual risk by third parties such as clients, investors or regulators • The perception that the enterprise is trying to cover up known risk from stakeholders
Risk Communication: Stakeholders • Executive management and board • Chief risk officer (CRO) and enterprise risk committee • Chief information officer (CIO) • Chief financial officer (CFO) • Business management and business process owners • IT management (including security and service management) • Compliance and audit • Risk control functions • Human resources (HR) • External auditors • Regulators • Investors • Insurers • All employees
Agenda • Introduction • The ‘Risk IT Framework’ • The ‘Risk IT Practitioner Guide’ – Managing Risk in Practice • Risk Governance • Risk Evaluation • Risk Response • Wrap-Up
Essentials of Risk Evaluation • Describing business impact • Risk scenarios
Agenda • Introduction • The ‘Risk IT Framework’ • The ‘Risk IT Practitioner Guide’ – Managing Risk in Practice • Risk Governance • Risk Evaluation • Risk Response • Wrap-Up