Applying the Risk Process in the Real World Mark Thomas CGEIT, CRISC

Post on 19-Apr-2020


Page 1: Applying the Risk Process in the Real Worldisaca-events.org.za/wp-content/uploads/2016/09/... · Applying the Risk Process in the Real World ... Optimize the cost of IT services and

Applying the Risk Process in the Real World

Mark Thomas, CGEIT, CRISC

Page 2:

MARK THOMAS – CGEIT, CRISC

Areas of expertise

Governance of Enterprise IT (CGEIT)

Enterprise Risk Management (CRISC)

COBIT

ITIL Expert

PRINCE2 Practitioner

Experience

IT Director

VP, IT Operations

Enterprise Program Manager

Governance frameworks consulting

Page 3:

OBJECTIVES

Understand the application of COBIT5 risk practices and activities and how they are being used today.

Select and prioritize scenarios to create a risk register that can be used in multiple enterprise environments.

Link the risk process to industry standards and frameworks to create appropriate and applicable controls.

Page 4:

Agenda

Introduction

Connecting COBIT and Risk

Understanding Risk

Real World Application

Closing and Questions

Page 5:

VALUE CREATION

Page 6:

THE TONE STARTS AT THE TOP

Governance: Evaluate, Direct, Monitor

Management: Plan, Build, Run, Monitor

EVALUATE stakeholder needs, conditions and options

DIRECT through prioritization and decision making

MONITOR performance, compliance and progress against agreed-on direction and objectives

PLAN, BUILD, RUN and MONITOR activities, aligned with the direction set by the governance body to achieve the enterprise objectives

Page 7:

MULTIPLE PERSPECTIVES

Page 8:

AGENDA

Introduction

Connecting COBIT and Risk

Understanding Risk

Real World Application

Closing and Questions

Page 9:

FIRST, SOME DEFINITIONS

Risk—the possibility of a situation or event with uncertain frequency and magnitude of loss (or gain) occurring that is associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

Threat

Vulnerabilities

Risk appetite

Risk tolerance

Risk optimization

Risk hierarchy

Page 10:

TYPES OF RISK

Operational Risk

Portfolio Risk

Program Risk

Project Risk

Strategic Risk

Page 11:

CATEGORIES IN ASSESSING RISK

Inherent Risk: The risk associated with an event when no controls are in place.

Residual Risk: The risk that is associated with an event after controls have been applied.

Control Risk: Results from the internal control systems’ failure to prevent, detect or correct an incident in a timely manner.

Detection Risk: Risk that the prescribed controls, substantive testing procedures or monitoring will fail to detect an error that could be material.

Page 12:

AGENDA

Introduction

Connecting COBIT and Risk

Understanding Risk

Real World Application

Closing and Questions

Page 13:

COBIT

COBIT is the only end-to-end business framework that offers a holistic and integrated view of the governance of enterprise IT (GEIT). COBIT assists enterprises in many areas, including:

Maintain high-quality information to support business decisions.

Achieve strategic goals and realize business benefits.

Support compliance with relevant laws, regulations, contractual agreements and policies.

Maintain IT-related risk at an acceptable level.

Optimize the cost of IT services and technology.

Page 14:

Page 15:

COBIT PRINCIPLES

Page 16:

COBIT GOALS CASCADE

Translates stakeholder needs into specific, practical and customized goals.

Allows the definition of priorities for:

Risk scenario analysis, assessment and responses

Implementation

Improvement

Assurance efforts for the governance of enterprise IT

Page 17:

COBIT ENABLERS

Page 18:

Page 19:

COBIT PRODUCT FAMILY

Page 20:

COBIT FOR RISK

COBIT5 for Risk provides guidance on how to manage risk to levels within the enterprise’s risk appetite as well as how to set up the right risk culture for the enterprise.

End-to-end guidance on managing risk with a common approach for assessment and response.

Integrates IT risk management with the overall risk and compliance structures within the enterprise.

Promotion of risk responsibility and its acceptance throughout the enterprise.

Page 21:

DOMAINS

Governance Domain: Ensure Risk Optimization

Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimized.

• Evaluate risk management
• Direct risk management
• Monitor risk management

Management Domain: Manage Risk

Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.

• Collect data
• Analyze risk
• Maintain a risk profile
• Articulate risk
• Define a risk management action portfolio
• Respond to risk

Page 22:

RISK PROFILE

Risk Register: Resulting from risk analysis, consists of a list of risk scenarios and their associated estimates for impact and frequency.

Risk Action Plan: Includes action items, status, responsible, deadline, etc.

Loss Events (historical and current): Loss data related to events occurring over the last reporting period(s).

Risk Factors: Both contextual risk factors and capability-related risk factors (vulnerabilities).

Independent Assessment Findings: Result of independent assessments (e.g., audit findings, self-assessments).

Page 23:

RISK SCENARIOS

Page 24:

RISK MAP

A common, very easy and intuitive technique to present risk is the risk map, where risk is plotted on a two-dimensional diagram, with frequency and impact. This representation provides an immediate and complete view on risk and apparent areas for action.

[Risk map figure: axes Probability and Impact]

Page 25:

RISK RESPONSE

This is where you determine which controls best satisfy business needs.

Page 26:

CONTROLS

Page 27:

AGENDA

Introduction

Connecting COBIT and Risk

Understanding Risk

Real World Application

Closing and Questions

Page 28:

COMPANY BACKGROUND

Background

Service Provider – North America

Niche market in the real-estate industry

Rapid growth

Owned by a larger holding company

Challenges

Holding company security audit

Multiple audit findings

No process for managing risks

Aggressive timeline to ‘become compliant’

Page 29:

Methodology

Page 30:

BUSINESS GOALS

[Methodology diagram: Business Goals, Risk Scenarios, Risk Register, Top 5 Focus Areas, Maintain Register]

Page 31:

RISK SCENARIOS

Step 1: Identified 16 generic risk categories

Page 32:

RISK SCENARIOS

Page 33:

RISK SCENARIOS

Page 34:

RISK SCENARIOS

Page 35:

RISK SCENARIOS

Step 3: Determine the scenario short list.

Full list on next slide

Page 36:

Page 37:

RISK REGISTER

Top 10 Scenarios

There is an overreliance on key IT staff.

Hardware components were configured erroneously.

The database is corrupted, leading to inaccessible data.

IP is lost and/or competitive information is leaked due to key team members leaving the enterprise.

The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.).

Hardware systems fail and lose availability.

Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies.

There is an intrusion of malware on critical operational servers.

Industrial espionage takes place.

There is a virus attack.

Risk Register columns

Event: specific events related to the scenario

Actor: Internal, External

Threat Type: Malicious, Accidental, Error, Failure, Natural, External Req.

Asset/Resource: Process, People/Skills, Org. Structure, Physical Inf., IT Inf., Information, Applications

Response: Accept, Transfer, Share, Avoid, Mitigate
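As an added illustration (not code from the presentation, COBIT or the company described), the Python below models a register row with the columns above, scores each scenario's inherent and residual risk as defined on the earlier "categories in assessing risk" slide, places the residual score on a frequency-by-impact risk map, and ranks scenarios to pick the top focus areas. The 1-to-5 scores, the controls and the risk tolerance value are constructed assumptions, not figures from the deck.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    freq_cut: int    # points the control takes off frequency (1-5 scale)
    impact_cut: int  # points it takes off impact (1-5 scale)

@dataclass
class Scenario:
    event: str
    actor: str        # Internal / External
    threat_type: str  # Malicious, Accidental, Error, Failure, Natural, External Req.
    asset: str        # Process, People/Skills, Org. Structure, Physical Inf., IT Inf., Information, Applications
    frequency: int    # inherent frequency, 1 (rare) .. 5 (frequent)
    impact: int       # inherent impact, 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)
    def inherent(self) -> int:
        """Inherent risk: the scenario scored as if no controls were in place."""
        return self.frequency * self.impact
    def residual(self) -> int:
        """Residual risk: the same scenario after its controls, each axis floored at 1."""
        f = max(1, self.frequency - sum(c.freq_cut for c in self.controls))
        i = max(1, self.impact - sum(c.impact_cut for c in self.controls))
        return f * i

def map_zone(score: int, tolerance: int) -> str:
    """Risk map zone for a frequency*impact score, measured against the risk tolerance."""
    if score > tolerance:
        return "act"
    return "monitor" if score > tolerance // 2 else "accept"

def response(s: Scenario, tolerance: int) -> str:
    """Response column: Accept inside tolerance, else Mitigate (Transfer/Share/Avoid are business decisions)."""
    return "Accept" if s.residual() <= tolerance else "Mitigate"

def top_focus(register: list, n: int = 5) -> list:
    # Rank the register by residual risk to pick the top focus areas.
    return sorted(register, key=lambda s: s.residual(), reverse=True)[:n]

def sample_register() -> list:
    # Constructed scores and controls (assumptions) for three of the deck's Top 10 scenarios.
    patching = Control("patching and anti-malware on critical servers", 2, 1)
    backups = Control("tested database backups", 0, 3)
    return [
        Scenario("Malware intrusion on critical operational servers", "External", "Malicious", "IT Inf.", 4, 5, [patching]),
        Scenario("Database corrupted, data inaccessible", "Internal", "Failure", "Information", 3, 5, [backups]),
        Scenario("Overreliance on key IT staff", "Internal", "Failure", "People/Skills", 4, 3),
    ]
```

With an assumed tolerance of 8, the uncontrolled staff-dependency scenario ranks first for mitigation even though its inherent score is the lowest of the three, which is the point of scoring residual rather than inherent risk.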

Page 38:

TOP FOCUS AREAS

Linked results to applicable standards and processes:

ISO27000

NIST

COBIT5 – not considered a standard, but used to help manage processes

Page 39:

MAINTAIN REGISTER

Communicate risk register to all appropriate stakeholders.

Continually update scenarios and register to maintain a current profile of risks and responses.

Support the adoption of controls based on the risk register.

Page 40:

NEXT STEPS

Linking different levels of risks into a cascading risk register.

Work with the Board of Directors to articulate risk from a governing body perspective.

Create a risk management function.

Create key risk indicators.

Page 41:

AGENDA

Introduction

Connecting COBIT and Risk

Understanding Risk

Real World Application

Closing and Questions