Enterprise IT Governance and Risk Mgmt with COBIT – Part VI-b: COBIT 5 for Risk
Dr. Yue “Jeff” Zhang 张跃博士, California State University, Northridge (slide 1)
Outline of the Course (slide 2)
1. IT governance overview
2. Introduction to COBIT
3. COBIT 4.1 framework & Val IT and RiskIT
4. COBIT 5
5. Process Assessment Model
6. COBIT 5 for Risk
What is risk management? (slide 4)
“The identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” — Wikipedia
Who is a risk manager? (slide 5)
- We all manage risk.
- Life and business are complex, but risk management should be simple.
- Use risk management approaches to make business simpler.
- Use the right tool for the job.
Manage and Capitalize on Business Risk (slide 6)
- Enterprises achieve return by taking risks.
- Some try to eliminate the very risks that drive profit.
- Guidance was needed on how to manage risk effectively.
Risk management tenet (slide 7)
- Managing risk to business performance against specific objectives ENABLES businesses to achieve those objectives.
- Changing situations may bring gain or loss; risk management ENABLES businesses to stay on the right track and to seize opportunities.
- Risk management should improve agility, making it safer to move in a changing environment.
- “Human immunity” analogy.
Two views of business-related IT risk (slide 8)
- IT is a tool that can be used to enable the business: to seek better outcomes by reducing risk to the business through improving consistency, complying with controls, and reducing errors.
- IT is a tool that can break, be used inefficiently, or cause harm if misused or exploited maliciously.
IT-related Risk in the Risk Hierarchy (slide 9; figure only)
Covers IT-related Risk Management (slide 10)
IT-related business risks cover all IT-related risks, including:
- Late project delivery
- Not achieving enough value from IT
- Compliance
- Misalignment
- Obsolete or inflexible IT architecture
- IT service delivery problems
Comparison of RiskIT and COBIT 5 for Risk (slide 11)
- RiskIT was organized around domains and processes, just as COBIT 4.1 was.
- COBIT 5 for Risk is organized around the five principles and seven enablers, just as COBIT 5 is.
- For every enabler, COBIT 5 for Risk then approaches the topic from:
  - Stakeholders (who participate or are impacted)
  - Goals
  - Life cycle
  - Good practices – this is the “action”/“solution” part
Comparison (cont.) (slide 12)
The second unique feature of COBIT 5 for Risk is that it organizes the analyses and practices from two perspectives:
- Risk function
- Risk management
Risk function can be understood as the principles, policies, processes, organizational structure, … [do they sound familiar? Yes, they are the seven enablers!] that are in place to “strengthen” the organization so it is better able to face and handle risks: the “preparedness” of an organization against risks.
Comparison (cont.) (slide 13)
Risk management, by contrast, can be understood as the principles, policies, processes, organizational structure, … [again, the seven enablers!] that are employed to “curb”, “fight” and “redirect” risks when they materialize.

| Perspective | Medical analogy | Military analogy | Remarks |
| Risk function | Prevention | Readiness and deterrence (standing forces, deterrent power) | Long-term improvement of the organization’s overall “fitness” against risks |
| Risk management | Treatment | Battle plan; tactics (strategy and tactics; campaign plans) | Direct handling of risks: analysis/evaluation, response, recovery |
COBIT 5 FOR RISK – 1. UNDERSTAND THE DRIVERS, BENEFITS AND TARGET AUDIENCES FROM A RISK PERSPECTIVE (slide 14)
Clarification of “Risk” in COBIT 5 for Risk (slide 21)
When risk is referenced in COBIT 5 for Risk, it is the current risk. Figure 7 shows how inherent, current and residual risk interrelate.
COBIT 5 FOR RISK – 2. UNDERSTAND THE COMPONENTS OF RISK ACTIVITIES (slide 22)
Key Risk IT Content: The “What” (slide 23)
Risk management essentials:
- In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
- In Risk Evaluation: describing business impact and risk scenarios
- In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
Process model sections that contain:
- Descriptions
- Input-output tables
- RACI (Responsible, Accountable, Consulted, Informed) table
- Goals and metrics table
A maturity model is provided for each domain.
Risk IT framework (slide 24)
| Domain | Time | Manner |
| Governance | “Before” | Always |
| Evaluation | “During” | Periodical |
| Response | “After” | In incident |
Roughly, not exactly; to help with understanding and memory.
Risk Governance Domain (slide 25)
Risk governance essentials:
- Responsibility and accountability for risk
- Risk appetite and tolerance
- Awareness and communication
- Risk culture
Risk Function Perspective (slides 32–33)
COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function:
- Key supporting processes – dark pink
- Other supporting processes – light pink
Core risk processes, shown in light blue, are also highlighted; these processes support the risk management perspective:
- EDM03 Ensure risk optimisation
- APO12 Manage risk
Risk Scenarios (slide 39)
Risk scenarios are a key element of the COBIT 5 risk management process APO12; two approaches are defined:
- Top-down approach: use the overall enterprise objectives and consider the most relevant and probable IT risk scenarios impacting these.
- Bottom-up approach: use a list of generic scenarios to define a set of more relevant and customised scenarios, applied to the individual enterprise.
Risk Scenarios (slide 42)
When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type + event). The frequency of the threat event is influenced by a vulnerability. The vulnerability is usually a state; it can be increased or decreased by vulnerability events, e.g., by control strength or by threat strength.
Developing risk scenarios work flow (slide 43)
1. Use the list of example generic risk scenarios (Fig 38, p. 67 onward; partial reprint in slide 46) to define a manageable set of tailored risk scenarios for the enterprise.
2. Perform a validation against the business objectives of the entity.
3. Refine the selected scenarios based on the validation.
4. Reduce the number of scenarios to a manageable set (usually at least a few dozen).
5. Keep all the scenarios in a list so they can be re-evaluated.
Developing risk scenarios work flow (cont.)
6. Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenarios are assessed.
7. The enterprise can also consider evaluating scenarios that have a chance of occurring: the “stress” testing.
In “1” above, risk factors are those conditions that influence the frequency and/or the business impact of risk scenarios. Fig 35, P
Risk Scenarios (slide 46)
COBIT 5 for Risk provides 111 risk scenario examples* across 20 scenario categories.
Risk appetite (slide 49)
The amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission. When considering the risk appetite levels for the enterprise, two major factors are important:
1. The enterprise’s objective capacity to absorb loss, e.g., financial loss, reputation damage
2. The (management) culture or predisposition towards risk taking: cautious or aggressive
What is the amount of loss the enterprise wants to accept to pursue a return?
Risk appetite (slide 50)
- Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk.
- Risk appetite can and will be different amongst enterprises.
Risk tolerance (slide 51)
- Risk tolerance is the tolerable deviation from the level set around the risk appetite, which (the deviation) management is willing to allow as it pursues the objectives. For example, project overruns of 10 percent of budget or 20 percent of time are tolerated.
- Risk appetite and risk tolerance go hand in hand.
- Risk tolerance is defined at the enterprise level and is reflected in policies set by the executives; at tactical levels of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as at the enterprise level the overall exposure does not exceed the set risk appetite.
- Cases and consequences of “zero tolerance”
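The following Python script is an added worked example, not part of COBIT 5 for Risk or of this presentation. It ties together the loss-event model from slide 42 (loss frequency driven by threat frequency and vulnerability), risk analysis and stress testing from the scenario workflow (steps 6 and 7), and the appetite and tolerance rules from slides 49–51: each scenario's exposure is the combination of frequency and magnitude, a scenario may exceed the appetite level by a tolerated deviation as a tactical exception, and such exceptions are acceptable only while the enterprise-level aggregate stays within appetite. Every scenario name, figure and threshold in it is constructed for illustration; the class and function names are the example's own.

```python
"""Evaluate tailored IT risk scenarios against an enterprise risk appetite and
risk tolerance.  Added illustration, not part of COBIT 5 for Risk or of this
presentation; every scenario, figure and threshold below is constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One tailored risk scenario after risk analysis (step 6 of the workflow)."""
    name: str
    threat_frequency: float  # threat events per year
    vulnerability: float     # probability (0..1) that a threat event becomes a loss event
    magnitude: float         # expected loss per loss event, in currency units

    @property
    def loss_frequency(self) -> float:
        # Loss-event frequency = threat-event frequency scaled by the vulnerability;
        # stronger controls lower the vulnerability and therefore the frequency.
        return self.threat_frequency * self.vulnerability

    @property
    def annual_exposure(self) -> float:
        # Risk expressed as the combination of frequency and magnitude.
        return round(self.loss_frequency * self.magnitude, 2)


@dataclass(frozen=True)
class RiskAppetite:
    scenario_ceiling: float    # largest annual exposure accepted for any one scenario
    enterprise_ceiling: float  # largest aggregate annual exposure accepted overall
    tolerance: float           # tolerated deviation above scenario_ceiling (fraction)


def classify(scenario: RiskScenario, appetite: RiskAppetite) -> str:
    """Place one scenario relative to the appetite level and the tolerance band."""
    exposure = scenario.annual_exposure
    if exposure <= appetite.scenario_ceiling:
        return "within appetite"
    if exposure <= appetite.scenario_ceiling * (1.0 + appetite.tolerance):
        return "tolerated exception"   # tactical exception allowed by policy
    return "exceeds tolerance"


def evaluate_register(scenarios, appetite):
    """Classify every scenario and check the enterprise-level aggregate exposure."""
    per_scenario = {
        s.name: {"exposure": s.annual_exposure, "status": classify(s, appetite)}
        for s in scenarios
    }
    total = round(sum(s.annual_exposure for s in scenarios), 2)
    return {
        "scenarios": per_scenario,
        "total_exposure": total,
        # Exceptions are acceptable only while the overall exposure stays within appetite.
        "enterprise_within_appetite": total <= appetite.enterprise_ceiling,
        "exceptions": sorted(
            n for n, r in per_scenario.items() if r["status"] != "within appetite"
        ),
    }


def stress_test(scenarios, name, frequency_multiplier=1.0, magnitude_multiplier=1.0):
    """Step 7: re-evaluate with one scenario's frequency and/or impact scaled."""
    return [
        replace(s, threat_frequency=s.threat_frequency * frequency_multiplier,
                magnitude=s.magnitude * magnitude_multiplier) if s.name == name else s
        for s in scenarios
    ]


def apply_control(scenarios, name, new_vulnerability):
    """Model a strengthened control as a lower vulnerability for one scenario."""
    return [replace(s, vulnerability=new_vulnerability) if s.name == name else s
            for s in scenarios]


# Constructed sample register (names and numbers are illustrative only).
SAMPLE_SCENARIOS = [
    RiskScenario("Late project delivery", 4.0, 0.5, 40_000),
    RiskScenario("IT service outage", 2.0, 0.25, 150_000),
    RiskScenario("Obsolete architecture", 1.0, 0.1, 500_000),
    RiskScenario("Compliance finding", 1.0, 1.0, 85_000),
]
# Constructed appetite: 80k per scenario, 300k overall, 10 % tolerated deviation.
SAMPLE_APPETITE = RiskAppetite(80_000, 300_000, 0.10)

if __name__ == "__main__":
    baseline = evaluate_register(SAMPLE_SCENARIOS, SAMPLE_APPETITE)
    stressed = evaluate_register(
        stress_test(SAMPLE_SCENARIOS, "IT service outage", frequency_multiplier=2.0),
        SAMPLE_APPETITE)
    for label, reg in (("baseline", baseline), ("stress", stressed)):
        print(label, reg["total_exposure"], reg["enterprise_within_appetite"],
              reg["exceptions"])
```

In the constructed register the "Compliance finding" scenario sits above the per-scenario appetite level but inside the 10 % tolerance band, so it is reported as a tolerated exception while the enterprise total (290,000) remains within appetite. Doubling the outage threat frequency in the stress test pushes that scenario past tolerance and the aggregate past the enterprise ceiling; lowering its vulnerability through a stronger control brings both back within bounds, which is the control-strength effect slide 42 describes.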
Brief description of selected key contents (slide 61)
- P12, Fig 3 – COBIT 5 for Risk overview
- P20, Fig 9 – Two perspectives on risk
- P31, Fig 16 – Risk policy examples
- P35, Fig 18/19 – Supporting processes for the risk function
- P42, Fig 26 – Behaviours for risk governance and management
- P48, Fig 28 – Information items supporting risk governance and management
- P52, Fig 30 – Risk-management-related services
- P56, Fig 32 – Risk management skill sets
Brief description of selected contents (cont.) (slide 62)
- PP 59-63, Risk scenarios
- PP , Core COBIT 5 risk management processes
- PP , , : Using COBIT 5 enablers to manage IT risk scenarios (selected)
- PP : Comprehensive risk scenario template
[Many of the materials in the above will be used for your team project as well as the individual project]