Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise IT Governance and Risk Mgmt with COBIT – Part VI-b COBIT 5 for Risk Dr. Yue “Jeff” Zhang 张跃博士 California State University, Northridge 1.

Similar presentations


Presentation on theme: "Enterprise IT Governance and Risk Mgmt with COBIT – Part VI-b COBIT 5 for Risk Dr. Yue “Jeff” Zhang 张跃博士 California State University, Northridge 1."— Presentation transcript:

1 Enterprise IT Governance and Risk Mgmt with COBIT – Part VI-b COBIT 5 for Risk Dr. Yue “Jeff” Zhang 张跃博士 California State University, Northridge 1

2 1.IT governance overview 2.Introduction to COBIT COBIT 4.1 framework & Val IT and RiskIT 4.COBIT 5 5.Process Assessment Model 6.COBIT 5 for Risk Outline of the Course 2

3 3

4 What is risk management? “The identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” — Wikipedia 4

5 Who is a risk manager? We all manage risk Life and business are complex; but -  Risk management should be simple Use risk management approaches to -  Make business simpler Use the right tool for the job 5

6 Manage and Capitalize on Business Risk Enterprises achieve return by taking risks. Some try to eliminate the very risks that drive profit. Guidance was needed on how to manage risk effectively. 6

7 Risk management tenet Managing risk to business performance  Against specific objectives ENABLES businesses to achieve the obj Changing situations may bring gain or loss  Risk management ENABLES businesses to stay on right track, to seize opportunities Risk management should improve agility, making it safer to move in a changing environment  “Human immunity” analogy 7

8 Two views of business-related IT risk IT is a tool that can be used to enable the business  To seek better outcomes by reducing risk to the business  Through improving consistency, complying w controls, and reducing errors IT is a tool that can break, or used inefficiently, or cause harm if misused/exploited maliciously 8

9 IT-related Risk in the Risk Hierarchy 9

10 Covers IT-related Risk Management IT-related business risks cover all IT-related risks, including: Late project delivery Not achieving enough value from IT Compliance Misalignment Obsolete or inflexible IT architecture IT service delivery problems 10

11 Comparison of RiskIT and COBIT 5 for Risk RiskIT was organized around domains and processes, just as COBIT 4.1 COBIT 5 for Risk is organized around the 5 principles and seven enablers, just as COBIT 5  For every enabler, COBIT 5 for Risk then approaches from  Stakeholders (who participate/be impacted)  Goals  Life cycle  Good practices – this is the part that is the “action”/”solution” part 11

12 Comparison (cont) The second uniqueness of COBIT 5 for Risk is that it organizes the analyses and practices from two perspectives:  Risk function  Risk management Risk Function can be understood as  the principles, polices, processes, org structure, …[do they sound familiar? Yes, they’re the 7 enablers!] that are in place to “strengthen” the org so it is better able to face and handle risks.  The “preparedness” of an org against risks 12

13 Comparison (cont) While Risk Management can be understood as  the principles, polices, processes, org structure, …[again, the 7 enablers!] that are being employed to “curb” and “fight” and “redirect” the risks in the case of their happening 13 PerspectiveMed analogy Military analogy Remarks Risk function PreventionReadiness and deterrence 常备 力量,威慑力 Long-term improvement of org’s overall “fitness” against risks Risk mgmtTreatmentBattle plan; tactics 战略战术; 战役计划 Direct handling of risks: analyses/ evaluation, response, recovery

14 COBIT 5 FOR RISK 1. UNDERSTAND THE DRIVERS, BENEFITS AND TARGET AUDIENCES FROM A RISK PERSPECTIVE 14

15 Drivers for Risk To provide: Stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise Guidance on how to manage risk to levels within the enterprise’s risk appetite Guidance on how to set up the appropriate risk culture for the enterprise Quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure The COBIT 5 for Risk professional guide provides: Guidance on how to use the COBIT 5 framework to establish the risk governance and management function(s) for the enterprise Guidance and a structured approach on how to use the COBIT 5 principles to govern and manage IT risk Understanding of the alignment of COBIT 5 for Risk with other relevant standards © 2013 ISACA. All rights reserved.15

16 Benefits of the Guidance End-to-end guidance on how to manage risk A common and sustainable approach for assessment and response A more accurate view of significant current and near-future risk throughout the enterprise — and the impact of this risk on the enterprise Understanding how effective IT risk management optimises value by enabling process effectiveness and efficiency Opportunities for integration of IT risk management with the overall risk and compliance structures w/in the ERM Promotion of risk responsibility and its acceptance throughout the enterprise © 2013 ISACA. All rights reserved.16 Within + / - effect on the achievement of business objectives

17 Target Audiences Risk professionals across the enterprise: ­ Assistance with managing IT risk and incorporating IT risk into ERM Boards and executive management: ­ Understanding of their responsibilities and roles with regard to IT risk management ­ The implications of risk in IT to enterprise strategic objectives ­ How to better optimise IT use for successful strategy execution IT and business management: ­ Understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers © 2013 ISACA. All rights reserved.17 Enterprise Risk Management

18 Overall Logic of COBIT 5 for Risk 18

19 Overall Logic of COBIT 5 for Risk (cont) 19

20 Overall Logic of COBIT 5 for Risk (cont) 20

21 Clarification of “Risk” in COBIT 5 for Risk When risk is referenced in COBIT 5 for Risk, it is the current risk.  Figure 7 shows how inherent, current and residual risk interrelate. 21

22 COBIT 5 FOR RISK 2. UNDERSTAND THE COMPONENTS OF RISK ACTIVITIES..22

23 Key Risk IT Content: The “What” Risk management essentials In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture In Risk Evaluation: Describing business impact and risk scenarios In Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation Process model sections that contain:  Descriptions  Input-output tables  RACI (Responsible, Accountable, Consulted, Informed) table  Goals and Metrics Table Maturity model is provided for each domain 23

24 Risk IT framework 24 DomainTimeManner Governance “Before”Always Evaluation “During”Periodical Response AfterIn incident Roughly, not exactly; to help w understanding and memory

25 Risk Governance Domain Risk Governance Essentials:  Responsibility and accountability for risk  Risk appetite and tolerance  Awareness and communication  Risk culture 25

26 Risk Evaluation Domain Risk Evaluation Essentials:  Risk scenarios  Business impact descriptions 26

27 Risk Response Domain Risk Response Essentials:  Key risk indicators (KRIs)  Risk response definition and prioritisation 27

28 Risk Perspectives 28

29 Risk Function Perspective COBIT 5 for Risk provides guidance and describes how each enabler contributes to the overall governance and management of the risk function. For example: Which Processes are required to define and sustain the risk function, govern and manage risk What Information flows are required to govern and manage risk—e.g., risk universe, risk profile The Organisational Structures that are required to govern and manage risk effectively—e.g., enterprise risk committee, risk function What People and Skills should be put in place to establish and operate an effective risk function © 2013 ISACA. All rights reserved.29

30 Risk Function Perspective © 2013 ISACA. All rights reserved.30 COBIT 5 for Risk defines seven risk principles to: Provide a systematic, timely and structured approach to risk management Contribute to consistent, comparable and reliable results The risk principles formalise and standardise policy implementation— both the core IT risk policy and supporting policies— e.g., information security policy, business continuity policy. These policies provide more detailed guidance on how to put principles into practice and how they will influence decision making within an enterprise.

31 Risk Function Perspective (cont) © 2013 ISACA. All rights reserved.31 COBIT 5 for Risk defines seven risk principles to: Provide a systematic, timely and structured approach to risk management Contribute to consistent, comparable and reliable results The risk principles formalise and standardise policy implementation—both the core IT risk policy and supporting policies—e.g., information security policy, business continuity policy. These policies provide more detailed guidance on how to put principles into practice and how they will influence decision making within an enterprise.

32 Risk Function Perspective. All rights reserved.32 COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function: Key supporting processes– dark pink Other supporting processes – light pink Core risk processes, shown in light blue are also highlighted— these processes support the risk management perspective: EDM03 Ensure risk optimisatio n. APO12 Manage risk.

33 Risk Function Perspective 33 COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function: Key supporting processes– dark pink Other supporting processes – light pink Core risk processes, shown in light blue are also highlighted—these processes support the risk management perspective: EDM03 Ensure risk optimisation. APO12 Manage risk.

34 Risk Management Perspective © 2013 ISACA. All rights reserved.34 COBIT 5 for Risk provides specific guidance related to all enablers for the effective management of risk: The core Risk Management process(es) used to implement effective and efficient risk management for the enterprise to support stakeholder value Risk Scenarios, i.e., the key information item needed to identify, analyse and respond to risk; risk scenarios are the concrete, tangible and assessable representation of risk How COBIT 5 enablers can be used to respond to unacceptable risk scenarios

35 Risk Perspectives © 2013 ISACA. All rights reserved.35

36 Risk Perspectives (cont) 36

37 COBIT 5 FOR RISK 3. UNDERSTAND HOW TO USE RISK SCENARIOS FOR GEIT. 37

38 Risk Scenarios Definition “A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise’s objectives. The impact can be positive or negative.” © 2013 ISACA. All rights reserved.38

39 Risk Scenarios 39 Risk scenario’s are a key element of the COBIT 5 risk management process APO12; two approaches are defined:  Top-down approach— Use the overall enterprise objectives and consider the most relevant and probable IT risk scenarios impacting these  Bottom-up approach— Use a list of generic scenarios to define a set of more relevant and customised scenarios, applied to the individual enterprise

40 Risk Scenarios (cont) © 2013 ISACA. All rights reserved.40 Risk scenario’s are a key element of the COBIT 5 risk management process APO12; two approaches are defined:  Top-down approach—Use the overall enterprise objectives and consider the most relevant and probable IT risk scenarios impacting these  Bottom-up approach—Use a list of generic scenarios to define a SUBset of more relevant and customised scenarios, applied to the individual enterprise

41 Risk Scenarios Top-down and Bottom-up — Both approaches are complementary and should be used simultaneously. Risk scenarios must be relevant and linked to real business risk. Specific risk items for each enterprise and critical business requirements need to be considered in the enterprise risk scenarios. COBIT 5 for Risk provides a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major/common risk scenarios. © 2013 ISACA. All rights reserved.41

42 Risk Scenarios 42 When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (Threat type + Event). The frequency of the threat event is influenced by a vulnerability. The vulnerability is usually a state; it can be increased/ decreased by vulnerability events, e.g., controls strength or by the threat strength.

43 Developing risk scenarios work flow 1.Use the list of example generic risk scenarios (Fig 38, P67~; partial reprint in S#46) to define a manageable set of tailored risk scenarios for the enterprise; 2.Perform a validation against the business obj of the entity; 3.Refine the selected scenarios base on the validation; 4.Reduce the number of scenarios to a manageable set (usually at least a few dozen); 5.Keep all the scenarios in a list so they can be re- evaluated. 43

44 Developing risk scenarios work flow (cont) 6.Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenarios are assessed. 7.The enterprise can also consider evaluating scenarios that have a chance of occurring – the “stress” testing. In “1” above, risk factors are those conditions that influence the frequency and/or the business impact of risk scenarios.  Fig 35, P

45 Risk Scenarios 45 When a risk scenario materialises, a loss event occurs.  The loss event has been triggered by a threat event (Threat type + Event).  The frequency of the threat event is influenced by a vulnerability. The vulnerability is usually a state;  it can be increased/ decreased by vulnerability events, e.g., controls strength or by the threat strength.

46 Risk Scenarios 46 COBIT 5 for Risk provides:  111 risk scenario examples * Across 20 scenario categories

47 Risk Response Planned actions to bring risk in line with the risk appetite for the enterprise: A response needs to be defined such that as much future residual risk as possible (current risk with the risk response defined and implemented) falls within accepted limits. When risk analysis has shown that risk is not aligned with the defined risk appetite & tolerance levels, a response is required. © 2013 ISACA. All rights reserved.47

48 Risk Capacity Risk Appetite — The broad-based amount of risk in different aspects that an enterprise is willing to accept in pursuit of its mission Risk Tolerance — The acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives Risk Capacity — The cumulative loss an enterprise can tolerate without risking its continued existence. As such, it differs from risk appetite, which is more on how much risk is desirable. © 2013 ISACA. All rights reserved.48

49 Risk appetite The amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission.  When considering the risk appetite levels for the enterprise, two major factors are important: 1.The enterprise’s objective capacity to absorb loss, e.g., financial loss, reputation damage 2.The (management) culture or predisposition towards risk taking—cautious or aggressive. What is the amount of loss the enterprise wants to accept to pursue a return? 49

50 Risk appetite 50 Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk. Risk appetite can and will be different amongst enterprises

51 Risk tolerance Risk tolerance is the tolerable deviation from the level set around the risk appetite, which (the deviation) the mgmt. is willing to allow as it pursues the objectives.  For example, project overruns of 10 percent of budget or 20 percent of time are tolerated. Risk appetite and risk tolerance go hand in hand. Risk tolerance is defined at the enterprise level and is reflected in policies set by the executives; At tactical levels of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as at the enterprise level the overall exposure does not exceed the set risk appetite.  Cases and consequences of “zero tolerance” 51

52 Risk Capacity Left diagram — A relatively sustainable situation  Risk appetite is lower than risk capacity  Actual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity Right diagram — An unsustainable situation  Risk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss  As a result, actual risk routinely exceeds risk capacity even when staying almost always below the risk appetite level. This usually represents unsustainable situations © 2013 ISACA. All rights reserved.52

53 Risk Response (cont) This response can be any of the four possible responses:  avoid,  mitigate,  share/transfer,  accept. Risk response evaluation is not a one-time effort—it is part of the risk management process cycle. © 2013 ISACA. All rights reserved.53

54 Risk Mitigation COBIT 5 for Risk provides a number of examples on how the COBIT 5 enablers can be used to respond to risk scenarios. Risk mitigation is equivalent to implementing a number of IT controls. In COBIT 5 terms, IT controls can be any enabler, e.g., putting in place an organisational structure, putting in place certain governance or management practices or activities. For each of the 20 risk scenario categories, potential mitigating actions relating to all seven COBIT 5 enablers are provided, with a reference, title and description for each enabler that can help to mitigate the risk. © 2013 ISACA. All rights reserved.54

55 © 2013 ISACA. All rights reserved.55

56 © 2013 ISACA. All rights reserved.56

57 Risk response workflow 57

58 Risk response workflow (cont) Two dimensions for prioritization: current risk level, and benefit/cost ratio 58

59 Risk Culture 59

60 IMPORTANT REPRINTS FROM COBIT 5 FOR RISK © 2013 ISACA. All rights reserved.60 I have selectively reprint some forty pages from COBIT 5 for Risk. This section will briefly introduce the contents of those pages. The selected contents are very practical and can be and should be used in risk analysis.

61 Brief description of selected key contents P12, Fig 3 – COBIT 5 for Risk overview P20, Fig 9 – Two perspectives on risk P31, Fig 16 – Risk policy examples P35, Fig 18/19 – supporting processes for risk function P42, Fig 26 – Behaviors for risk gov and mgmt. P48, Fig 28 – Info items supporting risk gov & mgmt. P52, Fig 30 – risk-mgmt.-related services P56, Fig 32 – risk mgmt. skill sets 61

62 Brief description of selected contents (cont) PP 59-63, Risk scenarios PP , Core COBIT 5 risk mgmt. processes PP , , : Using COBIT 5 enablers to manage IT risk scenarios (selected) PP : Comprehensive risk scenario template [Many of the materials in the above will be used for your team project as well as individual project] 62

63 COBIT 5 FOR RISK 4. UNDERSTAND HOW COBIT 5 FOR RISK RELATES TO AND ALIGNS WITH OTHER STANDARDS © 2013 ISACA. All rights reserved.63 For information only; not required

64 Alignment COBIT 5 for Risk — much like COBIT 5 itself — is an umbrella approach for the provisioning of risk management activities. COBIT 5 for Risk is positioned in context with the following risk-related standards:  ISO 31000:2009 – Risk Management  ISO 27005:2011 – Information security risk management  COSO Enterprise Risk Management ISO 31000:2009 – Risk Management  COBIT 5 for Risk addresses all ISO principles, through the:  COBIT 5 for Risk principles and enablers themselves  Enabler models  In addition, the framework and process model aspects are covered in greater detail by the COBIT 5 for Risk process model.  All elements are included in COBIT 5 for Risk and are often expanded on or elaborated in greater detail, specifically for IT risk management. © 2013 ISACA. All rights reserved.64

65 Alignment ISO 27005:2011 – Information security risk management  COBIT 5 for Risk addresses all of the components described within ISO Some of the elements are structured or named differently.  COBIT 5 for Risk takes a broader view on IT risk management compared with ISO which is focused on the management of security related risk.  There is a stronger emphasis in COBIT 5 for Risk on processes and practices to ensure the alignment with business objectives, the acceptance throughout the organisation and the completeness of the scope, amongst other factors. COSO Enterprise Risk Management  COBIT 5 for Risk addresses all of the components defined in COSO ERM.  Although COBIT 5 for Risk focuses less on control, it provides linkages to enablers—management practices in the COBIT 5 framework.  The essentials with regards to both control and general risk management as defined in COSO ERM are present in COBIT 5 for Risk, either through the:  Principles themselves and the framework’s conceptual design  Process model and additional guidance provided in the framework © 2013 ISACA. All rights reserved.65


Download ppt "Enterprise IT Governance and Risk Mgmt with COBIT – Part VI-b COBIT 5 for Risk Dr. Yue “Jeff” Zhang 张跃博士 California State University, Northridge 1."

Similar presentations


Ads by Google