4 What is risk management?
“The identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” — Wikipedia
Action: Ask what is risk management? Review the definition of risk management and come to a common understanding. Discuss the typical strategies to manage risk.
5 Who is a risk manager?
- We all manage risk
- Life and business are complex, but risk management should be simple
- Use risk management approaches to make business simpler
- Use the right tool for the job
6 Manage and Capitalize on Business Risk
- Enterprises achieve return by taking risks.
- Some try to eliminate the very risks that drive profit.
- Guidance was needed on how to manage risk effectively.
7 Risk management tenet
- Managing risk to business performance against specific objectives ENABLES businesses to achieve the objectives
- Changing situations may bring gain or loss
- Risk management ENABLES businesses to stay on the right track and to seize opportunities
- Risk management should improve agility, making it safer to move in a changing environment
- “Human immunity” analogy
8 Two views of business-related IT risk
- IT is a tool that can be used to enable the business
  - To seek better outcomes by reducing risk to the business
  - Through improving consistency, complying with controls, and reducing errors
- IT is a tool that can break, be used inefficiently, or cause harm if misused/exploited maliciously
10 Covers IT-related Risk Management
IT-related business risks cover all IT-related risks, including:
- Late project delivery
- Not achieving enough value from IT
- Compliance
- Misalignment
- Obsolete or inflexible IT architecture
- IT service delivery problems
11 Comparison of RiskIT and COBIT 5 for Risk
- RiskIT was organized around domains and processes, just as COBIT 4.1 was
- COBIT 5 for Risk is organized around the 5 principles and seven enablers, just as COBIT 5 is
- For every enabler, COBIT 5 for Risk then approaches it from:
  - Stakeholders (who participate or are impacted)
  - Goals
  - Life cycle
  - Good practices – this is the “action”/“solution” part
12 Comparison (cont)
The second unique feature of COBIT 5 for Risk is that it organizes the analyses and practices from two perspectives:
- Risk function
- Risk management
Risk Function can be understood as the principles, policies, processes, org structure, … [do they sound familiar? Yes, they’re the 7 enablers!] that are in place to “strengthen” the org so it is better able to face and handle risks.
- The “preparedness” of an org against risks
13 Comparison (cont)
Risk Management, by contrast, can be understood as the principles, policies, processes, org structure, … [again, the 7 enablers!] that are employed to “curb”, “fight” and “redirect” risks when they occur.

Perspective | Med analogy | Military analogy | Remarks
Risk function | Prevention | Readiness and deterrence (standing forces, deterrent power) | Long-term improvement of org’s overall “fitness” against risks
Risk mgmt | Treatment | Battle plan; tactics (strategy and tactics; campaign plan) | Direct handling of risks: analyses/evaluation, response, recovery
14 COBIT 5 for Risk
1. Understand the drivers, benefits and target audiences from a risk perspective
21 Clarification of “Risk” in COBIT 5 for Risk
- When risk is referenced in COBIT 5 for Risk, it is the current risk.
- Figure 7 shows how inherent, current and residual risk interrelate.
22 COBIT 5 for Risk
2. Understand the components of risk activities.
23 Key Risk IT Content: The “What”
Risk management essentials:
- In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
- In Risk Evaluation: describing business impact and risk scenarios
- In Risk Response: key risk indicators (KRI) and risk response definition and prioritisation
Process model sections that contain:
- Descriptions
- Input-output tables
- RACI (Responsible, Accountable, Consulted, Informed) table
- Goals and metrics table
A maturity model is provided for each domain.
24 Risk IT framework
Roughly, not exactly; to help with understanding and memory.

Domain | Time | Manner
Governance | “Before” | Always
Evaluation | “During” | Periodical
Response | After | In incident
25 Risk Governance Domain
Risk Governance Essentials:
- Responsibility and accountability for risk
- Risk appetite and tolerance
- Awareness and communication
- Risk culture
32 Risk Function Perspective
COBIT 5 for Risk identifies all COBIT 5 processes that are required to support the risk function:
- Key supporting processes – dark pink
- Other supporting processes – light pink
Core risk processes, shown in light blue, are also highlighted—these processes support the risk management perspective:
- EDM03 Ensure risk optimisation.
- APO12 Manage risk.
39 Risk Scenarios
Risk scenarios are a key element of the COBIT 5 risk management process APO12; two approaches are defined:
- Top-down approach—Use the overall enterprise objectives and consider the most relevant and probable IT risk scenarios impacting these
- Bottom-up approach—Use a list of generic scenarios to define a set of more relevant and customised scenarios, applied to the individual enterprise
42 Risk Scenarios
- When a risk scenario materialises, a loss event occurs.
- The loss event has been triggered by a threat event (Threat type + Event).
- The frequency of the threat event is influenced by a vulnerability.
- The vulnerability is usually a state; it can be increased/decreased by vulnerability events, e.g., controls strength or by the threat strength.
43 Developing risk scenarios work flow
1. Use the list of example generic risk scenarios (Fig 38, P67~; partial reprint in S#46) to define a manageable set of tailored risk scenarios for the enterprise;
2. Perform a validation against the business objectives of the entity;
3. Refine the selected scenarios based on the validation;
4. Reduce the number of scenarios to a manageable set (usually at least a few dozen);
5. Keep all the scenarios in a list so they can be re-evaluated.
44 Developing risk scenarios work flow (cont)
- Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenarios are assessed.
- The enterprise can also consider evaluating scenarios that have a chance of occurring – the “stress” testing.
- In “1” above, risk factors are those conditions that influence the frequency and/or the business impact of risk scenarios. Fig 35, P. 61
46 Risk Scenarios
COBIT 5 for Risk provides:
- 111 risk scenario examples
- Across 20 scenario categories
49 Risk appetite
The amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission.
When considering the risk appetite levels for the enterprise, two major factors are important:
- The enterprise’s objective capacity to absorb loss, e.g., financial loss, reputation damage
- The (management) culture or predisposition towards risk taking—cautious or aggressive. What is the amount of loss the enterprise wants to accept to pursue a return?
50 Risk appetite
- Risk appetite can be defined in practice in terms of combinations of frequency and magnitude of a risk.
- Risk appetite can and will be different amongst enterprises
51 Risk tolerance
- Risk tolerance is the tolerable deviation from the level set around the risk appetite, a deviation that management is willing to allow as it pursues the objectives.
- For example, project overruns of 10 percent of budget or 20 percent of time are tolerated.
- Risk appetite and risk tolerance go hand in hand.
- Risk tolerance is defined at the enterprise level and is reflected in policies set by the executives;
- At tactical levels of the enterprise, exceptions can be tolerated (or different thresholds defined) as long as at the enterprise level the overall exposure does not exceed the set risk appetite.
- Cases and consequences of “zero tolerance”
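An added example, not taken from the slides or from COBIT 5 for Risk, of slides 50 and 51: appetite expressed as frequency/magnitude combinations, a tolerance band around it, and tactical exceptions that hold only while enterprise-level exposure stays within appetite. The band values, the 10 percent tolerance, the enterprise cap, the scenario figures and the use of expected annual loss as the exposure measure are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    unit: str             # business unit owning the scenario
    freq_per_year: float  # estimated loss-event frequency
    magnitude: float      # estimated loss per event (currency units)

    @property
    def exposure(self) -> float:
        # Expected annual loss: an assumed way to aggregate exposure.
        return self.freq_per_year * self.magnitude

# Assumed appetite: acceptable (max frequency, max magnitude) combinations.
APPETITE_BANDS = [(12.0, 10_000), (1.0, 100_000), (0.1, 1_000_000)]
TOLERANCE = 0.10               # assumed tolerable deviation above a band
ENTERPRISE_APPETITE = 250_000  # assumed cap on total expected annual loss

def classify(s: Scenario) -> str:
    """Return 'within_appetite', 'within_tolerance' or 'exceeds'."""
    best = "exceeds"
    for max_freq, max_mag in APPETITE_BANDS:
        if s.freq_per_year > max_freq:
            continue  # this band does not allow events that frequent
        if s.magnitude <= max_mag:
            return "within_appetite"
        if s.magnitude <= max_mag * (1 + TOLERANCE):
            best = "within_tolerance"
    return best

def review(register):
    """Classify every scenario, then apply the enterprise-level check."""
    results = {s.name: classify(s) for s in register}
    total = sum(s.exposure for s in register)
    over = total > ENTERPRISE_APPETITE
    if over:
        # Tactical exceptions stop being tolerable once the aggregate
        # exposure exceeds the enterprise appetite.
        results = {n: "exceeds" if r == "within_tolerance" else r
                   for n, r in results.items()}
    return results, total, over

# Constructed register; scenario names follow the risk types on slide 10.
REGISTER = [
    Scenario("Late project delivery", "PMO", 2.0, 9_000),
    Scenario("IT service outage", "Operations", 0.5, 105_000),
    Scenario("Compliance finding", "Legal", 0.05, 1_500_000),
]
```

Calling `review(REGISTER)` returns the per-scenario classification, the aggregate exposure and whether that aggregate breaches the enterprise appetite.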
61 Brief description of selected key contents
- P12, Fig 3 – COBIT 5 for Risk overview
- P20, Fig 9 – Two perspectives on risk
- P31, Fig 16 – Risk policy examples
- P35, Fig 18/19 – supporting processes for risk function
- P42, Fig 26 – Behaviors for risk gov and mgmt.
- P48, Fig 28 – Info items supporting risk gov & mgmt.
- P52, Fig 30 – risk-mgmt.-related services
- P56, Fig 32 – risk mgmt. skill sets
62 Brief description of selected contents (cont)
- PP 59-63, Risk scenarios
- PP , Core COBIT 5 risk mgmt. processes
- PP , , : Using COBIT 5 enablers to manage IT risk scenarios (selected)
- PP : Comprehensive risk scenario template
[Many of the materials in the above will be used for your team project as well as individual project]