Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall

Historical view it was a low-key activity focused on delivering projects and keeping applications up & running Today’s view much broader & complex recognized as integral part of technology-based work 19-2

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Can harm constituencies both within outside companies Damage corporate reputations Dampens organization’s ability to compete 19-3

© 2012 Pearson Education, Inc. Publishing as Prentice Hall 19-4 Legal/HazardsThird RegulatoryParties External Risk Operations Information Systems Development People Controls Processes Culture Governance Internal Risk ENTERPRISE RISK

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Third parties Partners Software vendors & service providers Suppliers & customers Hazards Disasters & pandemics Geopolitical upheavals Legal & regulatory issues Failure to adhere to the laws & regulations 19-5

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Information risks Privacy & quality Accuracy & protection People risks ( Poorly designed business process Failure to adapt business processes Cultural risks Risk aversion and Lack of risk awareness Control Ineffective controls). Governance Ineffective structure, roles 19-6

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Viruses Hackers Organized crime Industrial spies Terrorists 19-7

© 2012 Pearson Education, Inc. Publishing as Prentice Hall 1. Focus on what’s important : RM is not about anticipating all risks It’s to reduce significant risks to manageable level RM should not be about saying “no” to a risk It’s how to say “yes” building a more agile enterprise 19-8

© 2012 Pearson Education, Inc. Publishing as Prentice Hall 2. Expect image to change over time: RM actions should be continuous, iterative & structured Mandatory risk assessment implemented at different key stages Ongoing reviews & process of evaluation need to be adapted 19-9

© 2012 Pearson Education, Inc. Publishing as Prentice Hall 3. View risk from multiple levels & perspectives: RM assessments need to include root cause and multifaceted analyses Organizations need to assess risk trends and develop strategies for dealing with them 19-10

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Goal of a risk management framework (RMF) Ensure the right risks addressed At the right levels RMF guides Development of risk policies and Integrates appropriate risk standards and processes into existing practices

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Risk category Policies and standards Risk type Risk ownership Risk mitigation Risk reporting and monitoring

© 2012 Pearson Education, Inc. Publishing as Prentice Hall General area of risk involved (e.g., criminal, operations, third party) It includes the general principles for guiding risk decisions Principles identify any standards applied to each risk category Identify & label risks with generic name & definition (ideally linked to a business impact) Assign each risk an owner, either IT or the business Owners & stakeholders need clear responsibilities & accountabilities Major risks can be owned by committees Associate risk to controls, practices & tools addressing it effectively RFM provides consistent, effective & appropriate risk management Risk metrics reported in understandable way to organization Risk monitoring ongoing to evaluate possible changes

© 2012 Pearson Education, Inc. Publishing as Prentice Hall Look beyond technical risk Develop a common language of risk Simplify the presentation Right size Standardize the technology base Rehearse Clarify roles & responsibilities Automate where appropriate Educate & communicate

© 2012 Pearson Education, Inc. Publishing as Prentice Hall IT risk involves many types of business risks Therefore should be managed holistically Integrated risk management framework helps organizations understand risk and make better decisions associated with it 19-15