Enterprise IT Governance with COBIT – Part V


1 Enterprise IT Governance with COBIT – Part V
Risk IT Framework
Dr. Yue “Jeff” Zhang (张跃博士), California State University, Northridge

2 Outline of the Course
IT governance overview
COBIT 4.1 overview
COBIT 4.1 framework
Val IT
Risk IT
COBIT Practitioners Guide
Information Security Guide to the Board
COBIT 5

3 What is risk management?
“Is the identification, assessment, and prioritization of risks (as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.” — Wikipedia
Action: Ask “what is risk management?” Review the definition of risk management and come to a common understanding. Discuss the typical strategies to manage risk.

4 Who is a risk manager?
We all manage risk
Life and business are complex; but risk management should be simple
Use risk management approaches to make business simpler
Use the right tool for the job

5 Risk management tenet
Managing risk to business performance against specific objectives ENABLES businesses to achieve those objectives
Changing situations may bring gain or loss
Risk management ENABLES businesses to stay on the right track and to seize opportunities
Risk management should improve agility, making it safer to move in a changing environment
“Human immunity” analogy

6 Why Care About IT-related Risk?
Enterprises are dependent on automation and integration. Need to cross IT silos of risk management. Important to integrate with existing levels of risk management practices.

7 Manage and Capitalize on Business Risk
Enterprises achieve return by taking risks. Some try to eliminate the very risks that drive profit. Guidance was needed on how to manage risk effectively.

8 Two views of business-related IT risk
IT is a tool that can be used to enable the business: to seek better outcomes by reducing risk to the business, through improving consistency, complying with controls, and reducing errors
IT is a tool that can break, be used inefficiently, or cause harm if misused or exploited maliciously

9 IT Risk in the Risk Hierarchy

10 Risk IT: A Balance Is Essential
Risk and value are two sides of the same coin. Risk is inherent to all enterprises. BUT enterprises need to ensure that opportunities for value creation are not missed by trying to eliminate all risk.
COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk.
Risk IT sets good practices for the ends by providing a framework for enterprises to identify, govern and manage IT risk.

11 Purpose of Risk IT Framework
The Risk IT framework explains IT risk and enables users to:
Integrate the management of IT risk into the overall ERM, thus allowing the enterprise to make risk-return-aware decisions
Make well-informed decisions about the extent of the risk, and the risk appetite and the risk tolerance of the enterprise
Understand how to respond to the risk
In brief, this framework allows the enterprise to make appropriate risk-aware decisions.

12 Benefits/Outcomes of Risk IT
The benefits of using Risk IT include:
A common language to help communication amongst business, IT, risk and audit management
End-to-end guidance on how to manage IT-related risks
A complete risk profile to better understand risk, so as to better utilize enterprise resources
A better understanding of the roles and responsibilities with regard to IT risk management
Alignment with ERM
A better view of IT-related risk and its financial implications
Fewer operational surprises and failures
Increased information quality
Greater stakeholder confidence and reduced regulatory concerns
Innovative applications supporting new business initiatives

13 What Risk IT Offers
Provides guidance to help executives and management ask the key questions; make better, more informed risk-adjusted decisions; and guide their enterprises so risk is managed effectively
Helps save time, cost and effort with tools to address business risks
Integrates the management of IT-related business risks into overall enterprise risk management
Helps leadership understand the enterprise’s risk appetite and risk tolerance
Provides practical guidance driven by the needs of enterprise leadership around the world

14 Risk IT: Extends Val IT and COBIT
Risk IT complements and extends COBIT and Val IT to make a more complete IT governance guidance resource.

15 Covers IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
Late project delivery
Not achieving enough value from IT
Compliance
Misalignment
Obsolete or inflexible IT architecture
IT service delivery problems

16 Risk IT is unique
Provides a balanced view of an enterprise’s IT-related business risks:
Focus on the intersection of business and IT
Unifies silos of IT-related business risk, including value, change, availability, security, project, and recovery
Links with enterprise-wide risk management frameworks (COSO ERM, ISO 31000, etc.)
Enables a business activity and process view of IT-related business risk

17 Key values to YOU
Enterprises can use the framework and guide to:
Assess, align, and improve their risk management activities more easily
Gain credibility to obtain support for investment in such activities
Benchmark against agreed criteria in maturity and capability
Build a community of support
Obtain operational guidelines

18 IT risk categories
The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT

19 Risk IT principles

20 Guiding Principles of Risk IT
Always connect to enterprise objectives.
Align the management of IT-related business risk with overall enterprise risk management.
Balance the costs and benefits of managing risk.
Promote fair and open communication of IT risk.
Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
Understand that this is a continuous process and an important part of daily activities.
{Excellent explanation PP 13~14}

21 Key Risk IT Content: The “What”
Risk management essentials:
In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
In Risk Evaluation: describing business impact and risk scenarios
In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
Process model sections that contain:
Descriptions
Input-output tables
RACI (Responsible, Accountable, Consulted, Informed) table
Goals and metrics table
A maturity model is provided for each domain

22 Risk IT framework

23 Risk Governance Domain
Risk Governance Essentials:
Responsibility and accountability for risk
Risk appetite and tolerance
Awareness and communication
Risk culture

24 Risk Evaluation Domain
Risk Evaluation Essentials:
Risk scenarios
Business impact descriptions

25 Risk Response Domain
Risk Response Essentials:
Key risk indicators (KRIs)
Risk response definition and prioritisation

26 Risk Governance - Risk Appetite and Tolerance
Risk appetite—The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision) (“direction”, “trade-off”)
Risk tolerance—The acceptable variation relative to the achievement of an objective (best measured in the same units as those used to measure the related objective) (“limit”, “threshold”)
PP. 3~4

27 Risk Appetite (P.17)
Amount of risk an entity is prepared to accept when trying to achieve its objectives.
The enterprise’s objective capacity to absorb loss
The culture towards risk taking—cautious or aggressive

28 Risk Tolerance (PP.17~18)
Tolerable deviation from the level set by the risk appetite and business objectives
Example: standards require projects to be completed within the estimated budgets and time, but overruns of 10% of budget or 20% of time are tolerated.

29 Risk Governance – awareness and communication
Benefit of open communication on IT risk: the executive management’s understanding of actual exposure to IT risk → informed IT risk responses … (P.18)
Consequence of poor communication: a false sense of confidence at the top about actual exposure to IT risk → lack of well-understood direction for risk management
Responsibility and accountability: Figure 8, P.19

30 Risk Communication What to Communicate?

31 Risk Culture

32 Essentials of risk evaluation (Re Framework, Slide #15)
Describing business impact
Risk scenarios
Can be used to prioritize risks
Heart of risk management
Measurement is important in this domain

33 Risk Evaluation – business impact

34 Risk Evaluation – risk scenarios (PP.25~26)

35 Essentials of risk response (Re Framework, Slide #15)
Key risk indicators (KRIs)
Risk response definition and prioritization
Measurement also plays important roles here

36 Risk response
Risk avoidance
Risk reduction/mitigation
Risk sharing/transfer
Risk acceptance

37 Risk response - Risk avoidance
Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk response is adequate. This is the case when:
No other cost-effective options can succeed
Risk cannot be shared or transferred
Risk is deemed unacceptable

38 Risk response - Risk sharing/transfer
Sharing means reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk.
Examples: insurance, outsourcing

40 Risk response - Risk acceptance
No action is taken relative to a particular risk, and loss is accepted when/if it occurs.
Different from being ignorant of the risk

41 Risk Response Definition
The purpose of defining a risk response is to bring risk in line with the defined risk tolerance for the enterprise after due risk analysis. In other words, a response needs to be defined such that future residual risk (=current risk with the risk response defined and implemented) is as much as possible (usually depending on budgets available) within risk tolerance limits.

42 Risk and opportunity

43 Risk and opportunity
IT can play several roles in the risk-opportunity relationship (figure 16):
Value enabler – new business initiatives almost always depend on some involvement of IT
The reverse side of the above applies as well: value destruction – some IT events can cause mild to serious disruption to the organization.

44 Risk IT Framework Process Model

45 Risk IT Framework Process Model
Detailed Process Descriptions
Process Components
Management Practices
Inputs and Outputs
Management Guidelines
Roles and Responsibilities—RACI Chart
Goals and Metrics
Maturity Models

46 The Risk IT Framework
P.43; PP.43~44 important
PP.49~50, similar to PP.43~44

47 Risk IT: The “How”
Key contents of The Risk IT Practitioner Guide:
Review of the Risk IT process model
Risk IT to COBIT and Val IT
How to use it:
Define a risk universe and scoping risk management
Risk appetite and risk tolerance
Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
Risk scenarios: includes capability risk factors and environmental risk factors
Risk response and prioritisation
A risk analysis workflow: “swim lane” flow chart, including role context
Mitigation of IT risk using COBIT and Val IT
Mappings: Risk IT to other risk management standards and frameworks
