Applying Risk-based Techniques and Tools to...
![Page 1: Applying RiskRisk--basedbased Techniques and Tools to ...m.isaca.org/Indonesia/Documents/Technology-Risk-Management.pdfTechnology Risk Management Applying RiskRisk--basedbased Techniques](https://reader033.vdocuments.site/reader033/viewer/2022041510/5e276012c021ca5a5431004c/html5/thumbnails/1.jpg)
Technology Risk Management
Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments
by Phil Leifermann, MBA, CIA, CCSA, CFSA, CGAP, CRMA, CISA, CFE
Managing Director, Insight Consulting
• Stakeholder needs
• Enterprise wide
• Single integrated framework
• Holistic approach
• Governance vs. management
[Diagram, built up over five slides. Labels: Strategy, Execution, Policy, Procedures, Systems, People, Risk, Control, Assurance]
What is assurance?
• Certainty
• Confidence
• Freedom from doubt
• Guarantee
• Warranty
[Diagram, built up over five slides. Labels: Strategy, Information, Infrastructure, Data, People, Applications, Facilities, Risks, Controls]
Challenges:
• How do we plan audits of technology?
• How do we conduct audits of technology?
[Diagram: entities A, B, C, D, E, F, G, H, I, J]
• Define audit universe
• Conduct risk assessment
• Select audits
• Determine strategy for audits
Define Audit Universe
• Identify all auditable entities
• This becomes audit universe, i.e. all entities which might be audited
Define Audit Universe (cont.)
[Diagram, built up over two slides: entities A to J, labelled Auditable Entities, grouped as the Audit Universe]
Risk Assessment
• Determine risk factors
• Determine weightings
• Assign scores
• Calculate risk scores
• Assign risk levels
Risk Assessment (cont.)
Risk Factors
• Determine risk factors:
✓ Factor A: Financial Risk
✓ Factor B: Operational Risk
✓ Factor C: Reputational Risk
Risk Assessment (cont.)
Weightings
• For each risk factor, determine weighting:
✓ Financial Risk: 50%
✓ Operational Risk: 25%
✓ Reputational Risk: 25%
Risk Assessment (cont.)
Scores
• For each risk factor, assign scores:
✓ Financial Risk: 8/10
✓ Operational Risk: 10/10
✓ Reputational Risk: 5/10
Risk Assessment (cont.)
Risk Levels
• Multiply weightings and scores
• Calculate totals
• Add totals
• Calculate grand total
Risk Assessment (cont.)
Risk Factors         Weightings   Scores   Totals
Financial Risk       0.5          8        4
Operational Risk     0.25         10       2.5
Reputational Risk    0.25         3        0.75
Grand Total                                7.25
Risk Assessment (cont.)
Risk Levels
• Convert grand total to risk level:
✓ High risk: 6.5 – 10
✓ Medium risk: 3.5 – 6.5
✓ Low risk: 1 – 3.5
Risk Assessment (cont.)
[Table repeated from the earlier slide (grand total 7.25), shown against a Risk Levels scale: High, Medium, Low]
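The weighted scoring steps above, carried through for a small audit universe as an added Python example (not part of the original slides). Entity "A" reuses the scores from the slide's table; the other entities, the 1 to 10 score range check and the rule that a total on a shared band edge (6.5 or 3.5) takes the higher level are assumptions.

```python
"""Weighted risk scoring for an audit universe (added illustration)."""
import math

# Weightings from the slides: Financial 50%, Operational 25%, Reputational 25%.
WEIGHTS = {"financial": 0.5, "operational": 0.25, "reputational": 0.25}

# Band floors, highest first. The slides give High 6.5-10, Medium 3.5-6.5 and
# Low 1-3.5, so 6.5 and 3.5 each sit in two bands.
# ASSUMPTION: a grand total on a shared edge takes the higher level.
LEVEL_FLOORS = [("High", 6.5), ("Medium", 3.5), ("Low", 1.0)]

# Constructed sample universe. Entity "A" reuses the scores from the slide's
# table (8, 10, 3); the other entities and their scores are made up.
SAMPLE_UNIVERSE = {
    "A": {"financial": 8, "operational": 10, "reputational": 3},
    "B": {"financial": 5, "operational": 6, "reputational": 7},
    "C": {"financial": 2, "operational": 3, "reputational": 1},
    "D": {"financial": 7, "operational": 6, "reputational": 6},  # lands on 6.5
    "E": {"financial": 4, "operational": 3, "reputational": 3},  # lands on 3.5
}


def validate_weights(weights):
    """Reject weightings that are negative or do not add up to 100%."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("weightings must not be negative")
    if not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weightings must sum to 1.0 (100%)")


def risk_score(scores, weights=WEIGHTS):
    """Multiply each factor score by its weighting and add the totals."""
    validate_weights(weights)
    if set(scores) != set(weights):
        raise ValueError("every risk factor needs exactly one score")
    for factor, score in scores.items():
        # ASSUMPTION: scores run from 1 to 10, matching the lowest band floor.
        if not 1 <= score <= 10:
            raise ValueError(f"{factor} score {score} is outside 1-10")
    grand_total = sum(weights[f] * scores[f] for f in weights)
    # Rounding keeps float noise from pushing a total across a band edge.
    return round(grand_total, 2)


def risk_level(grand_total):
    """Convert a grand total to High / Medium / Low."""
    for level, floor in LEVEL_FLOORS:
        if grand_total >= floor:
            return level
    raise ValueError("grand total is below the lowest band")


def rank_universe(universe, weights=WEIGHTS):
    """Score every auditable entity and list them highest risk first."""
    rows = [(name, risk_score(s, weights)) for name, s in universe.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))  # ties broken by name
    return [(name, total, risk_level(total)) for name, total in rows]


if __name__ == "__main__":
    for name, total, level in rank_universe(SAMPLE_UNIVERSE):
        print(f"{name}: {total:5.2f}  {level}")
```
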
Risk Assessment (cont.)
[Diagram: Audit Universe of entities A to J]
Risk Assessment (cont.)
[Diagram: entities A to J sorted into High Risk, Medium Risk and Low Risk columns; the extracted order is A, J, D, G, B, H, F, C, I, E]
Challenges:
• How do we plan audits of technology?
• How do we conduct audits of technology?
• For each auditable entity, identify risks that might affect this auditable entity
• Assess these risks
• Measure level of inherent risk
[Process step shown: Risk Identification]
• Impact rating (i.e. 1 - 5)
• Probability rating (i.e. 1 - 5)
• Risk = impact x probability
  - e.g. 4 x 3 = 12
[Diagram: Level of Inherent Risk against Risk Appetite; outcome label: Reject]
• For these risks, assess controls that prevent, detect, correct and escalate these risks
• Measure level of controlled risk
[Process steps shown: Risk Identification, Risk Assessment]
[Diagram: Level of Inherent Risk and Level of Controlled Risk against Risk Appetite; outcome label: Reject]
• If level of controlled risk exceeds “risk appetite”, design action plans to further reduce level of risk
• Measure level of residual risk
[Process steps shown: Risk Identification, Risk Assessment, Risk Mitigation]
[Diagram: Level of Inherent Risk, Level of Controlled Risk and Level of Residual Risk against Risk Appetite; outcome label: Accept]
[Chart, built up over five slides: Impact and Probability axes (1 to 5), with regions labelled Manage, Contingency Plan, Housekeeping and Monitor]
[Chart: Impact and Probability axes (1 to 5); entity A appears twice, with labels Inherent Risk, Residual Risk and Controls]
[Chart, built up over five slides: Inherent Risk and Residual Risk axes (1 to 5), with regions labelled Increase Resources, Assess Controls, Not Applicable and Decrease Resources]
[Diagram, built up over three slides: Management, Risk Management and Internal Audit, with labels 1st Line of Defence, 2nd Line of Defence and 3rd Line of Defence]
[Diagram labels: Management, Risk Management, Internal Audit; Control]
• Management (with assistance from risk management) are responsible for designing, implementing and maintaining controls
[Diagram labels: Management, Risk Management, Internal Audit; Control, Assurance]
• Internal audit (with assistance from risk management) are responsible for ensuring controls are effectively and efficiently designed, implemented and maintained
[Diagram labels: Management, Risk Management, Internal Audit; Operate, Support, Validate]
Further Information
• Phil Leifermann
• President Director, Insight Consulting
• Phone: +62 21 250-6696
• Fax: +62 21 250-6697
• Email: [email protected]