Managing IT Risk: The ISACA Risk IT Framework
Charalampos (Haris) Brilakis, CISA
ISACA Athens Chapter BoD / Education Committee Chair; Sr. Manager, Internal Audit, Eurobank (Greece)
“…All technology should be assumed guilty until proven innocent…” ‐‐ David Brower, environmentalist
1st ISACA Day, Sofia, 15 October 2015
What is your role in managing risk?
Do you:
1. Own and manage risks? (e.g. Business & IT Mgmt)
2. Oversee risks? (e.g. Security, Risk Mgmt, Compliance)
3. Provide independent assurance? (Internal Audit)
Harry Brilakis | ISACA Athens Chapter
Agenda
• ISACA’s Risk IT Framework
• IT Risk basics
• Risk Governance Domain
• Risk Evaluation Domain
• Risk Response Domain
• Process Flow & Key Points to remember
Risk Management Frameworks & Risk IT
Standards and frameworks are available, but are either too:
• Generic enterprise risk management oriented (COSO ERM)
• IT security oriented
The Risk IT Framework fills the gap:
• Complete and stand‐alone framework
• Integrates with other RM frameworks already implemented
• Complements Val IT and COBIT 4.1
• Guidance available to ISACA Members
The scope of the Risk IT framework is also fully covered within the scope of the COBIT 5 framework.
Key content of the Risk IT framework includes:
• Risk management essentials
  • In Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
  • In Risk Evaluation: describing business impact and risk scenarios
  • In Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
• Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)
• Process model sections that contain: descriptions, input‐output tables, RACI (Responsible, Accountable, Consulted, Informed) table, goals and metrics table
• Maturity model provided for each domain
• Appendices: reference materials, high‐level comparison of Risk IT to other risk management frameworks and standards, glossary
Available as a free download to all: www.isaca.org/riskit
“What” to do to manage IT risk?
Key contents of The Risk IT Practitioner Guide:
• Review of the Risk IT process model
• Risk IT to COBIT and Val IT
• How to use it:
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: “swim lane” flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT
• Mappings: Risk IT to other risk management standards and frameworks
• Glossary
Available as a free download to ISACA Members
Guide on “How” to implement it
Benefits of adopting the Risk IT Framework:
• Guidance on how to manage IT‐related risks
• A common and sustainable approach for IT risk assessment and response
• A better view of IT‐related risk and its financial implications
• A better understanding of the roles and responsibilities with regard to IT risk management
• A common language to help communication amongst business, IT, risk and audit management
• Opportunities for integration of IT risk management with the overall risk and compliance structures within the enterprise
• Alignment with ERM
Benefits
Who can benefit from ISACA’s Risk IT Framework?
• Boards and executive management who need to set direction and monitor risk at the enterprise level
• Managers of IT and business departments, who need to define risk management processes
• Risk management professionals who need specific IT risk guidance
• External stakeholders
Agenda
• The Risk IT Framework
• IT Risk basics
• Risk Governance Domain
• Risk Evaluation Domain
• Risk Response Domain
• Process Flow & Key Points to remember
Which of the following entail IT risk?
Business objectives
1. Improve customer service scores [xx]% in every branch by year‐end
2. Reduce customer wait time in line to [xx] minutes
3. By the end of the year decrease administration expenses by [xx]%.
4. Introduce a mobile application for expanding our service to younger customers
5. Timely produce accurate customer monthly billing statement
6. Adapt to the new tax law / comply with new regulation of …
Generic IT risks
1. IT Project budget overrun or new application development failure, delaying business initiatives
2. Dependency and use of end‐user computing and ad hoc solutions for important information needs
3. Intentional or unintentional software modification leading to wrong data or fraudulent actions
4. Systems cannot handle increased transaction volumes
5. Virus attack
6. Data corruption
7. Lack of new technology IT skills
What is IT risk?
IT risk is business risk
• Specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
• The risk and opportunity relationship also holds for IT risk.
Business management is the most important stakeholder
• Determines what IT needs to do to support the business
• IT risk is not purely a technical issue.
IT risk in the Risk Hierarchy
IT risk is a component of the overall risk universe of the enterprise
IT risk is not limited to information security, but covers all IT‐related risks. For example: IT service interruptions, business efficiency, late project delivery
• Always connect to business objectives.
• Align the management of IT‐related business risk with overall ERM (if implemented).
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well‐defined tolerance levels.
The Risk IT Principles
• Are a continuous process and part of daily activities.
• Balance the costs and benefits of managing IT risk.
• Promote fair and open communication of IT risk.
Risk Governance Domain: ensure that IT risk management practices are embedded in the enterprise
Risk Evaluation Domain: ensure that IT‐related risks and opportunities are identified, analysed and presented in business terms
Risk Response Domain: ensure that IT‐related risk issues, opportunities and events are addressed in a cost‐effective manner and in line with business priorities
The three Domains
Agenda
• The Risk IT Framework
• IT Risk basics (definitions, principles)
• Risk Governance Domain
• Risk Evaluation Domain
• Risk Response Domain
• Process Flow & Key Points to remember
Domain’s basic concepts include:
• Responsibility and accountability for IT risk
• Awareness and communication
• Risk appetite and tolerance, risk capacity
• Risk culture
Risk Governance Domain
Assign responsibilities and accountability for IT risk
• Stakeholders are across the enterprise, not just IT
• Guidance is provided (RACI charts)
Promote risk awareness via risk communication
• Risks are well understood and known, IT risk issues are identifiable, and the enterprise recognises and uses the means to manage them.
What to communicate:
• Risk strategy, policies and procedures, awareness training
• Risk management process maturity
• Risk profile, KRIs, events and loss data, root causes of loss events
To whom:
• Executive management, board, CRO, CIO, CFO, business management, IT management, risk control, compliance, audit, HR, staff…
Risk Governance Domain
Risk appetite
The broad‐based amount of risk a company or other entity is willing to accept when trying to achieve its objectives
• Measured in terms of frequency and magnitude of a risk
Risk Governance Domain
What is the amount of loss the enterprise wants to accept to pursue a return?
Risk tolerance
The acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives
• Often measured in the same units as those used to measure the related objective.
• At lower levels of the enterprise, exceptions can be tolerated as long as the overall exposure (at enterprise level) does not exceed the set risk appetite.
Risk capacity
The cumulative loss an enterprise can withstand without risking its continued existence.
• It differs from risk appetite, which is more about how much risk is desirable.
Risk Governance Domain
Risk Governance Domain
Risk Appetite and Risk Capacity
Left diagram: a relatively sustainable situation
• Risk appetite is lower than risk capacity
• Actual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity
Right diagram: an unsustainable situation
• Risk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss.
• As a result, actual risk routinely exceeds risk capacity even when staying almost always below the risk appetite level.
Risk culture
• A setting in which components of risk are discussed openly, and acceptable levels of risk are understood and maintained.
Risk Governance Domain
Agenda
• The Risk IT Framework
• IT Risk basics (definitions, principles)
• Risk Governance Domain (establish, define)
• Risk Evaluation Domain
• Risk Response Domain
• Process Flow & Key Points to remember
Domain’s basic concepts include:
• Risk scenarios
• Business impact descriptions
Risk Evaluation Domain Essentials
IT risk scenarios
A description of a possible IT‐related event that, when/if it occurs, can lead to a business impact.
Components: actor, threat type, event, asset/resource, time
Risk Evaluation Domain Essentials
NOTE: Risk Scenarios are key elements of the COBIT 5 risk management process APO12
Example of generic IT risk scenarios
Risk Evaluation Domain Essentials
E.g. damage to a critical server / regular software malfunction of critical application software
IT Risk scenarios… (cont)
• IT risk scenarios can be created with a combination of:
  • Top‐down, from business objectives to probable IT risk scenarios
  • Bottom‐up, from generic IT scenarios
• Both approaches are complementary and should be used simultaneously.
• The Risk IT Practitioner Guide and COBIT 5 for Risk provide a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major/common risk scenarios.
Risk Evaluation Domain Essentials
IT Risk scenarios… (cont)
Risk Evaluation Domain Essentials
Risk factors: factors that influence the frequency and/or business impact of risk scenarios. Related to the enterprise’s:
• environment
• capabilities
Business impact descriptions
• IT risk should be expressed in unambiguous and clear, business‐relevant terms.
• The Risk IT Framework does not prescribe any single method.
• IT risk scenarios should be linked to ultimate business impact.
Risk Evaluation Domain Essentials
Agenda
• The Risk IT Framework
• IT Risk basics (definitions, principles)
• Risk Governance Domain (establish, define)
• Risk Evaluation Domain (assess)
• Risk Response Domain
• Process Flow & Key Points to remember
Domain’s basic concepts include:
• Key risk indicators (KRIs)
• Risk response definition and prioritisation
Risk Response Domain Essentials
Key risk indicators (KRIs)
Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.
Risk Response Domain Essentials
Risk response definition and prioritisation
Bring risk in line with the defined risk appetite for the enterprise after risk analysis.
A response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as much as possible (usually depending on budgets available), within risk tolerance limits.
Risk Response Domain Essentials
Responses to risk:
• Risk avoidance: exiting the activities or conditions that give rise to risk.
• Risk reduction/mitigation: action is taken to detect the risk, followed by action to reduce the frequency and/or impact of a risk.
• Risk Sharing/Transfer: reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing.
• Risk Acceptance: no action is taken relative to a particular risk, and loss is accepted when/if it occurs.
IT risk should be accepted only by business management (and business process owners) in collaboration with and supported by IT, and acceptance should be communicated to senior management and the board.
Risk Response Domain Essentials
Risk response selection
• Cost of response (e.g. insurance)
• Importance of risk
• Capability to implement response
• Effectiveness of the response
• Efficiency of the response
Risk response prioritisation
• Quick win: efficient and effective response on high risk
• BC: expensive/difficult responses to high risks, or efficient and effective responses on lower risk
• Defer: costly response to lower risk
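As an added worked example (not code from the deck or from ISACA), the Python below models the earlier slide on risk appetite versus risk capacity and this slide's prioritisation with constructed figures: annual exposure is frequency times magnitude, the aggregate is checked against appetite and capacity as in the two diagrams, and each response is triaged as Quick win, BC (read here as business case) or Defer. The rules for "effective" (residual within the scenario's tolerance) and "efficient" (cost below the exposure removed) are my assumptions, as are all scenario names and amounts.

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    frequency: float   # expected events per year
    magnitude: float   # expected loss per event (constructed EUR figures)
    tolerance: float   # acceptable annual exposure for this one scenario
    def exposure(self) -> float:
        return self.frequency * self.magnitude

@dataclass
class Response:
    scenario: str      # Scenario.name it addresses
    kind: str          # avoid / mitigate / share / accept
    cost: float        # annual cost of the response
    reduction: float   # fraction of the exposure it removes, 0..1

def residual(s: Scenario, r: Response) -> float:
    return s.exposure() * (1.0 - r.reduction)

def status(total: float, appetite: float, capacity: float) -> str:
    if appetite >= capacity:           # the deck's right-hand diagram
        return "appetite above capacity (unsustainable)"
    return ("exceeds capacity" if total > capacity else
            "exceeds appetite" if total > appetite else "within appetite")

def prioritise(s: Scenario, r: Response) -> str:
    high = s.exposure() > s.tolerance
    effective = residual(s, r) <= s.tolerance              # assumed rule
    efficient = r.cost < s.exposure() - residual(s, r)     # assumed rule: cost < exposure removed
    if efficient and effective:
        return "Quick win" if high else "Business case"
    return "Business case" if high else "Defer"

def residual_status(scenarios, chosen, appetite, capacity):
    picked = {r.scenario: r for r in chosen}   # at most one response per scenario; none = accept
    total = sum(residual(s, picked[s.name]) if s.name in picked else s.exposure() for s in scenarios)
    return total, status(total, appetite, capacity)

SCENARIOS = [  # constructed from the deck's list of generic IT risks
    Scenario("peak volumes overwhelm core systems", 2.0, 150_000, 100_000),
    Scenario("data corruption in billing statements", 0.5, 80_000, 50_000),
    Scenario("spreadsheets drive regulatory reporting", 4.0, 10_000, 30_000),
]
RESPONSES = [
    Response(SCENARIOS[0].name, "mitigate", 60_000, 0.80),
    Response(SCENARIOS[1].name, "share", 15_000, 0.90),      # e.g. insurance
    Response(SCENARIOS[1].name, "mitigate", 70_000, 0.50),
]
APPETITE, CAPACITY = 250_000, 1_000_000   # constructed enterprise-level limits
```

With no responses the aggregate exposure (380k) exceeds the appetite; applying the first two responses and accepting the third scenario as-is brings it to about 104k, within appetite.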
Risk Response Domain Essentials
Agenda
• The Risk IT Framework
• IT Risk basics (definitions, principles)
• Risk Governance Domain (establish, define)
• Risk Evaluation Domain (assess)
• Risk Response Domain (act)
• Process Flow & Key Points to remember
1. Define a risk universe and scoping risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: “swim lane” flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT
Risk IT Process Model
ISACA Risk IT complements other risk frameworks; it can and should be adapted to the organisation.
IT risk is business risk:
• Business management is the most important stakeholder
• Should be expressed in business terms
• Contains both opportunities for benefit and threats to success
Responsibilities of the “three lines of defense”: own/manage, oversee, assure
Risk culture, communication and awareness around IT’s role in risk and opportunity
Key Points