managing it risk: the isaca risk it framework -...

Managing IT Risk:The ISACA Risk IT Framework

Charalampos (Haris)Brilakis, CISA

ISACA Athens Chapter BoD / Education Committee ChairSr. Manager, Internal Audit, Eurobank (Greece)

“…All technology should be assumed guiltyuntil proven innocent…” ‐‐ David Brower, environmentalist

1st ISACA Day, Sofia15 October 2015

What is your role in managing risk?

Do you:1. Own and manage risks ? (eg. Business & IT Mgmt)2. Oversee risks ? (eg. Security, Risk Mgmt, Compliance) 3. Provide independent assurance? (Internal Audit)

2Harry Brilakis | ISACA Athens Chapter

• ISACA’s Risk IT Framework

• IT Risk basics

• Risk Governance Domain

• Risk Evaluation Domain

• Risk Response Domain

• Process Flow & Key Points to remember

Agenda


Risk Management Frameworks & Risk IT


Standards and frameworks are available, but are either too: • Generic enterprise risk management oriented (COSO ERM)• IT security oriented

The Risk IT Framework fills the gap.• Complete and Stand‐alone framework• Integrates with other RM frameworks already implemented• Complements ValIT and COBIT 4.1• Guidance available to ISACA Members

The scope of the Risk IT framework is also fully covered within the scope of the COBIT 5 framework.

Key content of the Risk IT framework includes:Risk management essentials

In Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT riskmanagement, awareness and communication, and risk culture

In Risk Evaluation: Describing business impact and risk scenariosIn Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation

Section on how Risk IT extends and enhances COBIT and Val IT (Note: Risk IT does not require the use of COBIT or Val IT.)

Process model sections that contain:DescriptionsInput‐output tablesRACI (Responsible, Accountable, Consulted, Informed) table Goals and Metrics Table

Maturity model is provided for each domainAppendices

Reference materialsHigh‐level comparison of Risk IT to other risk management

frameworks and standardsGlossary

Available as a free download to all: www.isaca.org/riskit

“What” to do to manage IT risk?

Harry Brilakis | ISACA Athens Chapter 5

Key contents of The Risk IT Practitioner Guide:

• Review of the Risk IT process model• Risk IT to COBIT and Val IT• How to use it:

1. Define a risk universe and scoping risk management2. Risk appetite and risk tolerance3. Risk awareness, communication and reporting: includes key risk indicators,

risk profiles, risk aggregation and risk culture4. Express and describe risk: guidance on business context, frequency, impact,

COBIT business goals, risk maps, risk registers5. Risk scenarios: includes capability risk factors and environmental risk factors6. Risk response and prioritisation7. A risk analysis workflow: “swim lane” flow chart, including role context8. Mitigation of IT risk using COBIT and Val IT

• Mappings: Risk IT to other risk management standards and frameworks

• Glossary

Available as a free download to ISACA Members

Guide on “How” to implement it


Benefits of adopting the Risk IT Framework :• Guidance on how to manage IT‐related risks• A common and sustainable approach for IT risk assessment

and response• A better view of IT‐related risk and its financial implications• A better understanding of the roles and responsibilities with

regard to IT risk management• A common language to help communication amongst

business, IT, risk and audit management• Opportunities for integration of IT risk management with the

overall risk and compliance structures within the enterprise• Alignment with ERM

Benefits


Who can benefit from ISACA’s RiskIT Framework?

• Boards and executive management who need to set direction and monitor risk at the enterprise level

• Managers of IT and business departments, who need to define risk management process

• Risk management professionals who need specific IT risk guidance

• External stakeholders


• The Risk IT Framework

• IT Risk basics





Agenda


Which of the following entail IT risk?


Business objectives

1. Improve customer service scores [xx]% in every branch by year‐end

2. Reduce customer wait time in line to [xx] minutes

3. By the end of the year decrease administration expenses by [xx]%.

4. Introduce a mobile application for expanding our service to younger customers

5. Timely produce accurate customer monthly billing statement

6. Adapt to the new tax law / comply with new regulation of …

Generic IT risks

1. IT Project budget overrun or new application development failure, delaying business initiatives

2. Dependency and use of end‐user computing and ad hoc solutions for important information needs

3. Intentional or unintentional software modification leading to wrong data or fraudulent actions

4. Systems cannot handle increased transaction volumes

5. Virus attack6. Data corruption7. Lack of new technology IT skills

What is IT risk?

IT risk is business risk• specifically, the business risk associated with the use,

ownership, operation, involvement, influence and adoption of IT within an enterprise.Risk and opportunity relationship also holds for IT risk

Business management is the most important stakeholder• Determines what IT needs to do to support the business• IT risk is not purely a technical issue.


IT risk in the Risk Hierarchy

IT risk is a component of the overall risk universe of the enterprise


IT risk is not limited to information security, but covers all IT‐related risks. For example: IT service interruptions, business efficiency, late project delivery

• Always connect to business objectives.• Align the management of IT‐related business risk with overall

ERM (if implemented).• Establish the right tone from the top while defining and

enforcing personal accountability for operating within acceptable and well‐defined tolerance levels.

The Risk IT Principles

• Are a continuous process and part of daily activities.

• Balance the costs and benefits of managing IT risk.

• Promote fair and open communication of IT risk.


Risk Governance DomainEnsure that IT risk management practices are embedded in the enterprise

Risk Evaluation DomainEnsure that IT‐related risks and opportunities are identified, analysed and presented in business terms

Risk Response DomainEnsure that IT‐related risk issues, opportunities and events are addressed in a cost‐effective manner and in line with business priorities

The three Domains


The RiskIT Process Model



• IT Risk basics (definitions, principles)





Agenda


Domain’s basic concepts include:

Responsibility and accountability for IT riskAwareness and communicationRisk appetite and tolerance, risk capacityRisk culture

Risk Governance Domain


Assign Responsibilities and Accountability for IT risk• Stakeholders are across the enterprise, not just IT• Guidance is provided (RACI charts)

Promote risk awareness via risk communication• Risks are well understood and known, IT risk issues are identifiable,

and the enterprise recognises and uses the means to manage them.What to communicate:

• Risk strategy, policies and procedures, awareness training • Risk management process maturity• Risk profile, KRIs, events and loss data, root causes of loss events

To whom:Executive Management, Board, CRO, CIO, CFO, Business Management, IT Management, Risk control, Compliance, Audit, HR, staff…



Risk AppetiteThe broad‐based amount of risk a company or other entity is willing to accept when trying to achieve its objectives• Measured in terms of frequency and magnitude of a risk



What is the amount of loss the enterprise wants to accept to pursue a return?

Risk ToleranceThe acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives• Often measured in the same units as those used to measure the related

objective.• At lower levels of the enterprise exceptions can be tolerated as long as at

the overall exposure (at enterprise level) does not exceed the set risk appetite

Risk Capacity The cumulative loss an enterprise can withstand without risking its continued existence. • It differs from risk appetite, which is more about how much risk is

desirable.




Risk Appetite and Risk Capacity

Left diagram—A relatively sustainable situationRisk appetite is lower than risk capacityActual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity

Right diagram—An unsustainable situationRisk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss. As a result, actual risk routinely exceeds risk capacity even when staying almost always below the risk appetite level. 21

Risk culture• A setting in which components of risk are discussedopenly, and acceptable levels of risk are understood andmaintained.





• Risk Governance Domain (establish, define)




Agenda



Risk scenariosBusiness impact descriptions

Risk Evaluation Domain Essentials


IT Risk scenariosa description of a possible IT‐related event that when/if it occurs can lead to a business impact.Components: Actor, Threat Type, Event, Asset/Resource, Time


25Harry Brilakis| ISACA Athens Chapter

NOTE: Risk Scenarios are key elements of the COBIT 5 risk management process APO12

Example of generic IT risk scenarios


Harry Brilakis| ISACA Athens Chapter 26

Eg. Damage of critical server / regular software malfunction of critical application software

IT Risk scenarios… (cont)

• IT Risk scenarios can be created, with a combination of • Top‐down from business objectives to probable IT risk scenarios• Bottom‐up from generic IT scenarios

• Both approaches are complementary and should be used simultaneously.

• The Risk IT Practitioner & COBIT 5 for Risk provide a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major/common risk scenarios.



IT Risk scenarios… (cont)



Risk factors: factors that influence the frequency and/or business impact of risk scenarios

Related to enterprises’• environment • capabilities

Business impact descriptions• IT risk should be expressed in unambiguous and

clear, business‐relevant terms.• RiskIT Framework does not prescribe any single method

• IT risk scenarios should be linked to ultimate business impact






• Risk Evaluation Domain (assess)



Agenda



Key risk indicators (KRIs)Risk response definition and prioritisation

Risk Response Domain Essentials


Key risk indicators (KRIs)Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.



Risk response definition and prioritisationBring risk in line with the defined risk appetite for the enterprise after risk analysis.

a response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as much as possible (usually depending on budgets available), within risk tolerance limits.



Responses to risk:• Risk Avoidance: exiting the activities or conditions that give rise to risk.• Risk Reduction/Mitigation: action is taken to detect the risk, followed

by action to reduce the frequency and/or impact of a risk.

• Risk Sharing/Transfer: reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing.

• Risk Acceptance: no action is taken relative to a particular risk, and loss is accepted when/if it occurs.

IT risk should be accepted only by business management (and business process owners) in collaboration with and supported by IT, and acceptance should be communicated to senior management and the board.



Risk response selection• Cost of response (eg. insurance)• Importance of risk• Capability to implement response• Effectiveness of the response• Efficiency of the response

Risk response prioritisation• QuickWin: Efficient and effective

response on high risk• BC: Expensive/difficult responses to

high risks or efficient and effective on lower risk

• Defer: Costly response to lower risk






• Risk Evaluation Domain (assess)

• Risk Response Domain (act)


Agenda


1. Define a risk universe and scoping risk management2. Risk appetite and risk tolerance3. Risk awareness, communication and reporting: includes key

risk indicators, risk profiles, risk aggregation and risk culture4. Express and describe risk: guidance on business context,

frequency, impact, COBIT business goals, risk maps, risk registers

5. Risk scenarios: includes capability risk factors and environmental risk factors

6. Risk response and prioritization7. A risk analysis workflow: “swim lane” flow chart, including role

context8. Mitigation of IT risk using COBIT and Val IT

Risk IT Process Model


ISACA Risk IT complements other Risk frameworksCan/should be adapted to the organisation

IT risk is business riskBusiness management is the most important stakeholderShould be expressed in business termsContains both opportunities for benefit and threats for success

Responsibilities of the “three lines of defense” Own/Manage, Oversee, Assure

Risk culture, communication and awareness around IT’s role in risk and opportunity

Key Points


39

Thank you!Charalampos (Harry) Brilakis, CISAharry.bril {at} gmail.com

ISACA Athens ChapterMassalias 22106‐80 AthensInfo {at} isaca.gr

managing it risk: the isaca risk it framework -...

Documents