COBIT 5 for Risk - California State University, Northridge

Enterprise IT Governance and
Risk Mgmt with COBIT – Part VI-b
COBIT 5 for Risk
Dr. Yue “Jeff” Zhang 张跃博士
California State University, Northridge
1
Outline of the Course
1. IT governance overview
2. Introduction to COBIT 4.1
3. COBIT 4.1 framework
& Val IT and RiskIT
4. COBIT 5
5. Process Assessment Model
6. COBIT 5 for Risk
2
3
What is risk management?
“The
• identification,
• assessment, and
• prioritization
• of risks (as the effect of uncertainty on objectives,
whether positive or negative) followed by
• coordinated and economical application of resources
to
• minimize,
• monitor, and
• control
• the probability and/or impact of unfortunate events
• or to maximize the realization of opportunities.”
— Wikipedia
4
Who is a risk manager?
• We all manage risk
• Life and business are complex; but Risk management should be simple
• Use risk management approaches to Make business simpler
• Use the right tool for the job
5
Manage and Capitalize on Business Risk
• Enterprises achieve return by
taking risks.
• Some try to eliminate the very
risks that drive profit.
• Guidance was needed on how to manage risk
effectively.
6
Risk management tenet
• Managing risk to business performance
Against specific objectives
• ENABLES businesses to achieve the obj
• Changing situations may bring gain or loss
Risk management ENABLES businesses to stay
on right track, to seize opportunities
• Risk management should improve agility,
making it safer to move in a changing
environment
“Human immunity” analogy
7
Two views of business-related IT risk
• IT is a tool that can be used to enable the
business
To seek better outcomes by reducing risk to
the business
Through improving consistency, complying w
controls, and reducing errors
• IT is a tool that can break, or used
inefficiently, or cause harm if
misused/exploited maliciously
8
IT-related Risk in the Risk Hierarchy
9
Covers IT-related Risk Management
•IT-related business risks cover all IT-related risks,
including:
• Late project delivery
• Not achieving
enough value
from IT
• Compliance
• Misalignment
• Obsolete or
inflexible
IT architecture
• IT service delivery
problems
10
Comparison of RiskIT and COBIT 5 for Risk
• RiskIT was organized around domains and
processes, just as COBIT 4.1
• COBIT 5 for Risk is organized around the 5
principles and seven enablers, just as COBIT 5
For every enabler, COBIT 5 for Risk then
approaches from
 Stakeholders (who participate/be impacted)
 Goals
 Life cycle
 Good practices – this is the part that is the
“action”/”solution” part
11
Comparison (cont)
• The second uniqueness of COBIT 5 for Risk is
that it organizes the analyses and practices
from two perspectives:
Risk function
Risk management
• Risk Function can be understood as
the principles, polices, processes, org structure,
…[do they sound familiar? Yes, they’re the 7
enablers!] that are in place to “strengthen” the org
so it is better able to face and handle risks.
The “preparedness” of an org against risks
12
Comparison (cont)
• While Risk Management can be understood as
the principles, polices, processes, org structure,
…[again, the 7 enablers!] that are being employed to
“curb” and “fight” and “redirect” the risks in the case of
their happening
Perspective
Med
analogy
Military
analogy
Risk
function
Prevention Readiness and
deterrence 常备
力量,威慑力
Risk mgmt
Treatment
Remarks
Long-term improvement of org’s
overall “fitness” against risks
Battle plan;
Direct handling of risks: analyses/
tactics 战略战术;evaluation, response, recovery
战役计划
13
COBIT 5 FOR RISK
1. UNDERSTAND THE DRIVERS,
BENEFITS AND
TARGET AUDIENCES
FROM A RISK PERSPECTIVE
14
Drivers for Risk
To provide:
•Stakeholders with
substantiated and consistent
opinions over the current state
of risk throughout the
enterprise
•Guidance on how to manage
risk to levels within the
enterprise’s risk appetite
•Guidance on how to set up the
appropriate risk culture for the
enterprise
•Quantitative risk assessments
enabling stakeholders to
consider the cost of mitigation
and the required resources
against the loss exposure
© 2013 ISACA.
The COBIT 5 for Risk
professional guide
provides:
• Guidance on how to use the
COBIT 5 framework to
establish the risk governance
and management function(s)
for the enterprise
• Guidance and a structured
approach on how to use the
COBIT 5 principles to
govern and manage IT risk
• Understanding of the
alignment of COBIT 5 for
Risk with other relevant
standards
All rights reserved.
15
Benefits of the Guidance
+ / - effect on the achievement
of business objectives
• End-to-end guidance on how to manage risk
• A common and sustainable approach for assessment and
response
• A more accurate view of significant current and near-future
risk throughout the enterprise—and the impact of this risk on
the enterprise
• Understanding how effective IT risk management optimises
value by enabling process effectiveness and efficiency
• Opportunities for integration of IT risk management with the
overall risk and compliance structures w/in the ERM
• Promotion of risk responsibility and its acceptance
Within
throughout the enterprise
© 2013 ISACA.
All rights reserved.
16
Target Audiences
• Risk professionals across the enterprise:
- Assistance with managing IT risk and incorporating IT risk
into ERM
Enterprise Risk Management
• Boards and executive management:
- Understanding of their responsibilities and roles with regard
to IT risk management
- The implications of risk in IT to enterprise strategic
objectives
- How to better optimise IT use for successful strategy
execution
• IT and business management:
- Understanding of how to identify and manage IT risk and
how to communicate IT risk to business decision makers
© 2013 ISACA.
All rights reserved.
17
Overall Logic of COBIT 5 for Risk
18
Overall Logic of COBIT 5 for Risk (cont)
19
Overall Logic of COBIT 5 for Risk (cont)
20
Clarification of “Risk” in COBIT 5 for Risk
• When risk is referenced in COBIT 5 for Risk, it is
the current risk.
Figure 7 shows how inherent, current and residual risk
interrelate.
21
COBIT 5 FOR RISK
2. UNDERSTAND
THE COMPONENTS OF
RISK ACTIVITIES.
.
22
Key Risk IT Content: The “What”
Risk management essentials
• In Risk Governance: Risk appetite and tolerance,
responsibilities and accountability for IT risk management,
awareness and communication, and risk culture
• In Risk Evaluation: Describing business impact and risk
scenarios
• In Risk Response: Key risk indicators (KRI) and risk
response definition and prioritisation
• Process model sections that contain:




Descriptions
Input-output tables
RACI (Responsible, Accountable, Consulted, Informed) table
Goals and Metrics Table
• Maturity model is provided for each domain
23
Risk IT framework
Domain
Time
Manner
Governance
“Before”
Always
Evaluation
“During”
Periodical
Response
After
In incident
Roughly, not
exactly; to help w
understanding and
memory
24
Risk Governance Domain
• Risk Governance Essentials:
Responsibility and accountability for risk
Risk appetite and tolerance
Awareness and communication
Risk culture
25
Risk Evaluation Domain
• Risk Evaluation Essentials:
Risk scenarios
Business impact descriptions
26
Risk Response Domain
• Risk Response Essentials:
Key risk indicators (KRIs)
Risk response definition and prioritisation
27
Risk Perspectives
28
Risk Function Perspective
COBIT 5 for Risk provides guidance and
describes how each enabler contributes to
the overall governance and management
of the risk function. For example:
•Which Processes are required to define
and sustain the risk function, govern and
manage risk
•What Information flows are required to
govern and manage risk—e.g., risk
universe, risk profile
•The Organisational Structures that are
required to govern and manage risk
effectively—e.g., enterprise risk
committee, risk function
•What People and Skills should be put in
place to establish and operate an effective
risk function
© 2013 ISACA.
All rights reserved.
29
Risk Function Perspective
COBIT 5 for Risk defines
seven risk principles to:
 Provide a systematic,
timely and structured
approach to risk
management
 Contribute to consistent,
comparable and
reliable results
The risk principles
formalise and standardise
policy implementation—
both the core IT risk policy
and supporting policies—
e.g., information security
policy, business continuity
policy.
These policies provide more
detailed guidance on how to
put principles into practice
and how they will influence
decision making within an
enterprise.
© 2013 ISACA.
All rights reserved.
30
Risk Function Perspective (cont)
COBIT 5 for Risk defines seven risk principles to:
 Provide a systematic, timely and structured
approach to risk management
 Contribute to consistent, comparable and
reliable results
The risk principles formalise and standardise
policy implementation—both the core IT risk
policy and supporting policies—e.g., information
security policy, business continuity policy.
These policies provide more detailed guidance on
how to put principles into practice and how they
will influence decision making within an
enterprise.
© 2013 ISACA.
All rights reserved.
31
Risk Function Perspective
COBIT 5 for
Risk identifies
all COBIT 5
processes that
are required to
support the risk
function:
 Key
supporting
processes–
dark pink
 Other
supporting
processes –
light pink
Core risk
processes,
shown in light
blue are also
highlighted—
these processes
support the risk
management
perspective:
 EDM03
Ensure risk
optimisatio
n.
 APO12
Manage
risk.
.
All rights reserved.
32
Risk Function Perspective
COBIT 5 for Risk identifies all COBIT 5 processes that are required to
support the risk function:
 Key supporting processes– dark pink
 Other supporting processes – light pink
Core risk processes, shown in light blue are also highlighted—these
processes support the risk management perspective:
 EDM03 Ensure risk optimisation.
 APO12 Manage risk.
33
Risk Management Perspective
COBIT 5 for Risk provides specific guidance related to all enablers for the effective
management of risk:
•The core Risk Management process(es) used to implement effective and efficient risk
management for the enterprise to support stakeholder value
•Risk Scenarios, i.e., the key information item needed to identify, analyse and respond to
risk; risk scenarios are the concrete, tangible and assessable representation of risk
•How COBIT 5 enablers can be used to respond to unacceptable risk scenarios
© 2013 ISACA.
All rights reserved.
34
Risk Perspectives
© 2013 ISACA.
All rights reserved.
35
Risk Perspectives (cont)
36
COBIT 5 FOR RISK
3. UNDERSTAND HOW TO USE
RISK SCENARIOS FOR GEIT.
37
Risk Scenarios
Definition
“A risk scenario is a description of a possible event
that, when occurring, will have an uncertain impact
on the achievement of the enterprise’s objectives.
The impact can be positive or negative.”
© 2013 ISACA.
All rights reserved.
38
Risk Scenarios
Risk scenario’s
are a key element
of the COBIT 5
risk management
process APO12;
two approaches
are defined:
 Top-down
approach—
Use the
overall
enterprise
objectives
and consider
the most
relevant and
probable IT
risk scenarios
impacting
these
 Bottom-up
approach—
Use a list of
generic
scenarios to
define a set of
more relevant
and
customised
scenarios,
applied to the
individual
enterprise
39
Risk Scenarios (cont)
Risk scenario’s are a key element of the
COBIT 5 risk management process APO12;
two approaches are defined:
Top-down approach—Use the overall
enterprise objectives and consider the most
relevant and probable IT risk scenarios
impacting these
Bottom-up approach—Use a list of
generic scenarios to define a SUBset of
more relevant and customised scenarios,
applied to the individual enterprise
© 2013 ISACA.
All rights reserved.
40
Risk Scenarios
• Top-down and Bottom-up — Both approaches are
complementary and should be used simultaneously.
• Risk scenarios must be relevant and linked to real
business risk.
• Specific risk items for each enterprise and critical
business requirements need to be considered in the
enterprise risk scenarios.
• COBIT 5 for Risk provides a comprehensive set of
generic risk scenarios. These should be used as a
reference to reduce the chance of overlooking
major/common risk scenarios.
© 2013 ISACA.
All rights reserved.
41
Risk Scenarios
When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (Threat type +
Event). The frequency of the threat event is influenced by a vulnerability. The vulnerability is usually a state; it can be
increased/ decreased by vulnerability events, e.g., controls strength or by the threat strength.
42
Developing risk scenarios work flow
1. Use the list of example generic risk scenarios (Fig
38, P67~; partial reprint in S#46) to define a
manageable set of tailored risk scenarios for the
enterprise;
2. Perform a validation against the business obj of
the entity;
3. Refine the selected scenarios base on the
validation;
4. Reduce the number of scenarios to a
manageable set (usually at least a few dozen);
5. Keep all the scenarios in a list so they can be reevaluated.
43
Developing risk scenarios work flow (cont)
6. Once the set of risk scenarios is defined, it can
be used for risk analysis, where frequency and
impact of the scenarios are assessed.
7. The enterprise can also consider evaluating
scenarios that have a chance of occurring –
the “stress” testing.
• In “1” above, risk factors are those conditions
that influence the frequency and/or the business
impact of risk scenarios.  Fig 35, P. 61
44
Risk Scenarios
• When a risk scenario materialises, a loss event
occurs.
The loss event has been triggered by a threat event (Threat
type + Event).
The frequency of the threat event is influenced by a vulnerability.
• The vulnerability is usually a state;
it can be increased/ decreased by vulnerability events, e.g.,
controls strength or by the threat strength.
45
Risk Scenarios
COBIT 5 for Risk provides:
 111 risk scenario examples * Across 20 scenario categories
46
Risk Response
Planned actions to bring risk in line with the risk
appetite for the enterprise:
• A response needs to be defined such that as much
future residual risk as possible (current risk with
the risk response defined and implemented) falls
within accepted limits.
• When risk analysis has shown that risk is not
aligned with the defined risk appetite & tolerance
levels, a response is required.
© 2013 ISACA.
All rights reserved.
47
Risk Capacity
• Risk Appetite—The broad-based amount of risk in
different aspects that an enterprise is willing to
accept in pursuit of its mission
• Risk Tolerance—The acceptable level of variation
that management is willing to allow for any
particular risk as it pursues objectives
• Risk Capacity—The cumulative loss an enterprise
can tolerate without risking its continued existence.
As such, it differs from risk appetite, which is more
on how much risk is desirable.
© 2013 ISACA.
All rights reserved.
48
Risk appetite
• The amount of risk, on a broad level, an
entity is willing to accept in pursuit of its
mission.
When considering the risk appetite levels for the
enterprise, two major factors are important:
1. The enterprise’s objective capacity to absorb
loss, e.g., financial loss, reputation damage
2. The (management) culture or predisposition
towards risk taking—cautious or aggressive.
What is the amount of loss the enterprise
wants to accept to pursue a return?
49
Risk appetite
Risk appetite
can be
defined in
practice in
terms of
combinations
of frequency
and magnitude
of a risk.
Risk appetite
can and will be
different
amongst
enterprises
50
Risk tolerance
• Risk tolerance is the tolerable deviation from the
level set around the risk appetite, which (the
deviation) the mgmt. is willing to allow as it pursues
the objectives.
For example, project overruns of 10 percent of budget or
20 percent of time are tolerated.
• Risk appetite and risk tolerance go hand in hand.
• Risk tolerance is defined at the enterprise level and
is reflected in policies set by the executives;
• At tactical levels of the enterprise, exceptions can be
tolerated (or different thresholds defined) as long as
at the enterprise level the overall exposure does not
exceed the set risk appetite.
Cases and consequences of “zero tolerance”
51
Risk Capacity
• Left diagram—A relatively sustainable situation
 Risk appetite is lower than risk capacity
 Actual risk exceeds risk appetite in a number of situations, but always remains
below the risk capacity
• Right diagram—An unsustainable situation
 Risk appetite is defined at a level beyond risk capacity; this means that
management is prepared to accept risk well over its capacity to absorb loss
 As a result, actual risk routinely exceeds risk capacity even when staying
almost always below the risk appetite level. This usually represents
unsustainable situations
© 2013 ISACA.
All rights reserved.
52
Risk Response (cont)
• This response can be any of the four possible
responses:
avoid,
mitigate,
share/transfer,
accept.
• Risk response evaluation is not a one-time
effort—it is part of the risk management
process cycle.
© 2013 ISACA.
All rights reserved.
53
Risk Mitigation
• COBIT 5 for Risk provides a number of examples on how
the COBIT 5 enablers can be used to respond to risk
scenarios.
• Risk mitigation is equivalent to implementing a number of
IT controls.
• In COBIT 5 terms, IT controls can be any enabler, e.g.,
putting in place an organisational structure, putting in place
certain governance or management practices or activities.
• For each of the 20 risk scenario categories, potential
mitigating actions relating to all seven COBIT 5 enablers
are provided, with a reference, title and description for each
enabler that can help to mitigate the risk.
© 2013 ISACA.
All rights reserved.
54
© 2013 ISACA.
All rights reserved.
55
© 2013 ISACA.
All rights reserved.
56
Risk response workflow
57
Risk response workflow (cont)
• Two dimensions for prioritization: current risk
level, and benefit/cost ratio
58
Risk Culture
59
IMPORTANT REPRINTS
FROM COBIT 5 FOR RISK
I have selectively reprint some forty pages
from COBIT 5 for Risk. This section will briefly
introduce the contents of those pages. The
selected contents are very practical and can
be and should be used in risk analysis.
© 2013 ISACA.
All rights reserved.
60
Brief description of selected key contents
•
•
•
•
•
•
•
•
P12, Fig 3 – COBIT 5 for Risk overview
P20, Fig 9 – Two perspectives on risk
P31, Fig 16 – Risk policy examples
P35, Fig 18/19 – supporting processes for risk
function
P42, Fig 26 – Behaviors for risk gov and mgmt.
P48, Fig 28 – Info items supporting risk gov &
mgmt.
P52, Fig 30 – risk-mgmt.-related services
P56, Fig 32 – risk mgmt. skill sets
61
Brief description of selected contents (cont)
• PP 59-63, Risk scenarios
• PP 195-204, Core COBIT 5 risk mgmt. processes
• PP 206-209, 222-223, 235-236: Using COBIT 5
enablers to manage IT risk scenarios (selected)
• PP 243-244: Comprehensive risk scenario
template
• [Many of the materials in the above will be used
for your team project as well as individual project]
62
COBIT 5 FOR RISK
For
information
only; not
required
© 2013 ISACA.
4. UNDERSTAND
HOW COBIT 5 FOR RISK
RELATES TO AND ALIGNS
WITH OTHER STANDARDS
All rights reserved.
63
Alignment
• COBIT 5 for Risk—much like COBIT 5 itself—is an umbrella approach
for the provisioning of risk management activities.
• COBIT 5 for Risk is positioned in context with the following risk-related
standards:
 ISO 31000:2009 – Risk Management
 ISO 27005:2011 – Information security risk management
 COSO Enterprise Risk Management
• ISO 31000:2009 – Risk Management
 COBIT 5 for Risk addresses all ISO 31000 principles, through the:
 COBIT 5 for Risk principles and enablers themselves
 Enabler models
 In addition, the framework and process model aspects are covered in
greater detail by the COBIT 5 for Risk process model.
 All elements are included in COBIT 5 for Risk and are often expanded on
or elaborated in greater detail, specifically for IT risk management.
© 2013 ISACA.
All rights reserved.
64
Alignment
• ISO 27005:2011 – Information security risk management
 COBIT 5 for Risk addresses all of the components described within ISO
27005. Some of the elements are structured or named differently.
 COBIT 5 for Risk takes a broader view on IT risk management compared
with ISO 27005 which is focused on the management of security related risk.
 There is a stronger emphasis in COBIT 5 for Risk on processes and
practices to ensure the alignment with business objectives, the acceptance
throughout the organisation and the completeness of the scope, amongst
other factors.
• COSO Enterprise Risk Management
 COBIT 5 for Risk addresses all of the components defined in COSO ERM.
 Although COBIT 5 for Risk focuses less on control, it provides linkages to
enablers—management practices in the COBIT 5 framework.
 The essentials with regards to both control and general risk
management as defined in COSO ERM are present in COBIT 5 for Risk,
either through the:
 Principles themselves and the framework’s conceptual design
 Process model and additional guidance provided in the framework
© 2013 ISACA.
All rights reserved.
65