Risk Governance
Week #1 CRISC Exam Prep
Bill Pankey
Tunitas Group
Agenda
- About
  - Course
  - CRISC Exam
  - Me
  - You
- Common Risk View
- Risk Governance
  - Enterprise Foundations
  - Integrated Management
- Risk Management Frameworks
  - Standards
  - Process
  - Practice
Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in the Tunitas Group CRISC Exam Preparation Class. No other use is permitted without express written authorization.
CRISC EXAM PREP #1: Risk Governance
[Chart: Accenture 2011 Risk Management Survey, Top Challenges*]
*http://goo.gl/FVdo9
ISACA Starting Position (Course Perspective)
- IT risk is business risk
  - Effect on business strategy
  - Value creation / opportunity
  - Preservation of asset value, tangible & intangible
- Various information security risks, project risks and operational risks are not necessarily IT risks.
  - IT risk management requires relevance and alignment
- IT risk is more than just information security risk
  - e.g., not achieving business value, service delivery problems, inflexible architecture
ISACA Starting Position (ISACA 2009)
- Benefit Enablement Risk: Lost opportunity to use IT to improve the effectiveness or efficiency of new or existing business process.
- Program/Project Delivery Risk: Failure to deliver business value in projects or program.
- Service Delivery Risk: Performance errors in the delivery of IT services. Information security errors.

ISACA Starting Position (Course Perspective)
- IT risk must be managed as an enterprise risk
  - Reflect the enterprise risk appetite and culture
  - Consolidate with other risk across the organization
  - Acquire business sign-off on the control environment
=> IT risk management must adapt to the ERM context
What if ERM is immature or nonexistent?
ISACA Starting Position (Course Perspective)
Effective IT Risk Management:
- Provides tone at the top
- Assigns personal accountability
- Provides accurate information in timely fashion
- Minimizes impact of controls consistent with cost and benefit
- Promotes continuous improvement
Are there workarounds?
CRISC Exam Prep Class Lectures
- Tonight
- 1 session for each CRISC domain
  - Risk Identification & Assessment
  - Risk Response
  - Risk Monitoring
  - Control Design & Implementation
  - Control Monitoring
- 1 session for exam strategy
- 2+ hours
WizIQ
- Slides
- Chat
  - Use chat to ask/answer/discuss topics
  - Ann Geyer and Chris Sublett will participate
- Voice options
- Sample Test Questions
Practice Question
Which of the following is the best measure of IT Risk Management success?
- Extraordinary IT-related expense
- # of threats mitigated
- Completeness of control catalog
- Low residual risk score
CRISC Exam
- 120 questions
  - forced-choice questions
  - Select the single best | least bad answer
  - no deduction for incorrect answers
- 4 hours
- Firewall between the CRISC Test Enhancement Committee and ISACA study material / education activity
- 8/9 CISA; 6/9 CISM; 4/9 CGEIT
- Jack Jones (FAIR inventor) committee chair
About You
- Experienced professionals w/ diverse risk management responsibilities
[Charts: 50% x Industry Sector; 30% x Management Area]
A Note on Language
- Muddled risk lexicon
  - Many competing and sometimes conflicting definitions
  - Precision in language is desirable but it can be exclusionary
  "Risk refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s) and control conditions. As a derived value, it cannot take a plural form (i.e., risks)." From ISACA CRISC pages
- The goal of IT risk management is the achievement of business objectives
  - Adapt to the language used by the business organization
- But for CRISC test takers, caution is warranted.
Risk Governance (Board Perspective)
- Risk accompanies the business strategy
- Board responsibility is to ensure that risk is commensurate with reward
- How does it accomplish this?

10 Best practices for risk governance*
1. Understand the company's key drivers of success.
2. Assess the risk in the company's strategy.
3. Define the risk oversight role of the full board and its standing committees.
4. Consider whether the company's risk management system, including people and processes, is appropriate and has sufficient resources.
5. Work with management to understand and agree on the types (and format) of risk information the board requires.
6. Encourage a dynamic and constructive risk dialogue between management & board.
7. Closely monitor the potential risks in the company's culture and its incentive structure.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives, and people.
9. Consider emerging and interrelated risks: What's around the next corner?
10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
*National Association of Corporate Directors, Risk Governance: Balancing Risk & Reward

Risk Governance Focus (Board Perspective)
[Figure]
What is Risk?
Different answers will affect risk management objectives & practices
- Volatility of outcome
  - Variance about an expected outcome (e.g., as in finance)
- Expected outcome
  - Anticipated average loss (e.g., as in information security)
- Potential positive or negative outcome
  - PMI BOK and ISACA
- Undefined in law & regulation
Of course, the conundrum is exacerbated by a plethora of measurement methods
What is Risk?
Two essential aspects: uncertainty & loss
- Oxford Dictionary: "The possibility that something unpleasant or unwelcome will happen."
Counter to alternative definitions that will routinely be encountered:
- Risk has to include the possibility of loss
- Risk has only losses. Gains are opportunities.
- Risk is not synonymous with volatility
- Risk is vector valued, not the product of probability and outcome
  - The assumption of risk neutrality conflicts with the intended support for organization risk preferences and appetite.
What is Risk Management?
Enterprise risk management is*:
"a process, applied across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
4 categories of objectives:
- Strategic. High-level goals, mission
- Operations. Resource optimization
- Reporting. Reliability of management information
- Compliance. Satisfaction of laws and regulation
*COSO, Enterprise Risk Management - Integrated Framework
COSO Governance Concepts
- Internal environment
  - Tone, risk management philosophy, appetite & tolerance
- Objective setting
  - Risk management process, roles & responsibilities
- Monitoring
  - Ongoing management reporting & adjustment
Risk Philosophy
- Not a term of art well defined in standards
- Generally, the organizational attitude toward risk
  - Perceived value of risk management: mitigation, avoidance, etc.
- Expressed through a collection of risk-related attributes (e.g., appetite and tolerance)
Risk Appetite (Internal Environment)
- Boundaries of risk acceptance
  "amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style"
- Effectively establishes the enterprise mitigation policy
- Determined by:
  - Objective ability to absorb loss
  - Management philosophy & culture
  - External influences
    - Laws and regulation
    - Customer expectation
- Changes over time
EXAMPLE: Risk Appetite Risk Map
Appetite => risk policy
[Figure: risk map of impact magnitude (vertical axis) against probability (horizontal axis), divided into four zones: Really Unacceptable, Unacceptable, Acceptable, Opportunity]
- Really Unacceptable: far beyond normal risk appetite; respond immediately.
- Unacceptable: above normal risk appetite; additional mitigation within time boundaries.
- Acceptable: No special action beyond maintaining current control.
- Opportunity: Very low risk; cost saving or other opportunity gained from relaxing control or assuming more risk.
EXAMPLE: Really Unacceptable Risk
Healthcare Sentinel Events
- Events that should never occur in a hospital, e.g.:
  - Wrong-side surgery. Wrong-patient surgery.
  - Patient death or disability due to contaminated drugs, devices, biologics
  - Patient death or disability due to medication error
  - Patient suicide
  - Large breaches of confidential patient data
- Trigger immediate response process
  - Formal root cause analysis
  - Mandatory corrective action plan
  - Mandatory reporting to oversight agencies (for some)
- IT risk management relevance
  - Map IT events onto sentinel events
  - Little or no appetite (unacceptable or really unacceptable) for information system events that could result in a sentinel event
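As an added worked example (not from the slides or from ISACA), the risk map and the sentinel-event rule above expressed as a small classifier; the ordinal scales, zone thresholds and hospital IT scenarios are constructed. Because the Really Unacceptable band covers catastrophic impact at any probability, two scenarios with the same probability x impact product land in different zones, which is the vector-valued point made earlier.

```python
"""Risk appetite as a risk map: zones over the (probability, impact) plane,
each tied to the response policy on the slide, plus the sentinel-event rule.
Scales, thresholds and scenarios are constructed for illustration."""
from dataclasses import dataclass

# Response policy per zone, as stated on the risk map slide.
RESPONSE = {
    "Really Unacceptable": "far beyond appetite; respond immediately",
    "Unacceptable": "above appetite; additional mitigation within time boundaries",
    "Acceptable": "no special action beyond maintaining current control",
    "Opportunity": "consider relaxing control or assuming more risk",
}


@dataclass
class Scenario:
    name: str
    probability: int        # ordinal 1 (rare) .. 5 (almost certain); constructed scale
    impact: int             # ordinal 1 (negligible) .. 5 (catastrophic); constructed scale
    sentinel: bool = False  # could this IT event result in a sentinel event?


def zone(probability, impact):
    """Zones are regions of the map, not bands of probability * impact:
    catastrophic impact is intolerable however rare."""
    if impact == 5 or (impact == 4 and probability >= 4):
        return "Really Unacceptable"
    if impact == 4 or (impact == 3 and probability >= 3) or (impact == 2 and probability == 5):
        return "Unacceptable"
    if (impact == 1 and probability <= 2) or (impact <= 2 and probability == 1):
        return "Opportunity"
    return "Acceptable"


def classify(s):
    """Apply the map, then the appetite rule from the sentinel-event slide:
    little or no appetite for IT events that could cause a sentinel event."""
    z = zone(s.probability, s.impact)
    if s.sentinel and z in ("Acceptable", "Opportunity"):
        z = "Unacceptable"
    return z, RESPONSE[z]


def risk_register(scenarios):
    """Return {scenario name: zone} for a list of scenarios."""
    return {s.name: classify(s)[0] for s in scenarios}


# Constructed scenarios; the first two share the same probability * impact.
SCENARIOS = [
    Scenario("EHR outage corrupts active medication orders", 1, 5),
    Scenario("Guest Wi-Fi portal intermittently unavailable", 5, 1),
    Scenario("Lab interface drops a result without alert", 2, 3, sentinel=True),
    Scenario("Printer queue backlog in billing office", 2, 3),
]

if __name__ == "__main__":
    for name, z in risk_register(SCENARIOS).items():
        print(f"{z:20} {name}")
```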
Risk Tolerance
- Less useful, perhaps
  "Risk tolerances relate to the entity's objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective."
- For example, measures of shortfall that the organization will satisfice.
Practice Question
An organization that recently suffered a catastrophic loss should:
A. Change the level of acceptable risk
B. Change the level of unacceptable risk
C. Reevaluate probabilities
D. Reevaluate impact
Awareness & Communication
- Transparency does not mean the unmanaged communication of:
  - Risk strategy / appetite
  - Actual level of risk
  - Risk management process and issues
- Support risk-aware decisions
- Seek to avoid
  - Overconfidence
  - Perception that the organization is hiding something from stakeholders (internal or external)
  - Perception that risk is not well managed
Risk Management Roles (Objective Setting)
- Board: Establish common risk view / risk appetite
- CEO: Manage risk
- Risk Officer: Collect data and report (business monarchy)
- Business Management: Risk-aware decisions; Analyze risk; Maintain risk profile
- IT Management: Support all risk management activity in a secondary role
- Business Process Owner: React to events
- Control Functions: Support all risk management activity
- HR: Communicate common risk view
- Audit: Communicate common risk view; React to events
Risk IT Process Model (Objective Setting)
[Figure: Risk IT process model, 2009 ISACA]
Risk acceptance is managed as a risk governance activity.

Risk IT Artifacts
[Figure: 2008 ITGI]
Risk IT Governance Domain: Common Risk View (2009 ISACA)
Note: Risk Assessment / Risk Analysis
- Develop IT risk management framework
- Determine how to integrate IT risk into strategic plans
- Classify IT risk factors, events and potential impact
- Define risk rating scales and control categories
- Determine IT risk tolerance and appetite
- Embed existing enterprise-wide risk management principles and views

Business Relevance of IT Event
[Figure]
Business Relevant Categories for Expressing the Impact of Adverse Events
- Extended information criteria (COBIT): Efficacy, Efficiency, Confidentiality, Integrity, Availability, Reliability, Compliance
- Extended Balanced Scorecard: Internal, Financial, Customer, Growth; extended with Share Value, Profit, Revenue, Cost of Capital, Competitive Advantage, Legal, Reputation, Market share, Customer satisfaction, Customer Service, Regulatory Compliance
- COSO ERM: Strategic, Operations, Reporting, Compliance
- Factor Analysis of Information Risk (FAIR): Productivity, Response cost, Replacement, Competitive advantage, Reputation
- Healthcare Provider*: Patient Care, Logistics, Reputation, Regulatory Compliance, Financial / Billing
- Westerman's 4As: Agility, Accuracy, Access, Availability

Risk IT Governance Domain: Integrate with ERM
- Ensure appropriate business involvement in IT risk committees
- Ensure IT involvement in the enterprise business risk committee
- Coordinate IT incident response plans with business response plans
- Harmonize risk categories, methods, scales, etc. with ERM methods
Risk IT Governance Domain: Risk-Aware Decisions
- Sell the business value of IT risk analysis data and results to business decision makers
- Review analysis results with business owners to ensure a coordinated response (business and IT)
- Obtain business sign-off of residual risk.
Risk IT Governance Metrics
- A wicked problem
  - Need to assume that risk is appropriately analyzed and assessed in order to determine that it is appropriately managed. However, an indication of poor risk management is misunderstood or poorly assessed risk.
- ISACA IT risk governance metric
  - Recourse to enterprise [business] risk metrics. Presumably more objective ($$$)
  - Presumes a grand experiment (strategic use of IT or not)
  - Correlate enterprise and IT risk measures
ERM Frameworks
- COSO ERM
  - Special status due to specific mention in the Sarbanes-Oxley law.
  - Often imprecise, i.e. does not define risk
  - Difficult to understand?
- ISO 31000 Risk Management Framework ($$)
  - Based on AS/NZ 4360 (free for download)
  - Procedural framework for identification, analysis and treatment of generic risk
  - Intended to harmonize risk management processes, support existing standards (e.g. ISO 27005)
  - Risk defined as "effect of uncertainty on objectives"
NIST RMF
- NIST Risk Management Framework that is replacing NIST C&A processes (SP 800-37)
- Interesting (or not) features:
  - All of the information about business objectives and impacts is encapsulated in the classification of information and systems
  - Controls selected on the basis of classification and deployment environment
  - Control effectiveness is assessed before systems are authorized to maintain or process classified data
  - Designed for managing information security
  - Could be adapted to IT risk generally (???)
Risk IT Practitioner Guide
- Closely aligned with Risk IT
- A guide without pretension to be a standard; a set of heuristics
- Recommended for concrete, actionable advice, e.g.
  - risk scenario construction
  - risk maps
- Free download for ISACA members from ISACA.org. $115 otherwise