Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’

Description
IT risk is receiving growing attention from executive management, risk managers and regulators to indentify and correctly manage risk in the operational environment. This pressure requires the implementation of an effective risk management process. ISACA recently delivered the RISK IT Framework to assist IT too effectively identify risk and how to develop processes to accept or mitigate risk. When leveraged in conjunction with the COBIT® Framework which provides the generally accepted control framework, the RISK IT Framework will deliver an effective enterprise risk management solution. This session will demonstrate how to establish effective enterprise risk management of IT including implementation and operational issues using ISACA’s new ‘Risk IT Practitioner Guide’.

Please download to get full document.

View again

of 52
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Information
Category:

Technology

Publish on:

Views: 7 | Pages: 52

Extension: PDF | Download: 0

Share
Transcript
  • 1. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Robert E Stroud CGEIT VP Service Management & Governance, CA Technologies International Vice President, ISACA
  • 2. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Robert E Stroud CGEIT international VP, ISACA service management & governance evangelist CA — 29 years in Industry Experience — 15+ years banking industry — VP Service Management & ITSM & IT Governance CA — International Vice President ISACAITGI — Former Chair COBIT Steering Committee & chief architect — IT Governance Committee — Contributor to COBIT V4 and V4.1 — Contributor to the Control Objectives for Basel II — Contributor to ITILCOBITISO17799 Management Overview — ITIL v3 Update Management Board and Reviewer — ITIL v3 ITIL Advisory Group, Mentor & Reviewer — Author ITIL Business Perspective Volume 2 — Executive Board itSMF International Treasurer and Director Audit Standards & compliance — Former Board Member USA itSMF 2
  • 3. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Important Information on the content within…. —The Risk IT Framework and The Risk IT Practitioner Guide including select text and figures featured within this presentation are the property of ISACA. Copyright © 2005 - 2009 ISACA. All rights reserved. —ISACA, ITGI and COBIT are registered trademarks of ISACA. Val IT and Risk IT are trademarks of ISACA. —This presentation is presented with the permission of ISACA. 3
  • 4. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Abstract —IT risk is receiving growing attention from executive management, risk managers and regulators to indentify and correctly manage risk in the operational environment. This pressure requires the implementation of an effective risk management process. ISACA recently delivered the RISK IT Framework to assist IT too effectively identify risk and how to develop processes to accept or mitigate risk. —When leveraged in conjunction with the COBIT® Framework which provides the generally accepted control framework, the RISK IT Framework will deliver an effective enterprise risk management solution. —This session will demonstrate how to establish effective enterprise risk management of IT including implementation and operational issues using ISACA’s new ‘Risk IT Practitioner Guide’. 4
  • 5. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Agenda —Introduction —The ‘Risk IT Framework’ —The ‘Risk IT Practitioner Guide’ – Managing Risk in Practice —Risk Governance —Risk Evaluation —Risk Response —Summary
  • 6. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk and value are intertwined! —Risk has 2 sides − Value preservation − Value creation IT related risk = materialised business impact because of IT related event
  • 7. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud IT (Related) risks ITGI survey 2008, on IT related problems:
  • 8. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud it related risk management - summary —Various standards & frameworks available, but either: − Generic Enterprise Risk Management oriented − IT Security oriented —No comprehensive IT Related Risk framework available 8
  • 9. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk it principles
  • 10. The “Risk IT Framework”
  • 11. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Risk IT —Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that confirm these principles —The Risk IT framework is to be used to help implement IT governance —Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management.
  • 12. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Purpose of "'Risk IT'" The Risk IT framework explains IT risk and will enable users to: − Integrate the management of IT risk into the overall enterprise risk management of the organisation − Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise − Understand how to respond to the risk In brief, the framework allows the enterprise to make appropriate risk-adjusted decisions.
  • 13. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud The Risk IT Framework
  • 14. ‘Risk IT Practitioner Guide’ – managing risk in practice
  • 15. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Risk IT practitioner guide
  • 16. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud suppemental tools and materials — The Risk IT Practitioner Guide, is supported by an implementation tool kit, containing the following templates: − Enterprise IT Risk Assessment Form (figure 7) − Risk Communication Flows (figure 14) − Template Risk Register Entry (figure 36) − Generic IT Risk Scenarios (figure 40) − Generic IT Risk Scenarios and Mapped to COBIT and Val IT Processes (figure 41) − Generic IT Risk Scenarios and Environmental Risk Factors (figure 42) − COBIT Controls and Val IT Key Management Practices to Mitigate IT Risk (figure 48)
  • 17. risk governance 17
  • 18. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk governance
  • 19. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud business – enterprise risk management (ERM) —Enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. —ERM provides a framework for risk management —By identifying and proactively addressing risks and opportunities, business enterprises protect and create value —ERM can also be described as a risk-based approach to managing an enterprise
  • 20. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud the definition of it risk —IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. —IT risk consists of IT-related events that could potentially impact the business. —IT risk always exists, whether or not it is detected or recognised by an organisation
  • 21. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud it related business risk
  • 22. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud it risk in the risk hierarchy
  • 23. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud essentials of risk governance —Risk Appetite and Tolerance —Responsibilities and accountability for IT Risk Management —Awareness and Communication —Risk Culture
  • 24. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk appetite and tolerance - definition —Risk appetite The broad-based amount of risk a company or other entity is willing to accepts in pursuit of its mission (or vision) —Risk tolerance The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)
  • 25. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk appetite —Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. When considering the risk appetite levels for the enterprise, two major factors are important: —The enterprise‘s objective capacity to absorb loss —The culture towards risk taking – cautious or aggressive
  • 26. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk appetite - examples
  • 27. Virtualization and the Cloud - The Death of ITIL? Or the Opportunity of a Lifetime? Copyright © 2010 CA Robert.Stroud@ca.com Blog: www.ca.com/blogs/stroud risk tolerance Risk tolerance is the tolerable deviation from the level set by the risk appetite definition, e.g., standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
  • 28. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud responsibilities and accountability for it risk managment
  • 29. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud awareness and communication benefits —Executive management‘s understand the actual exposure to IT risk, enabling definition of appropriate and informed risk responses —Awareness amongst all internal stakeholders of the importance of integrating risk and opportunity in their daily duties —Transparency to external stakeholders regarding the actual level of risk managment processes in use
  • 30. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Implications of poor communications —False sense of confidence at the top on the degree of actual exposure related to IT —Unbalanced communication to the external world on risk, especially in cases of high but managed risk, may lead to an incorrect perception on actual risk by third parties such as clients, investors or regulators —Perception that the enterprise is trying to cover up known risk from stakeholders
  • 31. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud what to communicate
  • 32. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Risk Culture
  • 33. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Risk Evaluation
  • 34. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud business impact
  • 35. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud it risk scenario development
  • 36. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk factors
  • 37. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk scenarios
  • 38. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud example scenario list
  • 39. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk evaluation
  • 40. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud key risk indicators (KRIs) 40
  • 41. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk response options 41
  • 42. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk response options and influences 42
  • 43. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud parameter for risk response selection 43
  • 44. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk response prioritisation 44
  • 45. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud risk response & prioritisation 45
  • 46. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Risk and Opportunity 46
  • 47. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud CobiT, Val IT & Risk IT 47
  • 48. summary
  • 49. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud summary —Risk IT saves time, cost and effort by providing a clear method to focus on IT-related business risks —Risk IT provides the guidance to help executives and management ask the key questions —Risk IT allows organizations to make better risk-adjusted decisions —Risk IT allows organizations to manage their enterprises risk is managed more effectively
  • 50. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud summary —Risk and value are two sides of the same coin —Risk is inherent to all enterprises —Balance must be struck that avoids value destruction and ensures that opportunities for value creation are not missed
  • 51. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Copyright © 2010 CA Robert.Stroud@ca.com Blog:www.ca.com/blogs/stroud Thank you Contact details: Robert E Stroud CGEIT Email: Robert.Stroud@ca.com Tel: (631) 880 2544 BLOG: www.ca.com/blogs/stroud Twitter: www.twitter.comRobertEStroud 51
  • 52. Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’ Robert E Stroud CGEIT VP Service Management & Governance, CA Technologies International Vice President, ISACA
  • Related Search
    Similar documents
    View more...
    We Need Your Support
    Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

    Thanks to everyone for your continued support.

    No, Thanks