Managing IT Risk: The ISACA Risk IT Framework
Charalampos (Haris) Brilakis, CISA
ISACA Athens Chapter BoD / Education Committee Chair
Sr. Manager, Internal Audit, Eurobank (Greece)
1st ISACA Day, Sofia, 15 October 2015
"All technology should be assumed guilty until proven innocent." (David Brower, environmentalist)
What is your role in managing risk? Do you:
1. Own and manage risks? (e.g. Business and IT Management)
2. Oversee risks? (e.g. Security, Risk Management, Compliance)
3. Provide independent assurance? (Internal Audit)
Harry Brilakis, ISACA Athens Chapter
Agenda
- ISACA's Risk IT Framework
- IT risk basics
- Risk Governance domain
- Risk Evaluation domain
- Risk Response domain
- Process flow and key points to remember
Risk Management Frameworks and Risk IT
Standards and frameworks are available, but they are either too:
- generic, enterprise-risk-management oriented (COSO ERM), or
- IT-security oriented.
The Risk IT Framework fills the gap:
- complete, stand-alone framework
- integrates with other risk management frameworks already implemented
- complements Val IT and COBIT 4.1
- guidance available to ISACA members
The scope of the Risk IT framework is also fully covered within the scope of the COBIT 5 framework.
What to do to manage IT risk?
Key content of the Risk IT framework includes:
- Risk management essentials
  - Risk Governance: risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture
  - Risk Evaluation: describing business impact and risk scenarios
  - Risk Response: key risk indicators (KRIs) and risk response definition and prioritisation
- A section on how Risk IT extends and enhances COBIT and Val IT (note: Risk IT does not require the use of COBIT or Val IT)
- Process model sections that contain: descriptions, input/output tables, a RACI (Responsible, Accountable, Consulted, Informed) table, and a goals and metrics table
- A maturity model for each domain
- Appendices: reference materials, a high-level comparison of Risk IT to other risk management frameworks and standards, and a glossary
Available as a free download to all: www.isaca.org/riskit
Guide on how to implement it
Key contents of The Risk IT Practitioner Guide:
- Review of the Risk IT process model
- Risk IT mapped to COBIT and Val IT
- How to use it:
  1. Define a risk universe and scope risk management
  2. Risk appetite and risk tolerance
  3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
  4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
  5. Risk scenarios: includes capability risk factors and environmental risk factors
  6. Risk response and prioritisation
  7. A risk analysis workflow: swim-lane flow chart, including role context
  8. Mitigation of IT risk using COBIT and Val IT
- Mappings: Risk IT to other risk management standards and frameworks
- Glossary
Available as a free download to ISACA members.
Benefits
Benefits of adopting the Risk IT Framework:
- Guidance on how to manage IT-related risks
- A common and sustainable approach for IT risk assessment and response
- A better view of IT-related risk and its financial implications
- A better understanding of the roles and responsibilities with regard to IT risk management
- A common language to help communication among business, IT, risk and audit management
- Opportunities for integrating IT risk management with the overall risk and compliance structures within the enterprise
- Alignment with ERM
Who can benefit from ISACA's Risk IT Framework?
- Boards and executive management, who need to set direction and monitor risk at the enterprise level
- Managers of IT and business departments, who need to define the risk management process
- Risk management professionals, who need specific IT risk guidance
- External stakeholders
Agenda
- The Risk IT Framework
- IT risk basics
- Risk Governance domain
- Risk Evaluation domain
- Risk Response domain
- Process flow and key points to remember
Which of the following entail IT risk?
Business objectives:
1. Improve customer service scores by [xx]% in every branch by year end
2. Reduce customer wait time in line to [xx] minutes
3. By the end of the year, decrease administration expenses by [xx]%
4. Introduce a mobile application to extend our service to younger customers
5. Produce accurate customer monthly billing statements on time
6. Adapt to the new tax law / comply with new regulation of
Generic IT risks:
1. IT project budget overrun or new application development failure, delaying business initiatives
2. Dependency on end-user computing and ad hoc solutions for important information needs
3. Intentional or unintentional software modification leading to wrong data or fraudulent actions
4. Systems cannot handle increased transaction volumes
5. Virus attack
6. Data corruption
7. Lack of new-technology IT skills
What is IT risk?
IT risk is business risk: specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
- The risk and opportunity relationship also holds for IT risk.
- Business management is the most important stakeholder; it determines what IT needs to do to support the business.
- IT risk is not purely a technical issue.
IT risk in the risk hierarchy
- IT risk is a component of the overall risk universe of the enterprise.
- IT risk is not limited to information security; it covers all IT-related risks, for example IT service interruptions, business efficiency, and late project delivery.
The Risk IT principles
Effective IT risk management practices:
- Always connect to business objectives.
- Align the management of IT-related business risk with overall ERM (if implemented).
- Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels.
- Are a continuous process and part of daily activities.
- Balance the costs and benefits of managing IT risk.
- Promote fair and open communication of IT risk.
The three domains
- Risk Governance domain: ensure that IT risk management practices are embedded in the enterprise.
- Risk Evaluation domain: ensure that IT-related risks and opportunities are identified, analysed and presented in business terms.
- Risk Response domain: ensure that IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities.
The Risk IT process model (diagram)
Agenda
- The Risk IT Framework
- IT risk basics (definitions, principles)
- Risk Governance domain
- Risk Evaluation domain
- Risk Response domain
- Process flow and key points to remember
Risk Governance domain
The domain's basic concepts include:
- Responsibility and accountability for IT risk
- Awareness and communication
- Risk appetite and tolerance, risk capacity
- Risk culture
Risk Governance domain
Assign responsibilities and accountability for IT risk:
- Stakeholders are across the enterprise, not just IT.
- Guidance is provided (RACI charts).
Promote risk awareness via risk communication, so that risks are well understood and known, IT risk issues are identifiable, and the enterprise recognises and uses the means to manage them.
What to communicate:
- Risk strategy, policies and procedures, awareness training
- Risk management process maturity
- Risk profile, KRIs, events and loss data, root causes of loss events
To whom: executive management, board, CRO, CIO, CFO, business management, IT management, risk control, compliance, audit, HR, staff
Risk Governance domain: risk appetite
- The broad-based amount of risk a company or other entity is willing to accept when trying to achieve its objectives.
- Measured in terms of frequency and magnitude of a risk.
- The question it answers: what amount of loss does the enterprise want to accept in order to pursue a return?
Risk Governance domain: risk tolerance and risk capacity
Risk tolerance:
- The acceptable level of variation that management is willing to allow for any particular risk as it pursues objectives.
- Often measured in the same units as those used to measure the related objective.
- At lower levels of the enterprise, exceptions can be tolerated as long as the overall exposure (at enterprise level) does not exceed the set risk appetite.
Risk capacity:
- The cumulative loss an enterprise can withstand without risking its continued existence.
- It differs from risk appetite, which is more about how much risk is desirable.
Risk Governance domain: risk appetite and risk capacity (diagram)
Left diagram, a relatively sustainable situation:
- Risk appetite is lower than risk capacity.
- Actual risk exceeds risk appetite in a number of situations, but always remains below the risk capacity.
Right diagram, an unsustainable situation:
- Risk appetite is defined at a level beyond risk capacity; this means that management is prepared to accept risk well over its capacity to absorb loss.
- As a result, actual risk routinely exceeds risk capacity even though it stays almost always below the risk appetite level.
Risk Governance domain: risk culture
A setting in which components of risk are discussed openly, and acceptable levels of risk are understood and maintained.
Agenda
- The Risk IT Framework
- IT risk basics (definitions, principles)
- Risk Governance domain (establish, define)
- Risk Evaluation domain
- Risk Response domain
- Process flow and key points to remember
Risk Evaluation domain essentials
The domain's basic concepts include:
- Risk scenarios
- Business impact descriptions
Risk Evaluation domain essentials: IT risk scenarios
An IT risk scenario is a description of a possible IT-related event that, when or if it occurs, can lead to a business impact.
Components: actor, threat type, event, asset/resource, time.
Note: risk scenarios are key elements of the COBIT 5 risk management process APO12.
Risk Evaluation domain essentials: examples of generic IT risk scenarios
E.g. damage to a critical server; regular software malfunction of critical application software.
Risk Evaluation domain essentials: IT risk scenarios (cont.)
IT risk scenarios can be created with a combination of:
- top-down, from business objectives to probable IT risk scenarios
- bottom-up, from generic IT scenarios
Both approaches are complementary and should be used simultaneously.
The Risk IT Practitioner Guide and COBIT 5 for Risk provide a comprehensive set of generic risk scenarios. These should be used as a reference to reduce the chance of overlooking major or common risk scenarios.
Risk Evaluation domain essentials: IT risk scenarios (cont.)
Risk factors are factors that influence the frequency and/or business impact of risk scenarios. They relate to the enterprise's environment and to its capabilities.
Risk Evaluation domain essentials: business impact descriptions
- IT risk should be expressed in unambiguous, clear, business-relevant terms.
- The Risk IT Framework does not prescribe any single method.
- IT risk scenarios should be linked to their ultimate business impact.
Agenda
- The Risk IT Framework
- IT risk basics (definitions, principles)
- Risk Governance domain (establish, define)
- Risk Evaluation domain (assess)
- Risk Response domain
- Process flow and key points to remember
Risk Response domain essentials
The domain's basic concepts include:
- Key risk indicators (KRIs)
- Risk response definition and prioritisation
Risk Response domain essentials: key risk indicators (KRIs)
Metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.
Risk Response domain essentials: risk response definition and prioritisation
The purpose is to bring risk in line with the defined risk appetite for the enterprise after risk analysis. A response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as much as possible (usually depending on the budgets available), within risk tolerance limits.
Risk Response domain essentials: responses to risk
- Risk avoidance: exiting the activities or conditions that give rise to risk.
- Risk reduction/mitigation: action is taken to detect the risk, followed by action to reduce the frequency and/or impact of the risk.
- Risk sharing/transfer: reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common techniques include insurance and outsourcing.
- Risk acceptance: no action is taken relative to a particular risk, and loss is accepted when or if it occurs. IT risk should be accepted only by business management (and business process owners) in collaboration with and supported by IT, and acceptance should be communicated to senior management and the board.
Risk Response domain essentials: risk response selection and prioritisation
Risk response selection criteria:
- Cost of the response (e.g. insurance)
- Importance of the risk
- Capability to implement the response
- Effectiveness of the response
- Efficiency of the response
Risk response prioritisation:
- Quick win: an efficient and effective response to a high risk
- BC (business case): an expensive or difficult response to a high risk, or an efficient and effective response to a lower risk
- Defer: a costly response to a lower risk
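The appetite, tolerance and capacity relationships from the Risk Governance slides (exceptions at unit level are tolerable while enterprise-level exposure stays within appetite; an appetite set above capacity is unsustainable) and the quick win / business case / defer prioritisation above are easiest to see on a small register. The following is an added illustration, not code from the deck or from ISACA: every scenario, figure, threshold and response is constructed, and "efficient and effective" is modelled here as an assumption (the response is effective, easy to implement, and costs less than the annual exposure it addresses).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    """One IT risk scenario, with the expected frequency and magnitude used to size it."""
    name: str
    unit: str          # business unit owning the risk (a lower level of the enterprise)
    frequency: float   # expected occurrences per year (constructed value)
    magnitude: float   # expected loss per occurrence, in currency units (constructed value)

    @property
    def exposure(self) -> float:
        # Annualised exposure: frequency x magnitude, the two dimensions the deck measures appetite in
        return self.frequency * self.magnitude

@dataclass(frozen=True)
class Response:
    """A candidate risk response for a scenario (constructed)."""
    scenario: str
    cost: float
    effective: bool            # materially reduces frequency and/or impact
    easy_to_implement: bool    # capability to implement is in place

# Constructed register, loosely following the generic IT risks listed earlier in the deck
SCENARIOS = [
    Scenario("Critical application server damage", "Retail", 0.5, 400_000),
    Scenario("Spreadsheet used for regulatory reporting", "Finance", 2.0, 30_000),
    Scenario("Transaction volume exceeds system capacity", "Retail", 1.0, 150_000),
    Scenario("Loss of niche technology skills", "IT", 0.2, 100_000),
]
RESPONSES = [
    Response("Critical application server damage", 80_000, True, True),
    Response("Spreadsheet used for regulatory reporting", 250_000, True, False),
    Response("Transaction volume exceeds system capacity", 1_000_000, True, False),
    Response("Loss of niche technology skills", 10_000, True, True),
]

def unit_exposure(scenarios):
    """Aggregate scenario exposure per business unit."""
    totals = {}
    for s in scenarios:
        totals[s.unit] = totals.get(s.unit, 0.0) + s.exposure
    return totals

def appetite_status(scenarios, unit_tolerance, appetite, capacity):
    """Position the enterprise against tolerance, appetite and capacity.

    unit_exceptions: units whose exposure exceeds the per-unit tolerance; tolerable
    only while the enterprise total stays within appetite (slide on risk tolerance).
    sustainable_appetite: False when appetite is set above capacity (slide on appetite vs capacity).
    """
    per_unit = unit_exposure(scenarios)
    total = sum(per_unit.values())
    return {
        "total_exposure": total,
        "unit_exceptions": sorted(u for u, x in per_unit.items() if x > unit_tolerance),
        "within_appetite": total <= appetite,
        "within_capacity": total <= capacity,
        "sustainable_appetite": appetite <= capacity,
    }

def prioritise(scenario, response, high_risk_threshold):
    """Apply the quick win / business case / defer rule from the deck.

    high_risk_threshold is an assumed materiality cut-off on annual exposure.
    """
    high_risk = scenario.exposure >= high_risk_threshold
    efficient_and_effective = (
        response.effective and response.easy_to_implement and response.cost < scenario.exposure
    )
    if high_risk and efficient_and_effective:
        return "Quick win"
    if high_risk or efficient_and_effective:
        return "Business case"
    return "Defer"

def build_plan(scenarios, responses, high_risk_threshold):
    """Map each scenario name to its prioritisation bucket."""
    by_name = {s.name: s for s in scenarios}
    return {r.scenario: prioritise(by_name[r.scenario], r, high_risk_threshold) for r in responses}

if __name__ == "__main__":
    status = appetite_status(SCENARIOS, unit_tolerance=300_000, appetite=500_000, capacity=2_000_000)
    print("Enterprise position:", status)
    for name, bucket in build_plan(SCENARIOS, RESPONSES, high_risk_threshold=100_000).items():
        print(f"{bucket:14} {name}")
```

With the constructed numbers the Retail unit breaches its tolerance but the enterprise total (430,000) stays within appetite, so the exception is tolerable; re-running `appetite_status` with an appetite above capacity flags the unsustainable case from the diagram slide regardless of actual exposure.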
Agenda
- The Risk IT Framework
- IT risk basics (definitions, principles)
- Risk Governance domain (establish, define)
- Risk Evaluation domain (assess)
- Risk Response domain (act)
- Process flow and key points to remember
Risk IT process model
1. Define a risk universe and scope risk management
2. Risk appetite and risk tolerance
3. Risk awareness, communication and reporting: includes key risk indicators, risk profiles, risk aggregation and risk culture
4. Express and describe risk: guidance on business context, frequency, impact, COBIT business goals, risk maps, risk registers
5. Risk scenarios: includes capability risk factors and environmental risk factors
6. Risk response and prioritisation
7. A risk analysis workflow: swim-lane flow chart, including role context
8. Mitigation of IT risk using COBIT and Val IT
Key points
- ISACA's Risk IT complements other risk frameworks and can, and should, be adapted to the organisation.
- IT risk is business risk: business management is the most important stakeholder, risk should be expressed in business terms, and it contains both opportunities for benefit and threats to success.
- Responsibilities follow the three lines of defence: own/manage, oversee, assure.
- Risk culture, communication and awareness around IT's role in risk and opportunity.
Thank you!
Charalampos (Harry) Brilakis, CISA
harry.bril {at} gmail.com
ISACA Athens Chapter, Massalias 22, 106 80 Athens
info {at} isaca.gr