IT Governance Risk Assessment Worksheet
Enterprise Administrative Systems Risk Assessment, Version 2 (2/13/2016)

This table was developed through a series of discussions with the various business and IT stakeholders. It represents an assessment of the various risk events that may occur if current issues are left unaddressed. It employs the risk assessment framework adopted by the Enterprise Risk Management initiative, where each risk is assessed from both an impact and a likelihood perspective. The approach to collecting these risks was not overly scientific, but it attempts to provide an overall view of the risks in relation to each other. The root causes of these risks are often shared, so that focus on certain risks will clearly help reduce other risks. The intent of this exercise was to identify the key risks that constitute an ongoing threat to the University, so that we can mobilize management and staff attention to identifying and taking action towards risk mitigation. The Mitigation Strategies column here identifies only a few suggestions. Others will clearly be identified as each risk is, in turn, assessed and addressed.

Each risk event below is recorded under the worksheet's five columns: Risk Event, Impact of Risk, Supporting Symptoms, Likelihood of Occurrence, Mitigation Strategies.

Risk Event 1. Failure to Comply with Research agency requirements
  Impact of Risk: Extreme
    - Major loss of funding
    - Inability to meet strategic goals
    - Potential Executive Action
    - Collateral impact to faculty (attract and retain) and student growth
    - Impact to University reputation
  Supporting Symptoms:
    - Access Controls
    - Reporting Capabilities
    - Data Quality
    - Timeliness/Currency of Information
  Likelihood of Occurrence: Very High
    - Have also had 1 small project that got shut down, and recent CFI monitoring report was unsatisfactory
    - 6 months to ensure significant visible progress to address TriCouncil Audit issues and have a strong plan in place for those that aren't addressed
  Mitigation Strategies:
    - Some steps have been taken: reorg/rebuild and retrain staff; get extra resources
    - Need to look at E2E work flows and supporting systems
    - Need to identify, communicate and track what system improvements have been made to address these issues
    - Should ensure that supporting systems are defined with appropriate usability, availability and security characteristics to support the administrative needs of researchers

Risk Event 2. Failure to meet committed student growth needs (2400 by 2010, with incremental increases each term) – loss of new and existing students
  Impact of Risk: High/Extreme
    - Loss of associated funding (tuition and performance envelope), increasing incrementally over time
    - Inability to meet strategic goals
    - Impact to University reputation
    - Collateral impacts to research, donations, etc.
    - Potential Executive Action
  Supporting Symptoms:
    - User/Systems Interface: student frustration with access, usability and timeliness of response for student admin. processes (admissions, student awards, registration etc.)
    - Data/system
  Likelihood of Occurrence: Very High
    - Have already had several critical events
    - Will review admissions data in September to determine how many students have gone elsewhere
    - Will be perceived as issues in next Admissions cycle in 5 months
  Mitigation Strategies:
    - Need to have marked improvements by December to support next admissions process
    - Supporting systems should provide the analytical and reporting capabilities in a timely fashion to support the admissions process

Risk Event 3 (revised). Failure to support key business processes due to systems outages and support issues (operational risks)
  Impact of Risk: High
    - Potential loss of revenue, penalties, loss of customer satisfaction, etc. depending on the nature of the failure (e.g. payroll failure may result in late penalties from Revenue Canada of @ $200K per day if late)
    - Student and employee retention
    - Impact to University reputation
  Supporting Symptoms:
    - Limited power capacity
    - Systems / infrastructure stability and support issues
    - Level of Data/systems integration (e.g. HR with Parking, Cont. Ed, Campus Rec., etc.)
    - Integration workflow issues, causing delays due to manual effort/workload for staff
    - Data Quality
  Likelihood of Occurrence: Very High
    - Have had some near misses
    - As systems are added, with existing staff, insufficient maintenance, and insufficient sustaining of currency of infrastructure, the risk increases
    - Multiple instances of poor documentation, single (or limited) points of staff dependency, and insufficient off-hours arrangements still exist
  Mitigation Strategies:
    - Each business process would need to assess the appropriate mitigation strategies and define manual or communication mitigation plans to provide some peace of mind
    - Establish a Service Availability and Recovery Plan for each service to document response procedures
    - Harden IT infrastructure in line with the service criticality as established in the Service Availability and Recovery Plans
    - Improve systems monitoring capability to provide early identification of issues
    - Establish an on-call process to ensure that support staff and an escalation channel are in place in case of outage
    - An overarching Capacity and Availability Plan would help define the investments required to meet current and evolving availability needs

Risk Event 3 (old). Inability to pay staff due to system issues
  Impact of Risk: Medium (if we take some actions to mitigate the impact of a failure)
    - Employee retention
    - Impact to University reputation
    - Compliance with, and potential late penalties from, Revenue Canada (@ $200K per day if late)
  Supporting Symptoms:
    - Systems / infrastructure stability and support
    - Data/systems integration (parking, cont. ed, Campus Rec, etc.)
  Likelihood of Occurrence: High
    - Have had some near misses
    - Existence of 5 pays a month increases likelihood of occurrence
    - Risk is particularly high with the 2 back-to-back pays at the end of the month
  Mitigation Strategies:
    - Need to define manual or communication mitigation plans to provide some peace of mind
    - Establish Service Availability and Recovery Plan
    - Determine what the Job Scheduling product can do to ensure jobs run smoothly
    - Establish an on-call process to ensure that support staff and an escalation channel are in place in case of outage

Risk Event 4. Poor data – quality, timeliness and integration between systems
  Impact of Risk: Extreme
    - Decisions resulting in tactical and strategic errors (e.g. admissions numbers)
    - Over/under expenditures (e.g. researchers and units)
    - Lack of a unified view of activity with partners and donors
  Supporting Symptoms:
    - Data Quality
    - Timeliness/currency issues
    - Data/systems integration: synchronization is often done manually (e.g. Raiser's Edge and PeopleSoft)
    - Limited reporting capabilities
    - Availability and access to critical business systems
  Likelihood of Occurrence: Very High
    - This is happening today in many areas where units do not have accurate information to make decisions: Student Awards, trust accounts, unit decisions, partner/donor activities
  Mitigation Strategies:
    - Some of this will be addressed by focusing on other priority areas

Risk Event 5. External bodies take action against the University due to inaccurate external reporting
  Impact of Risk: Extreme
    - Loss of funding or related penalties
    - Impact to University reputation
  Supporting Symptoms:
    - Reporting Capabilities
    - Data Quality
    - Data/systems integration
    - Timeliness/currency issues (to a lesser degree, as most reporting has some lag period)
  Likelihood of Occurrence: Very Low
    - Reports will get done, perhaps late, with some inaccuracies and/or with much manual effort
  Mitigation Strategies:
    - Key aspects of this risk will be addressed by addressing more critical risks

Risk Event 6. Failure to address Provincial Auditor requirements – Financial and Research Management
  Impact of Risk: Medium
    - Impact to University reputation
    - Potential for Executive Action
    - Impacts our ability to get, and the associated costs of, Crime Insurance for the University
  Supporting Symptoms:
    - Access Controls
    - Data Quality
  Likelihood of Occurrence: High
    - Some issues have been raised repeatedly
    - There is some progress being made in some areas, not in others
  Mitigation Strategies:
    - Key aspects of this risk will be addressed by addressing more critical risks

Risk Event 7. Reduced donations due to our inability to provide required donor reporting
  Impact of Risk: High
    - Funding impact
    - Impact to University reputation
    - Collateral loss of students due to loss of scholarships and program/facility funding
  Supporting Symptoms:
    - Data Quality
    - Reporting Capabilities
    - Timeliness/responsiveness
  Likelihood of Occurrence: Medium
    - Will increase over time as we are unable to provide sufficient donor reporting
  Mitigation Strategies:
    - Manual efforts to ensure that donor information is provided
    - Key aspects of this risk will be addressed by addressing more critical risks

Risk Event 8. Loss of Faculty due to frustration with administrative systems/processes
  Impact of Risk: Medium
    - Reduced quality of programs
    - Increased recruitment costs and challenges
    - Loss of associated research
    - Impact on student satisfaction
    - Impact to University reputation
  Supporting Symptoms:
    - User/Systems Interface
    - Workflow issues
    - Data/systems integration
    - Data Quality
    - Timeliness/Currency of Information
  Likelihood of Occurrence: Low
    - Likely decreasing for now as people are adjusting
    - This is only one of multiple reasons why people may leave
  Mitigation Strategies:
    - Key aspects of this risk will be addressed by addressing more critical risks
    - Business process education: offer and ensure participation
    - Admin support for infrequently used processes

Risk Event 9. Loss of Staff due to frustration with administrative systems/processes
  Impact of Risk: Medium
    - Reduced staff productivity
    - Increased recruitment costs and challenges
    - Increased business exposures
    - Impact on student satisfaction
    - Collateral impact on data quality and timeliness
  Supporting Symptoms:
    - User/Systems Interface
    - Workflow issues
    - Data/systems integration
    - Data Quality
    - Timeliness/Currency of Information
  Likelihood of Occurrence: Low
    - There was likely some of this during initial implementation
    - Likely decreasing for now as people are adjusting
    - This is only one of multiple reasons why people may leave
  Mitigation Strategies:
    - Key aspects of this risk will be addressed by addressing more critical risks
    - Business process education: offer and ensure participation
    - Admin support for infrequently used processes

Risk Event 10. Loss of Researchers due to frustration with administrative systems/processes
  Impact of Risk: Medium
    - Reduced research productivity
    - Loss of research dollars
    - Inability to meet strategic goals (research growth)
    - Impact on academic quality and collateral losses
    - Impact to University reputation
  Supporting Symptoms:
    - User/Systems Interface
    - Workflow issues
    - Data/systems integration
    - Data Quality
    - Timeliness/Currency of Information
  Likelihood of Occurrence: Low
    - Likely decreasing for now as people are adjusting
    - This is only one of multiple reasons why people may leave
  Mitigation Strategies:
    - Key aspects of this risk will be addressed by addressing more critical risks
    - Business process education: offer and ensure participation
    - Admin support for infrequently used processes

Risk Event 11. Lost opportunities due to poor overall administrative efficiency
  Impact of Risk: Extreme
    - Significant drain on resources in all units and faculties to deal with operational issues is detrimental to focusing on more strategic and value-adding activities
  Supporting Symptoms:
    - Systems Interface
    - Workflow issues
    - Poor systems integration
    - Data Quality
    - Reporting Capabilities
    - Timeliness/Currency of Information
  Likelihood of Occurrence: Very High
    - This is happening in all units and faculties today
  Mitigation Strategies:
    - Providing interim administrative staffing options to offload low-value tasks
    - Focus on areas that will have significant work-reducing impact in critical areas

Risk Event 12. Units and faculties create duplicate information systems due to integration issues
  Impact of Risk: High
    - Increased costs, one-time and ongoing
    - Reduced productivity
    - Impact to University reputation
    - Collateral impacts to reporting capabilities
  Supporting Symptoms:
    - Data Quality
    - Timeliness/Currency of Information
    - Reporting Capabilities
    - Workflow issues
    - Data/systems integration
    - User/Systems Interface
  Likelihood of Occurrence: Very High
    - This is already happening, with the expectation of much more as issues remain unaddressed and units/faculties push to meet strategic goals
  Mitigation Strategies:
    - Effective Governance
    - Increase analytical and architectural capabilities

Risk Event 13. System misuse and fraud due to ineffective system transactional authorization controls
  Impact of Risk: High
    - Lost funds and overexpenditure
    - Impact to University reputation
    - Compliance with laws and conditions of funding agencies and donors
    - FOIP issues
  Supporting Symptoms:
    - Access Controls
    - Reporting Capabilities
    - Data Quality
  Likelihood of Occurrence: High
    - There have already been a couple of incidents resulting in terminations
    - Unsure how many instances may be occurring, but the potential is there to be abused
  Mitigation Strategies:
    - Access and authorization process and systems improvement
    - Improved policies and communication

Risk Event 14. Inability to support growth in demand for new and existing IT services – infrastructure focus
  Impact of Risk: High
    - Inability to meet strategic goals and associated funding implications: student growth; research growth; student experience; improved quality of teaching and learning; capital program
    - Impact to University reputation
  Supporting Symptoms:
    - Lack of power and associated environmental systems available to the data centre
    - Limited infrastructure capacity
    - Lack of currency in applications and infrastructure limits ability to respond to new requests
  Likelihood of Occurrence: Extreme
    - Power and many infrastructure elements are currently at or very close to capacity
    - Limited funding available for infrastructure investments
    - Capacity growth for existing services could use up all available capacity
    - Limited metrics exist to support ongoing continuous improvement/resource optimization
  Mitigation Strategies:
    - Need to establish metric capability
    - Limited near-term mitigations are available without funding: need to investigate an alternative sourcing strategy to off-load near-term power demand and/or rationalize servers where possible to reduce existing loads; little opportunity exists to address processing capacity issues without turning other services off or down
    - Longer term: the power expansion project has been approved for summer 08 implementation; need to have plans, with supporting funding, in place to expand capacity in line with demand. A Capacity and Availability Plan would help to address this.

Risk Event 15. Inability to restore University systems in the event of a major IT disaster
  Impact of Risk: Extreme
    - Potential loss of revenue, penalties, loss of customer satisfaction, etc. depending on the scope, timing and length of the associated outage
    - Student and employee retention
    - Impact to University reputation
  Supporting Symptoms:
    - Limited power capacity
    - Systems / infrastructure stability and support issues
    - Level of Data/systems integration (e.g. HR with Parking, Cont. Ed, Campus Rec., etc.)
    - Insufficient documentation for key systems
    - Multiple instances of poor documentation and single (or limited) points of staff dependency still exist
  Likelihood of Occurrence: Low
    - U of C not significantly vulnerable to most disaster scenarios, but the likelihood of some types of disasters (e.g. pandemic, power outage, terrorist/activist event) is increasing
    - Infrastructure is not designed for high resilience, and sustain dollars are insufficient to keep infrastructure at peak maintenance
  Mitigation Strategies:
    - Continue with work on IT Disaster Recovery Plans in conjunction with the Enterprise Risk Management initiatives
    - Service Availability and Recovery Plans support that initiative
    - Hardening of infrastructure and creation of redundancies help to improve the situation
    - Implementing on-call policies will help ensure that people will be responsive in case of an actual disaster

Risk Event 16. Inability to retain/attract necessary skill sets – staff capacity/capability
  Impact of Risk: High
    - Impacts ability to support technology and systems in support of functional needs of the University
    - Impacts ability to address the other risks
    - Significantly compromises both ability and latency to respond to evolving information technology needs of the University
  Supporting Symptoms:
    - Staff retention
    - Workload issues
    - Funding issues
    - Limited staff capacity and capability to assess, design, build and support the services and supporting infrastructure
    - Single points of staff dependency
    - Inability to deliver on significant initiatives due to skills limitations in key areas
    - Stress
    - Staff in wrong roles
    - Unfilled roles
    - Project latency
  Likelihood of Occurrence: Extreme
    - There is a lack of sufficient resourcing in key skill areas
    - Increasing staff departures
    - Unable to attract key roles
  Mitigation Strategies:
    - Compensation review
    - Can reallocate staff resources to a limited degree to focus on key priorities
    - Need to attract, contract or grow required human resource capacity/capability: hire consultants where needed; provide mentoring

Risk Event 17. Unwanted media attention as a result of a Security Breach – student, financial, medical, or personal data compromise (e.g. lost/stolen laptop; website defacement; critical business systems becoming unavailable or untrustworthy)
  Impact of Risk: High
    - Impact to University reputation
    - Potential loss of revenue, penalties, loss of customer satisfaction, etc. depending on the scope, timing and severity of the incident
    - Potential inability to meet strategic goals
    - Potential Executive Action
    - Compliance with laws and conditions of funding agencies and donors
    - FOIP issues
  Supporting Symptoms:
    - Weak access controls
    - Security controls not properly implemented
    - No security awareness training for faculty or staff
    - Security metrics not clearly defined
    - Security incident identification and response procedures not clearly defined
    - Confidentiality, Integrity, Availability
  Likelihood of Occurrence: High
    - 18 incidents of "computer equipment theft since 2005"
    - Laptop theft generally on the rise (CHR example)
    - 2007 CSI/FBI computer crime survey estimates cost of confidential data compromise at $6,073,150 (494 institutions, 11% educational)
  Mitigation Strategies:
    - Implement and maintain administrative, technical and physical safeguards: Identity Management; encryption technology; vulnerability assessments; security & privacy training; IDS/penetration testing

Implicit Risk – Lack of single (or manageable) accountability to ensure that these risks are addressed collectively with an enterprise focus to provide effective mitigation.