SPM for Canada June 2 2010

Establishing Effective ERM
of IT: Implementation and
Operational Issues of the
New ‘Risk IT Framework’
Robert E Stroud CGEIT
VP Service Management & Governance, CA Technologies
International Vice President, ISACA
Robert E Stroud CGEIT
International VP, ISACA
Service management & governance evangelist, CA
— 29 years in industry experience
— 15+ years banking industry
— VP Service Management & ITSM & IT Governance, CA
— International Vice President, ISACA\ITGI
— Former Chair, COBIT Steering Committee & chief architect
— IT Governance Committee
— Contributor to COBIT V4 and V4.1
— Contributor to the Control Objectives for Basel II
— Contributor to ITIL\COBIT\ISO17799 Management Overview
— ITIL v3 Update Management Board and Reviewer
— ITIL v3 ITIL Advisory Group, Mentor & Reviewer
— Author, ITIL Business Perspective Volume 2
— Executive Board itSMF International, Treasurer and Director Audit Standards & Compliance
— Former Board Member, USA itSMF
Establishing Effective ERM of IT: Implementation and Operational Issues of the New ‘Risk IT Framework’
Copyright © 2010 CA
Robert.Stroud@ca.com
Blog:www.ca.com/blogs/stroud
Important information on the content within…
— The Risk IT Framework and The Risk IT Practitioner Guide, including select text and figures featured within this presentation, are the property of ISACA. Copyright © 2009 ISACA. All rights reserved.
— ISACA, ITGI and COBIT are registered trademarks of ISACA. Val IT and Risk IT are trademarks of ISACA.
— This presentation is presented with the permission of ISACA.
Agenda
— Introduction
— The ‘Risk IT Framework’
— The ‘Risk IT Practitioner Guide’ – Managing Risk in Practice
— Risk Governance
— Risk Evaluation
— Risk Response
— Summary
risk and value are intertwined!
— Risk has 2 sides
− Value preservation
− Value creation
IT related risk = materialised business impact because of an IT related event
IT (Related) risks
ITGI survey 2008, on IT related problems:
it related risk management - summary
— Various standards & frameworks available, but either:
− Generic Enterprise Risk Management oriented
− IT Security oriented
— No comprehensive IT Related Risk framework available
risk it principles
The “Risk IT Framework”
Risk IT
— Risk IT is a framework based on a set of guiding principles and featuring business processes and management guidelines that confirm these principles
— The Risk IT framework is to be used to help implement IT governance
— Organisations that have adopted (or are planning to adopt) CobiT as their IT Governance framework can use Risk IT to enhance risk management.
Purpose of ‘Risk IT’
The Risk IT framework explains IT risk and will enable users to:
− Integrate the management of IT risk into the overall enterprise risk management of the organisation
− Make well-informed decisions about the extent of the risk, the risk appetite and the risk tolerance of the enterprise
− Understand how to respond to the risk
In brief, the framework allows the enterprise to make appropriate risk-adjusted decisions.
The Risk IT Framework
‘Risk IT Practitioner Guide’ – managing risk in practice
supplemental tools and materials
— The Risk IT Practitioner Guide is supported by an implementation tool kit, containing the following templates:
− Enterprise IT Risk Assessment Form (figure 7)
− Risk Communication Flows (figure 14)
− Template Risk Register Entry (figure 36)
− Generic IT Risk Scenarios (figure 40)
− Generic IT Risk Scenarios Mapped to COBIT and Val IT Processes (figure 41)
− Generic IT Risk Scenarios and Environmental Risk Factors (figure 42)
− COBIT Controls and Val IT Key Management Practices to Mitigate IT Risk (figure 48)
risk governance
business – enterprise risk management (ERM)
— Enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.
— ERM provides a framework for risk management
— By identifying and proactively addressing risks and opportunities, business enterprises protect and create value
— ERM can also be described as a risk-based approach to managing an enterprise
the definition of it risk
— IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
— IT risk consists of IT-related events that could potentially impact the business.
— IT risk always exists, whether or not it is detected or recognised by an organisation
it related business risk
it risk in the risk hierarchy
essentials of risk governance
— Risk Appetite and Tolerance
— Responsibilities and accountability for IT Risk Management
— Awareness and Communication
— Risk Culture
risk appetite and tolerance - definition
— Risk appetite
The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision)
— Risk tolerance
The acceptable variation relative to the achievement of an objective (and often is best measured in the same units as those used to measure the related objective)
risk appetite
— Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. When considering the risk appetite levels for the enterprise, two major factors are important:
— The enterprise‘s objective capacity to absorb loss
— The culture towards risk taking – cautious or aggressive
risk appetite - examples
risk tolerance
Risk tolerance is the tolerable deviation from the level set by the risk appetite definition, e.g., standards require projects to be completed within the estimated budgets and time, but overruns of 10 percent of budget or 20 percent of time are tolerated.
responsibilities and accountability for it risk management
awareness and communication benefits
— Executive management understands the actual exposure to IT risk, enabling definition of appropriate and informed risk responses
— Awareness amongst all internal stakeholders of the importance of integrating risk and opportunity in their daily duties
— Transparency to external stakeholders regarding the actual level of risk management processes in use
Implications of poor communications
— False sense of confidence at the top on the degree of actual exposure related to IT
— Unbalanced communication to the external world on risk, especially in cases of high but managed risk, may lead to an incorrect perception on actual risk by third parties such as clients, investors or regulators
— Perception that the enterprise is trying to cover up known risk from stakeholders
what to communicate
Risk Culture
Risk Evaluation
business impact
it risk scenario development
risk factors
risk scenarios
example scenario list
risk evaluation
key risk indicators (KRIs)
risk response options
risk response options and influences
parameter for risk response selection
risk response prioritisation
risk response & prioritisation
Risk and Opportunity
CobiT, Val IT & Risk IT
summary
— Risk IT saves time, cost and effort by providing a clear method to focus on IT-related business risks
— Risk IT provides the guidance to help executives and management ask the key questions
— Risk IT allows organizations to make better risk-adjusted decisions
— Risk IT allows organizations to manage their enterprise risk more effectively
summary
— Risk and value are two sides of the same coin
— Risk is inherent to all enterprises
— Balance must be struck that avoids value destruction and ensures that opportunities for value creation are not missed
Thank you
Contact details:
Robert E Stroud CGEIT
Email: Robert.Stroud@ca.com
Tel: (631) 880 2544
BLOG: www.ca.com/blogs/stroud
Twitter: www.twitter.com\RobertEStroud