
CRISC EXAM PREP #1
Risk Governance

Risk Governance
Week #1 CRISC Exam Prep

Bill Pankey
Tunitas Group

Agenda
About
  Course
  CRISC Exam
  Me
  You
Common Risk View
Risk Governance
  Enterprise Foundations
  Integrated Management
Risk Management Frameworks
  Standards
  Process
  Practice

Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in the Tunitas Group CRISC Exam Preparation Class. No other use is permitted without express written authorization.


Accenture 2011 Risk Management Survey: Top Challenges*

*http://goo.gl/FVdo9

Course Perspective: ISACA Starting Position

IT risk is business risk
  Effect on business strategy
    Value creation / opportunity
    Preservation of asset value
    Tangible & intangible
Various information security risks, project risks and operational risks are not necessarily IT risks.
  IT risk management requires relevance and alignment
IT risk is more than just information security risk
  e.g., not achieving business value, service delivery problems, inflexible architecture



ISACA Starting Position (ISACA 2009)

Benefit Enablement Risk: Lost opportunity to use IT to improve the effectiveness or efficiency of new or existing business process.
Program/Project Delivery Risk: Failure to deliver business value in projects or program.
Service Delivery Risk: Performance errors in the delivery of IT services. Information security errors.

Course Perspective: ISACA Starting Position

IT risk must be managed as an enterprise risk
  Reflect the enterprise risk appetite and culture
  Consolidate with other risk across the organization
  Acquire business sign-off on the control environment
=> IT risk management must adapt to the ERM context
What if ERM is immature or nonexistent?



Course Perspective: ISACA Starting Position

Effective IT risk management:
  Provides tone at the top
  Assigns personal accountability
  Provides accurate information in a timely fashion
  Minimizes the impact of controls, consistent with cost and benefit
  Promotes continuous improvement
Are there workarounds?

CRISC Exam Prep Class Lectures

Tonight
1 session for each CRISC domain
  Risk Identification & Assessment
  Risk Response
  Risk Monitoring
  Control Design & Implementation
  Control Monitoring
1 session for exam strategy
2+ hours



WizIQ
  Slides
  Chat
    Use chat to ask / answer / discuss topics
    Ann Geyer and Chris Sublett will participate
  Voice options
  Sample Test Questions

Practice Question
Which of the following is the best measure of IT Risk Management success?
  Extraordinary IT related expense
  # of threats mitigated
  Completeness of control catalog
  Low residual risk score




CRISC Exam
  120 questions
  Forced choice questions: select the single best | least bad answer
  No deduction for incorrect answers
  4 hours
Firewall between the CRISC Test Enhancement Committee and ISACA study material \ education activity
  8/9 CISA; 6/9 CISM; 4/9 CGEIT
  Jack Jones (FAIR inventor) committee chair

About You
Experienced professionals w/ diverse risk management responsibilities
  50% x Industry Sector
  30% x Management Area




A Note on Language

Muddled risk lexicon
  Many competing and sometimes conflicting definitions
  Precision in language is desirable, but it can be exclusionary
"Risk refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s) and control conditions. As a derived value, it cannot take a plural form (i.e., risks)." From ISACA CRISC pages

The goal of IT risk management is the achievement of business objectives
  Adapt to the language used by the business organization
  But for CRISC test takers, caution is warranted.



Board Perspective: Risk Governance

Risk accompanies the business strategy
Board responsibility is to ensure that risk is commensurate with reward
How does it accomplish this?

10 best practices for risk governance*
1. Understand the company's key drivers of success.
2. Assess the risk in the company's strategy.
3. Define the risk oversight role of the full board and its standing committees.
4. Consider whether the company's risk management system, including people and processes, is appropriate and has sufficient resources.
5. Work with management to understand and agree on the types (and format) of risk information the board requires.
6. Encourage a dynamic and constructive risk dialogue between management & board.
7. Closely monitor the potential risks in the company's culture and its incentive structure.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives, and people.
9. Consider emerging and interrelated risks: What's around the next corner?
10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk oversight objectives?

*National Association of Corporate Directors, Risk Governance: Balancing Risk & Reward


Risk Governance Focus



What is Risk?
Different answers will affect risk management objectives & practices
  Volatility of outcome
    Variance about an expected outcome (e.g., as in finance)
  Expected outcome
    Anticipated average loss (e.g., as in information security)
  Potential positive or negative outcome
    PMI BOK and ISACA
  Undefined in law & regulation
Of course, the conundrum is exacerbated by a plethora of measurement methods

What is Risk?
Two essential aspects: uncertainty & loss
  Oxford Dictionary: "The possibility that something unpleasant or unwelcome will happen."
Counter to alternative definitions that will routinely be encountered:
  Risk has to include the possibility of loss
  Risk has only losses. Gains are opportunities.
  Risk is not synonymous with volatility
  Risk is vector valued, not the product of probability and outcome
    An assumption of risk neutrality conflicts with the intended support for organization risk preferences and appetite.




What is Risk Management?
Enterprise risk management is*:
  "a process, applied across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
4 categories of objectives:
  Strategic. High level goals, mission
  Operations. Resource optimization
  Reporting. Reliability of management information
  Compliance. Satisfaction of laws and regulation

*COSO, Enterprise Risk Management: Integrated Framework


COSO Governance Concepts
  Internal environment
    Tone, risk management philosophy, appetite & tolerance
  Objective setting
    Risk management process, roles & responsibilities
  Monitoring
    Ongoing management reporting & adjustment





Risk Philosophy
  Not a term of art well defined in standards
  Generally, the organizational attitude toward risk
  Perceived value of risk management: mitigation, avoidance, etc.
  Expressed through a collection of risk related attributes (e.g., appetite and tolerance)


Internal Environment: Risk Appetite

Boundaries of risk acceptance
  "amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style"
  Effectively establishes the enterprise mitigation policy
Determined by:
  Objective ability to absorb loss
  Management philosophy & culture
  External influences
    Laws and regulation
    Customer expectation
Changes over time




EXAMPLE: Risk Appetite

Risk Map (axes: impact magnitude vs. probability)
Appetite => risk policy
  Zones: Really Unacceptable | Unacceptable | Acceptable | Opportunity

Really Unacceptable: far beyond normal risk appetite; respond immediately.
Unacceptable: above normal risk appetite; additional mitigation within time boundaries.
Acceptable: No special action beyond maintaining current control.
Opportunity: Very low risk; cost saving or other opportunity gained from relaxing control or assuming more risk.

EXAMPLE: Really Unacceptable Risk

Healthcare Sentinel Events
Events that should never occur in a hospital, e.g.:
  Wrong side surgery. Wrong patient surgery.
  Patient death or disability due to contaminated drugs, devices, biologics
  Patient death or disability due to medication error
  Patient suicide
  Large breaches of confidential patient data
Trigger immediate response process
  Formal root cause analysis
  Mandatory corrective action plan
  Mandatory reporting to oversight agencies (for some)
IT risk management relevance
  Map IT events up onto sentinel events
  Little or no appetite (unacceptable or really unacceptable) for information system events that could result in a sentinel event
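The risk map on the Risk Appetite slide and the "map IT events up onto sentinel events" rule above, worked through as an added Python example that is not part of the slides or of any ISACA, COSO or course material. The four-band scales, the zone matrix, the sentinel-event categories and the scenarios are all constructed assumptions; a real appetite statement comes from the board's risk governance process. The code classifies each constructed IT risk scenario into an appetite zone with its required action, forces any scenario that maps onto a sentinel event into Really Unacceptable regardless of probability, and shows, as the What is Risk? slide argues, that two scenarios with the same probability x impact product can still land in different zones because the appetite is read off the (probability, impact) pair, not off a scalar.

```python
"""Risk appetite expressed as policy. Added illustration; the band scales,
zone matrix, sentinel categories and scenarios are all constructed assumptions,
not ISACA, COSO or course material."""
from dataclasses import dataclass, field
from enum import IntEnum


class Band(IntEnum):
    """Assumed ordinal scale used for both axes of the risk map."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# The four zones from the slide's risk map and the response each implies.
ZONE_ACTIONS = {
    "Really Unacceptable": "far beyond normal appetite; respond immediately",
    "Unacceptable": "above normal appetite; additional mitigation within time boundaries",
    "Acceptable": "no special action beyond maintaining current control",
    "Opportunity": "very low risk; consider relaxing control or assuming more risk",
}

# Assumed appetite: ZONE_MATRIX[impact][probability]. The zone is read off the
# (probability, impact) pair itself, not off their product.
RU, UA, AC, OP = "Really Unacceptable", "Unacceptable", "Acceptable", "Opportunity"
ZONE_MATRIX = {
    Band.VERY_HIGH: {Band.LOW: UA, Band.MEDIUM: RU, Band.HIGH: RU, Band.VERY_HIGH: RU},
    Band.HIGH:      {Band.LOW: AC, Band.MEDIUM: UA, Band.HIGH: RU, Band.VERY_HIGH: RU},
    Band.MEDIUM:    {Band.LOW: AC, Band.MEDIUM: AC, Band.HIGH: UA, Band.VERY_HIGH: UA},
    Band.LOW:       {Band.LOW: OP, Band.MEDIUM: OP, Band.HIGH: AC, Band.VERY_HIGH: AC},
}

# Constructed sentinel-event categories (after the healthcare slide). An IT
# event that can lead to one of these gets no appetite, whatever its probability.
SENTINEL_CONSEQUENCES = frozenset({
    "wrong-patient surgery",
    "contaminated drug or device",
    "medication error",
    "patient suicide",
    "large confidential data breach",
})


@dataclass(frozen=True)
class ITRiskScenario:
    name: str
    probability: Band
    impact: Band
    # Business outcomes the IT event is mapped onto ("map IT events up").
    consequences: frozenset = field(default_factory=frozenset)


def classify(scenario: ITRiskScenario):
    """Return (zone, required action, reason) under the assumed appetite."""
    sentinel_hits = scenario.consequences & SENTINEL_CONSEQUENCES
    if sentinel_hits:
        zone = RU
        reason = "maps onto sentinel event(s): " + ", ".join(sorted(sentinel_hits))
    else:
        zone = ZONE_MATRIX[scenario.impact][scenario.probability]
        reason = f"probability={scenario.probability.name}, impact={scenario.impact.name}"
    return zone, ZONE_ACTIONS[zone], reason


def scalar_score(scenario: ITRiskScenario) -> int:
    """probability x impact: the single number a risk-neutral view would rank by."""
    return int(scenario.probability) * int(scenario.impact)


# Constructed scenarios. The first two share the same scalar score (4) but
# land in different zones: the appetite treats risk as a vector.
SCENARIOS = (
    ITRiskScenario("Frequent minor EHR latency", Band.VERY_HIGH, Band.LOW),
    ITRiskScenario("Rare corruption of drug-dosing records", Band.LOW, Band.VERY_HIGH),
    ITRiskScenario("Patient-ID mix-up in interface engine", Band.LOW, Band.MEDIUM,
                   frozenset({"wrong-patient surgery"})),
    ITRiskScenario("Stale pages on the intranet wiki", Band.MEDIUM, Band.LOW),
)


def zone_report(scenarios=SCENARIOS):
    """Map scenario name -> zone, for review with the business owners."""
    return {s.name: classify(s)[0] for s in scenarios}


if __name__ == "__main__":
    for s in SCENARIOS:
        zone, action, reason = classify(s)
        print(f"{s.name:42} score={scalar_score(s)} zone={zone:20} ({reason}) -> {action}")
```

Running the module prints one line per scenario; the point to notice is that the latency and the record-corruption scenarios both score 4 on the scalar yet fall into Acceptable and Unacceptable respectively, and that the patient-ID scenario is Really Unacceptable on the sentinel rule alone even though its probability band is LOW.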




Risk Tolerance
Less useful, perhaps
  "Risk tolerances relate to the entity's objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective."
  For example, measures of shortfall that the organization will satisfice.


Practice Question
An organization that recently suffered a catastrophic loss should:
A. Change the level of acceptable risk
B. Change the level of unacceptable risk
C. Reevaluate probabilities
D. Reevaluate impact





Awareness & Communication
Transparency does not mean the unmanaged communication of:
  Risk strategy / appetite
  Actual level of risk
  Risk management process and issues
Support risk aware decisions
Seek to avoid
  Overconfidence
  Perception that the organization is hiding something from stakeholders (internal or external)
  Perception that risk is not well managed

Objective Setting: Risk Management Roles

Board: Establish common risk view / risk appetite
CEO: Manage risk
Risk Officer: Collect data and report
business monarchy
Business Management: Risk aware decisions; Analyze risk; Maintain risk profile
IT Management: Support all risk management activity in a secondary role
Business Process Owner: React to events
Control Functions: Support all risk management activity
HR: Communicate common risk view
Audit: Communicate common risk view; React to events






Objective Setting: Risk IT Process Model
Risk acceptance is managed as a risk governance activity
2009 ISACA


Risk IT Artifacts
2008 ITGI





Risk IT Governance Domain: Common Risk View (2009 ISACA)

Note: Risk Assessment / Risk Analysis

Develop IT risk management framework
  Determine how to integrate IT risk into strategic plans
  Classify IT risk factors, events and potential impact
  Define risk rating scales and control categories
  Determine IT risk tolerance and appetite
  Embed existing enterprise wide risk management principles and views

Business Relevance of IT Event




Business Relevant Categories for Expressing the Impact of Adverse Events
(Risk IT Governance Domain)

Extended information criteria (COBIT): Efficacy, Efficiency, Confidentiality, Integrity, Availability, Reliability, Compliance
COSO ERM: Strategic, Operations, Reporting, Compliance
Extended Balanced Scorecard:
  Financial: Share Value, Profit, Revenue, Cost of Capital
  Customer: Market share, Customer satisfaction, Customer Service
  Internal
  Growth
  extended with: Regulatory Compliance, Competitive advantage, Reputation
Factor Analysis of Information Risk (FAIR): Productivity, Response cost, Replacement, Competitive Advantage, Legal, Reputation
Healthcare Provider*: Patient Care, Logistics, Reputation, Regulatory Compliance, Financial / Billing
Westerman's 4 As: Agility, Accuracy, Access, Availability

Integrate with ERM
  Ensure appropriate business involvement in IT risk committees
  Ensure IT involvement in the enterprise business risk committee
  Coordinate IT incident response plans with business response plans
  Harmonize risk categories, methods, scales, etc. with ERM methods




Risk IT Governance Domain: Risk Aware Decisions
  Sell the business value of IT risk analysis data and results to business decision makers
  Review analysis results with business owners to ensure a coordinated response (business and IT)
  Obtain business sign-off of residual risk.

Risk IT Governance Metrics

A wicked problem
  Need to assume that risk is appropriately analyzed and assessed in order to determine that it is appropriately managed. However, an indication of poor risk management is misunderstood or poorly assessed risk.
ISACA IT risk governance metric
  Recourse to enterprise [business] risk metrics. Presumably more objective ($$$)
  Presumes a grand experiment (strategic use of IT or not)
  Correlate enterprise and IT risk measures






ERM Frameworks
COSO ERM
  Special status due to specific mention in the Sarbanes-Oxley law.
  Often imprecise, i.e. does not define risk
  Difficult to understand?
ISO 31000 Risk Management Framework ($$)
  Based on AS/NZ 4360 (free for download)
  Procedural framework for identification, analysis and treatment of generic risk
  Intended to harmonize risk management processes, support existing standards (e.g. ISO 27005)
  Risk defined as "effect of uncertainty on objectives"




NIST RMF
NIST Risk Management Framework that is replacing NIST C&A processes (SP 800-37)
Interesting (or not) features:
  All of the information about business objectives and impacts is encapsulated in the classification of information and systems
  Controls selected on the basis of classification and deployment environment
  Control effectiveness is assessed before systems are authorized to maintain or process classified data
Designed for managing information security
Could be adapted to IT risk generally (???)


Risk IT Practitioner Guide
  Closely aligned with Risk IT
  A guide without pretension to be a standard; a set of heuristics
  Recommended for concrete, actionable advice, e.g.
    risk scenario construction
    risk maps
  Free download for ISACA members from ISACA.org. $115 otherwise




Practice Question

