Lecture 6: Risk Frameworks

ISO 31000 Series

Risk management process: 5 activities

Communication and consultation

Establishing the context

Risk Assessment

Risk Treatment

Monitoring and review

Objective

More confident and rigorous basis for decision making and planning

Better identification of opportunities and threats

Gaining value from uncertainty and variability

ISACA Risk IT Framework

3 Domains

Risk Governance: risk management embedded in the enterprise

Risk Evaluation: risk identified, analysed and presented

Risk Response: address risk in a cost-effective manner

COBIT 5 Risk Scenario

Risk Scenario: description of a possible event that, if it occurs, has an uncertain impact on enterprise objectives

Contains:

Actor (internal - staff; external - business partner, competitor)

Threat Type (malicious, accidental, error, failure, nature, external requirement)

Event (disclosure, interruption, modification, theft, destruction, ineffective design, ineffective execution, rules and regulations, inappropriate use)

Asset affected by the risk event (people and skills, organisational structure, process, infrastructure, IT infrastructure, information, applications)

Time (if relevant to the scenario) - duration, timing of occurrence, detection, time lag

Benefits:

Provide tool to facilitate communication

Enhance the risk management effort

Provide realistic view of risk

Risk Response Options using Risk IT

Step 1: Risk Analysis - estimate frequency and magnitude of IT risk scenarios

Step 2: Risk Response

Step 3: Risk Prioritisation

Step 4: Risk Action Plan

Initial steps of risk management:

Analyse the value of assets to the business

Identify threats to those assets

Evaluate how vulnerable each asset is to those threats

Acceptable risk = no follow-up, but must be documented

Factors considered as input of response selection:

Cost of the response to reduce risk to within the tolerance level

Importance of the risk

Capability to implement responses

Effectiveness of response

Efficiency of response

Options:

  1. Avoid
  2. Reduce/Mitigate
  3. Share/Transfer
  4. Accept

Avoid:

Eliminate the risk by not performing the activities associated with it

Only chosen when the other options are not feasible

Reduce/Mitigate:

Bring the risk level down to within acceptable tolerance

Implement best practices/controls

Most desirable and realistic option

Share/Transfer:

Share the risk with other entities

Gains are also shared

Transferred through outsourcing

Accept:

Can only be accepted by senior management

Risk must be documented with proper authorisation

Documented for accountability and audit trails

Resource limitation = cannot respond to all risks at once

Priority 1: Quick Wins - high-efficiency response addressing a high risk level

Priority 2: Business Case - option requiring further consideration, best studied with a business case

Priority 3: Defer - low-priority option, as it addresses a low-priority risk at high cost

Prioritisation grid (risk level and response efficiency both increase up and to the right):

           Business case | Quick wins
          ---------------+---------------
           Defer         | Business case

Output of the framework = Risk Action Plan

To be executed as a project or programme

If effectively deployed, risks exceeding tolerance can be responded to
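As an added worked example (not from the lecture or from ISACA's own material), the four Risk IT steps above as a small Python model: step 1 scores frequency x magnitude, risks within tolerance are accepted and documented only, and the rest are placed on the Quick wins / Business case / Defer grid to produce the action plan. The numeric scales, thresholds and sample scenarios are assumptions.

```python
from dataclasses import dataclass

# Assumed scales (not from the lecture): frequency and magnitude scored 1..5,
# risk level = their product, tolerance and "high risk" are thresholds on it,
# efficiency = risk reduction per unit cost on a 0..1 scale.
@dataclass
class RiskScenario:
    name: str
    frequency: int  # 1 (rare) .. 5 (frequent), estimated in step 1
    magnitude: int  # 1 (negligible) .. 5 (severe), estimated in step 1
@dataclass
class ResponseOption:
    option: str        # "avoid", "reduce" or "share"; "accept" is decided by tolerance
    efficiency: float  # 0.0 .. 1.0 (assumed scale)
def risk_level(s: RiskScenario) -> int:
    """Step 1: combine the estimated frequency and magnitude of a scenario."""
    return s.frequency * s.magnitude
def prioritise(level: int, opt: ResponseOption, high_risk: int, cutoff: float) -> str:
    """Step 3: place a response on the 2x2 grid (risk level x efficiency)."""
    if level >= high_risk and opt.efficiency >= cutoff:
        return "quick win"      # high risk addressed efficiently
    if level < high_risk and opt.efficiency < cutoff:
        return "defer"          # low risk, costly response
    return "business case"      # off-diagonal: needs further study

def build_action_plan(scenarios, responses, tolerance=6, high_risk=15, cutoff=0.5):
    """Steps 2-4: accept or respond, prioritise, and emit the risk action plan."""
    plan = {}
    for s in scenarios:
        level = risk_level(s)
        if level <= tolerance:  # acceptable: no follow-up, but documented + authorised
            plan[s.name] = {"level": level, "option": "accept", "priority": "document only"}
            continue
        opt = responses[s.name]
        plan[s.name] = {"level": level, "option": opt.option,
                        "priority": prioritise(level, opt, high_risk, cutoff)}
    return plan

# Constructed sample scenarios and responses (not from the lecture).
SCENARIOS = [
    RiskScenario("ransomware on file server", frequency=4, magnitude=5),  # level 20
    RiskScenario("laptop theft", frequency=3, magnitude=2),               # level 6
    RiskScenario("legacy app outage", frequency=2, magnitude=4),          # level 8
    RiskScenario("contractor data disclosure", frequency=5, magnitude=4), # level 20
]
RESPONSES = {
    "ransomware on file server": ResponseOption("reduce", 0.8),
    "legacy app outage": ResponseOption("reduce", 0.3),
    "contractor data disclosure": ResponseOption("share", 0.2),
}
```

Calling build_action_plan(SCENARIOS, RESPONSES) yields one quick win, one deferred response, one business case and one accepted (documented) risk.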

Risk Frameworks

Risk Aggregation

Various risks combined, with a multiplied effect

Cascading Risk

Risk at a higher level can be inherited at a lower level