CRISC Governance

7/26/2019 Crisc Governance 1/21

CRISC Exam Prep #1: Risk Governance

Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in the Tunitas Group CRISC Exam Preparation Class. No other use is permitted without express written authorization.

Slide 1: Risk Governance, Week #1, CRISC Exam Prep
    Bill Pankey, Tunitas Group

Slide 2: Agenda
    - About: Course, CRISC Exam, Me, You
    - Common Risk View: Enterprise Foundations, Integrated Management
    - Risk Management Frameworks: Standards, Process, Practice
    - Risk Governance

Slide 3: Top Challenges*
    [Chart: Accenture 2011 Risk Management Survey]
    *http://goo.gl/FVdo9

Slide 4: ISACA Starting Position
    - IT risk is business risk
        - Effect on business strategy
        - Value creation / opportunity
        - Preservation of asset value (tangible & intangible)
    - Various information security risks, project risks and operational risks are not necessarily IT risks.
        - IT risk management requires relevance and alignment
    - IT risk is more than just information security risk
        - e.g., not achieving business value, service delivery problems, inflexible architecture
    (Course Perspective)

Slide 5: ISACA Starting Position
    - Benefit Enablement Risk: Lost opportunity to use IT to improve the effectiveness or efficiency of new or existing business process.
    - Program/Project Delivery Risk: Failure to deliver business value in projects or program.
    - Service Delivery Risk: Performance errors in the delivery of IT services. Information security errors.
    Source: ISACA 2009

Slide 6: ISACA Starting Position
    - IT risk must be managed as an enterprise risk
        - Reflect the enterprise risk appetite and culture
        - Consolidate with other risk across organization
        - Acquire business sign-off on control environment
    Course Perspective: => IT risk management must adapt to the ERM context. What if ERM is immature or nonexistent?

Slide 7: ISACA Starting Position
    Effective IT Risk Management:
    - Provides tone at the top
    - Assigns personal accountability
    - Provides accurate information in timely fashion
    - Minimizes impact of controls consistent with cost and benefit
    - Promotes continuous improvement
    Course Perspective: Are there workarounds?

Slide 8: CRISC Exam Prep Class Lectures
    - Tonight
    - 1 session for each CRISC domain:
        - Risk Identification & Assessment
        - Risk Response
        - Risk Monitoring
        - Control Design & Implementation
        - Control Monitoring
    - 1 session for exam strategy
    - 2+ hours

Slide 9: WizIQ
    - Slides
    - Chat: Use chat to ask/answer/discuss topics. Ann Geyer and Chris Sublett will participate.
    - Voice options
    - Sample Test Questions

Slide 10: Practice Question
    Which of the following is the best measure of IT Risk Management success?
    - Extraordinary IT related expense
    - # of threats mitigated
    - Completeness of control catalog
    - Low residual risk score

Slide 11: CRISC Exam
    - 120 questions
    - Forced choice question: select single best | least bad answer
    - No deduction for incorrect answers
    - 4 hours
    - Firewall between CRISC Test Enhancement Committee and ISACA study material / education activity
    - 8/9 CISA; 6/9 CISM; 4/9 CGEIT
    - Jack Jones (FAIR inventor) committee chair

Slide 12: About You
    Experienced professionals w/ diverse risk management responsibilities
    [Charts: by Industry Sector and by Management Area; 50%, 30%]

Slide 13: Agenda (repeated from slide 2)

Slide 14: A Note on Language
    - Muddled risk lexicon
        - Many competing and sometimes conflicting definitions
        - Precision in language is desirable but it can be exclusionary
    - "Risk refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s) and control conditions. As a derived value, it cannot take a plural form (i.e., risks)." From ISACA CRISC pages
    - Goal of IT risk management is the achievement of business objectives
        - Adapt to the language used by the business organization
    - But for CRISC test takers, caution is warranted.

Slide 15: Risk Governance
    - Risk accompanies the business strategy
    - Board responsibility is to ensure that risk is commensurate with reward
    - How does it accomplish this?
    10 best practices for risk governance* (Board Perspective)
    1. Understand the company's key drivers of success.
    2. Assess the risk in the company's strategy.
    3. Define the risk oversight role of the full board and its standing committees.
    4. Consider whether the company's risk management system, including people and processes, is appropriate and has sufficient resources.
    5. Work with management to understand and agree on the types (and format) of risk information the board requires.
    6. Encourage a dynamic and constructive risk dialogue between management & board.
    7. Closely monitor the potential risks in the company's culture and its incentive structure.
    8. Monitor critical alignments of strategy, risk, controls, compliance, incentives, and people.
    9. Consider emerging and interrelated risks: What's around the next corner?
    10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
    *National Association of Corporate Directors, Risk Governance: Balancing Risk & Reward

Slide 16: Risk Governance Focus (Board Perspective)
    [Figure]

Slide 17: What is Risk?
    Different answers will affect risk management objectives & practices:
    - Volatility of outcome: Variance about an expected outcome (e.g., as in finance)
    - Expected outcome: Anticipated average loss (e.g., as in information security)
    - Potential positive or negative outcome: PMIBOK and ISACA
    - Undefined in law & regulation
    Of course, the conundrum is exacerbated by a plethora of measurement methods.

Slide 18: What is Risk?
    Two essential aspects: uncertainty & loss
    - Oxford Dictionary: "The possibility that something unpleasant or unwelcome will happen."
    Counter to alternative definitions that will routinely be encountered:
    - Risk has to include possibility of loss
    - Risk has only losses. Gains are opportunities.
    - Risk is not synonymous with volatility
    - Risk is vector valued, not the product of probability and outcome
        - Assumption of risk neutrality conflicts with the intended support for organization risk preferences and appetite.

Slide 19: What is Risk Management
    Enterprise risk management is*: "a process, applied across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
    4 categories of objectives:
    - Strategic. High level goals, mission
    - Operations. Resource optimization
    - Reporting. Reliability of management information
    - Compliance. Satisfaction of laws and regulation
    *COSO, Enterprise Risk Management: Integrated Framework

Slide 20: COSO Governance Concepts
    - Internal environment: Tone, risk management philosophy, appetite & tolerance
    - Objective setting: Risk management process, roles & responsibilities
    - Monitoring: Ongoing management reporting & adjustment

Slide 21: Risk Philosophy
    - Not a term of art well defined in standards
    - Generally, the organizational attitude toward risk
    - Perceived value of risk management: mitigation, avoidance, etc.
    - Expressed through a collection of risk related attributes (e.g., appetite and tolerance)

Slide 22: Risk Appetite (Internal Environment)
    - Boundaries of risk acceptance
    - "amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style"
    - Effectively establishes the enterprise mitigation policy
    - Determined by:
        - Objective ability to absorb loss
        - Management philosophy & culture
        - External influences: laws and regulation; customer expectation
    - Changes over time

Slide 23: Risk Map (EXAMPLE: Risk Appetite)
    [Figure: impact magnitude vs. probability, divided into four bands]
    - Really Unacceptable: far beyond normal risk appetite; respond immediately.
    - Unacceptable: above normal risk appetite; additional mitigation within time boundaries.
    - Acceptable: no special action beyond maintaining current control.
    - Opportunity: very low risk; cost saving or other opportunity gained from relaxing control or assuming more risk.
    Appetite => risk policy

Slide 24: Healthcare Sentinel Events (EXAMPLE: Really Unacceptable Risk)
    Events that should never occur in a hospital, e.g.:
    - Wrong side surgery. Wrong patient surgery.
    - Patient death or disability due to contaminated drugs, devices, biologics
    - Patient death or disability due to medication error
    - Patient suicide
    - Large breaches of confidential patient data
    Trigger immediate response process:
    - Formal root cause analysis
    - Mandatory corrective action plan
    - Mandatory reporting to oversight agencies (for some)
    IT risk management relevance:
    - Map IT events up onto sentinel events
    - Little or no appetite (unacceptable or really unacceptable) for information system events that could result in a sentinel event

Slide 25: Risk Tolerance
    Less useful, perhaps
    "Risk tolerances relate to the entity's objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective."
    For example, measures of shortfall that the organization will satisfice.

Slide 26: Practice Question
    An organization that recently suffered a catastrophic loss should:
    A. Change the level of acceptable risk
    B. Change the level of unacceptable risk
    C. Reevaluate probabilities
    D. Reevaluate impact

Slide 27: Awareness & Communication
    Transparency does not mean the unmanaged communication of:
    - Risk strategy / appetite
    - Actual level of risk
    - Risk management process and issues
    Support risk aware decisions
    Seek to avoid:
    - Overconfidence
    - Perception that the organization is hiding something from stakeholders (internal or external)
    - Perception that risk is not well managed

Slide 28: Risk Management Roles (Objective Setting)
    - Board: Establish common risk view / risk appetite
    - CEO: Manage risk
    - Risk Officer: Collect data and report
    - Business Management: Risk aware decisions; analyze risk; maintain risk profile
    - IT Management: Support all risk management activity in a secondary role
    - Business Process Owner: React to events
    - Control Functions: Support all risk management activity
    - HR: Communicate common risk view
    - Audit: Communicate common risk view; react to events
    "business monarchy"

Slide 29: Risk IT Process Model (Objective Setting)
    [Figure: Risk IT process model, 2009 ISACA]
    Risk acceptance is managed as a risk governance activity

Slide 30: Risk IT Artifacts
    [Figure: 2008 ITGI]

Slide 31: Common Risk View (Risk IT Governance Domain, 2009 ISACA)
    - Develop IT risk management framework
    - Determine how to integrate IT risk into strategic plans
    - Classify IT risk factors, events and potential impact
    - Define risk rating scales and control categories
    - Determine IT risk tolerance and appetite
    - Embed existing enterprise-wide risk management principles and views
    Note: Risk Assessment / Risk Analysis

Slide 32: Business Relevance of IT Event
    [Figure]

Slide 33: Business Relevant Categories for Expressing the Impact of Adverse Events
    - Extended information criteria (COBIT): Efficacy, Efficiency, Confidentiality, Integrity, Availability, Reliability, Compliance
    - Factor Analysis of Information Risk (FAIR): Productivity, Response cost, Replacement, Competitive Advantage, Legal, Reputation
    - Extended Balanced Scorecard:
        - Financial: Share Value, Profit, Revenue, Cost of Capital
        - Customer: Market share, Customer satisfaction, Customer Service
        - Internal: Regulatory Compliance
        - Growth: Competitive advantage, Reputation
    - COSO ERM: Strategic, Operations, Reporting, Compliance
    - Westerman's 4 As: Agility, Accuracy, Access, Availability
    - Healthcare Provider*: Patient Care, Logistics, Reputation, Regulatory Compliance, Financial / Billing

Slide 34: Integrate with ERM (Risk IT Governance Domain)
    - Ensure appropriate business involvement in IT risk committees
    - Ensure IT involvement in enterprise business risk committee
    - Coordinate IT incident response plans with business response plans
    - Harmonize risk categories, methods, scales, etc. with ERM methods

Slide 35: Risk Aware Decisions (Risk IT Governance Domain)
    - Sell the business value of IT risk analysis data and results to business decision makers
    - Review analysis results with business owners to ensure coordinated response (business and IT)
    - Obtain business sign-off of residual risk.

Slide 36: Governance Metrics
    A wicked problem: one needs to assume that risk is appropriately analyzed and assessed in order to determine that it is appropriately managed. However, an indication of poor risk management is misunderstood or poorly assessed risk.
    ISACA IT risk governance metric (Risk IT):
    - Recourse to enterprise [business] risk metrics. Presumably more objective ($$$)
    - Presumes grand experiment (strategic use of IT or not)
    - Correlate enterprise and IT risk measures

Slide 37: Agenda (repeated from slide 2)

Slide 38: ERM Frameworks
    - COSO ERM
        - Special status due to specific mention in Sarbanes-Oxley law.
        - Often imprecise, i.e. does not define risk
        - Difficult to understand?
    - ISO 31000 Risk Management Framework ($$)
        - Based on AS/NZ 4360 (free for download)
        - Procedural framework for identification, analysis and treatment of generic risk
        - Intended to harmonize risk management processes, support existing standards (e.g. ISO 27005)
        - Risk defined as "effect of uncertainty of objectives"

Slide 39: NIST RMF
    NIST Risk Management Framework that is replacing NIST C&A processes (SP 800-37)
    Interesting (or not) features:
    - All of the information about business objectives and impacts is encapsulated in the classification of information and systems
    - Controls selected on basis of classification and deployment environment
    - Control effectiveness is assessed before systems are authorized to maintain or process classified data
    - Designed for managing information security
    - Could be adapted to IT risk generally (???)

Slide 40: Risk IT Practitioner Guide
    - Closely aligned with Risk IT
    - A guide without pretension to be a standard; a set of heuristics
    - Recommended for concrete, actionable advice, e.g. risk scenario construction, risk maps
    - Free download for ISACA members from ISACA.org. $115 otherwise

Slide 41: Practice Question