Drawing on CobiT for the implementation of an
Enterprise Risk Management Framework
December 2008
Presenter: Clive E. Waugh, CISSP C/EH
A CobiT Case Study
Risk Management Framework Objectives
CobiT provided guidance with essential framework elements:
- Governance
- Strategic Alignment
- Business Focus
- Control Objectives
- Establishment of Risk Appetite
- Assessment and Management of Risks
CobiT Case Study
The framework in practice: 4 Domains
The CobiT framework comprises 4 Domains, 34 Processes and 200 Control Objectives. The processes drawn on in this case study:
Plan and Organize Processes
PO1 – Define a Strategic IT Plan
PO2 – Define the Information Architecture
PO4 – Define Organization and Relationships
PO6 – Communicate Management Aims and Direction
PO9 – Assess and Manage IT Risks
PO10 – Manage Projects
Acquire and Implement Process
AI2 – Acquire and Maintain Application Software
Deliver and Support Processes
DS2 – Manage Third-party Services
DS4 – Ensure Continuous Service
DS5 – Ensure Systems Security
Monitor and Evaluate Processes
ME1 – Monitor and Evaluate IT Performance
ME2 – Monitor and Evaluate Internal Control
The framework in practice:
Plan & Organize
Plan and Organize process description:
PO1 – Define a Strategic IT Plan
PO1.2 – Business-IT Alignment – Strategic Alignment
PO2 – Define the Information Architecture
PO2.2 – Data Classification Scheme
PO4 – Define the Organization & Relationships
PO4.8 – Responsibility for Risks, Security & Compliance
PO4.15 – Relationships
PO6 – Communicate Management Aims & Direction
PO6.2 – Enterprise IT Risk and Control Framework – Risk Management Framework
Plan and Organize process description continued:
PO9 – Assess and Manage IT Risks
PO9.1 – IT Risk Management Framework
PO9.2 – Establishment of Risk Context
PO9.3 – Event Identification
PO9.4 – Risk Assessment
PO9.5 – Risk Response
PO9.6 – Maintenance & Monitoring of a Risk Action Plan
PO10 – Manage Projects
PO10.3 – Project Management Approach
PO10.4 – Stakeholder Commitment
PO10.9 – Project Risk Management
The framework in practice:
Acquire & Implement
Acquire and Implement process description:
AI2 – Acquire and Maintain Application Software
The framework in practice:
Deliver & Support
Deliver and Support process description:
DS2 – Manage Third-party Services
DS2.3 – Supplier Risk Management – Vendor Assessments
DS4 – Ensure Continuous Service
DS4.2 – IT Continuity Plans – BIA & Risk Assessment
DS5 – Ensure Systems Security
DS5.5 – Security Testing, Surveillance & Monitoring – Regular Vulnerability Assessments
The framework in practice:
Monitor & Evaluate
Monitor and Evaluate process description:
ME1 – Monitor & Evaluate IT Performance
ME1.5 – Board and Executive Reporting
ME1.6 – Remedial Actions
ME2 – Monitor & Evaluate Internal Control
ME2.3 – Control Exceptions
ME2.4 – Control Self-assessment
ME2.5 – Assurance of Internal Control
ME2.6 – Internal Control at Third Parties
ME2.7 – Remedial Actions
ME4 – Provide IT Governance
ME4.1 – Establishment of an IT Governance Framework
ME4.2 – Strategic Alignment
The framework in practice:
RM Functions
Four main Risk Management Functions:
- Risk Cataloging
- Risk Reporting
- Remediation Planning
- Risk Acceptance Handling
Risk Cataloging – Process Flow
[Process flow diagram] Risk sources: External audit, Security, Internal audit, Customer, Other. Initial Risk Assessment (Risk Mgmt Dept) classifies each risk as Critical, High, Medium or Low. Critical risks go immediately to Group and Segment Leaders / Group Leaders (SMT), who immediately address the risk. Non-Critical risks are queued for weekly prioritization. Documented, prioritized risks are held in the Risk Repository; Senior BU Leaders confirm details as documented.
Risk Cataloging – Overview of Prioritization Standards
Risk Prioritization Sessions are conducted on a weekly basis.
Risk Prioritization Committee membership consists of Risk Management Dept management staff.
Risk Prioritization Standards are as follows:
1) Risks are first ranked into quadrants as follows (definitions on subsequent slides):
a) Critical
b) High
c) Medium
d) Low
2) Risks within the High and Medium quadrants are then force ranked by business unit, from highest risk to lowest.
Risk Cataloging – Risk Management Dept Role
Risk Management Department’s role in cataloging risk:
1) Escalates Critical risks immediately
2) Queues non-Critical risks for review by Ops-Security management during regular prioritization sessions
3) Captures risk data including description, impact, likelihood, BU ownership, priority and ranking
4) Proposes strategies for the remediation of the immediate risk and of its root cause
5) Educates the Business Unit and requests confirmation of risk details as documented
Risk Cataloging – Business Unit Role
Business Unit’s role in cataloging risk:
Both the Business Unit Manager and the designated Risk Management Coordinator for the BU:
1) Are informed of new risks by the RM department as they are cataloged
2) Review and acknowledge documented risk details.
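Added illustration (not from the presentation): a minimal risk repository in Python that follows the cataloging flow described above: Critical risks are escalated immediately, everything else is queued for the weekly prioritization session, and High and Medium risks are then force ranked within each business unit from highest to lowest, with the BU confirming the documented details. The impact/likelihood scales and the quadrant thresholds in `classify()` are assumptions, because the deck defers the quadrant definitions to slides not reproduced here; the sample risks are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Quadrant order used by the prioritization standards (highest first).
QUADRANTS = ("Critical", "High", "Medium", "Low")


@dataclass
class Risk:
    """One entry of the risk repository, with the fields the RM Dept captures."""
    risk_id: str
    description: str
    impact: int            # assumed scale: 1 (negligible) .. 5 (severe)
    likelihood: int        # assumed scale: 1 (rare) .. 5 (almost certain)
    business_unit: str     # BU ownership
    source: str            # e.g. "External audit", "Security", "Customer"
    quadrant: Optional[str] = None     # priority quadrant set at cataloging
    rank_in_bu: Optional[int] = None   # force rank within the BU (High/Medium only)
    bu_confirmed: bool = False         # BU has acknowledged the documented details

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def classify(risk: Risk) -> str:
    """Assumed quadrant mapping; the deck's own definitions are not on this page."""
    if risk.impact == 5 and risk.likelihood >= 4:
        return "Critical"
    if risk.score >= 12:
        return "High"
    if risk.score >= 6:
        return "Medium"
    return "Low"


class RiskRepository:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.escalated: List[str] = []   # Critical: addressed immediately
        self.queue: List[str] = []       # non-Critical: awaiting weekly session

    def catalog(self, risk: Risk) -> str:
        """Step 1-3 of the RM Dept role: classify, escalate or queue, store."""
        risk.quadrant = classify(risk)
        self.risks[risk.risk_id] = risk
        if risk.quadrant == "Critical":
            self.escalated.append(risk.risk_id)
        else:
            self.queue.append(risk.risk_id)
        return risk.quadrant

    def weekly_prioritization(self) -> Dict[str, List[str]]:
        """Force-rank all open High and Medium risks per BU, highest first.
        Low risks stay cataloged but are not force ranked; the queue is drained."""
        per_bu: Dict[str, List[Risk]] = {}
        for r in self.risks.values():
            if r.quadrant in ("High", "Medium"):
                per_bu.setdefault(r.business_unit, []).append(r)
        self.queue.clear()
        ranking: Dict[str, List[str]] = {}
        for bu, items in per_bu.items():
            # High above Medium, then higher score first, then id for determinism
            items.sort(key=lambda r: (QUADRANTS.index(r.quadrant), -r.score, r.risk_id))
            for pos, r in enumerate(items, start=1):
                r.rank_in_bu = pos
            ranking[bu] = [r.risk_id for r in items]
        return ranking

    def confirm(self, risk_id: str) -> None:
        """BU role: acknowledge the documented risk details."""
        self.risks[risk_id].bu_confirmed = True

    def unconfirmed(self) -> List[str]:
        return sorted(rid for rid, r in self.risks.items() if not r.bu_confirmed)


# Constructed sample input (not real findings).
SAMPLE_RISKS = [
    Risk("R-001", "Unpatched internet-facing web server", 5, 5, "Retail", "Security"),
    Risk("R-002", "Vendor contract lacks security clauses", 3, 3, "Retail", "Internal audit"),
    Risk("R-003", "Stale privileged accounts not removed", 4, 3, "Retail", "External audit"),
    Risk("R-004", "No tested continuity plan for billing", 4, 4, "Finance", "Internal audit"),
    Risk("R-005", "Shared workstation in lobby", 2, 2, "Finance", "Customer"),
]


def build_sample_repository() -> RiskRepository:
    repo = RiskRepository()
    for r in SAMPLE_RISKS:
        repo.catalog(r)
    return repo


if __name__ == "__main__":
    repo = build_sample_repository()
    print("Escalated immediately:", repo.escalated)
    print("Weekly force ranking:", repo.weekly_prioritization())
    repo.confirm("R-003")
    print("Awaiting BU confirmation:", repo.unconfirmed())
```

The repository keeps escalation and queueing as separate lists so that a Critical item never waits for the weekly session, and `unconfirmed()` gives the RM Dept the list of items still needing the BU acknowledgement from step 5.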
Risk Reporting – Process Flow
[Process flow diagram] BU Manager and Coordinator: understands risk; reports changes in status / nature of risk. Risk Mgmt Dept: produces Top Risks / Metrics. Risk Mgt Cmmte: understands risk; receives Top Risks / Metrics reports as actionable data. Board: understands risk; receives Top Risks / Metrics.
Risk Reporting – Risk Management Dept Role
Risk Management Department’s role in the risk reporting process:
1) Briefs BU to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
2) Collects status of BU risk management activity.
3) Briefs Risk Management Committee regularly to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
4) Briefs the IFID Board of Directors regularly to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with planned remediation strategies.
Risk Reporting – Business Unit Role
Business Unit’s role in the risk reporting process:
1) Obtains an understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies, for use in BU remediation planning efforts (discussed later).
2) Provides changes in status or nature of risk to the Risk Management Department.
Risk Reporting – Business Unit Coordinator Defined
Theme: Each business unit that owns risk drives risk management activity as directed by the business unit manager.
Accomplished by a coordinator within the business unit, as assigned by business unit management.
Responsibilities:
1) Receives the same risk briefings that are delivered to the business unit manager and to the Risk Management Committee.
2) Reports changes in status or nature of risk to Risk Management Department.
3) Provides quarterly plans for remediation of risk, as committed to by the business unit manager.
Risk Reporting – Risk Management Committee Role
Risk Management Committee’s role in the risk reporting process:
1) Obtains an understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies, for use in monitoring and directing BU risk management efforts (discussed later).
Remediation Planning – Process Flow
[Process flow diagram] BU Manager and Coordinator: understands risk and business priorities, proposes plans. Risk Mgmt Dept: ensures impact/likelihood is understood; consults with BU. Risk Mgt Cmmte: balances risk vs. business priorities; understands risk and business priorities, approves.
Remediation Planning – Risk Management Dept Role
Risk Management Department’s role in the remediation planning process:
1) Supports the business unit as needed to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
Remediation Planning – Business Unit Role
Business unit’s role in the remediation planning process:
1) Balances the potential for loss associated with highest known risk items against other known business priorities in an effort to help protect against anticipated loss.
2) Develops and proposes a roadmap plan to the Risk Management Committee for approval, using a standard format that clearly reflects intended progress against known risks.
Remediation Planning – Risk Mgt Committee Role
Risk Management Committee’s role in the remediation planning process:
1) Consults with Risk Mgt Dept to ensure an effective understanding of the impact and likelihood of failures associated with highest risk items, along with proposed remediation strategies.
2) Balances the potential for loss associated with highest known risk items against other known business priorities in an effort to protect against anticipated loss.
3) Reviews and approves proposed roadmap plans that clearly reflect intended progress against known risks.
Risk Acceptance Handling – Process Flow
[Process flow diagram] Balance risk vs. business priorities:
1) BU Representative: develops and delivers proposal for acceptance of risk.
2) Risk Mgt Dept: recommends either acceptance or remediation.
3) BU chain of command: approves or rejects proposal for acceptance; Risk Mgt Cmmtte: approves or rejects proposal for acceptance.
Risk Acceptance – Risk Management Dept Role
Risk Management Department’s role in the risk acceptance process:
1) Reviews the proposal for acceptance of risk as presented by the business unit that owns the risk.
2) Ensures effective representation of the nature of the risk, including impact and likelihood of related failures.
3) Provides a recommendation for either acceptance or remediation of the risk for review by the business unit chain of command and by the Risk Management Committee.
4) Supports the Business Unit in escalating through the business unit chain of command, and in presentation to the Risk Management Committee.
Risk Acceptance – Business Unit Role
Business Unit’s role in the risk acceptance process:
1) Develops a proposal for acceptance of risk for review by the Risk Management Department.
2) Escalates the proposal for acceptance of risk, including the recommendation from the Risk Management Department, through the business unit chain of command. (Uses standard / consistent format)
3) Presents the proposal to the Risk Management Committee. (Uses standard / consistent format)
Risk Acceptance – Risk Management Committee Role
Risk Management Committee’s role in the risk acceptance process:
1) Reviews the proposal for acceptance of risk as presented by the business unit and the Risk Management Department. (Uses standard / consistent format)
~ Charter ~
Enterprise Risk Management
Enterprise Risk Management Mission Statement
Deliver for our end users secure, always-available service and support in a cost effective manner that builds confidence.
Responsibility
Responsibilities include, but are not limited to, the following activities:
- Contributing to the strategic direction of offerings to customers
- Defining and publishing security policy requirements
- Implementation and maintenance of security infrastructure
- Administering access and privilege
- Security oversight of system and application development
- Security testing of the enterprise infrastructure
- Performing vendor and partner security assessments
- Identifying, prioritizing and managing the status of known risk issues
Authority
The Enterprise Risk Management Operations team is authorized to:
- Publish enterprise-level security policy requirements, and enforce
- Obtain the necessary assistance of personnel from related Business Units
The Risk Management and Security department’s authority extends to all risks
The Framework in practice – Documentation
Procedures Documentation:
SOP: Risk Reporting – Risk Management Committee Briefing and Decision Making
SOP: Division President Briefing and Decision Making
SOP: Escalation of Issues and Exceptions
SOP: Business Impact Analysis (BIA)
SOP: Asset Vulnerability Identification
SOP: Risk Prioritization, Ranking and Approval
SOP: Risk Inventory Maintenance
SOP: Risk Treatment Planning