Managing IT-Based Risk

Chapter 19

19-1 © 2012 Pearson Education, Inc.  Publishing as Prentice Hall

The Job of Managing IT-Based Risk

Historical view – it was a low-key activity focused on delivering projects and keeping applications up and running.

Today’s view – it has become much broader and complex, and it is recognized as an integral part of any technology-based work.

IT Risk Incidents… (Hunter and Westerman 2007)

Harm constituencies both within and outside companies.

Damage corporate reputations.

Dampen an organization’s ability to compete.

A Holistic View of IT-Based Risk

Figure: a holistic view of IT-based risk. Enterprise risk is made up of external risk (criminal interference, legal/regulatory, hazards, third parties) and internal risk (operations, information, systems development, people, controls, processes, culture, governance).

External Risks Come From:

Third parties (i.e., partners, software vendors, service providers, suppliers, customers).

Hazards (i.e., disasters, pandemics, geopolitical upheavals).

Legal and regulatory issues (i.e., failure to adhere to the laws and regulations).

Internal Risks Come From:

Information risks (i.e., privacy, quality, accuracy, and protection).

People risks (i.e., poorly designed business process, failure to adapt business processes).

Cultural risks (i.e., risk aversion and lack of risk awareness).

Control (i.e., ineffective controls).

Governance (i.e., ineffective structure, roles).

Criminal Risks Come From:

Viruses

Hackers

Organized crime

Industrial spies

Terrorists

The Portrait of Effective Holistic Risk Management (RM)

1. Focus on what’s important:

• RM is not about anticipating all risks but about attempting to reduce significant risks to a manageable level (Austin and Darby 2003).

• RM should not be about saying “no” to a risk, but how to say “yes” – thereby building a more agile enterprise (Caldwell and Mogul 2006).

The Portrait of Effective Holistic Risk Management (RM) Continued

2. Expect the image to change over time:

• RM actions should be continuous, iterative, and structured.

• Mandatory risk assessment should be implemented at different key stages.

• Ongoing reviews and process of evaluation need to be adapted (Coles and Moulton 2003).

The Portrait of Effective Holistic Risk Management (RM) Continued

3. View risk from multiple levels and perspectives:

• RM assessments need to include root cause and multifaceted analyses.

• Organizations need to assess risk trends and develop strategies for dealing with them.

A Risk Management Framework

The goal of a risk management framework (RMF) is to ensure that the right risks are being addressed at the right levels.

The RMF guides the development of risk policies and integrates appropriate risk standards and processes into existing practices (e.g., the SDLC).

A Basic Risk Management Framework Includes:

Risk category, policies and standards, risk type, risk ownership, risk mitigation, and risk reporting and monitoring.

A Basic Risk Management Framework: Risk Category

The general area of enterprise risk involved (e.g., criminal, operations, third party, etc.).

A Basic Risk Management Framework: Policies and standards

It includes the general principles for guiding risk decisions.

The principles identify any standards that should apply to each risk category (i.e., SAI Global is an international standard).

A Basic Risk Management Framework: Risk Type

Each risk should be identified and labeled with a generic name and definition, ideally linked to a business impact.

A Basic Risk Management Framework: Risk Ownership

Each type of risk should have an owner, either in IT or in the business.

Owners and stakeholders should have clear responsibilities and accountabilities.

Major risks can be owned by committees (i.e., enterprise risk committee or risk review council).

A Basic Risk Management Framework: Risk Mitigation

Each type of risk should be associated with controls, practices, and tools for addressing it effectively.

The goal of the framework is to provide means by which risks can be managed consistently, effectively, and appropriately.

A Basic Risk Management Framework: Risk Reporting and Monitoring

Risk metrics should be reported in a way the organization understands (e.g., high, medium, low).

Risk monitoring is an ongoing process because levels and types of risks are changing continually.

Actions to Improve Risk Management Capabilities

Look beyond technical risk

Develop a common language of risk

Simplify the presentation

Right size

Standardize the technology base

Rehearse

Clarify roles and responsibilities

Automate where appropriate

Educate and communicate

Conclusion

IT risk is involved in many types of business risks and therefore should be managed holistically.

An integrated risk management framework helps organizations understand risk and make better decisions associated with it.