7/26/2019 Crisc Governance
1/21
CRISC EXAM PREP #1
Risk Governance
Copyright 2011 Tunitas Group. All rights reserved. This presentation material may be used solely by participants in the Tunitas Group CRISC Exam Preparation Class. No other use is permitted without express written authorization.
Risk Governance, Week #1, CRISC Exam Prep
Bill Pankey
Tunitas Group
Slide 2: Agenda
About: Course, CRISC Exam, Me, You
Common Risk View
Enterprise Foundations
Integrated Management
Risk Management Frameworks: Standards, Process, Practice
Risk Governance
Slide 3: Top Challenges*
*Accenture 2011 Risk Management Survey, http://goo.gl/FVdo9
Slide 4: ISACA Starting Position: IT risk is business risk
Effect on business strategy
Value creation / opportunity
Preservation of asset value, tangible and intangible
Various information security risks, project risks and operational risks are not necessarily IT risks.
Course Perspective:
IT risk management requires relevance and alignment
IT risk is more than just information security risk, e.g., not achieving business value, service delivery problems, inflexible architecture
Slide 5: ISACA Starting Position
Benefit Enablement Risk: Lost opportunity to use IT to improve the effectiveness or efficiency of new or existing business process.
Program/Project Delivery Risk: Failure to deliver business value in projects or programs.
Service Delivery Risk: Performance errors in the delivery of IT services. Information security errors.
(ISACA 2009)
Slide 6: ISACA Starting Position: IT risk must be managed as an enterprise risk
Reflect the enterprise risk appetite and culture
Consolidate with other risk across the organization
Acquire business sign-off on the control environment
Course Perspective:
=> IT risk management must adapt to the ERM context
What if ERM is immature or nonexistent?
Slide 7: ISACA Starting Position: Effective IT Risk Management:
Provides tone at the top
Assigns personal accountability
Provides accurate information in timely fashion
Minimizes impact of controls consistent with cost and benefit
Promotes continuous improvement
Course Perspective: Are there workarounds?
Slide 8: CRISC Exam Prep Class Lectures
Tonight
1 session for each CRISC domain: Risk Identification & Assessment; Risk Response; Risk Monitoring; Control Design & Implementation; Control Monitoring
1 session for exam strategy
2+ hours
Slide 9: WizIQ
Slides
Chat: use chat to ask/answer/discuss topics. Ann Geyer and Chris Sublett will participate.
Voice options
Sample Test Questions
Slide 10: Practice Question
Which of the following is the best measure of IT Risk Management success?
Extraordinary IT related expense
# of threats mitigated
Completeness of control catalog
Low residual risk score
Slide 11: CRISC Exam
120 questions
Forced choice question: select the single best | least bad answer
No deduction for incorrect answers
4 hours
Firewall between the CRISC Test Enhancement Committee and ISACA study material / education activity
8/9 CISA; 6/9 CISM; 4/9 CGEIT
Jack Jones (FAIR inventor) committee chair
Slide 12: About You
Experienced professionals w/ diverse risk management responsibilities
[Charts: distribution by Industry Sector; distribution by Management Area]
Slide 13: Agenda
About: Course, CRISC Exam, Me, You
Common Risk View
Enterprise Foundations
Integrated Management
Risk Management Frameworks: Standards, Process, Practice
Risk Governance
Slide 14: A Note on Language
Muddled risk lexicon
Many competing and sometimes conflicting definitions
Precision in language is desirable but it can be exclusionary
"Risk refers to the likelihood (or frequency) and magnitude of loss that exists from a combination of asset(s), threat(s) and control conditions. As a derived value, it cannot take a plural form (i.e., risks)." From ISACA CRISC pages
Goal of IT risk management is the achievement of business objectives: adapt to the language used by the business organization
But for CRISC test takers, caution is warranted.
Slide 15: Risk Governance (Board Perspective)
Risk accompanies the business strategy
Board responsibility is to ensure that risk is commensurate with reward
How does it accomplish this?
10 Best practices for risk governance*
1. Understand the company's key drivers of success.
2. Assess the risk in the company's strategy.
3. Define the risk oversight role of the full board and its standing committees.
4. Consider whether the company's risk management system, including people and processes, is appropriate and has sufficient resources.
5. Work with management to understand and agree on the types (and format) of risk information the board requires.
6. Encourage a dynamic and constructive risk dialogue between management & board.
7. Closely monitor the potential risks in the company's culture and its incentive structure.
8. Monitor critical alignments of strategy, risk, controls, compliance, incentives, and people.
9. Consider emerging and interrelated risks: What's around the next corner?
10. Periodically assess the board's risk oversight processes: Do they enable the board to achieve its risk oversight objectives?
*National Association of Corporate Directors, Risk Governance: Balancing Risk & Reward
Slide 16: Risk Governance Focus (Board Perspective)
Slide 17: What is Risk?
Different answers will affect risk management objectives & practices
Volatility of outcome: variance about an expected outcome (e.g., as in finance)
Expected outcome: anticipated average loss (e.g., as in information security)
Potential positive or negative outcome: PMI BOK and ISACA
Undefined in law & regulation
Of course, the conundrum is exacerbated by a plethora of measurement methods
Slide 18: What is Risk? Two essential aspects: uncertainty & loss
Oxford Dictionary: The possibility that something unpleasant or unwelcome will happen.
Counter to alternative definitions that will routinely be encountered:
Risk has to include possibility of loss
Risk has only losses. Gains are opportunities.
Risk is not synonymous with volatility
Risk is vector valued, not the product of probability and outcome
Assumption of risk neutrality conflicts with the intended support for organization risk preferences and appetite.
Slide 19: What is Risk Management
Enterprise risk management is*: a process, applied across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
4 categories of objectives:
Strategic. High level goals, mission
Operations. Resource optimization
Reporting. Reliability of management information
Compliance. Satisfaction of laws and regulation
*COSO, Enterprise Risk Management - Integrated Framework
Slide 20: COSO Governance Concepts
Internal environment: tone, risk management philosophy, appetite & tolerance
Objective setting: risk management process, roles & responsibilities
Monitoring: ongoing management reporting & adjustment
Slide 21: Risk Philosophy
Not a term of art well defined in standards
Generally, the organizational attitude toward risk
Perceived value of risk management: mitigation, avoidance, etc.
Expressed through a collection of risk related attributes (e.g., appetite and tolerance)
Slide 22: Risk Appetite (Internal Environment)
Boundaries of risk acceptance
"amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style"
Effectively establishes the enterprise mitigation policy
Determined by: objective ability to absorb loss; management philosophy & culture; external influences (laws and regulation, customer expectation)
Changes over time
Slide 23: Risk Map (EXAMPLE: Risk Appetite)
Axes: impact magnitude vs. probability
Zones: Really Unacceptable, Unacceptable, Acceptable, Opportunity
Really Unacceptable: far beyond normal risk appetite; respond immediately.
Unacceptable: above normal risk appetite; additional mitigation within time boundaries.
Acceptable: no special action beyond maintaining current control.
Opportunity: very low risk; cost saving or other opportunity gained from relaxing control or assuming more risk.
Appetite => risk policy
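The deck argues (slide 18) that risk is vector valued rather than the product of probability and outcome, and slide 23 zones a risk map by appetite. The Python below is an added illustration, not material from the deck or from ISACA: it assumes constructed appetite thresholds (LOSS_ABSORB_LIMIT, APPETITE_EXPECTED_LOSS, OPPORTUNITY_EXPECTED_LOSS) and two constructed risks with identical expected loss, and shows how the scalar product hides what the map zoning exposes.

```python
"""Risk-map zoning of (probability, impact) versus scalar expected loss.

Added illustration; thresholds and sample risks are constructed
assumptions for a hypothetical entity, not values from the slides.
"""
from dataclasses import dataclass

# Constructed appetite settings: the entity's objective ability to absorb
# a single loss, the annualized expected loss it tolerates, and the level
# below which relaxing controls becomes an opportunity to consider.
LOSS_ABSORB_LIMIT = 5_000_000
APPETITE_EXPECTED_LOSS = 100_000
OPPORTUNITY_EXPECTED_LOSS = 5_000


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood, 0..1
    impact: float       # loss magnitude in currency units

    def expected_loss(self) -> float:
        """The risk-neutral scalar view: probability times outcome."""
        return self.probability * self.impact


def zone(risk: Risk) -> str:
    """Map the (probability, impact) vector onto the four risk-map zones.

    Magnitude is checked first: a loss the entity cannot absorb is
    'Really Unacceptable' however unlikely it is. Only the remaining
    risks are ranked by expected loss against appetite.
    """
    if risk.impact > LOSS_ABSORB_LIMIT and risk.probability > 0:
        return "Really Unacceptable"
    el = risk.expected_loss()
    if el > APPETITE_EXPECTED_LOSS:
        return "Unacceptable"
    if el < OPPORTUNITY_EXPECTED_LOSS:
        return "Opportunity"
    return "Acceptable"


# Constructed sample: both risks have the same expected loss (50,000).
SAMPLE_RISKS = [
    Risk("frequent small outage", probability=0.5, impact=100_000),
    Risk("rare catastrophic breach", probability=0.005, impact=10_000_000),
]


def compare(risks):
    """Return {name: (expected_loss, zone)} for side-by-side comparison."""
    return {r.name: (r.expected_loss(), zone(r)) for r in risks}


if __name__ == "__main__":
    for name, (el, z) in compare(SAMPLE_RISKS).items():
        print(f"{name:26s} expected loss {el:>12,.0f}  zone: {z}")
```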
Slide 24: Healthcare Sentinel Events (EXAMPLE: Really Unacceptable Risk)
Events that should never occur in a hospital, e.g.:
Wrong side surgery. Wrong patient surgery.
Patient death or disability due to contaminated drugs, devices, biologics
Patient death or disability due to medication error
Patient suicide
Large breaches of confidential patient data
Trigger immediate response process: formal root cause analysis; mandatory corrective action plan; mandatory reporting to oversight agencies (for some)
IT risk management relevance: map IT events up onto sentinel events
Little or no appetite (unacceptable or really unacceptable) for information system events that could result in a sentinel event
Slide 25: Risk Tolerance (less useful, perhaps)
"Risk tolerances relate to the entity's objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective."
For example, measures of shortfall that the organization will satisfice.
Slide 26: Practice Question
An organization that recently suffered a catastrophic loss should:
A. Change the level of acceptable risk
B. Change the level of unacceptable risk
C. Reevaluate probabilities
D. Reevaluate impact
Slide 27: Awareness & Communication
Transparency does not mean the unmanaged communication of: risk strategy/appetite; actual level of risk; risk management process and issues
Support risk aware decisions
Seek to avoid: overconfidence; perception that the organization is hiding something from stakeholders (internal or external); perception that risk is not well managed
Slide 28: Risk Management Roles
Board: Establish common risk view / risk appetite
CEO: Manage risk
Risk Officer: Collect data and report
Business Management: Risk aware decisions
Analyze risk
Maintain risk profile
IT Management: Support all risk management activity in a secondary role
Business Process Owner: React to events
Control Functions: Support all risk management activity
HR: Communicate common risk view
Audit: Communicate common risk view
React to events
"business monarchy"
Objective Setting
Slide 29: Risk IT Process Model (2009 ISACA)
Objective Setting
Risk acceptance is managed as a risk governance activity
Slide 30: Risk IT Artifacts (2008 ITGI)
Slide 31: Common Risk View (Risk IT Governance Domain, 2009 ISACA)
Develop IT risk management framework
Determine how to integrate IT risk into strategic plans
Classify IT risk factors, events and potential impact
Define risk rating scales and control categories
Determine IT risk tolerance and appetite
Embed existing enterprise-wide risk management principles and views
Note: Risk Assessment / Risk Analysis
Slide 32: Business Relevance of IT Event
Slide 33: Business Relevant Categories for Expressing the Impact of Adverse Events
Extended information criteria (COBIT): Efficacy, Efficiency, Confidentiality, Integrity, Availability, Reliability, Compliance
Factor Analysis of Information Risk (FAIR): Productivity, Response cost, Replacement, Competitive advantage, Legal, Reputation
Extended Balanced Scorecard: Financial (Share value, Profit, Revenue, Cost of capital); Customer (Market share, Customer satisfaction, Customer service); Internal (Regulatory compliance); Growth (Competitive advantage, Reputation)
COSO ERM: Strategic, Operations, Reporting, Compliance
Westerman's 4 As: Agility, Accuracy, Access, Availability
Healthcare Provider*: Patient care, Logistics, Reputation, Regulatory compliance, Financial/Billing
Slide 34: Integrate with ERM (Risk IT Governance Domain)
Ensure appropriate business involvement in IT risk committees
Ensure IT involvement in enterprise business risk committee
Coordinate IT incident response plans with business response plans
Harmonize risk categories, methods, scales, etc. with ERM methods
Slide 35: Risk Aware Decisions (Risk IT Governance Domain)
Sell the business value of IT risk analysis data and results to business decision makers
Review analysis results with business owners to ensure coordinated response (business and IT)
Obtain business sign-off of residual risk.
Slide 36: Governance Metrics: A wicked problem
Need to assume that risk is appropriately analyzed and assessed, in order to determine that it is appropriately managed. However, an indication of poor risk management is misunderstood or poorly assessed risk.
ISACA IT risk governance metric (Risk IT): recourse to enterprise [business] risk metrics
Presumably more objective ($$$)
Presumes grand experiment (strategic use of IT or not)
Correlate enterprise and IT risk measures
Slide 37: Agenda
About: Course, CRISC Exam, Me, You
Common Risk View
Enterprise Foundations
Integrated Management
Risk Management Frameworks: Standards, Process, Practice
Risk Governance
Slide 38: ERM Frameworks
COSO ERM
Special status due to specific mention in the Sarbanes-Oxley law.
Often imprecise, i.e. does not define risk
Difficult to understand?
ISO 31000 Risk Management Framework ($$)
Based on AS/NZ 4360 (free for download)
Procedural framework for identification, analysis and treatment of generic risk
Intended to harmonize risk management processes, support existing standards (e.g. ISO 27005)
Risk defined as "effect of uncertainty on objectives"
Slide 39: NIST RMF
NIST Risk Management Framework that is replacing NIST C&A processes (SP 800-37)
Interesting (or not) features:
All of the information about business objectives and impacts is encapsulated in the classification of information and systems
Controls selected on basis of classification and deployment environment
Control effectiveness is assessed before systems are authorized to maintain or process classified data
Designed for managing information security
Could be adapted to IT risk generally (???)
Slide 40: Risk IT Practitioner Guide
Closely aligned with Risk IT
A guide without pretension to be a standard; a set of heuristics
Recommended for concrete, actionable advice, e.g. risk scenario construction, risk maps
Free download for ISACA members from ISACA.org; $115 otherwise
Slide 41: Practice Question