Hendershott Consulting Inc. Risk Analysis, Version 1, July 1, 2010. Web Presence: www.hci-itil.com. Email: [email protected]. Service Design, Section 4.5 Service Continuity Management.


Every Risk is a Future Event

We are all familiar with typical risk management processes. The fundamental notion is that we identify risks, we assess their probability of occurrence, and we assess the consequence of occurrence. Then we put a risk management plan in place that is designed to eliminate, or alleviate the impact of, the serious risk events. Every risk is necessarily a future event, and only when the risk event actually happens is the risk transformed into a problem. The better we are at identifying risks and understanding the underlying basis of our risks, the better we can manage the risks.

Source: Dr. James Dobbins, "Critical Success Factor (CSF) Analysis for DoD Risk Management: CSF, More Than Making a List".

Risk Analysis (RA)

Risk Analysis provides basic input for continuity and recovery strategies, plans and responses.

Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. The slide depicts Risk Analysis as building upon the Business Impact Analysis within a Stage 1 undertaking, leading to a controlled and refined BCM strategy, culture and organization that typify a highly mature organization.

Risk refers to the uncertainty that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

ISO 31000:2009

A family of standards relating to risk management codified by the International Organization for Standardization that provides generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization.

The definitive guide for Risk Management is now ISO 31000, released in 2009. It is intended to be a family of standards relating to risk management codified by the International Organization for Standardization. The purpose of ISO 31000:2009 is to provide principles and generic guidelines on risk management.

Risk Management

ISO 31000 describes a Risk Management process as depicted on the slide: 5.2 Communications, 5.3 Context Setting, 5.4 Risk Assessment (5.4.2 Identification, 5.4.3 Risk Analysis, 5.4.4 Evaluation), 5.5 Risk Treatment and 5.6 Risk Monitoring.

Risk Profile: Risk Principles

One of the key elements, and a precursor, to creating a Risk Profile are the principles governing the organization's boundaries in approaching risk management. An organization's approach to these principles needs to be agreed and defined within:

  • Risk Management Policies
  • A Process Guide
  • Plans
  • Risk Registers
  • Issue Logs

Risk Profile: Corporate Risk Profile

An organization's risk profile identifies key risk areas that cut across the organization (functions, programs, systems) as well as individual events, activities or projects that could significantly influence the overall management priorities, performance, and realization of organizational objectives.

Factors relevant to the development of an organization's risk profile include:

  • the overall management framework
  • governance and accountability structures
  • values and ethics
  • the operational work environment
  • the current risk tolerances of the various stakeholders
  • individual and corporate risk management culture and tolerances
  • existing risk management expertise and practices
  • human resources capacity
  • the level of transparency required
  • local and corporate policies, procedures and processes

Risk Communications & Consultation (5.2 Communications)

Communications and stakeholder consultation are key supporting processes for Risk Management. Key things to remember in creating communication and consultation channels include:

  • Imbue a culture in which everybody is a risk manager.
  • Place responsibility for driving risk management high in the organization.
  • Open communication is necessary for risk management to succeed. Without open communication risk management cannot be "everybody's business". Managers require direct communication channels up, down and across their business units to help identify risks and take appropriate actions. Information must be shared.
  • Use teams to manage risks. Informal and formal teams are a mechanism that many organizations use to manage risks. Teaming brings together various risk attitudes and brings fresh thinking to issues and solutions. It also focuses diverse disciplines on common objectives.
  • Communicate risk management performance. A handful of organizations report to management and stakeholders/shareholders on risks and risk management performance. The reports might concentrate on the unit's top ten risks and how they are managed.

Risk Context (5.3 Context Setting)

ISO 31000 directs the organization to define the context in which Risk Management will operate. This involves:

  • identification of risk in a selected domain of interest
  • planning the remainder of the process
  • mapping out the social scope of risk management, the identity and objectives of stakeholders, and the basis upon which risks and constraints will be evaluated
  • defining a framework for the activity and an agenda for identification
  • developing an analysis of the risks involved in the process
  • mitigation or solution of risks using available technological, human and organizational resources

Risk Register

An important contextual element is the Risk Register. The objective of risk registration is to display the profiled risks in a structured format. A table can be used to facilitate the assessment and analysis. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritize the key risks that need to be analyzed in more detail. Risks associated with business activities, and with the decision-making processes behind them, may be categorized as strategic, project/tactical, operational, etc.

Typical register columns:

  • Scope of Risk: qualitative description of the events, their size, type, number and dependencies
  • Nature of Risk: e.g. strategic, operational, financial, knowledge or compliance
  • Stakeholders: the stakeholders and their expectations
  • Risk Appetite: loss potential and financial impact of the risk; value at risk; probability and size of potential losses/gains; objective(s) for control of the risk and desired level of performance
  • Risk Treatment & Control Mechanisms: primary means by which the risk is currently managed; level of confidence in the existing control; identification of protocols for monitoring and review
  • Potential Action for Improvement: recommendations to reduce the risk
  • Strategy and Policy Developments: identification of the function responsible for developing strategy and policy

Risk Assessment (5.4 Risk Assessment)

The central processes in ISO 31000 deal with the assessment of the risk, threat or opportunity. Risks must be assessed as to their potential severity of loss and their probability of occurrence. These quantities can be either simple to measure, as in the value of a lost building, or impossible to know for sure, as in the probability of an unlikely event occurring. Therefore, in the assessment process it is critical to make the best educated guesses possible in order to properly prioritize the implementation of the risk management plan.

The fundamental difficulty in risk assessment is determining the rate of occurrence, since statistical information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the consequences (impact) is often quite difficult for immaterial assets.

Risk Identification (5.4.2 Identification)

Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

Source Analysis inspects the sources of risk. They may be internal or external to the system that is the target of risk management. Examples include project stakeholders, company employees or the weather over an airport.

Problem Analysis takes problems as its focus: risks are matched with identified threats, for example the threat of losing money, the threat of abuse of privacy information or the threat of accidents and casualties. The threats are associated with entities such as shareholders, customers and government bodies.

Common Risk Identification Methods

There are a number of identification methods in common use.

With Objectives-based risk identification the objectives of the organization are used as a starting point. Any event that may endanger achieving an objective, partly or completely, is identified as a risk.

In Scenario-based risk identification different scenarios are created representing alternative ways to achieve an objective. Any event that triggers an undesired scenario alternative is identified as a risk.

With Taxonomy-based risk identification risk sources are decomposed into classifications. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled and distributed. The answers to the questions reveal risks.

Common Risk Lists can be compiled or obtained, building upon the experiences of others in a field. Each risk in the list can be checked for application to a particular situation.

Lastly, with Risk Charting the above methods are combined by listing the resources at risk, the threats to those resources, the modifying factors that may increase or decrease the risk, and the consequences to be avoided. A matrix under these headings enables a variety of approaches to be used. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.

Risk Analysis (5.4.3 Risk Analysis)

Risk Analysis combines the impact of loss rating, frequently determined through a Business Impact Analysis, and the vulnerability rating to evaluate the potential risk to the facility from a given threat.

The result is a table or grid that combines the two key risk determinations, the severity of the event and its likelihood, to produce a single measure for use in prioritization.

Composite Risk Index

A typical measure is a Composite Risk Index:

Composite Risk Index = Impact of Risk Event x Probability of Occurrence

The impact of the risk event is assessed using a scale such as 0 to 5, or Low to Extremely High, where 0 or Low represents the minimum and 5 or Extremely High the maximum possible impact of an occurrence of the risk (usually in terms of financial losses).

The probability of occurrence is likewise assessed on a scale from 0 to 5, or Low to Extremely High, where 0 or Low represents a zero probability of the risk event actually occurring and 5 or Extremely High represents a 100% probability of occurrence (i.e. certainty).

On two 0 to 5 scales the index therefore ranges from 0 to 25. It is an ordinal ranking aid, not a monetary expected loss, so two risks with the same index (a rare catastrophe and a frequent nuisance) still need to be told apart when treatments are chosen.
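As an added worked example (not code from the slides or from Hendershott Consulting), the register columns listed under Risk Register and the Composite Risk Index can be combined into a small prioritization tool. The Risk class, the to_score mapping of the word scale onto 0 to 5, the appetite threshold and the sample risks are all assumptions made for this illustration; the slides fix only the end points of the scale.

```python
"""Risk register rows scored with the Composite Risk Index (CRI).

Added illustration, not code from the HCI-ITIL slides. Column names follow
the register layout described above; the word-scale mapping, the appetite
threshold and the sample risks are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Union

# Assumed mapping of the word scale onto the 0-5 numeric scale. The slides
# fix only the end points (0 = Low, 5 = Extremely High); the middle is ours.
LABEL_SCALE = {"Low": 0, "Minor": 1, "Moderate": 2, "High": 3,
               "Very High": 4, "Extremely High": 5}


def to_score(value: Union[int, str]) -> int:
    """Normalise an impact or probability rating to an integer 0-5."""
    if isinstance(value, str):
        if value not in LABEL_SCALE:
            raise ValueError(f"unknown rating label {value!r}")
        return LABEL_SCALE[value]
    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 5:
        raise ValueError(f"rating must be an integer 0-5, got {value!r}")
    return value


@dataclass
class Risk:
    """One register row; the fields mirror the columns listed above."""
    ref: str
    scope: str                    # qualitative description of the event
    nature: str                   # strategic, operational, financial, knowledge, compliance
    stakeholders: List[str]
    impact: Union[int, str]       # 0-5 or a LABEL_SCALE label
    probability: Union[int, str]  # 0-5 or a LABEL_SCALE label
    controls: str                 # primary means by which the risk is currently managed
    confidence: str               # level of confidence in the existing control
    action: str = ""              # potential action for improvement

    def __post_init__(self) -> None:
        self.impact = to_score(self.impact)
        self.probability = to_score(self.probability)

    @property
    def cri(self) -> int:
        """Composite Risk Index = impact x probability, range 0..25."""
        return self.impact * self.probability


def prioritise(register: List[Risk], appetite: int = 4) -> List[Risk]:
    """Risks whose CRI exceeds the appetite, highest first.

    Ties on CRI are broken in favour of the higher impact, so a rare but
    severe event outranks a frequent nuisance with the same index.
    """
    above = [r for r in register if r.cri > appetite]
    return sorted(above, key=lambda r: (r.cri, r.impact), reverse=True)


def render(register: List[Risk]) -> str:
    """Plain-text register table, highest CRI first."""
    rows = [f"{'ref':<4} {'I':>1} {'P':>1} {'CRI':>3}  {'nature':<12} scope"]
    for r in sorted(register, key=lambda r: (r.cri, r.impact), reverse=True):
        rows.append(f"{r.ref:<4} {r.impact:>1} {r.probability:>1} {r.cri:>3}  "
                    f"{r.nature:<12} {r.scope}")
    return "\n".join(rows)


# Constructed sample register (illustrative, not real data).
SAMPLE_REGISTER = [
    Risk("R1", "Loss of primary data centre (fire or flood)", "operational",
         ["IT operations", "customers"], "Extremely High", 1,
         "Off-site backups, DR site", "medium", "Test failover quarterly"),
    Risk("R2", "Ransomware on the file servers", "operational",
         ["IT operations", "finance"], 4, 3,
         "Antivirus, patching", "low", "Immutable backups, EDR"),
    Risk("R3", "Frequent short outages of the reporting portal", "operational",
         ["finance"], "Minor", 5, "Manual restart runbook", "high"),
    Risk("R4", "Key supplier insolvency", "strategic",
         ["procurement"], 2, 2, "Annual contract review", "medium"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    print("\nNeeds detailed analysis:", [r.ref for r in prioritise(SAMPLE_REGISTER)])
```

The tie-break in prioritise is the practical point: R1 (impact 5, probability 1) and R3 (impact 1, probability 5) both score 5, and a bare index would rank them equally even though only one of them threatens continuity.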

Risk Evaluation (5.4.4 Evaluation)

During Risk Evaluation, controls that could mitigate or eliminate the identified risks, as appropriate to the organization's operations, are identified. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level.

Factors to be considered in recommending controls and alternative solutions to minimize or eliminate the identified risks include:

  • effectiveness of the recommended options (e.g. system compatibility)
  • legislation and regulation
  • organizational policy
  • operational impact
  • safety and reliability

Not all possible recommended controls can be implemented to reduce loss. To determine which ones are required and appropriate for a specific organization, a cost-benefit analysis should be conducted for the proposed controls, to demonstrate that the costs of implementing them can be justified by the reduction in the level of risk. In addition, the operational impact (such as the effect on system performance) and feasibility (such as the technical requirements or user acceptance) of introducing the recommended option should be evaluated carefully.

Risk Treatment (5.5 Risk Treatment)

Risk Treatment involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Because the elimination of all risk is usually impractical or close to impossible, it is the responsibility of senior management and of functional and business managers to use the most appropriate controls to decrease mission risk to an acceptable level, with minimal adverse impact on the organization's resources and mission.

Common Risk Treatments

Common risk treatments include the following four tactics:

  • Avoidance (eliminate, withdraw from or not become involved)
  • Reduction (optimize, mitigate)
  • Sharing (transfer: outsource or insure)
  • Retention (accept and budget)

Risk avoidance includes not performing an activity that could carry risk. An example would be not buying a property or business in order not to take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits.

Risk reduction involves reducing the severity of the loss or the likelihood of the loss occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

Acknowledging that risks can be positive or negative, optimising risks means finding a balance between negative risk and the benefit of the operation or activity; and between risk reduction and effort applied. Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at managing or reducing risks.

Risk sharing is sharing with another party the burden of loss, or the benefit of gain, from a risk, and the measures to reduce a risk.

The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In common usage, the purchase of an insurance contract is often described as a "transfer of risk" even though, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred".

Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining the risk for the group, but spreading it over the whole group involves transfer among individual members of the group. This is different from traditional insurance, in that no premium is exchanged between members of the group up front, but instead losses are assessed to all members of the group.

Risk retention involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributable to war is retained by the insured. Any amount of potential loss (risk) over the amount insured is also retained risk. This may be acceptable if the chance of a very large loss is small, or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

Risk Mitigation Strategy

The slide diagram illustrates the common thought process involved in treating a risk. The threat-source is identified and the organization is assessed as vulnerable. In this example the attacker's costs are deemed relevant in assessing the risk, since it is assumed that attackers require a pay-off incentive before initiating the threat. If the attacker's costs are less than their gains, then the financial cost of mitigation for the organization is appraised. Only if the loss to the organization is greater than the cost of initiating action is the risk considered unacceptable.

Organizations can analyze the extent of the risk reduction generated by the new or enhanced controls in terms of the reduced threat likelihood or impact, the two parameters that define the mitigated level of risk to the organizational mission.

Implementation of new or enhanced controls can mitigate risk by one of three primary methods:

  • eliminating some of the system's vulnerabilities (flaws and weaknesses), thereby reducing the number of possible threat-source/vulnerability pairs
  • adding a targeted control to reduce the capacity and motivation of a threat-source
  • reducing the magnitude of the adverse impact (for example, limiting the extent of a vulnerability or modifying the nature of the relationship between the IT system and the organization's mission)

The risk remaining after the implementation of new or enhanced controls is the residual risk.
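The decision sequence described for the mitigation diagram, together with the three mitigation methods and the residual-risk calculation, can be written down as a short model. This is an added example, not code from the slides; the ThreatScenario and Control types, the monetary figures and the SQL-injection scenario are constructed assumptions. The action points (vulnerable? exploitable? attacker's cost below gain? anticipated loss above the cost of acting?) follow the description above and mirror the risk mitigation action points in NIST SP 800-30.

```python
"""Mitigation action points and residual risk.

Added illustration, not code from the HCI-ITIL slides. It walks the decision
sequence described for the mitigation diagram and applies controls classed by
the three mitigation methods; all names, figures and the scenario are assumed.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Iterable, Tuple


class Decision(Enum):
    NO_RISK = "not vulnerable: no risk from this threat-source"
    TOLERATED = "not exploitable or no attacker pay-off: risk tolerated"
    ACCEPTABLE = "anticipated loss below the cost of acting: risk accepted"
    UNACCEPTABLE = "unacceptable risk: treat it"


@dataclass(frozen=True)
class ThreatScenario:
    threat_source: str
    vulnerable: bool        # does the organisation have the weakness?
    exploitable: bool       # can this threat-source actually exercise it?
    attacker_cost: float    # what the attack costs the attacker (money)
    attacker_gain: float    # the attacker's expected pay-off (money)
    expected_loss: float    # the organisation's anticipated loss (money)
    mitigation_cost: float  # cost of initiating action (money)
    likelihood: int         # 0-5, as in the composite risk index
    impact: int             # 0-5

    @property
    def cri(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A new or enhanced control, tagged with the mitigation method it uses."""
    name: str
    method: str                        # "vulnerability" | "threat" | "impact"
    likelihood_reduction: int = 0      # points off the 0-5 likelihood
    impact_reduction: int = 0          # points off the 0-5 impact
    attacker_cost_increase: float = 0  # raises the attacker's cost (threat method)
    loss_reduction: float = 0          # lowers the anticipated loss (impact method)
    removes_vulnerability: bool = False


def decide(s: ThreatScenario) -> Decision:
    """Action points in the order the diagram description gives them."""
    if not s.vulnerable:
        return Decision.NO_RISK
    if not s.exploitable or s.attacker_cost >= s.attacker_gain:
        return Decision.TOLERATED          # no pay-off incentive for the attacker
    if s.expected_loss <= s.mitigation_cost:
        return Decision.ACCEPTABLE
    return Decision.UNACCEPTABLE


def apply_controls(s: ThreatScenario, controls: Iterable[Control]) -> ThreatScenario:
    """The scenario as it stands once the controls are in place."""
    out = s
    for c in controls:
        if c.method not in ("vulnerability", "threat", "impact"):
            raise ValueError(f"unknown mitigation method {c.method!r}")
        out = replace(
            out,
            vulnerable=out.vulnerable and not c.removes_vulnerability,
            likelihood=max(0, out.likelihood - c.likelihood_reduction),
            impact=max(0, out.impact - c.impact_reduction),
            attacker_cost=out.attacker_cost + c.attacker_cost_increase,
            expected_loss=max(0.0, out.expected_loss - c.loss_reduction),
        )
    if not out.vulnerable:  # the threat-source/vulnerability pair is gone
        out = replace(out, likelihood=0)
    return out


def evaluate(s: ThreatScenario, controls: Iterable[Control]) -> Tuple[int, int, Decision]:
    """(inherent CRI, residual CRI, decision on the residual scenario)."""
    after = apply_controls(s, controls)
    return s.cri, after.cri, decide(after)


# Constructed scenario with assumed figures: SQL injection in a customer portal.
PORTAL_SQLI = ThreatScenario(
    threat_source="external attacker", vulnerable=True, exploitable=True,
    attacker_cost=500, attacker_gain=50_000, expected_loss=200_000,
    mitigation_cost=30_000, likelihood=4, impact=4)

DEFENCE_IN_DEPTH = [
    Control("web application firewall", "threat",
            likelihood_reduction=1, attacker_cost_increase=5_000),
    Control("tokenise stored card data", "impact",
            impact_reduction=2, loss_reduction=180_000),
]
ROOT_CAUSE_FIX = [Control("parameterised queries", "vulnerability",
                          removes_vulnerability=True)]

if __name__ == "__main__":
    print("inherent:", PORTAL_SQLI.cri, decide(PORTAL_SQLI).value)
    for label, ctrls in (("defence in depth", DEFENCE_IN_DEPTH),
                         ("root-cause fix", ROOT_CAUSE_FIX)):
        print(label, evaluate(PORTAL_SQLI, ctrls))
```

The point worth keeping from this model is that residual risk is re-run through the same action points: threat and impact controls leave a scenario that still has to pass the loss-versus-cost test, whereas removing the vulnerability removes the threat-source/vulnerability pair outright.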

Common Risk Options

Risk mitigation measures often fall into one of four generic risk options:

  • design a new business process with adequate built-in risk control and containment measures from the start
  • periodically re-assess risks that are accepted in ongoing processes as a normal feature of business operations, and modify mitigation measures
  • transfer risks to an external agency such as an insurance company
  • avoid risks altogether, perhaps by closing down a particular high-risk business area

Risk Treatment Plan

Risk recommendations should be considered together in a Risk Treatment Plan that documents the decisions about how each of the identified risks should be handled and considers the interdependencies amongst risks and their treatments.

Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organization should have top management decision behind it whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and implementing antivirus software. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions.

Risk Monitoring (5.6 Risk Monitoring)

Initial risk management plans will never be perfect. Practice, experience and actual loss results will necessitate changes in the plan and contribute information to allow different decisions to be made in dealing with the risks being faced.

Risk analysis results and management plans should therefore be updated periodically:

  • to evaluate whether the previously selected security controls are still applicable and effective, and
  • to evaluate possible changes in risk level in the business environment. Information risks are a good example of a rapidly changing business environment.

30 Service Design Section 4.5 Service Continuity Management

CobIT Risk Assessment Control Objectives

Risk Assessment is a CobIT Control Objective (PO09): IT risk identification and impact analysis, involving multi-disciplinary functions and taking cost-effective measures to mitigate risks, with the following objectives:
- Business Risk Assessment - risk assessment framework, risk assessment at a number of levels, reassessments and information updates
- Risk Assessment Approach - establish a general risk assessment approach which defines the scope and boundaries, the methodology to be adopted for risk assessments, the responsibilities and the required skills
- Risk Identification - cause/effect relationships, qualitative and quantitative risk ranking, risk classification
- Risk Measurement - measurement of risk exposure, assessment of risk acceptance capacity
- Risk Action Plan - cost-effective controls and security measures, risk strategies in terms of avoidance, mitigation or acceptance
- Risk Acceptance - formal acceptance of residual risk, offset by insurance, contractual liabilities
- Safeguard Selection - control system to balance prevention, detection, correction and recovery measures
- Risk Assessment Commitment - important tool in design and implementation as well as monitoring and evaluation mechanisms

Implementing Risk Assessment measures and procedures requires significant discipline and commitment by the organization. The capability to do this is often a product of the organization's overall level of maturity, as defined by Capability Maturity Modelling and evaluated by ISACA through the CobIT framework. A CobIT assessment audit will evaluate the organization against the Control Objectives listed above.

31 Service Design Section 4.5 Service Continuity Management

CobIT Risk Assessment Maturity Levels

Organizations may undertake risk assessment at one of six maturity levels:
0 (Non-existent) - Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
1 (Ad Hoc) - Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties.
2 (Repeatable) - Organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies.

CobIT provides descriptions of organizations at each level of organizational maturity, measured against these Control Objectives:

0 - Non-existent
There is little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.

1 - Initial/Ad Hoc
Risk assessment for processes and business decisions does not occur. The organisation does not consider the business impacts associated with security vulnerabilities and with development project uncertainties. Risk management has not been identified as relevant to acquiring IT solutions and delivering IT services.

2 - Repeatable but Intuitive
The organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies. Informal assessments of project risk take place as determined by each project. Risk assessments are not likely to be identified specifically within a project plan or to be assigned to specific managers involved in the project. IT management does not specify responsibility for risk management in job descriptions or other informal means. Specific IT-related risks such as security, availability and integrity are occasionally considered on a project-by-project basis. IT-related risks affecting day-to-day operations are infrequently discussed at management meetings. Where risks have been considered, mitigation is inconsistent.

3 - Defined Process
An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training. Decisions to follow the process and to receive training are left to the individual's discretion. The methodology is convincing and sound, and ensures that key risks to the business are likely to be identified. Decisions to follow the process are left to individual IT managers, and there is no procedure to ensure that all projects are covered or that the ongoing operation is examined for risk on a regular basis.

4 - Managed and Measurable
The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation. Management is advised on changes in the IT environment which could significantly affect the risk scenarios, such as an increased threat from the network or technical trends that affect the soundness of the IT strategy. Management is able to monitor the risk position and make informed decisions regarding the exposure it is willing to accept. Senior management and IT management have determined the levels of risk that the organisation will tolerate and have standard measures for risk/return ratios. Management budgets for operational risk management projects to reassess risks on a regular basis. A risk management database is established.

5 - Optimized
Risk assessment has developed to the stage where a structured, organisation-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organisation. The capturing, analysis and reporting of risk management data are highly automated. Guidance is drawn from leaders in the field and the IT organisation takes part in peer groups to exchange experiences. Risk management is truly integrated into all business and IT operations, is well accepted and extensively involves the users of IT services.

32 Service Design Section 4.5 Service Continuity Management

CobIT Risk Assessment Maturity Levels

Organizations may undertake risk assessment at one of six maturity levels:
0 (Non-existent) - Little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
1 (Ad Hoc) - Risk assessment for processes and business decisions does not occur. The organization does not consider the business impacts associated with security vulnerabilities and with development project uncertainties.
2 (Repeatable) - Organization is aware of its legal and contractual responsibilities and liabilities, but considers IT risks in an ad hoc manner, without following defined processes or policies.
3 (Defined) - An organization-wide risk management policy defines when and how to conduct risk assessments. Risk assessment follows a defined process that is documented and available to all staff through training.
4 (Managed & Measured) - The assessment of risk is a standard procedure and exceptions to following the procedure would be noticed by IT management. It is likely that IT risk management is a defined management function with senior level responsibility. The process is advanced and risk is assessed at the individual project level and also regularly with regard to the overall IT operation.
5 (Optimized) - Risk assessment has developed to the stage where a structured, organization-wide process is enforced, followed regularly and well managed. Risk brainstorming and root cause analysis, involving expert individuals, are applied across the entire organization.

33 Service Continuity Management

Risk Analysis

Service Design Section 4.5 Service Continuity Management

34 Hendershott Consulting Inc

Email: [email protected]
Process site: hci-itil.com

Service Design Section 4.5 Service Continuity Management