LHS
Managing Risk in a Service Management Environment
John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE
LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
Cell: +44 (0)7774 145638
[email protected]
www.lhscontrol.com
© John Mitchell
Themes
– Risk management in a nutshell
– Service delivery risks
– Risk management reporting
– Risk assurance groups
Risk Components
– Inherent risk – without controls
– Risk treatment – controls
– Residual risk – where you are after applying the controls
– Retained risk – what the Board agrees to live with (risk appetite)
Risk Management Process (cycle)
– Inherent Risk Identification
– Control Implementation
– Risk Management Plan
– Monitoring & Evaluating
Inherent Risk
The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place
Residual Risk
The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
Risk Components
EVENT – leading to
CONSEQUENCE – resulting in
EFFECT (IMPACT) ON BUSINESS OBJECTIVE
Handling Risk
RISK
– TERMINATE
– TOLERATE
– TRANSFER
– TREAT
Decision Matrix (Likelihood vs Consequence)

                      Consequence: Low           Consequence: High
Likelihood: High      Local Control (Treat?)     Immediate Remedial Action (Terminate?)
Likelihood: Low       No Action (Tolerate?)      Emergency Planning (Transfer?)
Mapping Likelihood & Consequence
A 5 x 5 grid: LIKELIHOOD on the vertical axis (A = Low at the bottom, E = High at the top) and CONSEQUENCE on the horizontal axis (A = Low at the left, E = High at the right).
Zones marked on the grid:
– Senior Management Attention (high likelihood and consequence)
– Local Management Attention (middle band)
– No Action (low likelihood and consequence)
Risk Management in a Nutshell
The same LIKELIHOOD (A = Low to E = High) by CONSEQUENCE (A = Low to E = High) grid, with an arrow labelled "Controls" moving a risk from its Inherent Risk position to its Residual Risk position.
Zones marked on the grid:
– Senior Management Attention
– Local Management Attention
– No Action
Service Delivery Risks
– Non-availability
– Slow response times
– Inadequate incident handling
– Poor problem solving
– Inferior configuration management
Non-Availability Risks
EVENT -> CONSEQUENCE -> IMPACT
– Customers are unable to access the system (EVENT) leading to them being unable to place orders (CONSEQUENCE) resulting in loss of income (IMPACT)
– Customers are unable to obtain help with non-availability problems (EVENT) leading to dissatisfaction with the company (CONSEQUENCE) resulting in loss of customers (IMPACT)
Non-Availability Root Causes (1)
1) Failure of connectivity as a result of loading company recommended third-party software on to customer computers
2) Failure of connectivity as a result of loading company produced software onto customer computers
3) Failure of the company's internet connection
4) Company firewall prevents legitimate access
5) Company internal network failure
6) Key hardware failure
7) Key software failure
Non-Availability Root Causes (2)
8) Customer forgets access credentials
9) Inadequate capacity
10) Hacking attack:
   a) Halts servers
   b) Halts network
11) Virus/worm infestation disrupts the system
12) Power loss
13) Failure of the back-up/restore process
14) Ineffective third-party support for critical software
15) Complete destruction of computer facilities
Inadequate Support Root Causes
16) Support staff not available when required
17) Support staff unresponsive to requests for help
18) Support staff have inadequate knowledge to deal with the problem
Availability Risks (Inherent to Residual Risk Mapping)
Root causes 1–18 plotted on the LIKELIHOOD (A = Low to E = High) by CONSEQUENCE (A = Low to E = High) grid, listed here by likelihood row; groups within a row run from lower to higher consequence:
– E (High): 8
– D: 2, 18 | 3, 4, 5, 6, 7, 9, 10, 11, 13, 14 | 12
– C: 16
– B: 1
– A (Low): 17 | 15
Called out on the slide: 12) Power Loss, 15) Loss of Computing, 14) 3rd Party Support
Risk Documentation
IT risk register
– Structure
– Coverage: Confidentiality, Integrity, Availability, Compliance, Management
– Inherent to retained logic
– Embedded monitors
– Early warning indicators
Planned improvement projects
[Embedded Microsoft Excel worksheet]
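The decision matrix, the likelihood/consequence grid and the risk register slides describe one mechanism: each risk is placed on a 5 x 5 grid (A = Low to E = High on both axes), controls move it from its inherent position to its residual position, the position decides who has to pay attention and which of the four Ts applies, and the register records when a residual position is still outside the Board's retained-risk appetite. The Python below is an added illustration of that mechanism, not the presentation's own Excel worksheet. The zone thresholds (product of the two grades), the cut-off for "High" in the four-T matrix (grade D or E) and the likelihood/consequence grades of the sample entries are assumptions; only the root-cause numbers and wording come from the slides.

```python
"""Risk register on the A..E likelihood x consequence grid (added example).

Assumptions, not from the slides: zone thresholds on the product of the two
grades, "High" = D or E in the four-T decision matrix, and the sample grades.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GRADES = "ABCDE"  # A = Low ... E = High, as on the slides' axes


def score(grade: str) -> int:
    """Map an axis grade A..E to 1..5 so grid positions can be compared."""
    grade = grade.upper()
    if grade not in GRADES:
        raise ValueError(f"grade must be one of {GRADES}, got {grade!r}")
    return GRADES.index(grade) + 1


def attention_zone(likelihood: str, consequence: str) -> str:
    """Zone of the 5x5 grid. Thresholds are an assumption: likelihood x
    consequence >= 12 senior management, >= 5 local management, else no action."""
    product = score(likelihood) * score(consequence)
    if product >= 12:
        return "Senior Management Attention"
    if product >= 5:
        return "Local Management Attention"
    return "No Action"


def four_t_option(likelihood: str, consequence: str) -> str:
    """Decision-matrix quadrant. 'High' means grade D or E (assumption; the
    slide only labels the axes Low/High)."""
    high_l = score(likelihood) >= 4
    high_c = score(consequence) >= 4
    if high_l and high_c:
        return "Terminate (immediate remedial action)"
    if high_l:
        return "Treat (local control)"
    if high_c:
        return "Transfer (emergency planning)"
    return "Tolerate (no action)"


@dataclass
class RiskEntry:
    ref: int                                  # root-cause number from the slides
    root_cause: str
    inherent: Tuple[str, str]                 # (likelihood, consequence) before controls
    controls: List[str] = field(default_factory=list)
    residual: Optional[Tuple[str, str]] = None  # after controls; None = not yet treated

    def position(self) -> Tuple[str, str]:
        """Where the risk currently sits: residual if treated, else inherent."""
        return self.residual if self.residual else self.inherent


def register_report(register: List[RiskEntry]) -> List[Dict]:
    """One row per risk: inherent zone, residual zone and the four-T option."""
    rows = []
    for e in register:
        lik, con = e.position()
        rows.append({
            "ref": e.ref,
            "root_cause": e.root_cause,
            "inherent_zone": attention_zone(*e.inherent),
            "residual_zone": attention_zone(lik, con),
            "option": four_t_option(lik, con),
            "controls": len(e.controls),
        })
    return rows


def exceeds_appetite(register: List[RiskEntry], appetite: Tuple[str, str]) -> List[int]:
    """Early-warning indicator: refs whose current position is above the Board's
    retained-risk appetite (max likelihood, max consequence) on either axis."""
    max_l, max_c = score(appetite[0]), score(appetite[1])
    return [e.ref for e in register
            if score(e.position()[0]) > max_l or score(e.position()[1]) > max_c]


# Constructed sample: root-cause numbers from the slides, grades and controls are illustrative.
SAMPLE_REGISTER = [
    RiskEntry(12, "Power loss", ("D", "E"),
              ["UPS and standby generator", "monthly generator test"], ("B", "E")),
    RiskEntry(15, "Complete destruction of computer facilities", ("A", "E"),
              ["off-site backups", "disaster recovery contract"], ("A", "D")),
    RiskEntry(8, "Customer forgets access credentials", ("E", "B"),
              ["self-service password reset"], ("E", "A")),
    RiskEntry(17, "Support staff unresponsive to requests for help", ("A", "B")),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_REGISTER):
        print(row)
    print("above appetite (C, C):", exceeds_appetite(SAMPLE_REGISTER, ("C", "C")))
```

Running the module prints the register report and the early-warning list for a retained-risk appetite of (C, C); with the constructed grades, power loss moves from Senior Management Attention to Local Management Attention once the controls are applied, yet still exceeds the appetite on the consequence axis, which is exactly the case the register's early warning indicators exist to surface.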
The Role of IT Audit
Primary
– Provide assurance to the Board that IT risks are being effectively managed
Secondary
– Provide assurance that IT is providing value for money
– Assist IT in developing well controlled business solutions
Assurance Tools
International standards:
– ISO 20000
– ISO 9126
– ISO 17799
– Control Objectives for IT (CobiT)
Best practices:
– ITIL
– Benchmarking
Data analytics software:
– ACL
– IDEA
Assurance Organisations
– BCS IRMA
– ISACA
– ITGI
– IIA
BCS IRMA
– Information Risk Management & Audit SG
– Oldest specialist group in the BCS – formed 1965
– Active programme of meetings
– Quarterly magazine
– Membership of the BCS Security Panel
– www.bcs-irma.org
ISACA
– Information Systems Audit & Control Association
– Certified Information Systems Auditor (CISA) qualification
– Certified Information Security Manager (CISM) qualification
– Primarily concerned with assurance of IT and security processes
– www.isaca.org
ITGI
– Information Technology Governance Institute
– Control Objectives for IT and related technologies (CobiT) international open standard
– Primarily concerned with IT governance
– www.itgi.org
IIA
– Institute of Internal Auditors
– Qualification in Computer Auditing (QiCA)
– Primarily concerned with internal control
– www.iia.org.uk
Summary
– Risk management is simply a process
– Inherent to residual/retained risk is achieved by controls
– Control effectiveness can be measured by assurance professionals
Questions?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455