CRISCa AllSlides
Uploaded by Fares Salman
71 pages

CRISCa

Governance and Risk Management Concepts
IT Risk Management Context - Governance

o Governance establishes requirements for balancing performance and conformance
o Not confined to senior management
o Closely tied to Risk Management
o The Board of Directors is accountable
IT Risk Management Context - Governance

o Governance answers:
o Are we doing the right things?
o Are we doing them the right way?
o Are we getting them done well?
o Are we seeing expected benefits?
Organizational Strategy Archetypes

The Enterprise exists solely for achieving the defined strategic vision

o Growth/Acquisition
o Innovation/Differentiation
o Cost Leadership
o Client Service/Stability

o Risk Practitioner Goals:
o Provide accurate, complete and timely information
o Identify, assess and advise on appropriate responses
o Allow for performance and conformance
What is Risk Management?

o Coordinated activities, processes and practices
o Informing, directing and influencing senior management
o Continuous attention to risk
Major Categories of Risk

(Diagram: Enterprise Risk and its IT-related subset)

o Enterprise Risk: Strategic Risk, Market/Credit Risk, Compliance Risk, Operational Risk, Environment Risk
o IT-related Risk: IT Benefit/Value Enablement Risk, IT Project Risk, IT Operations Risk, Cyber and Info Risk
Key Risk Concepts

o All parties need to understand the taxonomy of risk
o Likelihood (Probability) and Consequences (Impact)
o Threats vs. Opportunities
o Vulnerabilities and Attacks
Risk in the Enterprise

o Using Risk Scenarios helps understand the impact to:
o Response costs
o Legal (fines, penalties, etc.)
o Damaged Reputation
o Health and Safety
o Productivity
Two Important Things When You Understand Impact

o Easier for Managers to assign monetary value
o Easier for Managers to make risk response decisions
Importance and Value of IT Risk Management

o Gives better oversight of assets
o Reduces or minimizes losses
o Identifies threats, vulnerabilities and consequences
o Prioritizes risk response efforts
o Increased probability of project success
o Improved decision making by senior management
IT Risk Strategy of the Enterprise

o IT Risk Management is part of overall business risk
o Should be guided by an IT Risk strategy that aligns with business goals and objectives
o Needs formal definitions, documentation and monitoring
Types of IT Business Risk

Type of Risk - Description
o Cyber/Information Risk - Failure to safeguard the privacy, confidentiality and integrity of information
o Availability Risk - Service may be lost; data is not accessible
o Infrastructure Risk - IT infrastructure and systems may be unable to handle current or future capacity; threat actors may disable or damage equipment
o Program/Project Risk - IT projects fail to meet objectives, get behind schedule, or go over budget
o Talent Risk - Unable to source or retain qualified talent in order to meet the organization's goals or objectives
o Third-party/Vendor Risk - Threats introduced by an external entity (supplier, outsourcer or partner) that might negatively impact the organization
o Access Risk - Information may be divulged or made available to individuals/groups that do not have authorization
Management Support

o Vitally important to have Senior Management support
o Should be visible and active
o Risk Management will not be successful without it
Business Goals and Objectives

o Risk management must align with business goals and objectives
o Must consider risk across all departments
o Maintain an active dialogue with Senior Management
o Always consider the strategy and vision of the organization
IT Risk Management Lifecycle

(Diagram: a continuous cycle)
1. IT Risk Identification
2. IT Risk Assessment
3. Risk Response
4. Risk and Control Monitoring & Reporting (feeding back into identification)
The Power of the RACI chart

o Gives the team an understanding of who does what
o A tool used to bring comprehension and communication to the organization
o There are four main types of roles:
o Responsible
o Accountable
o Consulted
o Informed
Key Roles for Risk Management

o Risk Manager – Responsible
o Risk Analyst – Responsible
o Risk Owner – Accountable
o Control Owner – Accountable
o Control Stewards – Responsible
o Subject Matter Experts – Consulted/Informed
Organizational Structure and Culture

o The structure and culture of an organization are critical to a risk management program
o Enterprise mandates on participation
o Behavior and attitude towards risk are part of the culture
o Collaboration and sharing of information are vital for success
Culture of an Organization

o Risk management is a core part of corporate governance
o This requires understanding of the organization's culture
o There are many types of cultures
Impact on Risk Management: What is Culture?

o Culture drives the behaviors of personnel
o All employees should be aware of their risk culture
o Subcultures can exist within an organization
o Risk awareness is a powerful tool in creating the culture and forming ethics
Risk Awareness

o Risk is well understood
o IT Risk issues are identifiable
o Enterprise understands what's required to manage risk
o Awareness education and training are key
o Awareness of InfoSec policies, standards and procedures is necessary
o Different training for different levels (e.g. management vs. senior mgmt)
Risk Culture Elements

o Behavior toward taking risk
o Behavior toward policy compliance
o Behavior toward negative outcomes
What Happens When Risk Management Goes Wrong?

o Misalignment between Risk Appetite and actual behavior
o Existence of a Blame Culture
Handy Dandy Exam Simulation Question!

Which of the following is MOST important when selecting an appropriate risk management methodology?
A. Cost-Benefit Analysis
B. Control Design
C. Risk appetite
D. Risk culture
The Importance of Risk Communication

o Communication is key to successful Risk Management
o Not all incidents need to be reported
o However, lack of communication leads to unhealthy organizations
Benefits of Good Communication

o More informed risk decisions
o Greater awareness of risk within the organization
o Transparency to customers and vendors
Consequences of Bad Communication

o Overconfidence in the organization's ability to manage risk
o False sense of security
o Decrease in value to stakeholders
o Incorrect categorization of risk
What Should Be Communicated

o Expectations from senior management
o Current risk management capability
o Status of all departments
Policies, Standards, Procedures

o Policies provide direction on acceptable behaviors and actions
o Standards and procedures support the requirements of policies
o All three are needed for risk management
Types of Risk Management Policies

o Enterprise Risk Policy
o Information Security Policy
o Privacy Policy
o Risk Appetite/Tolerance Policy
o Risk Acceptance Policy
Standards

o Mandatory requirements
o Code of Practice
o Might be based on external standards (ISO, etc.)
o Might be developed internally
Procedures

o More granular than standards
o Support implementation of standards
o The "How to" for standards
Exceptions

o There may be cases in which an exception is needed
o Exceptions MUST be documented
o Exceptions are only allowed through a formal process
Reviewing the Business Process

o Examines the effectiveness of the business in meeting its goals
o Requires input from knowledgeable people from all departments
o You may also bring in external experts (consultants)
Steps to Review the Business Processes

1. Document and evaluate the current processes
2. Identify any potential changes
3. Schedule and implement the changes
4. Gain feedback and evaluate
Business Process Review

o Outdated business processes introduce risk
o Periodic review of critical processes should be mandatory
o Updates should be performed as appropriate
Risk Management Principles, Processes, and Controls

o Risk management should not unduly affect business operations
o Risk practitioners give information to the Risk owner to make wise decisions
o Processes and controls can cause businesses to become slow and ineffective
Principles

o Risk associated with process failures, economic trends, or acts of nature needs to be considered
o Any threat that prevents the enterprise from meeting its goals should be managed
o Thus the need for guiding principles to help manage risk:
o Connect management of IT risk to business objectives
o Align management of IT risk with ERM
o Balance the costs and benefits of managing IT risk
o Promote ethical and open communication of all IT risk
Processes and Controls

o Care and consideration must be taken when introducing processes and controls
o Benefits and values must be properly communicated
o Being transparent with controls and the need for them will limit staff "workarounds"
o Try not to hamper productivity if possible
IT Risk And Its Relation To Other Business Functions

o Taking on too much risk or exceeding risk capacity can be harmful
o Senior Management is RESPONSIBLE for establishing risk appetite and tolerances
o Risk practitioners must understand that IT is connected to many other business functions
Risk and Business Continuity

o IT risk management is closely linked to business continuity
o Risk management attempts to reduce risk to an acceptable level
o As part of this, identifying potential disasters or major incidents is vital for the BCP
Risk and Audit

o Audit is all about ensuring compliance with policy and/or regulations
o IS audits should be conducted by trained professionals
o Risk practitioners should review the relationship between the IS auditor and the area being audited
Control Risk

(Diagram: the RISK justifies the CONTROL, and the control is traceable back to the risk it mitigates)

o Controls are created or chosen to mitigate a risk
o Controls need to be reviewed continuously
o Risk owners should be presented with some options to choose from
o Controls should be judged by:
o Efficiency
o Effectiveness
o Exposure
Project Risk

o Projects often fail due to lack of proper risk management
o Failure of an IT project presents risk to an enterprise
o Proper identification of risk for a project will increase chances of success
Change Risk

o Risk is not static
o Technology, regulations, processes, etc. change all the time
o Risk practitioners must keep a continuous eye on risk
o Change Advisory Boards (CABs) should communicate and identify risk
People and Technology

o One of the biggest assets of an enterprise is its people
o Enterprises are vulnerable to the loss of a key employee
o Cross-training, proper communication and financial incentives can be vital to retaining talent
Technology

o Technology changes all the time
o Equipment needs updating or replacing constantly
o Systems that are scheduled for disposal might contain sensitive data
o Data retention is important for regulatory and legal reasons
Data

o Data is extremely valuable for organizations
o Data should be clearly identified for business value
o Data security classification should be clearly defined
Intellectual Property

o Trademark
o Copyright
o Patent
o Trade Secret
IT Risk Management Good Practices

o It all starts with reviewing existing practices and procedures
o IT Risk management should be:
o Comprehensive
o Complete
o Auditable
o Justifiable
o Compliant
o Monitored
Enterprise Management and Excellence in Frameworks

o Risk Management is the coordinated activities to direct and control an enterprise with regard to risk
o Risk is a challenge to achieving objectives
o Risk Management lowers the likelihood of risk events occurring and reduces their impact
Three Lines of Defense

o Implemented by many organizations
o Identifies the business functions between risk owner and risk practitioner and specifies their roles
o First Line – Operational Management
o Second Line – Risk and Compliance Functions
o Third Line – Audit
First Line of Defense – Operational Management

o Implemented by the business unit
o Ensures a conducive control environment
o Expected to be fully aware of risk factors
o Able to execute effective internal control in their business units
o First Line – Operational Managers are responsible for managing risk
Second Line of Defense – Compliance

o Comprised of Risk Management and Compliance Functions
o Focused on ensuring that first-line defenses are properly designed
o This is where enterprise buy-in occurs
Third Line of Defense – Audit

o Provides the appropriate level of assurance to senior management
o Needs independent and objective reviews
o Reviews and evaluates the design and implementation of risk management
Role of the Risk Practitioner for 3 Lines of Defense

o The Risk Practitioner works across the first two lines of defense within an organization
o Auditors work in the third line of defense
o However, the auditor will give information TO the risk practitioner to help with delivering information to senior management and the board
Handy Dandy Simulation Question

Which is the MOST significant benefit of using the three lines of defense model?
A. Creates a cost-effective risk management initiative
B. Enhances communication between senior management and workers
C. Clarifies essential roles of the stakeholders
D. Helps risk owners decide a risk response
What is a Risk Profile?

o Based on the overall risk posture of the enterprise
o Reflected in its attention to monitoring controls
o Helps the enterprise have proactive identification, analysis and response to risk
o Key input to developing a risk culture
Changing The Risk Profile

o Changes occur because of:
o Changes to procedures
o New or revised regulations
o New Technologies
o Actions of competitors
o Effectiveness of the risk awareness program
Changing The Risk Profile

o Risk at the top level of an organization is the result of many individual risks
o Risk posture may be affected by cascading effects of minor risks
o IT risk management objectives should be reviewed consistently
o Risk is owned by management, but risk practitioners work with them to make them aware of those risks
Risk Appetite

o The amount of risk that an entity is willing to accept
o The Owners or Board of Directors set the risk appetite for the company
o This can also be delegated to senior management
o Translates into standards and policies to maintain risk at the level of the risk appetite
Risk Capacity

o Risk capacity is the amount of loss an enterprise can take without being in danger of closing
o Helps to set the risk appetite
Risk Tolerance

o The acceptable level of variation that management is willing to allow for any particular risk
o This allows for occasional (and approved) deviations from the risk appetite
o The risk tolerance level is still under the risk capacity level
o Defined at the enterprise level and reflected in policies
Benefits Of Defining Risk Capacity and Appetite

o Supports risk-based decision making
o Supports the understanding of how everything contributes to the overall risk profile
o Supports the prioritization and approval process of risk response actions
o Helps identify specific areas where a risk response should happen
Best Case Outcomes Of Communicating Risk Appetite

o Consistent implementation
o Effective monitoring and communication
o Consistent understanding of risk appetite and related tolerance
Legal, Regulatory, and Contractual Requirements

o Companies must comply with laws and regulations in their jurisdictions
o Some laws and regulations can be challenging to a business
o Some laws and regulations contradict each other
o If an Enterprise is global, set up global policies and then have regional or country-based exceptions as necessary
Types of Regulations

o GDPR
o PCI-DSS (strictly an industry standard imposed by contract with the card brands rather than a law, but treated as a compliance obligation)
o HIPAA
o SOX
Risk Practitioner and Professional Ethics

o Risk practitioners should work with legal counsel when building reporting
o Must have appropriate controls in place
o Compliance is a risk decision
o Risk is often impacted by ethics
o Ethics apply to how people believe that they have been treated
Handy Dandy Exam Simulation Question

Acme Widget has outsourced the majority of its IT department to a company that has datacenters in several countries. Which of the following is the MOST critical security consideration?
A. A security breach notification might be delayed
B. Laws and regulations of your country might not be enforceable in those countries
C. Additional network intrusion sensors will need to be installed so that you can have proper monitoring
D. The company might not be able to do adequate compliance monitoring on those datacenters