
RISK SCENARIOS
Using COBIT® 5 for Risk

Personal Copy of: Mr. Yonscun Yonscun


Risk Scenarios Using COBIT® 5 for Risk

About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology.
ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of
Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association
has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created Risk Scenarios Using COBIT® 5 for Risk (“the Work”) primarily as an educational resource
for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive
of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should
apply their own professional judgment to the specific circumstances presented by the particular systems or information
technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/riskscenarios


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-468-1

Acknowledgments
ISACA wishes to recognize:
Lead Developer
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Fischer IT GRC Beratung & Schulung, Switzerland

Development Team
Evelyn Anton, CISA, CISM, CGEIT, CRISC, UTE, Uruguay
Robert E Stroud, CGEIT, CRISC, CA, USA
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants GRC Ltd., United Kingdom
Elza Adams, CISA, CISSP, PMP HP, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Eduardo Ritegno, CISA, CRISC, QAR (IIA), Banco de la Nacion Argentina, Argentina
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil

Expert Reviewers
Mohamed Tawfik Abul Farag, KPMG, Egypt
Mark Adler, CISA, CISM, CGEIT, CRISC, CCSA, CFE, CFSA, CIA, CISSP, CRMA, CRP, Wal-Mart Stores, Inc., USA
Gerardo H. Arancibia Vidal, CISM, CRISC, Ernst & Young, Chile
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Vilius Benetis, CISA, CRISC, PhD, NRD CS, Lithuania
Jean-Louis Bleicher, CRISC, France
Graham Carter, CISA, CGEIT, ABB Limited, Switzerland
Richard Cartwright, CGEIT, ISP/ITCP, ITIL, PMP, MZP Solutions, Canada
Katalina Coronel Hoyos, CISA, SASCURE Cia. Ltda., Ecuador
Gabriel Croci, CISA, CRISC, SOMOS Consultancy Services, Uruguay
Diego Patricio del Hoyo, CISM, CRISC, CISSP, Westpac Banking Corporation, Australia
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 5 Accredited Trainer, PMP, Venlee IT Consultancy LLP, India
Joseph Fodor, CISA, CPA, Ernst & Young, LLP, USA
Giovanni Guzman De Leon, CISM, ITIL, CFC, ISO 9001, PhD Candidate, Independent Consultant, Guatemala
Jason Hageman, CISA, ITIL V3, MGM Resorts International, USA
Tomas Hellum, LinkGRC, Denmark
Sharon Jones, CISA, MGM Resorts International, USA
Masatoshi Kajimoto, CISA, CRISC, Independent Consultant, Japan
Satish Kini, CRISC, CISSP, COBIT 5 Certified Assessor, Firstbest Consultants Pvt Ltd., India
Vaman Amarjeet Gokuldas Kini, CISA, CISM, CEH, CISSP, LPT, 27KLA, The World Bank Group, India
Shruti Shrikant Kulkarni, CISA, CRISC, CISSP, CPISI, CCSK, ITIL V3 Expert, Infosys Technologies Limited, India
John W. Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/U, IBM Global Business Services, USA
Michel Lambert, CISA, CISM, CGEIT, CRISC, Ministere de l’Agriculture, des Pecheries et de l’Alimentation du Quebec, Canada
Romualdas Lecickis, CISA, CISM, CGEIT, CRISC, NRD CS, Lithuania
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA
Sebastian Marondo, CISA, CISM, NRD-EA, National Audit Office- Tanzania, Tanzania
John Simiyu Masika, CISA, CISM, Kenya Airways Ltd., Kenya
Radmila Mihajlovic, CISA, Consultant, Canada
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, GovernaTI, Colombia
Oscar Moreno Mulas, CISA, OKY Consulting/Zelaya Rivas Asociados, El Salvador
Raphael Otieno Onyango, CISA, BCOM, CPA (K), Ecumenical Church Loan Fund – Kenya, Kenya
Abdul Rafeq, Wincer Infotech Limited, India
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India
Franco Rigante, CISA, CRISC, PMP, Grant Thornton Argentina, Argentina
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Paras K. Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
David Sheidlower, CISM, Health Quest, USA
Emil David Skrdla, CISA, CISM, CGEIT, CRISC, ITIL V3, PCI ISA, PCIP, The University of Oklahoma, USA
Gustavo A. Solís, Grupo Cynthus, S.A. de C.V., Mexico
Mark Stacey, CISA, FCA, BG Group, USA

Acknowledgments (cont.)
Expert Reviewers (cont.)
Donald T. Steane, CIA, CMA, CPA, CRMA, DTS Consulting Services, Canada
Dirk Steuperaert, CISA, CGEIT, CRISC, ITIL, IT In Balance BVBA, Belgium
Louis C. Tinto, CISA, CRISC, CFE, CIA, Omnicom Media Group, USA
Alok Tuteja, CGEIT, CRISC, CIA, CISSP, Mazrui Holdings LLC, UAE
Orlando Tuzzolo, CISM, CGEIT, CRISC, World Pass IT Solutions, Brazil

ISACA Board of Directors
Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co. (retired), USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Guidance and Practices Committee
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, CISSP, Deloitte, USA
James Seaman, CISM, CRISC, A. Inst. IISP, CCP, QSA, RandomStorm Ltd., UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CRISC, CISSP, Merck, Germany

Special recognition for financial support:
New Jersey Chapter

Table of Contents
List of Figures............................................................................................................................................................................7

Chapter 1. Introduction............................................................................................................................................................9
Background.............................................................................................................................................................................9
Purpose of This Publication..................................................................................................................................................10
Who Should Use This Guide?..............................................................................................................................................10
Scope and Approach.............................................................................................................................................................11
Prerequisite Knowledge........................................................................................................................................................11

Chapter 2. High-level Description of Risk Management Concepts...................................................................13

Chapter 3. Risk Scenarios Explained....................................................................................................................15
Risk Scenarios Defined........................................................................................................................................................15
Developing Risk Scenarios Workflow..................................................................................................................................16
Risk Factors...........................................................................................................................................................................16
IT Risk Scenario Structure....................................................................................................................................................19
Main Issues When Developing and Using Risk Scenarios..................................................................................................20
Characteristics of Good Scenarios........................................................................................................................................22

Chapter 4. Generic Risk Scenarios........................................................................................................................23

Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios................................................................31
Risk Scenario Category 1: Portfolio Establishment and Maintenance...............................................................................32
Risk Scenario Category 2: Programme/Project Life Cycle Management..........................................................................34
Risk Scenario Category 3: IT Investment Decision Making..............................................................................................36
Risk Scenario Category 4: IT Expertise and Skills.............................................................................................................37
Risk Scenario Category 5: Staff Operations........................................................................................................................39
Risk Scenario Category 6: Information...............................................................................................................................41
Risk Scenario Category 7: Architecture..............................................................................................................................43
Risk Scenario Category 8: Infrastructure............................................................................................................................45
Risk Scenario Category 9: Software....................................................................................................................................47
Risk Scenario Category 10: Business Ownership of IT......................................................................................................49
Risk Scenario Category 11: Suppliers.................................................................................................................................51
Risk Scenario Category 12: Regulatory Compliance.........................................................................................................52
Risk Scenario Category 13: Geopolitical............................................................................................................................53
Risk Scenario Category 14: Infrastructure Theft or Destruction........................................................................................54
Risk Scenario Category 15: Malware..................................................................................................................................55
Risk Scenario Category 16: Logical Attacks.......................................................................................................................57
Risk Scenario Category 17: Industrial Action.....................................................................................................................59
Risk Scenario Category 18: Environmental........................................................................................................................60
Risk Scenario Category 19: Acts of Nature.........................................................................................................................61
Risk Scenario Category 20: Innovation...............................................................................................................................62

Chapter 6. Expressing and Describing Risk.........................................................................................................65

Preparation of a Risk Scenario Analysis...............................................................................................................................65
Risk Analysis Methods—Quantitative vs. Qualitative.........................................................................................................67
Expressing Impact in Business Terms..................................................................................................................................68
Expressing Frequency...........................................................................................................................................................72
Risk Scenarios in Risk Response (Reduction).....................................................................................................................72

Chapter 7. Risk Scenario Analysis Examples.......................................................................................................75

How to Read Risk Scenario Analysis...................................................................................................................................75
01 Portfolio Establishment and Maintenance ......................................................................................................................76
02 Programme/Projects Life Cycle Management................................................................................................................85
03 IT Investment Decision Making......................................................................................................................................97
04 IT Expertise and Skills...................................................................................................................................................107
05 Staff Operations.............................................................................................................................................................119
06 Information.....................................................................................................................................................................127
07 Architecture....................................................................................................................................................................137
08 Infrastructure..................................................................................................................................................................146
09 Software.........................................................................................................................................................................159
10 Business Ownership of IT.............................................................................................................................................170
11 Suppliers.........................................................................................................................................................................179
12 Regulatory Compliance.................................................................................................................................................189
13 Geopolitical....................................................................................................................................................................199
14 Infrastructure Theft or Destruction................................................................................................................................209
15 Malware..........................................................................................................................................................................219
16 Logical Attacks...............................................................................................................................................................229
17 Industrial Action.............................................................................................................................................................239
18 Environmental................................................................................................................................................................249
19 Acts of Nature................................................................................................................................................................253
20 Innovation.......................................................................................................................................................................263

Appendix 1. Risk Scenario Analysis Template...................................................................................................................273

Appendix 2. Glossary............................................................................................................................................................277

Appendix 3. Processes for Governance and Management of Enterprise IT...................................................................279

List of Figures

Figure 1—Risk Scenario Overview...........................................................................................................................................9

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits.....................................................................10

Figure 3—Document Overview and Guidance on its Use......................................................................................................11

Figure 4—IT Risk Categories..................................................................................................................................................13

Figure 5—Risk Duality............................................................................................................................................................13

Figure 6—Two Perspectives on Risk.......................................................................................................................................14

Figure 7—Scope of COBIT 5 for Risk.....................................................................................................................................14

Figure 8—Risk Scenario Overview.........................................................................................................................................15

Figure 9—Risk Factors.............................................................................................................................................................17

Figure 10—Internal Risk Factor Considerations.....................................................................................................................18

Figure 11—Risk Scenarios Structure......................................................................................................................................20

Figure 12—Risk Scenario Technique Main Focus Areas........................................................................................................21

Figure 13—Characteristics of Good Risk Scenarios...............................................................................................................22

Figure 14—Example Risk Scenarios.......................................................................................................................................23

Figure 15—Enterprise Goals...................................................................................................................................................70

Figure 16—Probability Rating.................................................................................................................................................72

Figure 17—Risk Response Workflow......................................................................................................................................73

Figure 18—COBIT 5 Process Reference Model...................................................................................................................279

Chapter 1
Introduction
Background
Risk scenario analysis is an important component of enterprise risk management (ERM) (figure 1). This technique is
a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA has
issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping their
enterprises manage their risk portfolios.

Figure 1—Risk Scenario Overview

The figure shows the risk management process (APO12) together with all related enablers. The process practices depicted are APO12.01 Collect Data, APO12.02 Analyse Risk, APO12.03 Maintain a Risk Profile, APO12.04 Articulate Risk, APO12.05 Define a Risk Management Action Portfolio and APO12.06 Respond to Risk. The related enablers listed are Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; and People, Skills and Competencies. Risk scenarios are derived top down from business goals (identify business objectives; identify scenarios with the highest impact on achievement of business objectives) and bottom up from generic risk scenarios (identify hypothetical scenarios; reduce through high-level analysis). The risk factors shown are internal environmental factors, external environmental factors, risk management capabilities and IT-related risk management capabilities.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 34

Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios
that can be used for risk analysis and assessment. Risk Scenarios Using COBIT 5 for Risk provides readers with potential
scenarios to consider in their own organizations. The scenarios are meant to be tailored: scenarios will need to be added,
removed and amended to produce a focused set of relevant scenarios that fit the organization’s specific risk, risk appetite and
business needs.

Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is a
process used to identify and evaluate risk, its potential effects and the probability of a particular event. Risk
assessment is slightly broader, and includes the preliminary and ancillary activities of risk analysis, i.e., the identification
of detailed risk scenarios and the definition of responses such as mitigation plans and the description of existing controls.
Risk analysis and assessment is a core approach to bring realism, insight, organizational engagement, improved analysis and
structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk, and are one of
the key information items needed to identify, analyze and respond to risk (COBIT 5 process APO12).

Purpose of This Publication

Risk Scenarios Using COBIT 5 for Risk focuses on the development of IT-related risk scenarios and should be read in the
context of COBIT 5 for Risk and the COBIT 5 framework. The publication provides a high-level overview of risk concepts,
along with 60 risk scenario examples covering all 20 categories described in COBIT 5 for Risk. An accompanying tool kit
is available on the ISACA web site and contains interactive risk scenario templates for each of the 20 categories.

The main purpose of Risk Scenarios Using COBIT 5 for Risk is to give guidance on the development of IT-related risk
scenarios. These scenarios are based on the determination of the value of an asset or a business process. The potential threats
and vulnerabilities that can lead to a loss event should be considered, as well as the potential benefits of more effective and
efficient achievement of business objectives and of protecting or increasing business value. The secondary purpose of this
publication is to provide guidance on how to respond to risk that exceeds the enterprise’s tolerance level. Special guidance is
given on how the COBIT 5 enablers can help in risk management activities.

Who Should Use This Guide?

The intended audience for Risk Scenarios Using COBIT 5 for Risk is extensive, and includes any person responsible for
helping the enterprise manage risk. Risk management professionals, in particular, can benefit from this publication and
the guidance provided to develop risk scenario analysis to support ERM efforts. IT and business professionals, in general,
benefit from the concepts and practices described in this publication and can better understand the role they can play in the
ERM process.

The adoption of risk scenario analysis can help satisfy requirements from multiple stakeholders. Figure 2 describes the
potential stakeholder benefits that risk scenario analysis can provide.

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits

Role/Function: Benefits of Adopting Risk Scenarios Using COBIT 5 for Risk
Board and executive management: Better understanding of the implications of IT risk to enterprise strategic objectives and how to better use IT for successful strategy execution
Chief risk officer (CRO) and corporate risk managers for enterprise risk management (ERM): Assistance with managing IT risk, in line with generally accepted ERM principles, and incorporating IT risk into enterprise risk
Operational risk managers: Linking their ERM framework to COBIT 5 for Risk; identification of operational losses or development of key risk indicators (KRIs)
IT management: Better understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers
IT service managers: Enhancement of their view of operational risk
IT security: Positioning of security risk among other categories of IT risk
Information security/chief information security officer (CISO): Positioning IT risk within the enterprise information risk management structure
Chief financial officer (CFO): Gaining a better view of IT risk and its financial implications
Business: Better understanding and management of IT risk in line with business objectives
Internal auditors: Better analysis of risk in support of audit plans and reports
Compliance: Advise the risk function with regards to compliance requirements and their potential impact on the enterprise
General counsel: Advise the risk function on regulation-related risk and potential impact or legal implications on the enterprise
Regulators: Support assessment of regulated enterprises’ IT risk management approach and the impact of risk on regulatory requirements
External auditors: Additional guidance on exposure levels when establishing an opinion over the quality of internal control
Insurers: Help establish adequate IT insurance coverage and obtain agreement on exposure levels
IT contractors and subcontractors: Better alignment of utility and warranty of IT services provided; understanding of responsibilities arising from risk assessment

Scope and Approach

The practical guidance in this publication is specifically dedicated to the preparation of IT-related risk scenarios and risk
scenario analysis. Risk Scenarios Using COBIT 5 for Risk describes, at a high level, risk management concepts and the
different steps needed to prepare a complete risk scenario analysis. Figure 3 provides a brief description of each chapter
and appendix.

Figure 3—Document Overview and Guidance on its Use

Chapter: Description
Chapter 1. Introduction: Presents an overview of who should use this guidance, the scope and approach, and provides prerequisite guidance
Chapter 2. High-level Description of Risk Management Concepts: Describes at a high level the concepts of risk management on which this guidance is based
Chapter 3. Risk Scenarios Explained: Gives a definition of risk scenarios; explains how a risk scenario workflow can be developed and how risk factors can be used in the context of risk scenarios; gives the characteristics of good scenarios
Chapter 4. Generic Risk Scenarios: Contains example IT-related generic risk scenario categories and some practical advice on how to best use these examples
Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios: Provides examples that show how to use COBIT 5 enablers to respond to the risk scenario examples described in chapter 4
Chapter 6. Expressing and Describing Risk: Describes the additional components necessary to prepare a comprehensive risk scenario analysis; describes processes that can be used to analyse risk impact and frequency; and describes possible risk response options
Chapter 7. Detailed Example Risk Scenarios: Contains over 50 risk scenario analyses and describes the COBIT 5 enablers that can be used to respond in each particular scenario
Appendix 1. Risk Scenario Analysis Template: Provides a comprehensive risk scenario analysis template
Appendix 2. Glossary: Defines the key terms that are used throughout this guide
Appendix 3. Processes for Governance and Management of Enterprise IT: Shows the 37 governance and management processes defined in COBIT 5 and their respective activities as defined in COBIT 5: Enabling Processes

Prerequisite Knowledge
Risk Scenarios Using COBIT 5 for Risk builds on COBIT 5 for Risk. The key concepts about the use of scenarios from
COBIT 5 for Risk are repeated in this guide, making it a fairly stand-alone guide, in essence not requiring any prerequisite
knowledge. However, an understanding of COBIT 5 for Risk will accelerate the comprehension of the contents of this
guide. In addition, some risk-relevant items that are described in detail in COBIT 5 for Risk are not repeated in Risk
Scenarios Using COBIT 5 for Risk and may require the use of other guides in the COBIT 5 product family.

For risk mitigation, Risk Scenarios Using COBIT 5 for Risk refers mainly to the COBIT 5 enablers and also to the process
reference model and COBIT 5 processes described therein. If readers wish to know more about COBIT 5 enablers, e.g.,
to implement or improve some of them as part of a risk response (mitigation), they are referred to the following COBIT 5
product family guides: the COBIT 5 framework, COBIT 5: Enabling Processes and COBIT 5: Enabling Information.

Chapter 2
High-level Description of Risk Management Concepts [1]
Risk is generally defined as the combination of the probability of an event and its consequence (ISO Guide 73).
Consequences are that enterprise objectives are not met. COBIT 5 for Risk defines IT risk as business risk, specifically,
the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an
enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both
uncertain frequency and impact and creates challenges in meeting strategic goals and objectives.

Figure 4 shows that for all categories of downside IT risk (‘Fail to Gain’ and ‘Lose’ business value) there is an equivalent
upside (‘Gain’ and ‘Preserve’ business value).

Figure 4—IT Risk Categories

For each category, downside risk (fail to gain or lose business value) has an upside counterpart (gain or preserve business value):
IT benefit/value enablement (fail to gain vs. gain): technology enabler for new business initiatives; technology enabler for efficient operations
IT programme and project delivery: project quality; project relevance; project overrun
IT operations and service delivery (lose vs. preserve): IT service interruptions; security problems; compliance issues

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 5

It is important to keep this upside/downside duality of risk in mind (see figure 5) during all risk-related decisions.

Figure 5—Risk Duality

Positive outcomes (value creation or preservation): well governed and managed information and technology delivers business benefits and/or preserves value, e.g., new IT-enabled business opportunities, enhanced business opportunities, sustainable competitive advantage.
Negative outcomes (value destruction or fail to gain): poorly governed and managed information and technology will destroy value or fail to deliver benefits, e.g., unrealised or reduced business value, missed IT-enabled business opportunities, adverse IT-related events destroying value.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 6

[1] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.


COBIT 5 for Risk explains the following two perspectives on how to use COBIT 5 in a risk context (figure 6):
• Risk function perspective—Describes what is needed in an enterprise to build and sustain efficient and effective core
risk governance and management activities.
• Risk management perspective—Describes how the core risk management process of identifying, analysing, responding
to and reporting on risk can be assisted by the COBIT 5 enablers.

Figure 6—Two Perspectives on Risk

Risk function perspective: describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers.
Risk management perspective: looks at core risk governance and risk management processes and risk scenarios, and describes how risk can be mitigated by using COBIT 5 enablers.
Both perspectives draw on the seven COBIT 5 enablers: principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; people, skills and competencies.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 8

Figure 7 shows the scope of COBIT 5 for Risk and the relationship between risk scenarios and the risk management
perspective. Risk scenarios support this perspective by providing a link between the identified risk and the COBIT 5
enablers that can be used to mitigate it.

Figure 7—Scope of COBIT 5 for Risk

COBIT 5 for Risk covers two areas: the COBIT 5 enablers for the risk function (risk function perspective) and the core risk processes (risk management perspective), the latter including risk scenarios and their mapping to COBIT 5 enablers from the COBIT 5 framework and COBIT 5: Enabling Processes. Both rest on enterprise risk management standards (COSO ERM, ISO 31000, ISO/IEC 27005 and others) and IT management frameworks (ITIL, ISO/IEC 20000, ISO/IEC 27001/2 and others).

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 10

Chapter 3
Risk Scenarios Explained [2]
A key information item used in the COBIT 5 core risk management process APO12 is the risk scenario (figure 8).

Figure 8—Risk Scenario Overview

The risk management process (APO12) consists of six practices: APO12.01 Collect data; APO12.02 Analyse risk; APO12.03 Maintain a risk profile; APO12.04 Articulate risk; APO12.05 Define a risk management action portfolio; APO12.06 Respond to risk. All related enablers (principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information; services, infrastructure and applications; people, skills and competencies) support it.

Risk scenarios feed this process from two directions. Top down, from business goals: identify business objectives, then identify the scenarios with the highest impact on achievement of those objectives. Bottom up, from generic IT-related risk scenarios: identify hypothetical scenarios, then reduce them through high-level analysis. Both directions are shaped by the risk factors: internal environmental factors, external environmental factors, risk management capabilities and IT-related capabilities.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 34

Risk Scenarios Defined


A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement
of the enterprise’s objectives. The impact can be positive or negative.

The core risk management process requires that risk be identified, analysed and acted on. Well-developed risk
scenarios support these activities and make them realistic and relevant to the enterprise.

Figure 8 also shows that risk scenarios can be derived via two different mechanisms:
• A top-down approach, where one starts from the overall enterprise objectives and performs an analysis of the most
relevant and probable IT risk scenarios impacting the enterprise objectives. If the impact criteria used during risk
analysis are well aligned with the real value drivers of the enterprise, relevant risk scenarios will be developed.
• A bottom-up approach, where a list of generic scenarios is used to define a set of more relevant and customised
scenarios, applied to the individual enterprise situation.

The approaches are complementary and should be used together. Risk scenarios must be relevant and linked to real
business risk; at the same time, a set of example generic risk scenarios can help identify risk, reduce the chance of
overlooking major or common risk scenarios, and provide a comprehensive reference for IT risk. However, the specific
risk items and critical business requirements of each enterprise must be considered in the enterprise risk scenarios.

Note: Do not over-rely on the list of example generic risk scenarios. The list, although quite comprehensive, broad and
covering most potential risk items, needs to be adapted to the enterprise-specific situation. It is not intended that, going
forward, all IT risk management will use the same set of pre-defined IT risk scenarios. Rather, it is encouraged that this list
be used as a basis for the development of specific, relevant scenarios.

[2] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.


Developing Risk Scenarios Workflow


In practice, the following approach is suggested:
• Use the list of example generic risk scenarios (see figure 14 in chapter 4, Generic Risk Scenarios) to define a
manageable set of tailored risk scenarios for the enterprise. To determine a manageable set of scenarios a business
might begin by considering commonly occurring scenarios in its industry or product area, scenarios representing
threat sources that are increasing in number or severity, and scenarios that involve legal and regulatory requirements
applicable to the business. Another approach might be to identify high-risk business units and assess one or two
high-risk operating processes within each, including the IT components that enable that process. Also, some less
common situations should be included in the scenarios.
• Perform a validation against the business objectives of the entity. Do the selected risk scenarios address potential
impacts on achievement of business objectives of the entity, in support of the overall enterprise’s business objectives?
• Refine the selected scenarios based on this validation; detail them to a level in line with the criticality of the entity.
• Reduce the number of scenarios to a manageable set. ‘Manageable’ does not signify a fixed number, but should
be in line with the overall importance (size) and criticality of the unit. There is no general rule, but if scenarios are
reasonably and realistically scoped, the enterprise should expect to develop at least a few dozen scenarios.
• Keep all scenarios in a list so they can be re-evaluated in the next iteration and included for detailed analysis if they
have become relevant at that time.
• Include in the scenarios an unspecified event, e.g., an incident not covered by other scenarios.

Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenario are
assessed. Important components of this assessment are the risk factors.

The enterprise can also consider evaluating scenarios that have a chance of occurring simultaneously. This is frequently
referred to as ‘stress’ testing and actually entails combining multiple scenarios and understanding what the extra impact
would be of them occurring together.

Risk Factors
Risk factors are those conditions that influence the frequency and/or business impact of risk scenarios. They can be of
different natures and can be classified into two major categories:
• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an
enterprise has over them:
– Internal contextual factors—To a large extent, are under the control of the enterprise, although they may not always be
easy to change
– External contextual factors—To a large extent, are outside the control of the enterprise
• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities. They can be
distinguished in line with the COBIT 5 framework:
– IT risk management capabilities—Indicate to what extent the enterprise is mature in performing the risk management
processes
– IT-related capabilities—Indicate the capability of the IT-related COBIT 5 enablers

The importance of risk factors lies in the influence they have on risk. They are heavy influencers on the frequency and
impact of IT scenarios and should be taken into account during every risk analysis.

Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities or
weaknesses. These are terms often used in other risk management frameworks.

Scenario analysis should not only be based on past experience and known current events, but should also look forward
to possible future circumstances. Future risk could be related to emerging technologies, new regulations, demographic
changes and new business initiatives.

Risk factors change over time; therefore, scenarios will also change. This change requires an enterprise to perform
continuous risk assessments and risk monitoring. Risk assessment that is based on the scenarios should be performed at
least on an annual basis, and when an important change in internal or external risk factors occurs.

Figure 9 depicts risk factors, which are discussed in more detail in the following paragraphs.


Figure 9—Risk Factors

External context: market and economic factors; rate of change in the market/product life cycle; industry and competition; geopolitical situation; regulatory environment; technology status and evolution; threat landscape
Internal context: enterprise goals and objectives; strategic importance of IT for the business; complexity of IT; complexity of the entity and degree of change; change management capability; operating model; strategic priorities; culture of the enterprise; financial capacity
Risk management capabilities: risk governance; risk management
IT-related capabilities: evaluate, direct and monitor (EDM); align, plan and organise (APO); build, acquire and implement (BAI); deliver, service and support (DSS); monitor, evaluate and assess (MEA)

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 35

External Context
Contextual IT risk factors, i.e., those circumstances that can increase the frequency or impact of an event and which are not
always directly controllable by the enterprise, include:
• Market/economic factors—The industry sector in which the enterprise operates; e.g., operating in the financial sector
imposes different IT requirements and demands different IT capabilities than operating in a manufacturing environment.
Other economic factors can be included as well, e.g., nationalisation, mergers and acquisitions, consolidations.
• Rate of change in the market in which the enterprise operates—Are business models changing fundamentally? Is the
product or service at a critical point in its life cycle?
• Competitive environment—Market, industry or region in which the enterprise operates
• Geopolitical situation—Is the geographic location subject to frequent natural disasters? Does the local political and
overall economic context represent an additional risk?
• Regulatory environment—Is the enterprise subject to new or stricter IT-related regulations or regulations
impacting IT? Are there any other compliance requirements beyond regulation, e.g., industry-specific, contractual?
• Technology status and evolution—Is the enterprise using state-of-the-art technology and, more important, how fast
are relevant technologies evolving?
• Threat landscape—How are relevant threats evolving in terms of frequency of occurrence and level of capability?

Risk factors in the external context are outside of an enterprise’s control. Therefore, the enterprise is limited in the direct
actions that it can take to manage such risk. However, the enterprise can deal with the risk by developing strategies
to prevent exposures, avoid risk and respond to an incident efficiently and effectively when the risk materialises, e.g.,
building dikes to prevent flooding, moving to an area not subject to flooding, and procuring insurance can all be used to
contend with natural disasters such as floods.


Internal Context
Internal risk factors include:
• Enterprise goals and objectives—What are the needs of the stakeholders and how could these be impacted by risk?
• Strategic importance of IT in the enterprise—Is IT a strategic differentiator, a functional enabler or a supporting function?
• Complexity of IT—Is IT highly complex (e.g., complex architecture, recent mergers) or is IT simple, standardised
and streamlined?
• Complexity of the enterprise (including geographic spread and value chain coverage, e.g., in a manufacturing
environment)—Does the enterprise manufacture and distribute parts, and/or is it also doing assembly activities?
• Degree of change—What degree of change is the enterprise experiencing?
• Change management capability—To what extent is the enterprise capable of organisational change?
• The risk management philosophy—What is the risk philosophy of the enterprise (risk averse or risk taking) and, linked
with that, the values of the enterprise?
• Operating model—The degree to which the enterprise operates independently or is connected to its clients/suppliers, and
the degree of centralisation/decentralisation
• Strategic priorities—What are the strategic priorities of the enterprise?
• Culture of the enterprise—Does the existing culture of the enterprise require changing to be able to effectively embrace
risk management?
• Financial capacity—The capacity of the enterprise to provide financial support to enhance and maintain the IT
environment while optimising risk

When considering the internal risk factors during the development and/or refinement of the scenarios the following
considerations should be taken into account (figure 10):

Figure 10—Internal Risk Factor Considerations

Importance of Integrity and Ethics of Enterprise Management: An enterprise’s strategy and objectives, and the way they are implemented, are based on preferences, value judgments and management styles. Management’s integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an enterprise’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with the law. Management values must balance the concerns of the enterprise, employees, suppliers, customers, competitors and the public. Managers of well-run enterprises increasingly have accepted the view that good ethics pay off, and that ethical behavior is good for the business. An enterprise that operates with a high degree of ethics may have a lower incidence of risk related to fraud or misappropriation. Integrity and ethical values are essential elements of an enterprise’s internal environment and affect the design, administration and monitoring of other enterprise risk management (ERM) components.

Role of Enterprise Management in Determining Enterprise Culture: Top management—starting with the chief executive officer (CEO)—plays a key role in determining the corporate culture or, as some say, the “Tone at the Top.” As the dominant personality in an enterprise, the CEO often sets the ethical tone. Certain organizational factors also can influence the likelihood of fraudulent and creative accounting. Those same factors are likely to influence ethical behavior. Individuals may engage in dishonest, illegal or unethical acts simply because the enterprise gives them strong incentives or temptations to do so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment.

Management Determination of Competency Levels: Competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how much to invest in making sure that tasks are executed properly using skilled resources, equipment and defined processes. This requires weighing the enterprise’s strategy and objectives against plans for their implementation and achievement. A trade-off often exists between competence and cost. The risk of failure is higher with untrained staff, poorly maintained or old equipment, or undefined procedures.

Board of Directors Role in the Internal Environment: An enterprise’s board of directors is a critical part of the internal environment and significantly influences its elements. The board plays a role in risk governance through independent oversight of management, scrutiny of activities, and review of the appropriateness of the enterprise’s risk appetite and strategy. An active and involved board of directors should possess an appropriate degree of management, financial, technical and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities. This is critical to an effective ERM environment, as the board must be prepared to question and scrutinize management’s activities, present alternative views, and act in the face of wrongdoing.

Impact of Enterprise Organizational Structure: An enterprise’s organizational structure provides the framework to plan, execute, control and monitor its activities. Whatever the structure, an enterprise should be organized to enable effective ERM and to carry out its activities to achieve its objectives.

Assignment of Authority and Responsibility: Assignment of authority and responsibility involves the degree to which individuals and teams are authorized (and limited by their authority) and encouraged to use initiative to address issues and solve problems. This also includes the development and enforcement of policies for appropriate business practices, the knowledge of key personnel and the resources provided for carrying out duties.

Impact of Delegation: Along with better, market-driven decisions, delegation may increase the number of undesirable or unanticipated decisions. The internal environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true all the way to the chief executive, who, with board oversight, has ultimate responsibility for all activities within an enterprise.

Impact of Human Resource (HR) Practices: HR practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating and taking remedial actions should send messages to employees regarding expected levels of integrity, ethical behavior and competence.

Adapted from: ISACA, CRISC™ Review Manual 2014, USA, 2012, pp. 39-41.

Risk Management Capability


Risk management capability is an indication of how well the enterprise is executing the core risk management processes
and the related enablers. This can be measured by using a risk scorecard. The better performing the enablers are, the more
capable the risk management programme is.

This factor is correlated with the capability of the enterprise to recognise and detect risk and adverse events; therefore, it
should not be neglected.

Risk management capability is a very significant element in the frequency and impact of risk events in an enterprise
because it is responsible for management’s risk decisions (or lack thereof), as well as for the presence, absence and/or
effectiveness of controls that exist within an enterprise.

IT-related Capability
IT-related capabilities are associated with the capability level of IT processes and all other enablers. The generic enabler
model in COBIT 5 contains an enabler performance model supporting capability assessments. A high maturity with regard
to the different enablers is equivalent to high IT-related capabilities, which can have a positive influence on:
• Reducing the frequency of events, e.g., having good software development processes in place to deliver high-quality
and stable software, or having good security measures in place to reduce the number of security-related incidents
• Reducing the business impact when events happen, e.g., having a good business continuity plan (BCP)/disaster
recovery plan (DRP) in place when disaster strikes

IT Risk Scenario Structure


An IT risk scenario is a description of an IT-related event that can lead to a business impact, when and if it should occur.
For risk scenarios to be complete and usable for risk analysis purposes, they should contain the following components, as
shown in figure 11:
• Actor—Who generates the threat that exploits a vulnerability? Actors can be internal or external and they can be
human or non-human:
– Internal actors are within the enterprise, e.g., staff, contractors.
– External actors include outsiders, competitors, regulators and the market.
Not every type of threat requires an actor, e.g., failures or natural causes.
• Threat type (the nature of the event)—Is it malicious? If not, is it accidental or is it a failure of a well-defined
process? Is it a natural event?
• Event—Is it disclosure of confidential information, interruption of a system or of a project, theft or destruction?
Events also include ineffective design of systems, processes, etc.; inappropriate use; changes in rules and regulation
that will materially impact a system; or ineffective execution of processes, e.g., change management procedures,
acquisition procedures, project prioritisation processes.
• Asset/resource—On which the scenario acts. An asset is any item of value to the enterprise that can be affected by the
event and lead to business impact. A resource is anything that helps to achieve IT goals. Assets and resources can be
identical, e.g., IT hardware is an important resource because all IT applications use it, and at the same time, it is an
asset because it has a certain value to the enterprise. Assets/resources include:
– People and skills
– Organisational structures
– IT processes, e.g., modelled as COBIT 5 processes, or business processes
– Physical infrastructure, facilities, equipment, etc.
– IT infrastructure, including computing hardware, network infrastructure, middleware
– Other enterprise architecture (EA) components, including information, applications

Assets can be critical or not, e.g., a client-facing web site of a major bank compared to the web site of the local garage
or the intranet of the software development group. Critical resources will probably attract a greater number of attacks or
greater attention on failure; therefore, the frequency of related scenarios will probably be higher. It takes skill, experience
and thorough understanding of dependencies to understand the difference between a critical asset and a non-critical asset.
• Time—Dimension, where the following could be described, if relevant to the scenario:
– The duration of the event, e.g., extended outage of a service or data centre
– The timing (Does the event occur at a critical moment?)
– Detection (Is detection immediate or not?)
– Time lag between the event and consequence (Is there an immediate consequence, e.g., network failure, immediate
downtime, or a delayed consequence, e.g., wrong IT architecture with accumulated high costs over a time span of
several years?)

It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk
scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event in
figure 11). The frequency of the threat event leading to a loss event is influenced by the risk factors or vulnerability.
Vulnerability is usually a state and can be increased/decreased by vulnerability events, e.g., the weakening of controls or
by the threat strength. One should not mix these three types of events into one big ‘risk list’.

Figure 11—Risk Scenarios Structure

A risk scenario combines five components:
Actor: internal (staff, contractor); external (competitor, outsider, business partner, regulator, market)
Threat type: malicious; accidental; error; failure; nature; external requirement
Event: disclosure; interruption; modification; theft; destruction; ineffective design; ineffective execution; rules and regulations; inappropriate use
Asset/resource: people and skills; organisational structures; process; infrastructure (facilities); IT infrastructure; information; applications
Time: duration; timing occurrence (critical or non-critical); detection; time lag

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 36
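As an added worked example (not code from this publication or from ISACA), the scenario structure of figure 11 and the steps in Developing Risk Scenarios Workflow earlier in this chapter can be turned into a small scenario register in Python. The component value lists are copied from figure 11; the 0-5 score follows the guidance on risk taxonomy later in this chapter; the catch-all ‘unspecified’ event, the rule that failure and nature threats need no actor, the requirement that each scenario be validated against a business objective, and the practice of keeping every scenario in the list while retaining only a manageable subset come from the text. The `Register` class, the `frequency * impact` ranking rule and the four sample scenarios are constructed for illustration and are not prescribed by the publication.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ThreatType(Enum):
    MALICIOUS = "malicious"
    ACCIDENTAL = "accidental"
    ERROR = "error"
    FAILURE = "failure"
    NATURE = "nature"
    EXTERNAL_REQUIREMENT = "external requirement"


# Component values from figure 11; "unspecified" is added for the catch-all scenario.
EVENTS = ("disclosure", "interruption", "modification", "theft", "destruction",
          "ineffective design", "ineffective execution", "rules and regulations",
          "inappropriate use", "unspecified")
ASSETS = ("people and skills", "organisational structures", "process",
          "infrastructure (facilities)", "IT infrastructure", "information", "applications")
ACTORS = ("staff", "contractor", "competitor", "outsider", "business partner",
          "regulator", "market")
ACTORLESS = frozenset({ThreatType.FAILURE, ThreatType.NATURE})  # no actor needed
SCALE = range(0, 6)  # one 0-5 scale for frequency and impact across the enterprise


@dataclass(frozen=True)
class Scenario:
    threat_type: ThreatType
    event: str
    asset: str
    actor: Optional[str] = None
    time: str = ""          # duration, timing, detection, time lag, if relevant
    objectives: tuple = ()  # business objectives the scenario can impact
    frequency: int = 0      # assumed 0-5 score
    impact: int = 0         # assumed 0-5 score

    def problems(self) -> list:
        """Completeness checks a scenario must pass before entering the register."""
        out = []
        if self.event not in EVENTS:
            out.append(f"unknown event {self.event!r}")
        if self.asset not in ASSETS:
            out.append(f"unknown asset {self.asset!r}")
        if self.actor is None and self.threat_type not in ACTORLESS:
            out.append(f"{self.threat_type.value} threat needs an actor")
        if self.actor is not None and self.actor not in ACTORS:
            out.append(f"unknown actor {self.actor!r}")
        if not self.objectives:
            out.append("not validated against any business objective")
        if self.frequency not in SCALE or self.impact not in SCALE:
            out.append("frequency and impact must use the 0-5 scale")
        return out

    @property
    def rating(self) -> int:
        return self.frequency * self.impact  # constructed ranking rule for the example


def full_combination_count() -> int:
    """Exhaustive (actor or none) x threat type x event x asset grid, ignoring time."""
    return (len(ACTORS) + 1) * len(ThreatType) * len(EVENTS) * len(ASSETS)


class Register:
    """Keeps every scenario raised; retains only a manageable subset for analysis."""
    def __init__(self) -> None:
        self.all = {}       # id -> Scenario, never pruned
        self.retained = []  # ids selected for detailed analysis this iteration

    def add(self, sid: str, scenario: Scenario) -> None:
        issues = scenario.problems()
        if issues:
            raise ValueError(f"{sid}: " + "; ".join(issues))
        self.all[sid] = scenario

    def has_catch_all(self) -> bool:
        return any(s.event == "unspecified" for s in self.all.values())

    def select(self, limit: int) -> list:
        ranked = sorted(self.all, key=lambda k: self.all[k].rating, reverse=True)
        self.retained = ranked[:limit]
        return self.retained


def demo() -> Register:
    reg = Register()  # four constructed scenarios: three specific ones and the catch-all
    reg.add("S01", Scenario(ThreatType.MALICIOUS, "disclosure", "information", actor="outsider",
                            time="detected weeks later", objectives=("customer trust",),
                            frequency=3, impact=5))
    reg.add("S02", Scenario(ThreatType.FAILURE, "interruption", "IT infrastructure",
                            time="extended outage at month-end close",
                            objectives=("timely financial reporting",), frequency=2, impact=4))
    reg.add("S03", Scenario(ThreatType.ERROR, "ineffective execution", "process", actor="staff",
                            objectives=("stable change delivery",), frequency=4, impact=3))
    reg.add("S99", Scenario(ThreatType.ACCIDENTAL, "unspecified", "applications", actor="staff",
                            objectives=("any",), frequency=1, impact=1))
    reg.select(limit=2)
    return reg
```

`full_combination_count()` returns the size of the exhaustive actor, threat type, event and asset grid (3,360 even before the time dimension is considered), which is the unfeasible number the text warns against generating; the register instead holds only the scenarios the enterprise actually raises, rejects any that lack a required component or a link to a business objective, keeps all of them for the next iteration, and marks the subset retained for detailed analysis.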

Chapter 4 Generic Risk Scenarios and chapter 7 Detailed Example Risk Scenarios contain IT risk scenarios that are built
in line with the model described in the previous paragraphs. The sets of scenarios contain examples of negative outcomes,
but also examples where a risk, when managed well, can lead to a positive outcome.

Main Issues When Developing and Using Risk Scenarios


The use of scenarios is key to risk management, and the technique is applicable to any enterprise. Each enterprise needs to
build a set of scenarios (containing the components described previously) as a starting point to conduct its risk analysis.

Building a complete set of scenarios means—in theory—that each possible value of every component should be
combined. Each combination should then be assessed for relevance and realism and, if found to be relevant, entered into
the risk register. In practice, this is not possible; very quickly, an unfeasible number of different risk scenarios can be
generated. The number of scenarios to be developed and analysed should be kept to a relatively small number in order to
remain manageable.


Figure 12 shows some of the main areas of focus/issues to address when using the risk scenario technique.

Figure 12—Risk Scenario Technique Main Focus Areas

Focus/Issue: Maintain currency of risk scenarios and risk factors.
Summary Guidance: Risk factors and the enterprise change over time; hence, scenarios will change over time, over the course of a project or over the evolution of technology.
For example, it is essential that the risk function develop a review schedule and the CIO works with the business lines to review and update scenarios for relevance and importance. Frequency of this exercise depends on the overall risk profile of the enterprise and should be done at least on an annual basis, or when important changes occur.

Focus/Issue: Use generic risk scenarios as a starting point and build more detail where and when required.
Summary Guidance: One technique of keeping the number of scenarios manageable is to propagate a standard set of generic scenarios through the enterprise and develop more detailed and relevant scenarios when required and warranted by the risk profile only at lower (entity) levels. The assumptions made when grouping or generalising should be well understood by all and adequately documented because they may hide certain scenarios or be confusing when looking at risk response.
For example, if ‘insider threat’ is not well defined within a scenario, it may not be clear whether this threat includes privileged and non-privileged insiders. The differences between these aspects of a scenario can be critical when one is trying to understand the frequency and impact of events, as well as mitigation opportunities.

Focus/Issue: Number of scenarios should be representative and reflect business reality and complexity.
Summary Guidance: Risk management helps to deal with the enormous complexity of today’s IT environments by prioritising potential action according to its value in reducing risk. Risk management is about reducing complexity, not generating it; hence, another plea for working with a manageable number of risk scenarios. However, the retained number of scenarios still needs to accurately reflect business reality and complexity.

Focus/Issue: Risk taxonomy should reflect business reality and complexity.
Summary Guidance: There should be a sufficient number of risk scenario scales reflecting the complexity of the enterprise and the extent of exposures to which the enterprise is subject.
Potential scales might be a ‘low, medium, high’ ranking or a numeric scale that scores risk importance from 0 to 5. Scales should be aligned throughout the enterprise to ensure consistent scoring.

Focus/Issue: Use generic risk scenario structure to simplify risk reporting.
Summary Guidance: Similarly, for risk reporting purposes, entities should not report on all specific and detailed scenarios, but could do so by using the generic risk structure.
For example, an entity may have taken generic scenario 15 (project quality), translated it into five scenarios for its major projects, subsequently conducted a risk analysis for each of the scenarios, then aggregated or summarised the results and reported back using the generic scenario header ‘project quality’.

Focus/Issue: Ensure adequate people and skills requirements for developing relevant risk scenarios.
Summary Guidance: Developing a manageable and relevant set of risk scenarios requires:
• Expertise and experience, to not overlook relevant scenarios and not be drawn into highly unrealistic³ or irrelevant scenarios. While the avoidance of scenarios that are unrealistic or irrelevant is important in properly utilising limited resources, some attention should be paid to situations that are highly infrequent and unpredictable, but which could have a cataclysmic impact on the enterprise.
• A thorough understanding of the environment. This includes the IT environment (e.g., infrastructure, applications, dependencies between applications, infrastructure components), the overall business environment, and an understanding of how and which IT environments support the business environment to understand the business impact.
• The intervention and common views of all parties involved—senior management, which has the decision power; business management, which has the best view on business impact; IT, which has the understanding of what can go wrong with IT; and risk management, which can moderate and structure the debate amongst the other parties.
• The process of developing scenarios usually benefits from a brainstorming/workshop approach, where a high-level assessment is usually required to reduce the number of scenarios to a manageable, but relevant and representative, number.

Focus/Issue: Use the risk scenario building process to obtain buy-in.
Summary Guidance: Scenario analysis is not just an analytical exercise involving ‘risk analysts’. A significant additional benefit of scenario analysis is achieving organisational buy-in from enterprise entities and business lines, risk management, IT, finance, compliance and other parties. Gaining this buy-in is the reason why scenario analysis should be a carefully facilitated process.

Focus/Issue: Involve first line of defence in the scenario building process.
Summary Guidance: In addition to co-ordinating with management, it is recommended that selected members of the staff who are familiar with the detailed operations be included in discussions, where appropriate. Staff whose daily work is in the detailed operations are often more familiar with vulnerabilities in technology and processes that can be exploited.

Focus/Issue: Do not focus only on rare and extreme scenarios.
Summary Guidance: When developing scenarios, one should not focus only on worst-case events because they rarely materialise, whereas less-severe incidents happen more often.

Focus/Issue: Deduce complex scenarios from simple scenarios by showing impact and dependencies.
Summary Guidance: Simple scenarios, once developed, should be further fine-tuned into more complex scenarios, showing cascading and/or coincidental impacts and reflecting dependencies. For example:
• A scenario of having a major hardware failure can be combined with the scenario of failed DRP.
• A scenario of major software failure can trigger database corruption and, in combination with poor data management backups, can lead to serious consequences, or at least consequences of a different magnitude than a software failure alone.
• A scenario of a major external event can lead to a scenario of internal apathy.

Focus/Issue: Consider systemic and contagious risk.
Summary Guidance: Attention should be paid to systemic and/or contagious risk scenarios:
• Systemic—Something happens with an important business partner, affecting a large group of enterprises within an area or industry. An example would be a nationwide air traffic control system that goes down for an extended period of time, e.g., six hours, affecting air traffic on a very large scale.
• Contagious—Events that happen at several of the enterprise’s business partners within a very short time frame. An example would be a clearinghouse that can be fully prepared for any sort of emergency by having very sophisticated disaster recovery measures in place, but when a catastrophe happens, finds that no transactions are sent by its providers and hence is temporarily out of business.

Focus/Issue: Use scenario building to increase awareness for risk detection.
Summary Guidance: Scenario development also helps to address the issue of detectability, moving away from a situation where an enterprise ‘does not know what it does not know’. The collaborative approach for scenario development assists in identifying risk to which the enterprise, until then, would not have realised it was subject (and hence would never have thought of putting in place any countermeasures). After the full set of risk items is identified during scenario generation, risk analysis assesses frequency and impact of the scenarios.
Questions to be asked include:
• Will the enterprise ever detect that the risk scenario has materialised?
• Will the enterprise notice something has gone wrong so it can react appropriately?
Generating scenarios and creatively thinking of what can go wrong will automatically raise and, hopefully, cause response to, the question of detectability. Detectability of scenarios includes two steps: visibility and recognition. The enterprise must be in a position that it can observe anything going wrong, and it needs the capability to recognise an observed event as something wrong.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 37

³ Unrealistic signifies not fixed in time or static. What used to be unthinkable, mainly because it never happened or because it happened too long ago, becomes realistic as soon as it occurs again. A striking example is the 11 September 2001 terrorist attacks in the US. It is human nature for things that have not yet happened, even when they are theoretically possible, to be estimated as not possible or extremely unlikely. Only when they occur will they be taken seriously in risk assessments. This may be regarded as lack of foresight or lack of due care, but it is actually the essence of risk management—trying to shape and contain the future based on past experience and future predictions.
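The following added example (not part of the ISACA publication) puts three of the focus areas above into a small risk register: an enterprise-wide 0 to 5 scale, entity-level scenarios derived from a generic category and rolled back up to the generic header for reporting, and a check for scenarios with no detection mechanism. The generic codes come from figure 14; the detailed scenarios, scores and detection notes are constructed, and rolling up by the highest frequency x impact score is this example's own choice.

```python
from dataclasses import dataclass
from typing import Optional

# Enterprise-wide numeric scale (0 to 5), aligned across entities so scores are comparable.
SCALE_MIN, SCALE_MAX = 0, 5

# Generic scenario categories used as reporting headers (codes taken from figure 14).
GENERIC_CATEGORIES = {
    "02": "Programme/projects life cycle management",
    "09": "Software",
    "15": "Malware",
}


@dataclass
class DetailedScenario:
    ref: str                         # entity-level reference (constructed)
    generic: str                     # generic category this scenario was derived from
    title: str
    frequency: int                   # 0 to 5 on the enterprise scale
    impact: int                      # 0 to 5 on the enterprise scale
    detection: Optional[str] = None  # how the entity would notice the scenario materialising


def validate(scenarios, categories=GENERIC_CATEGORIES):
    """Return a list of problems; an empty list means the register is well-formed."""
    problems = []
    for s in scenarios:
        if s.generic not in categories:
            problems.append(f"{s.ref}: unknown generic category {s.generic!r}")
        for name, value in (("frequency", s.frequency), ("impact", s.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                problems.append(f"{s.ref}: {name} {value} outside scale {SCALE_MIN}-{SCALE_MAX}")
    return problems


def band(score):
    """Map a frequency x impact score (0 to 25) onto the shared low/medium/high ranking."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def aggregate(scenarios, categories=GENERIC_CATEGORIES):
    """Roll detailed scenarios up to their generic header for reporting.

    Per generic category: number of detailed scenarios, the highest score and
    which scenario carries it, the resulting band, and scenarios that carry no
    detection mechanism (the 'does not know what it does not know' case).
    """
    report = {}
    for s in scenarios:
        entry = report.setdefault(s.generic, {
            "category": categories.get(s.generic, "unknown"),
            "count": 0, "max_score": 0, "worst": None, "undetectable": [],
        })
        score = s.frequency * s.impact
        entry["count"] += 1
        if score > entry["max_score"]:
            entry["max_score"], entry["worst"] = score, s.ref
        if s.detection is None:
            entry["undetectable"].append(s.ref)
    for entry in report.values():
        entry["band"] = band(entry["max_score"])
    return report


# Constructed sample register: five project scenarios under generic 02, plus one each under 09 and 15.
SAMPLE_REGISTER = [
    DetailedScenario("02-PRJ-CRM", "02", "CRM replacement slips past contract renewal", 3, 4, "weekly milestone review"),
    DetailedScenario("02-PRJ-ERP", "02", "ERP upgrade budget overrun", 4, 4, "monthly cost report"),
    DetailedScenario("02-PRJ-WEB", "02", "Web portal delivered without acceptance testing", 2, 3),
    DetailedScenario("02-PRJ-DWH", "02", "Data warehouse scope creep", 3, 2, "change request log"),
    DetailedScenario("02-PRJ-MOB", "02", "Mobile app project not terminated after sponsor left", 1, 3),
    DetailedScenario("09-SW-PATCH", "09", "Failed patch cannot be rolled back", 2, 5, "deployment pipeline alert"),
    DetailedScenario("15-MAL-LAP", "15", "Laptop malware infection", 4, 2, "endpoint protection alert"),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_REGISTER):
        print("register problem:", problem)
    for code, entry in sorted(aggregate(SAMPLE_REGISTER).items()):
        print(f"{code} {entry['category']}: {entry['count']} scenarios, "
              f"band {entry['band']} (max {entry['max_score']}, {entry['worst']}), "
              f"no detection: {entry['undetectable'] or 'none'}")
```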

Characteristics of Good Scenarios


Risk scenarios must be realistic, unbiased and reliable to provide assurance that management is making decisions based
on quality information. The benefits of using risk scenarios as part of ERM are significant, and risk professionals should
become proficient in the preparation of this important information item to help management identify, analyze and respond
to risk.

Scenarios should have the following characteristics (figure 13):

• Relevance—Scenarios should provide meaningful information to support decisions. Generic (market or industry) scenarios must be customized to reflect factors that are relevant to the enterprise.
• Consistency—Each scenario must be compelling by itself. Adequate management response depends on the credibility and completeness of the scenarios used to make decisions.
• Plausibility—Scenarios must be believable and realistic.
• Likelihood—Scenarios must, to a certain extent, be likely to occur.
• Timely—Scenarios must be prepared using the most current data to reflect the enterprise environment.

Figure 13—Characteristics of Good Risk Scenarios

| Characteristic | Explanation |
|---|---|
| Relevance for decision | Scenarios should deliver meaningful information to support decisions. Generic (market or industry) scenarios are usually not adequate enough and need to be augmented. |
| Consistency | Each scenario has to be compelling by itself. If it is not, the credibility of a scenario can be negatively affected. |
| Plausibility | Scenarios need to be realistic. They must meet principal requirements of basic feasibility. |
| Likelihood | Each scenario should, to a certain extent, be likely to occur. |
| Timely | Scenarios must reflect current events and circumstances. |

Chapter 4
Generic Risk Scenarios⁴
An IT risk scenario is a description of an IT-related event that can lead to a loss event that has a business impact, when
and if it should occur. The generic scenarios serve, after customization, as input to risk analysis activities, where the
ultimate business impact (among others) needs to be established. This chapter contains a set of generic IT risk scenarios
(figure 14), built in line with the model described in the previous sections of this guide. The set of generic scenarios
contains both negative and positive example scenarios.

A word of warning: The table with generic scenarios does not replace the creative and reflective phase that every
scenario-creating exercise should contain. In other words, it is not recommended that an enterprise blindly use this list
and assume that no other risk scenarios are possible, or assume that every scenario contained in the list is applicable to the
enterprise. Intelligence and experience are needed to derive a relevant and customized list of scenarios starting from this
generic list.

The generic risk scenarios in figure 14 include the following information:


• Risk scenario category—High-level description of the category of scenario (e.g., IT project selection). In total, there
are 20 categories.
• Risk type—The type to which scenarios derived from this generic scenario will fit, using the three risk types
explained earlier:
– IT benefit/value enablement risk—Associated with (missed) opportunities to use technology to improve the efficiency
or effectiveness of business processes or as an enabler for new business initiatives
– IT programme and project delivery risk—Associated with the contribution of IT to new or improved business
solutions, usually in the form of projects and programs
– IT operations and service delivery risk—Associated with the operational stability, availability, protection and
recoverability of IT services, which can bring destruction or reduction of value to the enterprise
• Risk scenario outcome—Positive outcomes are scenarios that can result in value creation or preservation. Negative
outcomes are scenarios that can result in value destruction or failure to gain.

A ‘P’ indicates a primary (higher degree) fit and an ‘S’ represents a secondary (lower degree) fit. Blank cells indicate that
the risk category is not relevant for the risk scenario at hand.
• Example scenarios—For each scenario category, one or several small examples are given of scenarios with a negative
outcome, indicating whether it is more of a value destruction or a failure to gain, and/or positive outcome, indicating
value gain. In total, 111 risk scenario examples are included with possible negative and/or positive outcomes.

Figure 14—Example Risk Scenarios


Risk Type Example Scenarios
and Service Delivery
and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Enablement

Ref. Risk Scenario Category Negative Example Scenarios Positive Example Scenarios
0101 Portfolio establishment Wrong programmes are selected for Programmes lead to successful new
and maintenance P P S implementation and are misaligned with business initiatives selected for execution.
corporate strategy and priorities.
0102 There is duplication between initiatives. Aligned initiatives have streamlined
P P S
interfaces.
0103 A new important programme creates long- New programmes are assessed for
P P S term incompatibility with the enterprise compatibility with existing architecture.
architecture.
0104 Competing resources are allocated and
P P S managed inefficiently and are misaligned to
business priorities.

4
Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.

23
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Figure 14—Example Risk Scenarios (cont.)


Risk Type Example Scenarios

and Service Delivery


and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Ref. Risk Scenario Category Enablement Negative Example Scenarios Positive Example Scenarios
0201 Programme/projects Failing (due to cost, delays, scope creep, Failing or irrelevant projects are stopped on
life cycle management P P S changed business priorities) projects are a timely basis.
(programme/projects not terminated.
initiation, economics,
0202 There is an IT project budget overrun. The IT project is completed within
delivery, quality and S P S
agreed-on budgets.
termination)
0203 There is occasional late IT project delivery Project delivery is on time.
S P
by an internal development department.
0204 Routinely, there are important delays in IT The project critical path is managed
P P S
project delivery. accordingly and delivery is on time.
0205 There are excessive delays in outsourced IT Communication with third parties ensures
P P S development projects. the timely delivery within agreed-on scope
and quality.
0206 Programmes/projects fail due to not Change management is conducted
obtaining the active involvement throughout appropriately throughout the life cycle of the
P P
the programme/project life cycle of all programme/project to inform stakeholders on
stakeholders (including sponsor). progress and train future users.
0301 IT investment Business managers or representatives are There is co-ordinated decision making over
decision making not involved in important IT investment IT investments between business and IT.
P S
decision making (e.g., new applications,
prioritisation, new technology opportunities).
0302 The wrong software, in terms of cost, Upfront analysis is performed and a
P S performance, features, compatibility, etc., business case is prepared to ensure the
is selected for implementation. adequate selection of software.
0303 The wrong infrastructure, in terms of cost, Upfront analysis is performed and a
P P performance, features, compatibility, etc., business case is prepared to ensure the
is selected for implementation. adequate selection of infrastructure.
0304 P P Redundant software is purchased.
0401 IT expertise and skills There is a lack of or mismatched Attracting the appropriate staff increases
P P P IT-related skills within IT, e.g., due to new the service delivery of the IT department.
technologies.
0402 There is a lack of business understanding Correct staff and skill mix supports project
P P P by IT staff affecting the service delivery/ delivery and value delivery.
projects quality.
0403 There are insufficient skills to cover the Correct skill mix and training ensures that
business requirements. there is a thorough understanding of the
P P P
business by staff and allows full coverage
of business requirements.
0404 There is an inability to recruit IT staff. The correct amount of IT staff, with
appropriate skills and competencies
S P P
is attracted to support the business
objectives.
0405 There is a lack of due diligence in the Candidates are screened to ensure that
S P P recruitment process. appropriate skills, competencies and
attitude are present.
0406 There is a lack of training leading to IT staff members are able to determine
IT staff leaving. their own training plan based on their
S P P
aspirations and domains of interest, in
collaboration with their superiors.
0407 There is insufficient return on investment Career development is made formal
regarding training due to early leaving of and individual paths are determined to
S P P
trained IT staff (e.g., MBA). ensure IT staff is motivated to stay for a
considerable amount of time.

24
Personal Copy of: Mr. Yonscun Yonscun
Chapter 4
Generic Risk Scenarios

Figure 14—Example Risk Scenarios (cont.)


Risk Type Example Scenarios

and Service Delivery


and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Enablement
Ref. Risk Scenario Category Negative Example Scenarios Positive Example Scenarios
0408 IT expertise and skills There is an overreliance on key IT staff. Job rotation ensures that nobody alone
(cont.) S P P possesses the entire knowledge of the
execution of a certain activity.
0409 There is an inability to update the IT skills Training, attending seminars and reading
to the proper level through training. thought leadership ensures that IT staff is
S P P
up to date with the latest developments in
its area of speciality.
0501 Staff operations Access rights from prior roles are abused. HR and IT administration co-ordinate on a
(human error and frequent basis to ensure timely removal of
S S P
malicious intent) access rights, avoiding the possibility
of abuse.
0502 IT equipment is accidentally damaged
S P
by staff.
0503 There are errors by IT staff (during backup, The four-eyes principle is applied,
S P during upgrades of systems, during decreasing the possibility of errors before
maintenance of systems, etc.). moving to production.
0504 Information is input incorrectly by IT staff or The four-eyes principle is applied, decreasing
S P
system users. the possibility of incorrect information input.
0505 The data centre is destroyed (sabotage, Data centre is appropriately secured, only
S P
etc.) by staff. allowing access to authorised IT staff.
0506 There is a theft of a device with sensitive Office premises are secured and monitored
S P
data by staff. for irregular activity.
0507 There is a theft of a key infrastructure Key infrastructure components are
component by staff. monitored 24/7 for performance,
S P availability, etc. Alarm bells are raised
in case of irregularities and acted on
immediately.
0508 Hardware components were configured An enterprisewide configuration
P S P erroneously. management system is set up, ensuring
aligned configuration across the enterprise.
0509 Critical servers in the computer room were Key infrastructure components are
damaged (e.g., accident, etc.). monitored 24/7 for performance,
P S P availability, etc. Alarm bells are raised
in case of irregularities and acted on
immediately.
0510 Hardware was tampered with intentionally Key infrastructure components are
(security devices, etc.). monitored 24/7 for performance,
P S P availability, etc. Alarm bells are raised
in case of irregularities and acted on
immediately.

25
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Figure 14—Example Risk Scenarios (cont.)


Risk Type Example Scenarios

and Service Delivery


and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Ref. Risk Scenario Category Enablement Negative Example Scenarios Positive Example Scenarios
0601 Information (data Hardware components are damaged, Backup procedures, aligned to the business
breach: damage, S P leading to (partial) destruction of data by criticality of the data, are established,
leakage and access) internal staff. ensuring key business data is always
retained at a second location.
0602 The database is corrupted, leading to
S S P
inaccessible data.
0603 Portable media containing sensitive data Portable media are appropriately secured
S S P (CD, USB drives, portable disks, etc.) is lost/ and encrypted to ensure protection of data.
disclosed.
0604 Sensitive data is lost/disclosed through Sensitive data residing in the enterprise
logical attacks. premises are protected appropriately
S S P
behind firewalls and through continuous
network monitoring.
0605 Backup media is lost or backups are not
S S P
checked for effectiveness.
0606 Sensitive information is accidentally Employees are encouraged continuously to
disclosed due to failure to follow be ambassadors of the enterprise culture,
P S P
information handling guidelines. ethics and good behaviours, including
practices around information handling.
0607 Data (accounting, security-related The four-eyes principle is applied for
data, sales figures, etc.) are modified specific data inputs/modifications to create
P S P
intentionally. a peer review and decrease the stimulus
for intentional modification.
0608 Sensitive information is disclosed through Employees are encouraged continuously
email or social media. to be ambassadors of the enterprise
culture, ethics and good behaviours,
P S P
including practices involving distribution
of information through email and social
media.
0609 Sensitive information is discovered due The data retention policy is updated
P S P to inefficient retaining/archiving/disposing regularly and strict compliancy is endorsed
of information. for all employees.
0610 IP is lost and/or competitive information is IP clauses are incorporated in every
leaked due to key team members leaving contract, allowing the enterprise to fully
P S P
the enterprise. reap the benefits of all IP created in the
enterprise.
0611 The enterprise has an overflow of data The enterprise has an effective process
and cannot deduct the business relevant in place to process the data it has into
P S P
information from the data (e.g., big data business relevant information and use that
problem). information to create business value.
0701 Architecture The enterprise architecture is complex Modern and flexible architecture supports
(architectural vision and inflexible, obstructing further evolution business agility/innovation.
P P P
and design) and expansion leading to missed business
opportunities.
0702 The enterprise architecture is not fit for
P S P purpose and not supporting the business
priorities.
0703 There is a failure to adopt and exploit new
P S S
infrastructure in a timely manner.
0704 There is a failure to adopt and exploit new
P S S software (functionality, optimisation, etc.) in
a timely manner.

26
Personal Copy of: Mr. Yonscun Yonscun
Chapter 4
Generic Risk Scenarios

Figure 14—Example Risk Scenarios (cont.)


Risk Type Example Scenarios

and Service Delivery


and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Enablement
Ref. Risk Scenario Category Negative Example Scenarios Positive Example Scenarios
0801 Infrastructure New (innovative) infrastructure is installed Appropriate testing is conducted before
(hardware, operating and as a result systems become unstable setting infrastructure into the production
P S P
system and controlling leading to operational incidents, e.g., Bring environment to ensure the availability and
technology) your own device (BYOD) programme. proper functioning of the entire system.
(selection/
0802 implementation, The systems cannot handle transaction
P S P
operations and volumes when user volumes increase.
0803 decommissioning) The systems cannot handle system load
P S P when new applications or initiatives
are deployed.
0804 Intermittently, there are failures of utilities Second line utilities are foreseen and
P S P (telecom, electricity). stand by 24/7 to support the continuous
execution of business critical transactions.
0805 The IT in use is obsolete and cannot satisfy IT is an innovator, ensuring a two-way
P S P new business requirements (networking, interaction between business and IT.
security, database, storage, etc.).
0806 P Hardware fails due to overheating.
0901 Software There is an inability to use the software The software in use stimulates the
to realise desired outcomes (e.g., failure generation of new ideas.
P S
to make required business model or
organisational changes).
0902 Immature software (early adopters, bugs,
P S
etc.) is implemented.
0903 The wrong software (cost, performance, Upfront analysis is performed and a
P S features, compatibility, etc.) is selected for business case is prepared to ensure the
implementation. adequate selection of software.
0904 There are operational glitches when new User adapted training and user acceptance
P S
software is made operational. testing is performed before the go-live
decision to ensure the smooth transition
0905 Users cannot use and exploit new to new software and that generation of
P S application software. business value continues.
0906 Intentional modification of software leading The four-eyes principle is applied for
P S
to wrong data or fraudulent actions. specific data inputs/modifications to
create a peer review and decrease the
0907 Unintentional modification of software leads stimulus for fraudulent actions or simply
P S to unexpected results. unexpected results.
0908 Unintentional configuration and change Enterprisewide configuration management
P S management errors occur. decreases resolution time for incident and
problem management.
0909 Regular software malfunctioning of critical Appropriate testing is conducted before the
P S
application software occurs. go-live decision to ensure the availability
and proper functioning of the software.
0910 Intermittent software problems with
P S
important system software occur.
0911 Application software is obsolete (e.g., old IT is an innovator, ensuring a two-way
technology, poorly documented, expensive interaction between business and IT.
P S
to maintain, difficult to extend, not
integrated in current architecture).
0912 There is an inability to revert back to former Backup and restore points are established
P S versions in case of operational issues with in accordance with business criticality of
the new version. software to ensure roll-back procedures.

27
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Figure 14—Example Risk Scenarios (cont.)


Risk Type Example Scenarios

and Service Delivery


and Project Delivery
IT Benefit/Value

IT Programme

IT Operations
Ref. Risk Scenario Category Enablement Negative Example Scenarios Positive Example Scenarios
1001 Business ownership Business does not assume accountability Business assumes appropriate
of IT over those IT areas it should, e.g., accountability over IT and co-determines
P P S functional requirements, development the strategy of IT, especially application
priorities, assessing opportunities through portfolio.
new technologies.
1002 There is extensive dependency and use of
end-user computing and ad hoc solutions
for important information needs, leading
P S S
to security deficiencies, inaccurate data
or increasing costs/inefficient use of
resources.
1003 Cost and ineffectiveness is related to A business case is always prepared
P S S IT related purchases outside of the to ensure optimal cost and effective
procurement process. purchasing of software.
1004 Inadequate requirements lead to ineffective
P
service level agreements (SLAs).
1101 Supplier (selection/ There is a lack of supplier due diligence Third party acts as strategic partner.
performance, regarding financial viability, delivery
S P
contractual compliance, capability and sustainability of supplier’s
termination of service service.
and transfer)
1102 Unreasonable terms of business are
S P
accepted from IT suppliers.
1103 Support and services delivered by vendors Appropriate key performance indicators
S P
are inadequate and not in line with the SLA. (KPIs), linked to rewards and penalties,
ensure adequate service delivery and
1104 Outsourcer performance is inadequate
support.
S P in a large-scale long-term outsourcing
arrangement.
1105 There is non-compliance with software Contractual arrangements are agreed on
S P licence agreements (use and/or distribution concerning the use of third-party software
of unlicenced software, etc.). and proprietary software.
1106 There is an inability to transfer to A phase-out and knowledge transfer clause
alternative suppliers due to overreliance on is added to the contract with the supplier,
current supplier. requiring them to do a handover with
new suppliers.
S P
A mix of internal and external employees
is set up for each process, avoiding full
knowledge of the process only residing
with external employees.
1107 Cloud services are purchased by the business
without the consultation/involvement of IT,
S P
resulting in inability to integrate the service
with in-house services.
1201 Regulatory compliance There is non-compliance with regulations, Full compliance with regulations is
P S S e.g., privacy, accounting, manufacturing. exploited towards clients to generate extra
business value.
1202 Unawareness of potential regulatory The enterprise sets up a legal and
changes have an impact on the operational compliance department to follow up on
P S S
IT environment. regulatory changes and to ensure the
continuation of business value generation.
1203 The regulator prevents cross-border
P S S
dataflow due to insufficient controls.

Figure 14—Example Risk Scenarios (cont.)

Columns: Ref., Risk Scenario Category, Risk Type (P/S marks for IT Benefit/Value Enablement, IT Programme and Project Delivery and IT Operations and Service Delivery, shown here in square brackets), Negative Example Scenarios, Positive Example Scenarios.

1301 Geopolitical [P]
  Negative: There is no access due to disruptive incident in other premises.
  Positive: Clear compliance with national policies and support of local initiatives ensures support by local government and generation of business value.
1302 [P]
  Negative: Government interference and national policies limit service capability.
1303 [P]
  Negative: Targeted action against the enterprise results in destruction of infrastructure.
1401 Infrastructure theft or destruction [S S P]
  Negative: There is a theft of a device with sensitive data.
  Positive: Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
1402 [S S P]
  Negative: There is a theft of a substantial number of development servers.
1403 [S S P]
  Negative: Destruction of the data centre (sabotage, etc.) occurs.
  Positive: Data centre is appropriately secured, only allowing access to authorised IT staff.
1404 [S S P]
  Negative: There is accidental destruction of individual devices.
1501 Malware [S P]
  Negative: There is an intrusion of malware on critical operational servers.
  Positive: IT infrastructure will be appropriately protected behind firewalls and through continuous monitoring of the network to ensure the execution of day-to-day activities.
1502 [S P]
  Negative: Regularly, there is infection of laptops with malware.
1503 [S P]
  Negative: A disgruntled employee implements a time bomb that leads to data loss.
1504 [S P]
  Negative: Company data are stolen through unauthorised access gained by a phishing attack.
1601 Logical attacks [S P]
  Negative: Unauthorised users try to break into systems.
1602 [S P]
  Negative: There is a service interruption due to denial-of-service attack.
1603 [S P]
  Negative: The web site is defaced.
1604 [S P]
  Negative: Industrial espionage takes place.
1605 [S P]
  Negative: There is a virus attack.
1606 [S P]
  Negative: Hacktivism takes place.
1701 Industrial action [S S P]
  Negative: Facilities and building are not accessible because of a labour union strike.
  Positive: A business continuity plan foresees action to be taken to always ensure the execution of business critical tasks in case the building is not accessible anymore.
1702 [S S P]
  Negative: Key staff is not available through industrial action (e.g., transportation strike).
  Positive: A flexible work policy, allowing employees to work from another location other than the office building, stimulates freedom and creates a positive work atmosphere.
1703 [S S P]
  Negative: A third party is not able to provide services because of a strike.
1704 [S S P]
  Negative: There is no access to capital caused by a strike of the banking industry.

Figure 14—Example Risk Scenarios (cont.)

Columns: Ref., Risk Scenario Category, Risk Type (P/S marks for IT Benefit/Value Enablement, IT Programme and Project Delivery and IT Operations and Service Delivery, shown here in square brackets), Negative Example Scenarios, Positive Example Scenarios.

1801 Environmental [S S P]
  Negative: The equipment used is not environmentally friendly (e.g., power consumption, packaging).
  Positive: Being awarded for environmental friendliness creates positive media attention, attracts new customers and employees, and ensures value creation.
1901 Acts of nature [S S P]
  Negative: There is an earthquake.
1902 [S S P]
  Negative: There is a tsunami.
1903 [S S P]
  Negative: There are major storms and tropical cyclones.
1904 [S S P]
  Negative: There is a major wildfire.
1905 [S S P]
  Negative: There is flooding.
1906 [S S P]
  Negative: The water table is rising.
2001 Innovation [P S S]
  Negative: New and important technology trends are not identified.
  Positive: Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are timely assessed for business impact and adopted if required.
2002 [P S]
  Negative: There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner.
  Positive: Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are timely assessed for business impact and adopted if required.
2003 [P S]
  Negative: New and important software trends are not identified (consumerisation of IT).
Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 38

Chapter 5, Using COBIT 5 Enablers to Mitigate IT Risk Scenarios, provides a set of examples that show how COBIT 5
enablers can be used to respond to the risk scenarios described in figure 14. Other IT management frameworks, such as
Information Technology Infrastructure Library (ITIL), and International Organization for Standardization (ISO)
and International Electrotechnical Commission (IEC) 27001/2, can also be used for that purpose, but no detailed
links/mappings are included.

Chapter 5
Using COBIT 5 Enablers to Mitigate IT Risk Scenarios [5]
During the risk response process, risk mitigation is one of the options that can be used to respond to risk. IT-related risk
mitigation is equivalent to implementing a number of IT controls. In COBIT 5 terms, IT controls can be any enabler,
e.g., principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information;
services, infrastructure and applications; or people, skills and competencies.

This chapter provides examples that show how COBIT 5 enablers can be used to respond to risk scenarios. For each of
the risk scenario categories identified in chapter 4, potential mitigating actions relating to all seven COBIT 5 enablers are
provided, with a reference, title and description for each enabler.

When using the examples in this chapter, the reader should keep in mind that:
• The examples do not replace the risk analysis exercise. The risk scenario categories presented here are generic and, in
themselves, can cover many derived and varying scenarios. Every enterprise first needs to customize and define its own
set of risk scenarios.
• The examples need to be customized to include every risk and all surrounding risk factors that should be considered
before risk mitigation measures are defined.
• The suggested IT controls/enablers are not absolute. They need to be weighed in terms of cost and benefit, i.e.,
how effective they will be in addressing risk and the cost to implement them. The effect of the mitigating action on
potential impact and frequency of the risk should be estimated and depends on the maturity of the IT control/enabler
implementation, the context of the enterprise, etc. When effect on impact and frequency is estimated to be “high,” the
action can be considered “essential” for the enterprise.
• The suggested list of IT controls/enablers may not be complete for a particular situation, so the user should be prepared
to carefully analyze whether any controls need to be added or removed based on each situation. For some scenarios,
additional and more detailed guidance may be required. Examples are information security risk items and controls such
as vulnerability management or application security scanning.

The value of this section ties into:


• Risk assessment and analysis—When frequency and impact need to be assessed, IT controls/enablers need to be taken into
account to determine the impact and a realistic frequency assessment. Enabler maturity is a very important risk factor.
• Risk mitigation—When risk can be mitigated, i.e., IT controls/enablers need to be defined, assessed and implemented.
The examples in this chapter provide a number of suggested IT controls/enablers for each risk in the examples.

Note: The tables linking each risk scenario category to a set of mitigating enablers stay at a very generic level, thus
providing a starting point for preparing mitigation plans. Each enterprise will need to tailor the set of enablers required to
analyze and mitigate each specific risk scenario in scope.
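Added example (not from COBIT 5 for Risk or ISACA) of the reasoning above: each mitigating enabler's estimated effect on a scenario's frequency and impact is scaled by its implementation maturity, enablers whose effect is "high" are flagged as essential, and each enabler's annual benefit is weighed against its cost. The worked case uses figure 14 scenario 1504 with three DSS05 practices; all effect fractions, maturity levels, the 0..5 scale and the cost and loss figures are constructed assumptions.

```python
"""Added example (not from COBIT 5 for Risk or ISACA): estimate how a set
of mitigating enablers changes the frequency and impact of one figure 14
risk scenario, flag enablers whose estimated effect is "high" as essential,
and weigh each enabler's annual benefit against its cost.
All scales, effect fractions, maturity levels and cost figures are
constructed for illustration only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_MATURITY = 5   # constructed maturity scale: 0 (not implemented) .. 5 (optimised)
HIGH_EFFECT = 0.5  # an enabler removing >= 50% of frequency or impact counts as "high"


@dataclass
class Enabler:
    reference: str        # COBIT 5 practice reference, e.g. DSS05.01
    title: str
    freq_effect: float    # fraction of frequency removed at full maturity (assumed)
    impact_effect: float  # fraction of impact removed at full maturity (assumed)
    maturity: int         # implementation maturity of the enabler
    annual_cost: float    # constructed cost, same unit as impact

    def scaled(self, full_effect: float) -> float:
        """Effect actually achieved: the full-maturity effect scaled by maturity."""
        if not 0 <= self.maturity <= MAX_MATURITY:
            raise ValueError(f"{self.reference}: maturity must be 0..{MAX_MATURITY}")
        return full_effect * self.maturity / MAX_MATURITY


@dataclass
class Scenario:
    ref: str              # figure 14 reference, e.g. "1504"
    description: str
    frequency: float      # inherent occurrences per year
    impact: float         # inherent loss per occurrence
    enablers: List[Enabler] = field(default_factory=list)

    def inherent_loss(self) -> float:
        return self.frequency * self.impact

    def residual(self, exclude: Optional[str] = None) -> Tuple[float, float]:
        """Residual (frequency, impact) after all enablers; 'exclude' leaves
        one enabler out so that its marginal contribution can be measured."""
        freq, impact = self.frequency, self.impact
        for e in self.enablers:
            if e.reference == exclude:
                continue
            freq *= 1 - e.scaled(e.freq_effect)
            impact *= 1 - e.scaled(e.impact_effect)
        return freq, impact

    def residual_loss(self, exclude: Optional[str] = None) -> float:
        freq, impact = self.residual(exclude)
        return freq * impact


def assess(scenario: Scenario) -> Dict[str, dict]:
    """Per enabler: is it essential (high effect at its current maturity),
    how much annual loss does it remove, and does that cover its cost?"""
    base = scenario.residual_loss()
    result = {}
    for e in scenario.enablers:
        benefit = scenario.residual_loss(exclude=e.reference) - base
        effect = max(e.scaled(e.freq_effect), e.scaled(e.impact_effect))
        result[e.reference] = {
            "essential": effect >= HIGH_EFFECT,
            "benefit": benefit,
            "cost_justified": benefit >= e.annual_cost,
        }
    return result


# Constructed worked case: figure 14 scenario 1504 with three DSS05 practices.
PHISHING = Scenario(
    ref="1504",
    description="Company data are stolen through unauthorised access "
                "gained by a phishing attack.",
    frequency=2.0,
    impact=100_000.0,
    enablers=[
        Enabler("DSS05.01", "Protect against malware", 0.6, 0.0, 5, 20_000.0),
        Enabler("DSS05.04", "Manage user identity and logical access",
                0.5, 0.4, 3, 15_000.0),
        Enabler("DSS05.07", "Monitor the infrastructure for security-related events",
                0.0, 0.5, 2, 30_000.0),
    ],
)

if __name__ == "__main__":
    freq, impact = PHISHING.residual()
    print(f"Scenario {PHISHING.ref}: inherent loss/yr {PHISHING.inherent_loss():,.0f}, "
          f"residual frequency {freq:.2f}/yr, impact {impact:,.0f}, "
          f"loss/yr {PHISHING.residual_loss():,.0f}")
    for ref, verdict in assess(PHISHING).items():
        print(f"  {ref}: essential={verdict['essential']}, "
              f"benefit={verdict['benefit']:,.0f}, "
              f"cost_justified={verdict['cost_justified']}")
```

In the constructed case only DSS05.01 reaches a "high" effect at its current maturity, and DSS05.07 removes less annual loss than it costs, which is exactly the cost/benefit weighing the chapter asks for before an enabler is adopted.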

[5] Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.

Risk Scenario Category 1: Portfolio Establishment and Maintenance

Risk Scenario Category: Portfolio establishment and maintenance

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
• Program/project management policy: To enforce the use of the overall program/project methodology including corporate policy on business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value.

Process Enabler (Reference, Title: Governance and Management Practices)
• EDM02.01 Evaluate value optimization: Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation.
• EDM02.02 Direct value optimization: Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
• EDM02.03 Monitor value optimization: Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.
• APO01.01 Define the organizational structure: Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
• APO01.04 Communicate management objectives and direction: Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
• APO02.03 Define the target IT capabilities: Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
• APO04.03 Monitor and scan the technology environment: Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
• APO05.01 Establish the target investment mix: Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary.
• APO05.03 Evaluate and select programs to fund: Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs.
• APO05.05 Maintain portfolios: Maintain portfolios of investment programs and projects, IT services and IT assets.
• APO06.02 Prioritize resource allocation: Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.
• BAI02.01 Define and maintain business functional and technical requirements: Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.

Organisational Structures Enabler (Reference: Contribution to Response)
• Program and project management office (PMO): Responsible for the quality of the business cases
• Board of directors: Approval is required when programs surpass a certain value threshold and risk level.
• Chief financial officer (CFO): Help with alignment of strategy and priorities, overall view on programs.

Culture, Ethics and Behaviour Enabler (Reference: Contribution to Response)
• Program selection includes data-driven decisions: Decisions should be objective, nonbiased and based on supported information.
• Stakeholder engagement: The full range of success factors will be taken into account when selecting programs.
• Focus on enterprise objectives: Ensure alignment with corporate strategy and priorities.

Information Enabler (Reference: Contribution to Response)
• Program business case: Improves the visibility of the relative value of programs (compared to each other)
• Defined investment mix: Improves the visibility of the relative value of programs (compared to each other)

Services, Infrastructure and Applications Enabler (Reference: Contribution to Response)
• Portfolio management tools: Decrease complexity and increase overview on programs and projects.

People, Skills and Competencies Enabler (Reference: Contribution to Response)
• Program/project finance skills: Create visibility on program value.
• Business requirements analysis: Transparency on enterprise strategy, related business requirements and priorities
• Marketing-related skills: Create visibility on program value.

Risk Scenario Category 2: Programme/Project Life Cycle Management

Risk Scenario Category: Program/project life cycle management
Scope: Program/project initiation, economics, delivery, quality and termination

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
• Program/project management policy: Measuring visibility and true status for decision makers should be based on common language and methodology:
  • Awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and create information flows to induce corrective action.
  • To prevent failure, scope changes to existing projects need to be managed strictly.

Process Enabler (Reference, Title: Governance and Management Practices)
• EDM02.03 Monitor value optimization: Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.
• APO01.01 Define the organizational structure: Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
• APO06.04 Model and allocate costs: Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.
• APO06.05 Manage costs: Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.
• BAI01.01 Maintain a standard approach for program and project management: Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner.
• BAI01.02 Initiate a program: Initiate a program to confirm the expected benefits and obtain authorization to proceed. This includes agreeing on program sponsorship, confirming the program mandate through approval of the conceptual business case, appointing program board or committee members, producing the program brief, reviewing and updating the business case, developing a benefits realization plan, and obtaining approval from sponsors to proceed.
• BAI01.03 Manage stakeholder engagement: Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.
• BAI01.04 Develop and maintain the program plan: Formulate a program to lay the initial groundwork and to position it for successful execution by formalizing the scope of the work to be accomplished and identifying the deliverables that will satisfy its goals and deliver value. Maintain and update the program plan and business case throughout the full economic life cycle of the program, ensuring alignment with strategic objectives and reflecting the current status and updated insights gained to date.
• BAI01.05 Launch and execute the program: Launch and execute the program to acquire and direct the resources needed to accomplish the goals and benefits of the program as defined in the program plan. In accordance with stage-gate or release review criteria, prepare for stage-gate, iteration or release reviews to report on the progress of the program and to be able to make the case for funding up to the following stage-gate or release review.
• BAI01.06 Monitor, control and report on the program outcomes: Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors.
• BAI01.07 Start up and initiate projects within a program: Define and document the nature and scope of the project to confirm and develop among stakeholders a common understanding of project scope and how it relates to other projects within the overall IT-enabled investment program. The definition should be formally approved by the program and project sponsors.
• BAI01.08 Plan projects: Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability.
• BAI01.09 Manage program and project quality: Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS) that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans.
• BAI01.10 Manage program and project risk: Eliminate or minimize specific risk associated with program and projects through a systematic process of planning, identifying, analyzing, responding to and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded.
• BAI01.11 Monitor and control projects: Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.
• BAI01.12 Manage project resources and work packages: Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources.
• BAI01.13 Close a project or iteration: At the end of each project, release or iteration, require the project stakeholders to ascertain whether the project, release or iteration delivered the planned results and value. Identify and communicate any outstanding activities required to achieve the planned results of the project and the benefits of the program, and identify and document lessons learned for use on future projects, releases, iterations and programs.

Organizational Structures Enabler (Reference: Contribution to Response)
• Program and project management office (PMO): Ensure consistency of approach within program/project monitoring.
• Chief information officer (CIO): Take corrective action, if required.
• Program/project sponsor: Overall accountable for budget tracking and value demonstration
• Program/project manager: Overall responsible for budget tracking and value demonstration

Culture, Ethics and Behaviour Enabler (Reference: Contribution to Response)
• Program/project monitoring includes data-driven activities: Decisions should be objective, nonbiased and based on supported information.
• Admitting to bad news is supported by senior management: Enables earlier decision making and minimizes impact

Information Enabler (Reference: Contribution to Response)
• Program benefit realization plan: This input will provide the necessary data to track the progress and estimate potential overrun.
• Program budget and benefits register: This input will provide the necessary data to track the progress and estimate potential overrun.
• Program status report: Measuring visibility and true status for decision makers should be based on common language and methodology.

Services, Infrastructure and Applications Enabler (Reference: Contribution to Response)
• Portfolio management tools: Increase transparency on budgetary status.

People, Skills and Competencies Enabler (Reference: Contribution to Response)
• Performance and budget control skills: The correct analytical skills will allow estimation of the consequences of failing projects such as potential budget overruns.

Risk Scenario Category 3: IT Investment Decision Making

Risk Scenario Category: IT investment decision making

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
• Program/project management policy: The policy should define who needs to be involved in investment decisions and the chain of approval.

Process Enabler (Reference, Title: Governance and Management Practices)
• APO05.06 Manage benefits achievement: Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.
• APO06.02 Prioritize resource allocation: Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.
• APO06.03 Create and maintain budgets: Prepare a budget reflecting the investment priorities supporting strategic objectives based on the portfolio of IT-enabled programs and IT services.
• APO07.01 Maintain adequate and appropriate staffing: Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
• BAI01.03 Manage stakeholder engagement: Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations.
• BAI03.04 Procure solution components: Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.

Organisational Structures Enabler (Reference: Contribution to Response)
• Board of directors: Accountable for proper investment decision making
• Chief information officer (CIO): Responsible for proper investment decision making
• Chief financial officer (CFO): Responsible for proper investment decision making

Culture, Ethics and Behaviour Enabler (Reference: Contribution to Response)
• Decision-making process is data driven: Decisions should be objective, nonbiased and based on supported information.

Information Enabler (Reference: Contribution to Response)
• Business cases: Clarify the purpose, cost and return on investment of IT initiatives.
• Prioritization and ranking of IT initiatives: Overview of IT initiatives to facilitate selection
• IT budget and plan: Overview on available IT budget and guidelines

People, Skills and Competencies Enabler (Reference: Contribution to Response)
• Cost allocation and budgeting: Ability to detail financial aspects of IT initiatives
• Business case analysis: Clarify the purpose, cost and return on investment of IT initiatives.

Risk Scenario Category 4: IT Expertise and Skills

Risk Scenario Category: IT expertise and skills

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
• HR policy: Describes the requirements development for selecting and evaluating IT profiles throughout the entire career.

Process Enabler (Reference, Title: Governance and Management Practices)
• APO01.01 Define the organizational structure: Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
• APO01.04 Communicate management objectives and direction: Communicate awareness and understanding of IT objectives and direction to appropriate stakeholders and users throughout the enterprise.
• APO02.01 Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
• APO03.01 Develop the enterprise architecture vision: The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
• APO07.01 Maintain adequate and appropriate staffing: Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
• APO07.02 Identify key IT personnel: Identify key IT personnel while minimising reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
• APO07.03 Maintain the skills and competencies of personnel: Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
• APO07.04 Evaluate employee job performance: Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goals, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate.
• APO07.05 Plan and track the usage of IT and business human resources: Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.

Organisational Structures Enabler (Reference: Contribution to Response)
• Chief information officer (CIO): Responsible for gap analysis regarding IT skills and competencies
• Head of HR: Accountable for establishing expectations toward staff
• Specific IT management functions: Responsible for identifying specific requirements

Culture, Ethics and Behaviour Enabler (Reference: Contribution to Response)
• Awareness of business activities by IT staff: IT staff should know the core business activities of the enterprise they support.
• Foster competency development with IT staff: Continuous development of existing IT skills.

Information Enabler (Reference: Contribution to Response)
• Skills and competencies matrix: Describe the existing skills and competencies within the IT organization and allow for gap analysis
• Competency and career/skills development plans: Describe the required evolution of specific IT profiles.
• Generic job function descriptions: Describe skills/experience and knowledge requirements for generic profiles within the IT organizations.
• Knowledge repositories: Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc.

People, Skills and Competencies Enabler (Reference: Contribution to Response)
• Human resources management skills: Hire qualified personnel and manage the skills development process.
• Business analysis: Matching the business needs to the required IT skills

Risk Scenario Category 5: Staff Operations

Risk Scenario Category: Staff operations
Scope: Human error and malicious intent

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
• HR policy: Describes the continued restrictions after leaving the organization
• Information security policy: Defines technical limitations on sharing and using information
• Ethics policy: Rules of behavior, acceptable use of technology and required precautions

Process Enabler (Reference, Title: Governance and Management Practices)
• APO07.01 Maintain adequate and appropriate staffing: Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
• APO07.03 Maintain the skills and competencies of personnel: Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
• APO07.06 Manage contract staff: Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the organization’s policies and meet agreed-on contractual requirements.
• BAI03.07 Prepare for solution testing: Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
• DSS01.01 Perform operational procedures: Maintain and perform operational procedures and operational tasks reliably and consistently.
• DSS01.04 Manage the environment: Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
• DSS01.05 Manage facilities: Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
• DSS04.03 Develop and implement a business continuity response: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
• DSS04.04 Exercise, test and review the BCP: Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
• DSS05.05 Manage physical access to IT assets: Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
• DSS06.02 Control the processing of information: Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).
DSS06.03 Manage roles, Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support
responsibilities, the business process objectives. Authorize access to any information assets related to business information
access privileges and processes, including those under the custody of the business, IT and third parties. This ensures that the
levels of authority. business knows where the data are and who is handling data on its behalf.
Organisational Structures Enabler
Reference Contribution to Response
Information security manager Responsible for technical protection of assets and information
Head of HR Responsible for establishing expectations about staff
Head of IT operations Accountable for managing the operational environment
Culture, Ethics and Behaviour Enabler
Reference Contribution to Response
Everybody is responsible for the Leading by example
protection of information within the
enterprise
People respect the importance of policies Preventing errors and accidents
and procedures

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Staffing contract | Contractual obligations, restrictions and rights of the staff |
| Access and event logs | Detect wrongful activity. |
| Allocated roles and responsibilities/levels of authority | Provide clarity on organizational distribution. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Access control | To prevent unauthorized logical access |
| Alarm and monitoring security system | To prevent unauthorized physical access |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Security skills | Prevent malicious intent. |

Risk Scenario Category 6: Information


Risk Scenario Category: Information
Scope: Damage, leakage and access

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Physical security policy | Access should only be provided to authorized staff. |
| Backup policy | Backups are available and usable. |
| Business continuity and disaster recovery policy | Validate recoverability of data. |
| Information security policy | Defines limitations on sharing and using information. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO01.06 | Define information (data) and system ownership. | Define and maintain responsibilities for ownership of information (data) and information systems. Ensure that owners make decisions about classifying information and systems and protecting them in line with this classification. |
| BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. |
| BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. |
| DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently. |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in items that enable the enterprise to continue its critical activities after an incident. |
| DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. |
| DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. |
| DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. |
| DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. |
| DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Information security manager | Provide guidance on proper controls and measures to protect data and hardware. |
| Head of IT operations | Responsible for implementing proper controls to protect data and hardware |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Information security is practiced in daily operations | Always select the safest option with regard to daily operations. |
| Need to access only | Limit the access of staff without affecting performance. |
| Everybody is responsible for the protection of information within the enterprise | Management provides training to create awareness and accountability. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Backup reports | Describes the status regarding backups. |
| Data loss prevention campaigns | Increase awareness within the enterprise. |
| Nondisclosure agreements | Contractually protect intellectual property (IP) by deterring staff from disclosing IP to unauthorized parties. |
| Access and event logs | Detect suspicious activity. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Access control | To prevent unauthorized logical access |
| Backup systems | Ensure proper recovery in case of loss, modification or corruption of data. |
| Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to apply the need-to-know principle |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Technical skills | Regarding the proper controls and measures to protect data and hardware (e.g., data backup, storage) |


Risk Scenario Category 7: Architecture


Risk Scenario Category: Architecture
Scope: Architectural vision and design

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. |
| Exceptions procedure | In specific cases exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). |
| APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals. |
| APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. |
| APO03.02 | Define reference architecture. | The reference architecture describes the current and target architectures for the business, information, data, application and technology domains. |
| APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. |
| APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. |
| APO03.05 | Provide enterprise architecture services. | The provision of enterprise architecture services within the enterprise includes guidance to and monitoring of implementation projects, formalizing ways of working through architecture contracts, and measuring and communicating architecture’s value-add creation and compliance monitoring. |
| APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |
| APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. |
| APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realised and to identify lessons learned. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture board | Ensure compliance with the target architecture and grant exceptions only when needed. |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Respect agreed-on standards | The enterprise should encourage the use of agreed-on standards. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture model | Target architecture model |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture modeling software | Modeling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Leadership and communication | Clarify the rationale for the architecture and the potential consequences. |
| Architecture skills | Develop efficient and effective architecture aligned to the business requirements. |


Risk Scenario Category 8: Infrastructure


Risk Scenario Category: Infrastructure
Scope: Hardware, operating system and controlling technology; selection/implementation, operations and decommissioning

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. |
| Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals. |
| APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |
| BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. |
| BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. |
| BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by the business owner. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. |
| BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. |
| BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. |
| BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. |
| BAI10.04 | Produce status and configuration reports. | Define and produce configuration reports on status changes of configuration items. |
| BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure |
| Head of architecture | Designing architecture in an optimal way |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Respect the available assets | All staff is required to maintain the assets in an appropriate manner |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture model | Target architecture model |
| (Updates to) asset inventory | Tracking all assets throughout the enterprise |
| Maintenance plan | Planning the maintenance of the IT infrastructure |
| Configuration status reports | Tracking changes to configuration |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Configuration management database (CMDB) | Assists in identifying areas for improvement. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture skills | Develop efficient and effective architecture aligned to the business requirements. |
| Technical skills | Managing the different infrastructure components |


Risk Scenario Category 9: Software


Risk Scenario Category: Software
Scope: Selection/implementation, operations and decommissioning

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. |
| Fallback procedures | Guidelines in case rollback is necessary |
| Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| BAI03.01 | Design high-level solutions. | Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version. |
| BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). |
| BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. |
| BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalog to reflect the new solutions. |
| BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. |
| BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. |
| BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing. |
| BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements. |
| BAI03.10 | Maintain solutions. | Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements. |
| BAI05.05 | Enable operation and use. | Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility. |
| BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. |
| BAI06.02 | Manage emergency changes. | Carefully manage emergency changes to minimize further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change. |
| BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. |
| BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. |
| BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a postimplementation review. Obtain approval from relevant parties. |
| BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. |
| BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. |
| BAI07.08 | Perform a postimplementation review. | Conduct a postimplementation review to confirm outcome and results, identify lessons learned, and develop an action plan. Evaluate and check the actual performance and outcomes of the new or changed service against the predicted performance and outcomes (i.e., the service expected by the user or customer). |
| BAI08.01 | Nurture and facilitate a knowledge-sharing culture. | Implement processes and tools that facilitate a knowledge-sharing culture. |
| BAI08.04 | Use and share knowledge. | Propagate available knowledge resources to relevant stakeholders and communicate how these resources can be used to address different needs (e.g., problem solving, learning, strategic planning and decision making). |
| BAI10.04 | Produce status and configuration reports. | Define and produce configuration reports on status changes of configuration items. |
| BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Head of software development | Responsible for the proper design and development of the software components |
| Head of architecture | Designing architecture in an optimal way |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Testing is performed on all appropriate levels | Users and developers cooperate in testing the software components. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture model | Target architecture model |
| Design specifications | Clarifying the needs of the users |
| Quality assurance (QA) plan (test plan and procedures) | Defining the steps to take in order to assure quality |
| Maintenance plan | Planning the maintenance of the software |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Integrated development environment (IDE) | Facilitating development and consisting of a source code editor, build automation tools and a debugger |
| Knowledge repositories | Sharing and coordinating knowledge regarding development activities |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture skills | Develop efficient and effective architecture aligned to the business requirements |
| Technical skills | Designing and developing the proper software components |


Risk Scenario Category 10: Business Ownership of IT


Risk Scenario Category: Business ownership of IT

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Enterprise governance guiding principles | Involving business and IT |
| Reporting and communication principles | Clarifying the means of communication |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgment on the current and future design of governance of enterprise IT. |
| EDM01.02 | Direct the governance system. | Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. |
| EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. |
| APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. |
| APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). |
| APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. |
| APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include internal operational level agreements (OLAs). |
| APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. |
| BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. |
| BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Program and project management office (PMO) | Provide a common methodology, used by business and IT, to define proper requirements. |
| Finance | Provide a common methodology, used by business and IT, to assess opportunities in terms of value for the enterprise. |
| Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation |
| Board of directors | Accountable for the governance framework setting and maintenance |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Business and IT work together as partners | Business takes into account the difficulties IT faces, and IT learns the business issues, so that common solutions can be found |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| IT strategy | Aligning IT plans with business objectives so that the business can monitor IT more efficiently. |
| Authority levels | Clarifying the decision-making responsibilities |
| Service level agreements (SLAs) | Describe the service level objectives to meet business expectations. |

49
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk

Risk Scenario Category 10: Business Ownership of IT (cont.)


People, Skills and Competencies Enabler
Reference Contribution to Response
Relationship management skills IT employees should have the proper skills to build relations with relevant business stakeholders
IT-related skills/affinity Business employees should be trained to have a minimal affinity with IT

Risk Scenario Category 11: Suppliers

Scope: Selection, performance, contractual compliance, termination of service and transfer

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Procurement policy | Providing a formal approach to selecting suppliers, including the acceptance criteria set by the business |
| Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. |
| Information security policy | Defines technical limitations on sharing and using information. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. |
| APO10.03 | Manage supplier relationships and contracts. | Formalize and manage the supplier relationships for strategic suppliers. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. |
| APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. |
| APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value delivery, and address identified issues promptly. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Legal group | Review of proposed terms of business |
| Business process owners | Setting requirements and performance indicators, and ensuring that proper expectations are incorporated in the contracts |
| Procurement department | Provide the support and approach to efficiently engage with suppliers. |
| Chief information officer (CIO) | Accountable for managing suppliers |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Respect procurement procedures | Additional effort is required to ensure proper supplier selection. |
| Transparent and participative culture focus. | To optimize the outcome of the vendor relationships |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Business requirements | Used for negotiations and service level definition. |
| IT strategy | Defining boundaries and enterprise objectives to take into account when negotiating contracts |
| Supplier catalog | A structured presentation of known suppliers, including previous performance statistics |
| Service level agreements (SLAs) | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Vendor management system | Keep track of the vendor management life cycle |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Negotiation skills | Ensure that requirements are supported. |
| Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise. |
| Legal analysis skills | Support cooperation with the supplier while drafting contracts and SLAs. |

Risk Scenario Category 12: Regulatory Compliance

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Industry/market specific policies | Define the rules and guidelines to identify specific compliance requirements and the procedures to meet applicable requirements. |
| Compliance policy | Guiding the identification of external compliance requirements and the procedures to meet applicable requirements. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. |
| MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. |
| MEA03.03 | Confirm external compliance. | Confirm compliance plans with legal, regulatory and contractual requirements. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Privacy officer | Identify privacy requirements and ensure compliance. |
| Regulatory compliance department | Provides guidance on legal, regulatory and contractual compliance. Tracks new and changing regulations. |
| Legal group | Legal support during analysis and litigation related to regulatory compliance. |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Risk- and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk. | All members of the enterprise are encouraged to facilitate regulatory compliance. |
| Compliance is embedded in daily operations. | All members of the enterprise are encouraged to facilitate regulatory compliance. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Risk appetite/tolerance | Balancing compliance requirements with enterprise risk appetite/tolerance |
| Assurance reports | Internal and external audits |
| Internal control framework | Optimize the efficiency of internal control. |
| Analysis of new legal and regulatory compliance requirements | Helps determine applicability |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Regulatory databases | Facilitating the follow-up of compliance requirements |
| Governance, risk and compliance (GRC) tools | Overview of controls and practices to ensure compliance |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact. |
| Legal analysis skills | Understand expectations of local regulators. |
| Internal control | Evaluate compliance with relevant regulations and report results to management. |

Risk Scenario Category 13: Geopolitical

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Safe harbour policies | Provide guidance about provisions of a law or regulation that specify that certain conduct will be deemed not to violate a given rule. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. |
| MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. |
| MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Privacy officer | Identify privacy requirements and ensure compliance. |
| Regulatory compliance department | Guidance on legal, regulatory and contractual compliance requirements |
| Legal group | Legal support during analysis and litigation related to compliance |
| Business continuity/disaster recovery plan | Maintain detailed plans and resource requirements for continuous service. |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Controlled growth and expansion | Ensure that the regulations and external requirements are integrated in growth plans. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Analysis of new regulations | Regulations imposed by local government need to be analyzed. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| External legal services | Gain advice on new regulations from local governments and the impact they have on the enterprise. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact on the enterprise. |
| Legal analysis skills | Understand expectations of local regulators. |
| Contingency planning skills | Maintain options for continuous service in the event of a disruption. |

Risk Scenario Category 14: Infrastructure Theft or Destruction

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Information security policy | Restricting physical access to infrastructure in order to prevent destruction |
| Business continuity and disaster recovery policy | Validate recoverability of information, services, applications and infrastructure. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Information security manager | Implementation of security measures to prevent theft or destruction |
| Head of IT operations | Responsible for the protection of the IT environment |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Information security is practiced in daily operations. | To prevent unauthorized physical access |
| People respect the importance of information security policies and principles. | To prevent unauthorized physical access |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Access requests | Provide information about users authorized to access facilities. |
| Access logs | Reporting on access activity |
| Facilities assessments reports | The enterprise is aware of the state and risk of the facilities. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Access control | To prevent unauthorized logical access |
| Alarm and monitoring security system | To prevent unauthorized physical access |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Information security skills | To implement controls that prevent or reduce the impact of infrastructure theft and destruction |
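DSS05.05 above requires that physical access be justified, authorized, logged and monitored, and the Information Enabler names access requests and access logs as the records that make the "monitored" part possible. The following Python script is an added example, not code from the ISACA publication or from COBIT 5: it reconciles a badge-reader log against a list of approved access requests and reports entries that were granted without a matching request (wrong zone or expired approval), repeated denials at one reader, and log lines the parser cannot read. The log line format, badge numbers, zone names, timestamps and the denial threshold are all constructed for the example.

```python
"""Reconcile physical access logs against approved access requests (DSS05.05).

Added example, not code from the ISACA publication: the log line format,
the request records, the badge numbers and the zone names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import re


def _ts(text: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp as UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessRequest:
    """One approved request: who may enter which zone, during which period, and why."""
    badge: str
    zone: str
    valid_from: datetime
    valid_to: datetime
    justification: str  # DSS05.05: access should be justified before it is granted


# Constructed approvals (the "access requests" information item).
APPROVED = [
    AccessRequest("1042", "DC-A", _ts("2024-03-01T00:00:00Z"), _ts("2024-03-31T23:59:59Z"),
                  "change CR-0231 (constructed id): rack replacement"),
    AccessRequest("2077", "DC-A", _ts("2024-01-01T00:00:00Z"), _ts("2024-12-31T23:59:59Z"),
                  "data centre operations staff"),
    AccessRequest("2077", "DC-B", _ts("2024-01-01T00:00:00Z"), _ts("2024-12-31T23:59:59Z"),
                  "data centre operations staff"),
]

# Constructed reader log (the "access logs" information item), including
# one record the reader wrote in a form the parser cannot read.
SAMPLE_LOG = [
    "2024-03-02T01:13:44Z badge=1042 zone=DC-A result=granted",
    "2024-03-02T01:20:10Z badge=1042 zone=DC-B result=granted",  # no request covers DC-B
    "2024-03-02T02:00:00Z badge=3333 zone=DC-A result=denied",
    "2024-03-02T02:00:07Z badge=3333 zone=DC-A result=denied",
    "2024-03-02T02:00:15Z badge=3333 zone=DC-A result=denied",   # third denial in a row
    "2024-03-02T03:00:00Z badge=2077 zone=DC-B result=granted",
    "reader offline -- buffered record lost",                      # unreadable line
    "2024-04-03T09:00:00Z badge=1042 zone=DC-A result=granted",  # approval expired in March
]

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) badge=(?P<badge>\d+) "
    r"zone=(?P<zone>[\w-]+) result=(?P<result>granted|denied)$"
)


def parse_line(line: str):
    """Return the event fields as a dict, or None when the line is not in the expected form."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": _ts(m["ts"]), "badge": m["badge"], "zone": m["zone"], "result": m["result"]}


def is_authorized(badge: str, zone: str, ts: datetime, approved=APPROVED) -> bool:
    """True when some approved request covers this badge, zone and moment."""
    return any(r.badge == badge and r.zone == zone and r.valid_from <= ts <= r.valid_to
               for r in approved)


def review_access_log(lines, approved=APPROVED, denied_threshold=3):
    """Walk the log once and collect findings for a reviewer."""
    findings = []
    denials = {}  # (badge, zone) -> count of denied attempts seen so far
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            # A gap in the record is itself a finding: the log must stay reconstructible.
            findings.append({"kind": "unparseable", "detail": line})
            continue
        key = (ev["badge"], ev["zone"])
        if ev["result"] == "granted":
            if not is_authorized(ev["badge"], ev["zone"], ev["ts"], approved):
                findings.append({"kind": "granted_without_request",
                                 "detail": f"badge {ev['badge']} entered {ev['zone']} "
                                           f"at {ev['ts'].isoformat()}"})
        else:
            denials[key] = denials.get(key, 0) + 1
            if denials[key] == denied_threshold:
                findings.append({"kind": "repeated_denials",
                                 "detail": f"badge {ev['badge']} denied {denied_threshold} times "
                                           f"at {ev['zone']}"})
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(f"{finding['kind']:24} {finding['detail']}")
```

The two checks map directly onto the practice text: a grant with no covering request means the "authorized" step was bypassed or the approval record is incomplete, and a run of denials at one reader is the kind of event the alarm and monitoring system should surface rather than leave in the log. Real reader exports differ in format, so only `LOG_RE` and `_ts` need adapting.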

Risk Scenario Category 15: Malware

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Information security policy | Outlines information security arrangements within the enterprise to prevent malware |
| Malicious software prevention policy | Details the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware. |
| Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. |
| Incident recovery policy | Validate recoverability of information, services, applications and infrastructure in case of a security incident. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO01.03 | Maintain the enablers of the management system. | Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional cooperation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure). |
| APO01.08 | Maintain compliance with policies and procedures. | Implement procedures to maintain compliance, performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. |
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that events are integrated with general event monitoring and incident management procedures. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Information security manager | Implementation of security measures |
| Head of IT operations | Management of the incident response team to restore service in a timely fashion |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Information security is practiced in daily operations. | To prevent the unintentional installation of malware |
| People respect the importance of information security policies and principles. | To prevent the unintentional installation of malware |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware |
| Awareness and training regarding malware, email and Internet usage | To prevent the unintentional installation of malware |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Threat information | Intelligence regarding types of attacks |
| Monitoring reports | Identification of attack attempts, threat events, etc. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Firewall | Protection against malware |
| Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. |
| Malicious software protection tools | Protection against malware |
| Monitoring and alert services | Timely notification of potential threats |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Information security skills | Preventing and reducing the impact of malware by implementing controls |
| IT technical skills | Appropriate configuration of IT infrastructure, such as firewalls, to prevent unintentional malware installations. |

Risk Scenario Category 16: Logical Attacks

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Information security policy | Outlines information security arrangements within the enterprise. |
| Technical security policies and procedures | Detail the technical consequences of the information security policy. |
| Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. |
| Business continuity and disaster recovery policy | Validate recoverability of information, services, applications and infrastructure. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO13.01 | Establish and maintain an information security management system (ISMS). | Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management. |
| APO13.03 | Monitor and review the ISMS. | Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct nonconformities to prevent recurrence. Promote a culture of security and continual improvement. |
| BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. |
| DSS01.03 | Monitor IT infrastructure. | Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities. |
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. |
| DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Information security manager | Responsible for the implementation of security measures |
| Head of IT operations | Management of the incident response team to restore service in a timely fashion |
| Service manager | In case attacks are successful, communicate with end users and help to manage the response. |
| Chief security architect | Design of security measures |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Information security is practiced in daily operations. | To prevent logical attacks |
| People respect the importance of information security policies and principles. | To prevent logical attacks |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Incident response plan | Detailing the action to be undertaken in case of attack |
| Threat information | Intelligence regarding types of attacks |
| Monitoring reports | Identification of attack attempts, threat events, etc. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Firewall | Prevent successful logical attacks. |
| Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. |
| Network management tools/vulnerability scanners | Identifying and reporting weaknesses |
| Monitoring and alert services | Timely notification of potential threats |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Information security skills | Preventing and reducing the impact of logical attacks by implementing controls |
| IT technical skills | Appropriate configuration of IT infrastructure such as firewalls, critical network components, etc., to prevent logical attacks. |
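Two practices in this category and in the Malware category say the same thing from different angles: DSS01.03 asks for logs that preserve the time sequence of operations, and DSS05.07 asks that detections from intrusion detection and anti-malware tools be integrated with general event monitoring and incident management, which is what the SIEM listed under the Services enabler is for. The Python script below is an added example, not code from the ISACA publication or from any SIEM product: it takes events from three constructed feeds (anti-malware, firewall, intrusion detection), restores their chronological order, groups them per host, and opens one incident per anti-malware detection, escalating the severity when another source corroborates it within a time window. The event line format, source names, host names, addresses, signatures and the two thresholds are all assumptions made for the example.

```python
"""Correlate monitoring events from several sources into incident records.

Added example, not code from the ISACA publication: the event line format,
the source names (av, fw, ids), the host names, the addresses and the
thresholds are constructed for this snippet.
"""
from datetime import datetime, timedelta, timezone

# Corroborating events this close to an anti-malware detection are attached
# to the same incident (constructed threshold).
WINDOW = timedelta(minutes=10)
# Denied outbound connections to at least this many distinct destinations
# around a detection escalate the incident (constructed threshold).
DENY_THRESHOLD = 3

# Constructed event lines, deliberately out of chronological order, as feeds
# from anti-malware (av), firewall (fw) and intrusion detection (ids) might
# arrive at a central collector. Addresses are from documentation ranges.
SAMPLE_EVENTS = [
    "2024-03-02T10:00:40Z src=fw host=ws-17 msg=deny dst=203.0.113.5:443",
    "2024-03-02T10:00:05Z src=av host=ws-17 msg=detection name=Trojan.Generic action=quarantined",
    "2024-03-02T10:02:11Z src=fw host=ws-17 msg=deny dst=203.0.113.6:443",
    "2024-03-02T10:03:52Z src=fw host=ws-17 msg=deny dst=198.51.100.7:8443",
    "2024-03-02T10:30:00Z src=fw host=ws-22 msg=deny dst=203.0.113.9:22",
    "2024-03-02T11:00:00Z src=av host=ws-31 msg=detection name=Adware.Bundle action=quarantined",
    "2024-03-02T11:25:00Z src=fw host=ws-31 msg=deny dst=203.0.113.5:443",
    "2024-03-02T12:00:00Z src=ids host=ws-40 msg=alert sig=constructed-beacon-signature",
    "2024-03-02T12:01:00Z src=av host=ws-40 msg=detection name=Backdoor.Sample action=blocked",
]


def parse_event(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate(lines, window=WINDOW, deny_threshold=DENY_THRESHOLD):
    """Open one incident per anti-malware detection, enriched with nearby events on the same host."""
    # DSS01.03: restore the time sequence before reasoning about it.
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_host = {}
    for event in events:
        by_host.setdefault(event["host"], []).append(event)

    incidents = []
    for host, host_events in by_host.items():
        detections = [e for e in host_events if e["src"] == "av" and e["msg"] == "detection"]
        for detection in detections:
            # Evidence from any feed, shortly before or after the detection.
            related = [e for e in host_events
                       if e is not detection and abs(e["ts"] - detection["ts"]) <= window]
            denied_dests = {e["dst"] for e in related if e["src"] == "fw" and e["msg"] == "deny"}
            ids_alerts = [e for e in related if e["src"] == "ids"]
            # DSS05.07: a detection corroborated by another source is escalated.
            severity = "high" if ids_alerts or len(denied_dests) >= deny_threshold else "medium"
            timeline = [detection] + related
            incidents.append({
                "host": host,
                "severity": severity,
                "signature": detection.get("name"),
                "first_seen": min(e["ts"] for e in timeline),
                "last_seen": max(e["ts"] for e in timeline),
                "evidence": len(timeline),
                "denied_destinations": sorted(denied_dests),
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS):
        print(f"{inc['severity']:6} {inc['host']:6} {inc['signature']:16} "
              f"{inc['first_seen'].isoformat()} .. {inc['last_seen'].isoformat()} "
              f"evidence={inc['evidence']} denied={inc['denied_destinations']}")
```

In the constructed data, ws-17 is escalated because three distinct denied destinations follow its quarantine, ws-40 because an intrusion detection alert precedes its detection, while ws-31 stays at medium because its only firewall event falls outside the window, and ws-22, which has a firewall event but no detection, opens no incident at all. The sort step matters: without it the out-of-order first line would be reasoned about before the detection it belongs to.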

Risk Scenario Category 17: Industrial Action

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| HR policy | Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in doing so managing the risk that is linked to human behavior. |
| Vendor management policy | Define backup or emergency service delivery options. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. |
| APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. |
| APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. |
| APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans and into the enterprise, business and IT recruitment processes. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Head of HR | Responsible for establishing expectations from and about staff |
| Legal group | Support initial contracting and prosecution in case of breach of contract. |
| Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication |
| Business executives | Facilitating two-way communication with employees |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Transparent and participative culture is an important focus point. | To prevent industrial action from occurring |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Contract agreement with staff | Clear definition of responsibilities, rights and obligations for staff |
| Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with suppliers |
| Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. |
| Resource shortfall analysis | Clear analysis of critical level of resources |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Third-party backup services | Temporary support in case of industrial action |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| HR skills | Management of skills and competencies |
| Negotiation skills | Facilitate the maximal two-way communication and ensure that minimal operational requirements are met after industrial action. |
| Litigation skills | Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise. |

Risk Scenario Category 18: Environmental

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Social and environmental policy | Environmental awareness should be part of the overall enterprise policy on corporate responsibility. |
| Vendor management policy | Environmental awareness should be included in all contracts and agreements with vendors. |
| Rules of behavior (acceptable use) | Users should be made aware of their individual impact on the environment. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals. |
| APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. |
| BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. |
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Head of IT operations | Responsible for managing the IT environment and facilities |
| Head architect | Design of environmentally friendly measures |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| A clearly defined structure for ethical responsibility and a culture that promotes specific accountability is developed and supported. | People are involved and aware of the consequences of environmental issues and are empowered to handle them according to ethical guidelines. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| IT strategy | Environmental awareness should be part of the IT strategy. |
| Asset register | To assess the environmental impact of the technology in use |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Asset inventory | Helps identify assets that should be replaced to reduce environmental impact. |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Architecture development | Architectural development can assist in reducing the environmental impact of technology. |
| System development | Streamlining and optimizing the technology in use |

Risk Scenario Category 19: Acts of Nature

Principles, Policies and Frameworks Enabler

| Reference | Contribution to Response |
|---|---|
| Backup policy | Backups are available. |
| Business continuity and disaster recovery policy | Validate recoverability of data. |

Process Enabler

| Reference | Title | Governance and Management Practices |
|---|---|---|
| DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. |
| DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities. |
| DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. |

Organisational Structures Enabler

| Reference | Contribution to Response |
|---|---|
| Business continuity manager | Accountable for the business continuity plan (BCP) |
| Head of IT operations | Responsible for managing the IT environment and facilities |
| Chief information officer (CIO) | Responsible for developing and implementing disaster recovery plans |
| Business process owners | Responsible for developing and implementing business continuity plans |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response |
|---|---|
| Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. |
| Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programmes. | The business is committed and proactively contributes to the preparation of continuity plans. |

Information Enabler

| Reference | Contribution to Response |
|---|---|
| Insurance policy | Insurance in case of acts of nature is available. |
| Facilities assessments reports | The enterprise is aware of the state and risk of the facilities. |
| Incident response actions and communications | People are aware of how to react when an incident occurs. |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response |
|---|---|
| Monitoring and alert services | Timely notification of potential threats |

People, Skills and Competencies Enabler

| Reference | Contribution to Response |
|---|---|
| Information risk management | Identify and formulate the response to information risk related to acts of nature. |
| Technical understanding | Technical expertise regarding specific and relevant acts of nature |


Risk Scenario Category 20: Innovation

Principles, Policies and Frameworks Enabler (Reference: Contribution to Response)
IT strategy: Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise.
Process Enabler (Reference and title: Governance and management practice)
APO02.01 Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.03 Define the target IT capabilities: Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.
APO03.01 Develop the enterprise architecture vision: The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, application and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
APO04.01 Create an environment conducive to innovation: Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO04.02 Maintain an understanding of the enterprise environment: Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.
APO04.03 Monitor and scan the technology environment: Perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
APO04.04 Assess the potential of emerging technologies and innovation ideas: Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
APO04.05 Recommend appropriate further initiatives: Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support.
APO04.06 Monitor the implementation and use of innovation: Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.
Organisational Structures Enabler (Reference: Contribution to Response)
Chief executive officer (CEO): Accountable for creating the environment conducive to innovation
Strategy committee: Accountable for taking forward and monitoring favorable innovation initiatives
Chief information officer (CIO): Accountable for identifying technology-based innovations and for assessing their potential
Innovation group: Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives

Culture, Ethics and Behaviour Enabler (Reference: Contribution to Response)
Willingness to take risk: Innovation by definition is about new technologies and new ways of working, resulting in potential resistance and uncertain benefits. However, not having a willingness to take risk will exclude upfront any potential for innovation.
Support of senior management for innovation initiatives: Senior management support is required to fund the innovation initiatives and to support them in overcoming initial resistance.
"Failure is allowed": Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as part of the price to pay for successful initiatives.

Chapter 5
Using COBIT 5 Enablers to Mitigate IT Risk Scenarios

Risk Scenario Category 20: Innovation (cont.)


Information Enabler (Reference: Contribution to Response)
Innovation plan: Innovations are clearly laid out so they can be monitored and incorporated into the enterprise's strategic plans.
Recognition program: Innovation needs to be adequately rewarded, according to an agreed-on and formalized plan.
Evaluation of innovation initiatives: Formal evaluation of innovation initiatives facilitates executive decision making.

People, Skills and Competencies Enabler (Reference: Contribution to Response)
Leadership and communication: Clarify the rationale for the architecture and the potential consequences.
Architecture skills: Develop efficient and effective architecture aligned to the business requirements.

Chapter 6
Expressing and Describing Risk [6]
Preparation of a Risk Scenario Analysis
Risk scenarios can be used to describe risk and document the risk factors needed to estimate frequency and impact. Appendix 1
contains a generic template that has been developed to facilitate the documentation of information useful for treatment of the
risk scenario under analysis. Chapter 7 provides practical and detailed examples of risk scenarios, which are based on this
template. In total, there are 60 detailed risk scenario examples derived from the 20 risk scenario categories.

The template contains seven sections to document the following information:

• Risk Scenario Title

• Risk Scenario Category
High-level description of the scenario category. In total, there are 20 categories:
– 01 Portfolio establishment and maintenance
– 02 Programme/projects life cycle management
– 03 IT investment decision making
– 04 IT expertise and skills
– 05 Staff operations
– 06 Information
– 07 Architecture
– 08 Infrastructure
– 09 Software
– 10 Business ownership of IT
– 11 Suppliers
– 12 Regulatory compliance
– 13 Geopolitical
– 14 Infrastructure theft or destruction
– 15 Malware
– 16 Logical attacks
– 17 Industrial action
– 18 Environmental
– 19 Acts of nature
– 20 Innovation
• Risk Scenario
A detailed description of the practical risk/opportunity scenario, including a discussion of the potential negative and
positive outcomes.
• Risk Scenario Components
This section of the template clarifies the threat/vulnerability type of the detailed practical risk/opportunity scenario and
includes the following components:
– Threat Type
The nature of the event, e.g., malicious, accidental, an error, a failure of a well-defined process, a natural event, or an
external requirement.
– Actor
Who or what generates the threat that exploits a vulnerability. Actors can be internal to the enterprise or external,
human or nonhuman.
– Event
The event that will impact (positively or negatively) the achievement of the enterprise objectives. The event can be
disclosure (of confidential information), interruption or modification (of a system or a project), theft or destruction.
An event can also include ineffective design (of systems, processes, etc.), inappropriate use, changes in rules and
regulation that materially impact a system, or ineffective execution of processes, e.g., change management procedures,
acquisition procedures or project prioritization processes.

[6] Content in this chapter is based on the following publications: ISACA, COBIT® 5 (the framework), USA, 2012; ISACA, COBIT® 5 for Risk, USA, 2013; ISACA, The Risk IT Practitioner Guide, USA, 2009.


– Asset/Resource
An asset is something of either tangible or intangible value that is worth protecting, including people, systems,
infrastructure, finances and reputation. A resource is anything that helps to achieve a goal. An asset/resource can be:
. Process
. People and skills
. Organizational structure
. Physical infrastructure (facilities, equipment, etc.)
. IT infrastructure, including computing hardware, networks, middleware
. Information
. Applications
Assets and resources can be identical. For example, IT hardware is an important resource because IT applications use it,
and it is an asset because it has a value to the enterprise.
– Time issues
. Timing of occurrence (critical, noncritical—Does the event occur at a critical moment?)
. Duration (short, moderate, extended—The duration of the event, e.g., extended outage of a service or data center)
. Detection (slow, moderate, instant)
. Time lag (immediate, delayed—Lag between the event and the consequence. Is the consequence immediate, e.g., a network failure causing immediate downtime, or delayed, e.g., an incorrect IT architecture whose excess costs accumulate over a span of several years?)
• Risk Type
A description of the type(s) of risk that the scenarios derived from the generic scenario fit, using the three risk
types explained previously.

A “P” indicates a primary (higher degree) fit, and an “S” a secondary (lower degree) fit. Blank cells indicate that the risk
category is not relevant for the risk scenario at hand.
– IT Benefit/Value Enablement
Associated with opportunities, or missed opportunities, to use technology to improve efficiency or effectiveness of
business processes, or as an enabler for new business initiatives:
. Technology enabler for new business initiatives
. Technology enabler for efficient operations
– IT Programme and Project Delivery
Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and
programs as part of investment portfolios:
. Project quality
. Project relevance
. Project overrun
– IT Operations and Service Delivery
Associated with all aspects of the business as usual performance of IT systems and services, which can bring
destruction or reduction of value to the enterprise:
. IT service interruptions
. Security problems
. Compliance issues
• Risk Response
Description of how the enterprise will respond to the risk. The purpose of defining a risk response is to bring risk in line
with the defined risk appetite and tolerance for the enterprise. Risk response can be:
– Risk avoidance
– Risk acceptance
– Risk sharing/transfer
– Risk mitigation
• Risk Mitigation Using COBIT 5 Enablers
Description of how the enterprise will work to avoid the risk from materializing. For risk mitigation possibilities, see the
COBIT 5 enablers in chapter 5. Provide the following information:
– Reference, title and description of one or more relevant enablers that can help to mitigate the risk
– The estimated effect that implementing this enabler will have on the frequency and impact of the risk. Possible values
are low, medium or high.
– Based on the two parameters of frequency and impact, indicate whether or not this enabler is essential (a key
management practice to mitigate the risk). An enabler is considered essential if it has a high effect on reducing either
impact or frequency of the scenario.
• Key Risk Indicators
Identification of a number of metrics to detect and monitor the risk scenario and the risk response


Chapter 7 provides 60 detailed examples of risk scenario analysis, which are based on the template in appendix 1.

Important: The detailed scenario examples do not replace the creative and reflective phase that every scenario-creating
exercise should contain. In other words, an enterprise should not blindly use the example scenarios and assume that
no other risk scenarios are possible or assume that every scenario contained in the list is applicable to the enterprise.
Intelligence and experience are needed to derive a relevant and customised list of scenarios, starting from the generic list.

Risk Analysis Methods—Quantitative vs. Qualitative


As mentioned previously, risk analysis is the process of estimating the two essential properties of each risk scenario:
• Frequency—The number of times in a given period (usually in a year) that an event is likely to occur
• Impact—The business consequences of the scenario

Several methods for risk analysis exist, ranging between high-level and mostly qualitative to very detailed and/or
quantitative, with hybrid methods in between. Both forms may be needed at different stages of the risk management
process. For example, qualitative tends to be better at the initial risk assessment stage to establish priorities, and
quantitative can then provide the required rigour and accuracy for the selected high-risk areas.

The enterprise’s culture, resources, skills and knowledge of IT risk management, environment, risk appetite, and its
existing approach to ERM will determine which methodology should be used.

The different methods—quantitative and qualitative—have some common limitations:


• No method is fully objective, and results of risk assessments are always dependent on the person performing them and
his/her skills and views.
• IT-risk-related data (such as loss data and IT risk factors) are very often of poor quality or quite subjective (e.g.,
process maturity, control weaknesses). Using structures or models can help to achieve more objectivity and can
provide at least a basis for discussion in the risk analysis.
• Quantitative approaches run the risk of creating over-confidence in complex models based on insufficient data.
However, over-simplified qualitative or quantitative models can also result in unreliable results.

Qualitative Risk Analysis


A qualitative risk assessment approach uses expert opinions to estimate the frequency and business impact of adverse
events. The frequency and the magnitude of impact are estimated using qualitative labels. These labels can vary depending
on the circumstances and different environments.

When to use, strengths, limitations, and weaknesses:


• In situations where there is only limited or low-quality information available, qualitative risk analysis methods are
usually applied.
• The major disadvantages of using the qualitative approach are a high level of subjectivity, great variance in human
judgements and lack of standardised approach during the assessment.
• However, qualitative risk assessment is usually less complex than quantitative analysis, and consequently is also
less expensive.

Quantitative Risk Analysis


As soon as quantitative values (e.g., numeric ranges) are used to define the qualitative labels, or when only quantitative
values are used, the analysis is quantitative. The essence of quantitative risk assessment is to derive the frequency and
consequences of risk scenarios from statistical methods and data.

When to Use, Strengths, Limitations, Weaknesses:


• Quantitative risk analysis is more objective because it is based on formal empirical data.
• Using purely quantitative methods requires sufficient, complete and reliable data on past and comparable events.
Obtaining these data is in many cases very difficult unless the enterprise has already embraced process improvement
and follows an approach such as Six Sigma for IT monitoring and productivity improvement.
• Some things are very hard or impossible to quantify—value of human life, cost of terrorist attacks or similar events,
loss of reputation.


Combining Qualitative and Quantitative, Moving Toward Probabilistic Risk Assessment


Both techniques have some advantages and disadvantages. Furthermore, neither of the approaches described previously
seems to meet all the requirements for management of IT risk to extensively support the overall ERM processes.

Analysis based on subjective opinions or estimated data may be insufficient, and the question of uncertainty remains:
how certain can one be about the results of a risk assessment? Some advanced methods exist to increase the reliability of
risk assessments, but they require solid statistical skills. They include:
• Probabilistic risk assessment—A mathematical (statistical) model of the scenario is built using quantitative techniques
and principles, and the data that are missing to populate the model are collected with qualitative methods (interviews,
the Delphi method, etc.). Put simply, the structure of the assessment is quantitative and the gaps in the data are filled
by expert judgement.
• Monte Carlo simulation—A powerful method for combining the qualitative and quantitative approaches. It starts from a
deterministic model (one that yields a single value for a given set of inputs) and evaluates that model repeatedly, each
time drawing the uncertain inputs at random from the distributions assigned to them. Where the deterministic model
provides only the expected value, Monte Carlo simulation provides the result as a probability distribution, whose
reliability depends on the quality of the input information.

Practical Guidance on Analysing Risk


The choice between qualitative and quantitative risk analysis depends on many factors:
• User needs—Is there a need for highly accurate data or is a qualitative approach adequate?
• Availability and quality of the data related to IT-related risk
• Time available for risk analysis
• Level of comfort and expertise of those experts who are giving input
Statistical data may be available in varying quantities and quality, ranging on a continuous scale from almost non-existent
to widely available. At the higher end of the scale, i.e., when a wide choice of statistical data are available, a quantitative
assessment might be the preferred risk assessment method; at the other end of the scale, with very little, incomplete or
poor data, a qualitative assessment may be the only available solution. Hybrid risk assessment methods may be applied to
situations in between both extremes described here.

There are many sources of data that can be leveraged to support risk analysis. Some of these sources can exist already
in the enterprise; for example, business process improvement (BPI), project management office (PMO), enterprise
architecture (EA), quality control (QC) and other organisations that collect similar data to support their functions.

The following section of this chapter describes some suggested techniques. They are mostly qualitative and are the
ones most commonly used. Despite their inherently lower precision, they can provide very insightful and relevant data,
because they provide a model by which all risk can be measured and described using the same language and reference
base, eliminating the most notorious cases of subjectivity and ambiguity. For example:
• If a time frame is not specified in a scenario, then a conclusion that the likelihood of an event is ‘high’ may be
interpreted differently by different people. One person might assume that it is highly likely to occur this year, while
another person might assume that it means it is highly likely to happen eventually.
• If scales are not defined for loss magnitude, then one person’s subjective interpretation of ‘severe loss’ can be
significantly different from someone else’s interpretation.
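The Monte Carlo approach described earlier in this chapter and the point made in the two bullets above (a likelihood label needs a time frame, a loss label needs a defined scale) are easiest to see in code. The following Python block is an added example and is not part of the ISACA text. It models frequency as a Poisson count of events per year and per-event impact as a lognormal amount (constructed modelling choices; the book prescribes neither), compares the single annualised loss expectancy a deterministic model gives with the distribution the simulation gives, and then rates the result against frequency and loss bands whose time frame (one year) and numeric boundaries are stated explicitly. The scenario parameters, the band boundaries and all function names are assumptions made for illustration.

```python
"""
Added example (not part of the ISACA text): Monte Carlo estimate of the annual
loss distribution of one risk scenario, compared with the single expected value
a deterministic model gives, then rated against explicitly defined scales.

Frequency: Poisson count of events per year. Per-event impact: lognormal amount.
All parameters, band boundaries and the scenario itself are constructed.
"""
import math
import random

Z90 = 1.2815515655446004  # standard normal quantile for probability 0.90


def poisson_sample(rng, lam):
    """Draw one Poisson(lam) count (Knuth's multiplication method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def lognormal_params(median, p90):
    """Turn two expert estimates (median loss and 90th-percentile loss of a
    single event) into the (mu, sigma) of a lognormal distribution."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def deterministic_ale(lam, median, p90):
    """Deterministic model: annualised loss expectancy = frequency x mean impact."""
    mu, sigma = lognormal_params(median, p90)
    return lam * math.exp(mu + sigma ** 2 / 2)


def simulate_annual_losses(lam, median, p90, years=20000, seed=7):
    """Monte Carlo: each iteration is one simulated year. Draw the number of
    events, then an impact for every event; return the list of annual losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(median, p90)
    losses = []
    for _ in range(years):
        n_events = poisson_sample(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def percentile(values, q):
    """Nearest-rank percentile of an unsorted list, 0 < q < 1."""
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


# Constructed scales. The time frame (one year) and the boundaries are explicit,
# so "occasional" or "medium" means the same thing to every reader.
FREQUENCY_BANDS = [(0.1, "rare"), (1.0, "occasional"), (math.inf, "frequent")]  # events per year
LOSS_BANDS = [(100_000, "low"), (1_000_000, "medium"), (math.inf, "high")]  # loss per year


def band(value, bands):
    """Map a number onto the first band whose upper boundary it is below."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def assess(lam, median, p90, years=20000, seed=7):
    """Run the simulation and return the figures a risk register would record."""
    losses = simulate_annual_losses(lam, median, p90, years, seed)
    p90_loss = percentile(losses, 0.90)
    return {
        "frequency_label": band(lam, FREQUENCY_BANDS),
        "deterministic_ale": deterministic_ale(lam, median, p90),
        "simulated_mean": sum(losses) / len(losses),
        "p50": percentile(losses, 0.50),
        "p90": p90_loss,
        "p95": percentile(losses, 0.95),
        # rate impact on the 90th-percentile annual loss, not on the mean
        "impact_label": band(p90_loss, LOSS_BANDS),
    }


if __name__ == "__main__":
    # Constructed scenario: about one loss event every two years, median impact
    # of 200 000 per event, one-in-ten chance that a single event exceeds 800 000.
    result = assess(lam=0.5, median=200_000, p90=800_000)
    for key, value in result.items():
        print(f"{key:>18}: {value:,.0f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

Two things the prose alone does not show: with a frequency of 0.5 events per year the median simulated annual loss is zero (most years see no event) while the expected value is roughly 180 000, so a register that records only the expected value hides the shape of the risk; and because the scales carry a time frame and numeric boundaries, the labels the function returns cannot be read two different ways by two different people.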

Expressing Impact in Business Terms


Meaningful IT risk assessments and risk-based decisions require that IT risk be expressed in unambiguous and clear
business-relevant terms. Effective risk management requires mutual understanding between IT and the business over
which risk needs to be managed and why. All stakeholders must have the ability to understand and express how adverse
events may affect business objectives. This means that:
• An IT person should understand how IT-related failures or events can impact enterprise objectives and cause direct or
indirect loss to the enterprise.
• A business person should understand how IT-related failure or events can affect key services and/or processes.

The link between IT risk scenarios and ultimate business impact needs to be established to understand the effects of
adverse events. Several techniques and options exist that can help the enterprise to describe IT risk in business terms,
and there is no right or wrong option. One has to choose the option that fits best with the enterprise and complement this
scheme with a range of scales to quantify the risk during risk analysis.

IT-related risk can be translated/expressed into business relevant terms, but a prescription for any single method does not
exist. Some available methods are discussed in the following sections.


The following considerations need to be made, irrespective of the choice of impact description method:
• Define impact scales that are linked to the chosen impact description method so that they are clear and unambiguous
for everyone and truly represent business objectives.
• Ensure that the chosen method and scales allow for the risk appetite to be easily defined, e.g., the acceptable and
unacceptable risk, in the same terms, across the enterprise.
• Ensure that IT-related scenarios are clearly mapped to the business impact descriptions. This means that dependencies
between events (e.g., hardware failure) and ultimate business impact and consequence (e.g., customers cannot place
orders, resulting in customer dissatisfaction) need to be mapped and included in every risk analysis.

Business Requirements for Information


Business requirements for information allow for the expression of business aspects related to the use of IT. They
express a condition to which information (in the widest sense), as provided through IT, must conform for it to be
beneficial to the enterprise.

Business requirements for information are:


• Effectiveness—Information is effective if it meets the needs of the information consumer who uses the information
for a specific task. If the information consumer can perform the task with the information, then the information
is effective. This corresponds to the following information quality goals: appropriate amount, relevance,
understandability, interpretability, objectivity.
• Efficiency—Whereas effectiveness considers the information as a product, efficiency relates more to the process
of obtaining and using information, so it aligns to the ‘information as a service’ view. If information that meets the
needs of the information consumer is obtained and used in an easy way (i.e., it takes few resources—physical effort,
cognitive effort, time, money), then the use of information is efficient. This corresponds to the following information
quality goals: believability, accessibility, ease of operation, reputation.
• Confidentiality—Confidentiality corresponds to the restricted access information quality goal.
• Integrity—If information has integrity, then it is free of error and complete. It corresponds to the following
information quality goals: completeness, accuracy.
• Availability—Availability is one of the information quality goals under the accessibility and security heading.
• Compliance—Compliance in the sense that information must conform to specifications is covered by any of
the information quality goals, depending on the requirements. Compliance to regulations is most often a goal or
requirement of the use of the information, not so much an inherent quality of information.
• Reliability—Reliability is often seen as a synonym of accuracy; however, it can also be said that information is
reliable if it is regarded as true and credible. Compared to integrity, reliability is more subjective, more related to
perception, and not just factual. It corresponds to the following information quality goals: believability,
reputation, objectivity.

The business impact of any IT-related event lies in the consequence of not achieving the information criteria. By describing
impact in these terms, this remains a sort of intermediate technique, not fully describing the business impact, e.g., impact
on customers or in financial terms.

COBIT 5 Enterprise Goals and Balanced Scorecard


A further technique is based on the ‘enterprise goals’ concept of COBIT 5 (figure 15). Indeed, business risk lies in any
combination of those enterprise goals not being achieved. The COBIT 5 enterprise goals are structured in line with the
four classic balanced scorecard (BSC) perspectives: financial, customer, internal and growth.

COBIT 5 defines 17 generic enterprise goals. Figure 15 includes the following information:
• The BSC dimension under which the enterprise goal fits
• The enterprise goal description
• The relationship to the three main governance objectives—benefits realisation, risk optimisation and resource
optimisation. (‘P’ stands for primary relationship and greater impact on achievement and ‘S’ for secondary relationship
and less impact on achievement).

For practical purposes, one can imagine that for each enterprise goal, a translation is possible to express the
non-achievement of the goal in terms of its impact on the overall business.


Figure 15—Enterprise Goals

The last three columns give the relation to the governance objectives (P = primary, S = secondary; blank cells in the original are shown as "-").

BSC Dimension       | Enterprise Goal                                       | Benefits Realisation | Risk Optimisation | Resource Optimisation
Financial           | 1. Stakeholder value of business investments          | P | - | S
Financial           | 2. Portfolio of competitive products and services     | P | P | S
Financial           | 3. Managed business risk (safeguarding of assets)     | - | P | S
Financial           | 4. Compliance with external laws and regulations      | - | P | -
Financial           | 5. Financial transparency                             | P | S | S
Customer            | 6. Customer-oriented service culture                  | P | - | S
Customer            | 7. Business service continuity and availability       | - | P | -
Customer            | 8. Agile responses to a changing business environment | P | - | S
Customer            | 9. Information-based strategic decision making        | P | P | P
Customer            | 10. Optimisation of service delivery costs            | P | - | P
Internal            | 11. Optimisation of business process functionality    | P | - | P
Internal            | 12. Optimisation of business process costs            | P | - | P
Internal            | 13. Managed business change programmes                | P | P | S
Internal            | 14. Operational and staff productivity                | P | - | P
Internal            | 15. Compliance with internal policies                 | - | P | -
Learning and Growth | 16. Skilled and motivated people                      | S | P | P
Learning and Growth | 17. Product and business innovation culture           | P | - | -
Source: COBIT® 5 (the framework), ISACA, USA, 2012, figure 5

Extended Balanced Scorecard Criteria


A variant of the approach described in the previous paragraphs goes one step further, linking the BSC dimensions to a
limited set of more tangible criteria. The following criteria are often observed to be used for this purpose:
• Financial
– Share value
– Profit
– Revenue
– Cost of capital
• Customer
– Market share
– Customer satisfaction
– Customer service
• Internal
– Regulatory compliance
• Growth
– Competitive advantage
– Reputation

This set of criteria can be used selectively, and the user should be aware that there are still cause-effect relationships
included in this table (e.g., customer [dis]satisfaction can impact competitive advantage and/or market share). Usually a
subset of these criteria is used to express risk in business terms.

Westerman 4 ‘A’s—An Alternative Approach to Express Business Impact [7]


Another means of expressing IT risk into business terms is based on the 4A framework. This defines IT risk as the
potential for an unplanned event involving IT to threaten any of four interrelated enterprise objectives:
• Agility—Possess the capability to change with managed cost and speed.
• Accuracy—Provide correct, timely and complete information that meets the requirements of management, staff,
customers, suppliers and regulators.
• Access—Ensure appropriate access to data and systems, so that the right people have the access they need and wrong
people do not.
• Availability—Keep the systems (and their business processes) running, and recover from interruptions.

[7] Westerman, G.; Hunter, R.; IT Risk: Turning Business Threats Into Competitive Advantage, Harvard Business School Press, USA, 2007


COSO ERM
The Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management (COSO ERM)—
Integrated Framework lists the following criteria to express business impact [8]:
• Strategic—High-level goals, aligned with and supporting the enterprise mission. Strategic objectives reflect
management’s choice as to how the enterprise will seek to create value for its stakeholders.
• Operations—These pertain to the effectiveness and efficiency of the enterprise’s operations, including performance
and profitability goals and safeguarding resources against loss.
• Reporting—These pertain to the reliability of reporting. They include internal and external reporting and may involve
financial and non-financial information.
• Compliance—These pertain to adherence to relevant laws and regulations.

FAIR (Factor Analysis of Information Risk) [9]


The FAIR method is security-oriented in origin, but the impact criteria apply to all IT-related risk. The criteria used here are:
• Productivity—The reduction in an enterprise’s ability to generate its primary value proposition (e.g., income,
goods, services)
• Responses—Expenses associated with managing a loss event (e.g., internal or external person-hours, logistical expenses)
• Replacement—The intrinsic value of an asset, typically represented as the capital expense associated with replacing
lost or damaged assets
• Competitive advantage—Losses associated with diminished competitive advantage
• Legal—Legal or regulatory actions levied against an enterprise
• Reputation—Losses associated with an external perception that an enterprise’s value proposition is reduced or
leadership is incompetent, criminal or unethical

Example COBIT 5 Enterprise Goals


Because there are multiple options for expressing IT risk in business terms, and there is no right or wrong option, one has
to choose the option that fits best with the enterprise and complement this scheme with a range of scales to quantify the
risk during risk analysis.

The following example demonstrates how COBIT 5 Enterprise goals can be used to achieve the link between the ‘atomic’
IT scenario and enterprise goals, i.e., how this scenario can jeopardise one or several enterprise goals:
• Impact is expressed in business-relevant terms, using the words of the ‘enterprise goals’ as used in COBIT 5. For
example, the enterprise, running an online travel business, has as its major enterprise goals: ‘Customer-oriented
service culture’ and ‘Business service continuity and availability’.
• The COBIT 5 framework cascades the enterprise goals to IT-related goals (how the goals of the IT department support
the achievement of the enterprise goals), and this link can also be read in the other direction: Not achieving an
IT-related goal might have a negative impact on the achievement of an enterprise goal. In the example, the ‘Business
service continuity and availability’ enterprise goal implies that IT pays importance to some specific IT-related goals,
e.g., alignment of IT and business strategy, managed IT-related business risk, delivery of IT services in line with
business requirements, adequate use of applications, information and technology solutions.
• This cascade is continued down to the IT process level and IT management practice level, using the same principle
that not achieving a ‘lower-level’ goal will jeopardise the achievement of the ‘higher-level’ goal. The IT goals set in
the example would require a number of IT processes to be excellent, including COBIT 5 processes APO09 Manage
Service Agreements, APO11 Manage Quality, BAI02 Manage Requirements Definition, BAI04 Manage Availability
and Capacity and some others. This in turn requires the activities (as described in the process model for each COBIT 5
IT process) to be executed well.
• When analysing IT-related risk scenarios, each scenario can be linked to one or more IT processes, e.g., if the process
does not perform, the frequency and/or impact of the scenario will increase (refer also to Capability Risk Factors in the
Risk Factors section). Applying this cascade backwards, it is possible to trace all potential impact paths that an event
can have on business goals, and to use this information in risk analyses. In the example, this means that any disruption of
the mentioned IT processes, e.g., lack of project management (BAI01), inadequate software testing (BAI06), or poor
third-party relationship management or service level management (APO09 and APO10), can have a negative impact
on the achievement of the stated service-oriented enterprise goals. Conversely, when these processes are mature and
actually performed, the enterprise is in good shape to achieve the stated enterprise goals.
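The backwards reading of the cascade described above, as an added example that is not part of the ISACA publication: a small directed graph built from the online-travel example (the processes, IT-related goals and enterprise goals named in the text) and a walk that enumerates every impact path from a non-performing process up to the enterprise goals it can jeopardise. The individual process-to-goal edges are constructed here for illustration and are not COBIT 5's official mapping tables.

```python
"""Tracing the COBIT 5 goals cascade backwards from a failing process.

Added example, not taken from the ISACA publication. The cascade runs
enterprise goal -> IT-related goal -> process; read in reverse, a process
that does not perform can jeopardise every enterprise goal reachable from
it. The edges below are constructed for illustration from the online-travel
example in the text and are not COBIT 5's official mapping tables.
"""
from collections import defaultdict

# Constructed cascade: each key "supports" the goals listed for it.
# Layer 1: COBIT 5 processes named in the text -> IT-related goals.
# Layer 2: IT-related goals -> enterprise goals of the example enterprise.
SUPPORTS = {
    "APO09 Manage Service Agreements": [
        "Delivery of IT services in line with business requirements",
    ],
    "APO11 Manage Quality": [
        "Adequate use of applications, information and technology solutions",
    ],
    "BAI02 Manage Requirements Definition": [
        "Alignment of IT and business strategy",
        "Adequate use of applications, information and technology solutions",
    ],
    "BAI04 Manage Availability and Capacity": [
        "Managed IT-related business risk",
        "Delivery of IT services in line with business requirements",
    ],
    "Alignment of IT and business strategy": [
        "Customer-oriented service culture",
        "Business service continuity and availability",
    ],
    "Managed IT-related business risk": [
        "Business service continuity and availability",
    ],
    "Delivery of IT services in line with business requirements": [
        "Customer-oriented service culture",
        "Business service continuity and availability",
    ],
    "Adequate use of applications, information and technology solutions": [
        "Business service continuity and availability",
    ],
}

# The two major enterprise goals of the example enterprise.
ENTERPRISE_GOALS = {
    "Customer-oriented service culture",
    "Business service continuity and availability",
}


def impact_paths(start, supports=SUPPORTS, goals=ENTERPRISE_GOALS):
    """Enumerate every path from `start` up to an enterprise goal.

    Depth-first walk of the cascade; each path is a tuple of node names
    ending in an enterprise goal. A node with no outgoing edges that is not
    an enterprise goal contributes nothing (a dead end in the cascade), and
    an unknown start node yields an empty list.
    """
    paths = []

    def walk(node, trail):
        if node in goals:
            paths.append(tuple(trail))
            return
        for nxt in supports.get(node, ()):
            if nxt in trail:  # guard against malformed (cyclic) input
                continue
            walk(nxt, trail + [nxt])

    walk(start, [start])
    return paths


def jeopardised_goals(failing_processes, supports=SUPPORTS, goals=ENTERPRISE_GOALS):
    """Map each enterprise goal to the failing processes that can reach it.

    This is the 'backwards' reading of the cascade: the answer to 'which
    enterprise goals does this risk scenario put at stake?'.
    """
    hit = defaultdict(set)
    for proc in failing_processes:
        for path in impact_paths(proc, supports, goals):
            hit[path[-1]].add(proc)
    return {goal: sorted(procs) for goal, procs in hit.items()}


if __name__ == "__main__":
    for path in impact_paths("BAI04 Manage Availability and Capacity"):
        print(" -> ".join(path))
    print(jeopardised_goals(["APO11 Manage Quality",
                             "BAI04 Manage Availability and Capacity"]))
```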

8 Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO); COSO Enterprise Risk Management Framework, USA, 2004, www.coso.org
9 Jones, Jack A., An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight LLC, 2005

Expressing Frequency
Some risk management methods use the terms ‘likelihood’ or ‘frequency’. In Risk Scenarios Using COBIT 5 for Risk, the
term ‘probability’ is preferred, indicating a quantitative measure such as a percentage, frequency of occurrence, or other
numerical metric.

Figure 16 proposes a scheme that can be used for expressing the probability of risk scenarios occurring. The example
uses a 0 to 5 scale, with a probability threshold associated with each scale value. In the example, a logarithmic scale has
been used for probability although, in many cases, this is not mandatory; linear scales can be used as well. Alternatively,
an index scale can be used. Probability is then translated into a number from 0 to 100, e.g., based on a logarithmic scale or
any other sort of scale. The choice for either method depends on how the results of the risk analysis will be presented,
e.g., in a risk matrix. In figure 16, a risk scenario that is estimated to occur five times in a year gets the score of 3.

Figure 16—Probability Rating

Frequency Rating | Times Occurring per Year
5 | 100
4 | 10
3 | 1
2 | 0.1
1 | 0.01
0 | 0.001
Source: The Risk IT Practitioner Guide, ISACA, USA, 2009, figure 25

Some enterprises prefer a three-level scale instead of a five-level scale. The advantage of such a scale is that analyses will
go faster and might look a bit easier; however, there is a loss of precision, and using a three-level scale has a tendency to
create a lot of ‘middle’ values because of people being averse to creating extreme cases, leading to even more inaccuracies.

Some enterprises assign labels, e.g., ‘very frequent’, ‘frequent’, ‘infrequent’, ‘rare’, to the scales mentioned in figure 16.
The use of only these labels as means of expressing frequency is not advisable because they can mean different things for
different risk scenarios and consequently can generate confusion. For example, an attempt for network intrusion through
the firewall might happen hundreds of times per day, which may be considered ‘average’; an ‘average’ frequency of a hardware
failure (e.g., disk crash) might be once every two or three years. So the word ‘average’ means different frequencies for two
different scenarios and, hence, is not well suited as an objective and unambiguous indicator of frequency.
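The figure 16 scheme and the point about ambiguous labels, as an added example that is not part of the ISACA publication: the 0 to 5 logarithmic rating (five occurrences a year rate 3, as the text says), an assumed 0 to 100 index variant on the same logarithmic axis, and constructed helpers that put ‘hundreds of times per day’ and ‘once every two or three years’ on one scale.

```python
"""Expressing frequency on the figure 16 probability rating scale.

Added example, not part of the ISACA publication. It implements the 0-5
logarithmic rating of figure 16 (100/yr -> 5 ... 0.001/yr -> 0): a scenario
receives the highest rating whose threshold its annual frequency reaches,
so five occurrences a year rate 3. The 0-100 index variant and the unit
conversion helpers are assumptions added here.
"""
import math

# Figure 16: rating -> minimum times occurring per year.
FIGURE_16 = {5: 100.0, 4: 10.0, 3: 1.0, 2: 0.1, 1: 0.01, 0: 0.001}

# Assumed conversion factors for turning everyday statements into per-year.
PERIODS_PER_YEAR = {"day": 365.0, "week": 52.0, "month": 12.0, "year": 1.0}


def annual_frequency(times, per):
    """'times per day/week/month/year' -> occurrences per year."""
    return times * PERIODS_PER_YEAR[per]


def once_every(years):
    """'once every N years' -> occurrences per year."""
    if years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years


def frequency_rating(per_year):
    """Figure 16 rating (0..5) for an annual frequency.

    Walks the thresholds from the top, so intermediate values round down
    to the threshold already reached; anything below 0.001/yr (including
    a frequency of 0) rates 0 and anything at or above 100/yr is capped
    at 5. Thresholds are compared directly rather than via log10 so that
    exact boundary values are never mis-rated by floating-point error.
    """
    if per_year < 0:
        raise ValueError("frequency cannot be negative")
    for rating in sorted(FIGURE_16, reverse=True):
        if per_year >= FIGURE_16[rating]:
            return rating
    return 0


def probability_index(per_year):
    """Assumed 0-100 index on the same logarithmic axis.

    The five decades between 0.001/yr and 100/yr are spread linearly over
    0..100 (20 points per decade), which keeps the ordering of the 0-5
    scale while preserving the difference between, say, 2/yr and 9/yr,
    which both collapse to rating 3 in figure 16.
    """
    if per_year <= 0:
        return 0
    position = (math.log10(per_year) + 3.0) / 5.0  # 0.0 at 0.001/yr, 1.0 at 100/yr
    return round(100 * min(1.0, max(0.0, position)))


def rate_scenarios(scenarios):
    """Rate a set of {scenario: occurrences per year} on the 0-5 scale."""
    return {name: frequency_rating(freq) for name, freq in scenarios.items()}


# Constructed sample: the two scenarios the text contrasts, both of which an
# owner might loosely label 'average'. They land three rating steps apart.
SAMPLE_SCENARIOS = {
    "network intrusion attempts blocked at the firewall": annual_frequency(300, "day"),
    "hardware failure (disk crash)": once_every(2.5),
}

if __name__ == "__main__":
    for name, freq in SAMPLE_SCENARIOS.items():
        print(f"{name}: {freq:g}/yr -> rating {frequency_rating(freq)}, "
              f"index {probability_index(freq)}")
```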

Risk Scenarios in Risk Response (Reduction)


Risk Response Workflow and Risk Response Options
The purpose of defining a risk response is to bring risk in line with the defined risk appetite for the enterprise. In other
words, a response needs to be defined such that as much future residual risk (current risk with the risk response defined
and implemented) as possible (usually depending on budgets available) falls within risk tolerance limits. The full risk
response workflow is depicted in figure 17.

This risk response evaluation is not a one-time effort; rather, it is part of the risk management process cycle. When risk
analysis of all identified risk scenarios, after weighing risk against potential return, has shown that risk is not aligned with the
defined risk appetite and tolerance levels, a response is required. This response can be any of the four possible responses
explained in the following sub-sections.

Risk Avoidance
Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk
response is adequate. This is the case when:
• There is no other cost-effective response that can succeed in reducing the frequency and impact below the defined
thresholds for risk appetite.
• The risk cannot be shared or transferred.
• The exposure level is deemed unacceptable by management.
Some IT-related examples of risk avoidance may include:
• Relocating a data centre away from a region with significant natural hazards
• Declining to engage in a very large project when the business case shows a notable risk of failure
• Declining to engage in a project that would build on obsolete and convoluted systems because there is no acceptable
degree of confidence that the project will deliver anything workable
• Deciding not to use a certain technology or software package because it would prevent future expansion

Figure 17—Risk Response Workflow (diagram; only its labels are reproduced here)

Risk Scenarios → Risk Analysis → Risk Map → Risk Exceeding Risk Appetite → Select Risk Response Options.
Risk Response Options: Mitigate, Avoid, Share/Transfer, Accept.
Risk Response Parameters: Efficiency of Response, Exposure, Response Effectiveness, Implementation Capability.
Risk Responses → Prioritise Risk Responses → Risk Action Plan with Prioritised Risk Responses.
Risk Response Prioritisation (by Current Risk Level and Benefit/Cost Ratio): High Priority, Normal Priority, Low Priority.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 42

Risk Acceptance
Acceptance means that exposure to loss is recognised but no action is taken relative to a particular risk, and loss is accepted
when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed
decision has been made by management to accept it as such (e.g., when cost of remediation outweighs the risk).

If an enterprise adopts a risk acceptance stance, it should carefully consider who can accept the risk—even more so with
IT risk. IT risk should be accepted only by business management (and business process owners), in collaboration with and
supported by IT, and acceptance should be communicated (i.e., documented) to senior management and the board (refer
to EDM03.02 detailed activities 5.3 and 5.4).

Some examples of risk acceptance may include:


• There may be a risk that a certain project will not deliver the required business functionality by the planned delivery
date. Management may decide to accept the risk and proceed with the project.
• If a particular risk is assessed to be extremely rare but very important (catastrophic) and approaches to reduce it are
prohibitive, management may decide to accept it.

Self-insurance is another form of risk acceptance, although this manages only magnitude of the loss and has no
impact on frequency.

Risk Sharing/Transfer
Sharing means reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common
techniques include insurance and outsourcing. Examples include taking out insurance coverage for IT-related incidents,
outsourcing part of the IT activities, or sharing IT project risk with the provider through fixed-price arrangements or
shared-investment arrangements. In both a physical and legal sense these techniques do not relieve an enterprise of the
risk ownership, but can involve the skills of another party in managing the risk and reduce the financial consequence
if an adverse event occurs. Also from a reputation point of view, risk transfer or sharing does not transfer ownership or
accountability over risk.

Some IT-related examples of risk sharing or transfer may include:


• A large organisation identified and assessed the risk of fire to its infrastructure across diverse geographic regions
and assessed the cost of sharing the impact of its risk through insurance coverage. It concluded that, because of the
location of its sites, the incremental cost of insurance and related deductibles was not prohibitive, and insurance
coverage was taken.
• In a major IT-related investment, project risk may be shared by outsourcing the development to an outsourcer for a
fixed price on a risk/reward basis.
• Some enterprises outsource some or all of their IT function to hosting enterprises and contractually share a portion of
the risk.
• Where application hosting is outsourced, the organisation always remains accountable for protecting client privacy, but
if the outsourcer is negligent and a breach occurs, risk (financial impact) might at least be shared with the outsourcer.

Other techniques contributing to risk sharing include:


• Large enterprises with multiple legal entities, where IT risk can be transferred to other divisions within the enterprise
(reinsurance is a common example)
• Statement on Standards for Attestation Engagements No. 16 (SSAE16) reporting, which allows a service organisation
to transfer a portion of a risk back to the client through the user control considerations section of the report

Risk Mitigation
Risk mitigation means that mitigating action is taken to reduce the frequency and/or impact of a risk. The most common
ways of mitigating risk include:
• Strengthening overall IT risk management practices, i.e., implementing sufficiently mature IT risk management processes
as defined by the COBIT 5 framework
• Introducing a number of control measures intended to reduce the frequency of an adverse event happening and/or
the business impact of an event, should it happen. In the context of risk management, controls are the measures
employed to mitigate a risk, e.g., policies, procedures and practices, structures, information flows, etc. The COBIT 5 set of
interconnected enablers provides a comprehensive set of controls that can be implemented. For any given risk scenario
that would exceed risk appetite, it is possible to identify a set of COBIT 5 enablers (processes, organisational
structures, behaviours, etc.) that can mitigate the scenario. For a comprehensive list of controls (expressed as
COBIT 5 enablers) that can mitigate the example generic risk scenarios defined in chapter 4, refer
to chapter 5.
• Mitigating risk by other means or methods, e.g., the well-known IT management frameworks
and standards that can assist

Chapter 7
Risk Scenario Analysis Examples
This chapter contains 60 detailed risk scenario analysis examples that have been prepared using the generic risk scenario
categories and possible outcomes described in figure 14 in chapter 4. The template described in chapter 6 has been used
to conduct the analysis of each risk scenario, and the list of COBIT 5 enablers described in chapter 5 has been used to
complete the risk mitigation section.

How to Read Risk Scenario Analysis


Risk Scenario Title—This is the unique and specific name for the risk scenario analysis example.
Risk Scenario Category—This is a reference to one of the 20 risk scenario categories described in figure 14, chapter 4.
Risk Scenario Reference12—This is a number composed of the risk scenario category number and the risk
scenario reference number. For example, Risk Scenario Reference 0101 indicates that this particular analysis applies to:

Risk scenario category 01: “Portfolio establishment and maintenance”
Risk scenario reference 0101*:
  Negative outcome: “Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities.”
  Positive outcome: “Programmes lead to successful new business initiatives selected for execution.”

*Please note that there is not one example for every risk scenario reference within a risk scenario category; therefore, the
numbers are not sequential.

Risk Scenario—The examples used in this section are comprehensive versions of the generic positive or negative risk
scenarios described in figure 14. These examples have been prepared with more details to add context to the scenario and
help risk professionals explain risk in business terms.
Risk Scenario Components—This section provides examples of the information needed to calculate impact and
frequency and prepare possible risk responses (for detailed descriptions of the different sections in the risk scenario
analysis refer to chapter 6).
• Threat Type
• Actor
• Event
• Asset/Resource (Cause)
• Asset/Resource (Effect)
• Time issues
Risk Type—This describes the relationship between the risk scenario and the three different types of risk described in
COBIT 5 for Risk and chapter 2 of this publication (figure 4).
Possible Risk Responses—These are examples of risk responses that can be used to address the risk scenario.
Risk Mitigation Using COBIT 5 Enablers—This section offers a list of enablers that can be used to mitigate risk
impact or frequency.
Key Risk Indicators—This section offers a list of KRIs that have been defined for the IT goals that can be impacted by
the risk scenario, and KRIs defined for the Process enabler included in the risk mitigation section. (The complete list of
KRIs for IT goals can be found in the COBIT 5 framework, and the complete list of KRIs for the Process enabler can be
found in COBIT 5: Enabling Processes.)

12 Risk scenario reference is used in the examples provided in this publication, but it is not included in the template. If necessary, the person preparing the risk scenario analysis can include this section to specify risk scenario category and reference.

01 Portfolio Establishment and Maintenance


0101 Selected programs are not optimizing business benefits

Risk Scenario Title: Selected programs are not optimizing business benefits
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0101
Risk Scenario
The individual accountable for the selection of programs (chief executive officer [CEO]) made a questionable decision when selecting programs to fund.
The decision was driven by unclear and biased information that was provided by one of the key stakeholders and the internal and external auditors who
put a focus on fostering security controls and formalizing processes rather than supporting business growth.
Risk Scenario Components
Threat Type
The nature of the event is a failure in the decision-making process to take into account all stakeholder requirements and the ineffective prioritization of
these requirements.
Actor
The actor who generates the threat that exploits a vulnerability is internal—the CEO.
Event
The event is the ineffective execution of the program selection process.
Asset/Resource (Cause)
The resource that leads to the business impact is the program selection process.
Asset/Resource (Effect)
The resources that are affected are various business processes.
Time
The duration of the event is extended: business growth goes unsupported over a long period. The timing of occurrence is noncritical. The event cannot immediately be
detected, and, therefore, detection is slow. The consequence is delayed because the selected programs will be implemented over a longer time span.
Risk Type (P = primary, S = secondary)
• IT Benefit/Value Enablement (P): The allocation of priorities leads to the assignment of resources to strengthen the security of existing systems, and key resources are not available for developing new services supporting business growth. Consequently, new business initiatives are not initiated.
• IT Programme and Project Delivery (P): Ongoing projects need to be rescheduled due to the lack of resources.
• IT Operations and Service Delivery (S): Security problems of (unimportant) services are being addressed.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The CEO is aware of the misalignment and accepts the impacts.
• Risk Sharing/Transfer: The enterprise requests third-party service providers to reevaluate contracts and adjust timelines and resources without
additional cost.
• Risk Mitigation: Reprioritization of ongoing projects to optimize business benefit


Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Program/project management policy: To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. (Frequency: High; Impact: Medium; Essential control: YES)

Process Enabler
Columns: Reference; Title; Governance and Management Practices; Effect on Frequency; Effect on Impact; Essential Control
• EDM01.01 Evaluate the governance system: Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements and make a judgment on the current and future design of governance of enterprise IT. (Frequency: High; Impact: High; Essential control: YES)
• EDM01.02 Direct the governance system: Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. (Frequency: High; Impact: High; Essential control: YES)
• EDM01.03 Monitor the governance system: Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. (Frequency: High; Impact: High; Essential control: YES)
• EDM02.01 Evaluate value optimization: Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. (Frequency: High; Impact: High; Essential control: YES)
• EDM02.02 Direct value optimization: Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. (Frequency: High; Impact: High; Essential control: YES)
• EDM02.03 Monitor value optimization: Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions. (Frequency: High; Impact: High; Essential control: YES)
• APO05.01 Establish the target investment mix: Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.03 Evaluate and select programs to fund: Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.04 Monitor, optimize and report on investment portfolio performance: On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. (Frequency: Medium; Impact: Medium; Essential control: NO)

Process Enabler (cont.)
Columns: Reference; Title; Governance and Management Practices; Effect on Frequency; Effect on Impact; Essential Control
• APO05.05 Maintain portfolios: Maintain portfolios of investment programs and projects, IT services and IT assets. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.06 Manage benefits achievement: Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. (Frequency: Medium; Impact: Medium; Essential control: NO)

Organisational Structures Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Chief financial officer (CFO): Help with alignment of strategy and priorities, overall view on programs. (Frequency: High; Impact: Medium; Essential control: YES)

Culture, Ethics and Behaviour Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Program selection includes data-driven decisions: Decisions should be objective, nonbiased and based on supported information. (Frequency: Medium; Impact: Medium; Essential control: NO)
• Stakeholder engagement: The full range of success factors will be taken into account when selecting programs. (Frequency: High; Impact: Medium; Essential control: YES)
• Focus on enterprise objectives: Ensure alignment with corporate strategy and priorities. (Frequency: High; Impact: Medium; Essential control: YES)

Information Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Program business case: Improves the visibility of the relative value of programs (compared to each other). (Frequency: High; Impact: Medium; Essential control: YES)
• Defined investment mix: Improves the visibility of the relative value of programs (compared to each other). (Frequency: High; Impact: Medium; Essential control: YES)

Services, Infrastructure and Applications Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Portfolio management tools: Decreases complexity and increases overview on programs and projects. (Frequency: Medium; Impact: Low; Essential control: NO)

People, Skills and Competencies Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Business requirements analysis: Transparency on enterprise strategy, related business requirements and priorities. (Frequency: High; Impact: Medium; Essential control: YES)
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (13) Number of programmes needing significant rework due to quality defects
• (17) Level of business executive awareness and understanding of IT innovation possibilities
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (EDM02) Level of stakeholder satisfaction with the enterprise’s ability to obtain value from IT-enabled initiatives
• (EDM02) Percentage of IT initiatives in the overall portfolio where value is being managed through the full life cycle
• (EDM02) Level of stakeholder satisfaction with progress towards identified goals, with value delivery based on surveys
• (EDM02) Percentage of expected value realised
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case


0103 Incompatibility of business systems

Risk Scenario Title: Incompatibility of business systems
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0103
Risk Scenario
In a hospital, the chief of the radiology department decided to purchase a particular x-ray system from a vendor without consulting other departments
or IT. The department chiefs can decide on necessary equipment/programs and frequently make these decisions without considering the enterprise
architecture (EA). As the new system interacts with other systems in the enterprise (e.g., patient records, medication), automated information exchange
cannot be performed to keep the patient records up to date.
Risk Scenario Components
Threat Type
The nature of the event is a failure in the processes BAI03 Manage solutions identification and build and APO03 Manage enterprise architecture.
Actor
The actor who generates the threat that exploits a vulnerability is internal—the chief of the radiology department (business process owner).
Event
The event is an ineffective design and, correspondingly, an ineffective execution of the processes BAI03 Manage solutions identification and build and
APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI03 Manage solutions identification and build and APO03 Manage enterprise
architecture, and the organizational structures: lacking a decision-making model, the chief of the department does not consider information as
a resource.
Asset/Resource (Effect)
The asset affected is information. The procured system will potentially be incompatible with other hospital systems and, therefore, unable to share
information with them. Patient records may not be up to date (affecting the accuracy and completeness of information and its consistent representation).
Time
The duration of the event is extended inconsistency in the presentation of patient records. The timing of occurrence is noncritical. Detection will be
instant because the business will recognize immediately the lack of consistent representation. The consequence is delayed because the event needs
proper analysis and changes in the system to make it compliant with the existing systems/architecture.
Risk Type (P = primary, S = secondary)
• IT Benefit/Value Enablement (P): Efficiency of the hospital operations is reduced and affects patients (e.g., no re-use of x-ray images and time delay in treatments).
• IT Programme and Project Delivery: N/A
• IT Operations and Service Delivery (P): Information cannot be automatically exchanged between the systems, which leads to unmet resource needs and inconsistent records.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The CEO and the chief of radiology accept the unaligned system and the additional resources required to update
incompatible systems.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Clarification of decision-making rights for purchasing systems, creation of (automated) interfaces and fostering of enterprise
architecture principles (e.g., minimum standards for system interoperability).
Risk Mitigation Using COBIT 5 Enablers

Principles, Policies and Framework Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Program/project management policy: To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. (Frequency: Medium; Impact: Medium; Essential control: NO)

Process Enabler
Columns: Reference; Title; Description; Effect on Frequency; Effect on Impact; Essential Control
• EDM01.01 Evaluate the governance system: Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements and make a judgment on the current and future design of governance of enterprise IT. (Frequency: Medium; Impact: Medium; Essential control: NO)
• EDM01.02 Direct the governance system: Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. (Frequency: Medium; Impact: Medium; Essential control: NO)
• EDM01.03 Monitor the governance system: Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.01 Establish the target investment mix: Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.03 Evaluate and select programs to fund: Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. (Frequency: High; Impact: High; Essential control: YES)
• APO05.04 Monitor, optimize and report on investment portfolio performance: On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.05 Maintain portfolios: Maintain portfolios of investment programs and projects, IT services and IT assets. (Frequency: Medium; Impact: Medium; Essential control: NO)
• APO05.06 Manage benefits achievement: Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. (Frequency: Medium; Impact: Medium; Essential control: NO)
• BAI03.04 Procure solution components: Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. (Frequency: High; Impact: High; Essential control: YES)

Organisational Structures Enabler
Columns: Reference; Contribution to Response; Effect on Frequency; Effect on Impact; Essential Control
• Board of directors: Require approval when programs surpass a certain value threshold and risk level. (Frequency: Medium; Impact: Medium; Essential control: NO)

Chapter 7
Risk Scenario Analysis Examples

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities | Medium | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (03) Percentage of executive management roles with clearly defined accountabilities for IT decisions
• (03) Number of times IT is on the board’s agenda in a proactive manner
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of users satisfied with the quality of IT service delivery
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes that need significant rework due to quality defects
• (17) Level of business executive awareness and understanding of IT innovation possibilities
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied


0104 Unaligned Culture
Risk Scenario Title: Unaligned Culture
Risk Scenario Category: 01 Portfolio establishment and maintenance
Risk Scenario Reference: 0104
Risk Scenario
In an industrial enterprise, the key IT resources are used to operate and maintain the financial reporting system; there is no focus on the maintenance of production planning and production systems, which results in a split in the culture of the IT staff. One part of the department is focused on the financial reporting system and is seen as the beneficial, finance/business-focused part; the other part is seen as the engineers. The engineering part of the staff has different career paths, a lack of motivation and disengagement, leading to lower productivity and innovation.
Risk Scenario Components
Threat Type
The nature of the event is a failure in prioritization.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is responsible for the assignment of IT resources is the
chief financial officer (CFO) function. The CFO puts the financial reporting system at the center of attention. A secondary internal actor is the Human
Resources (HR) department, which does not support staff motivation.
Event
The event is ineffective execution of the APO07 Manage human resources process.
Asset/Resource (Cause)
The resource that leads to the business impact is the APO07 Manage human resources process because HR management cannot demonstrate to the
engineers the value that they contribute and because there is a lack of integration of culture and processes.
Asset/Resource (Effect)
The resources that are affected are people and skills because the enterprise is losing knowledge and staff.
Time
The duration of the event is extended because the staff is demotivated. The timing of occurrence is noncritical. Because the lack of knowledge and the rise in staff turnover cannot be detected immediately, detection is slow. The consequence is delayed because the lack of staff and knowledge will materialize in the future.
Risk Type
IT Benefit/Value Enablement | P | Potential for innovation is unused because staff members are not involved.
IT Programme and Project Delivery | N/A |
IT Operations and Service Delivery | P | Investments in HR (knowledge) are ineffective when staff leave the company; service interruptions and security breaches can result from disgruntled remaining staff; IT service interruptions can result from departing staff.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Communicate the value that the engineers bring to the enterprise and provide individual rewards and motivation.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | To enforce the use of the overall program/project methodology, including corporate policy on the business case or due diligence, in order to improve the visibility of the relative value of programs (compared to each other). This policy should describe approval investment thresholds for program value. | Medium | Low | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. | Low | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief financial officer (CFO) | Help with alignment of strategy and priorities, overall view on programs | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program business case | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Defined investment mix | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business requirements analysis | Transparency on enterprise strategy, related business requirements and priorities | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (05) Percentage of IT services where expected benefits are realised
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO04) Increase in market share or competitiveness due to innovations
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Inclusion of innovation or emerging technology-related objectives in performance goals for relevant staff
• (APO04) Stakeholder feedback and surveys
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Number of decisions that could not be resolved within management structures and were escalated to governance structures
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant


02 Programme/Projects Life Cycle Management
0201 Terminate failing projects
Risk Scenario Title: Terminate failing projects
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0201
Risk Scenario
A company decided to replace its existing enterprise resource planning (ERP) system and allocated a budget of EUR 5 million. The company planned a two-year project and a big-bang approach to replacement of the existing systems and processes. The plan was based on the estimate prepared by a provider that became a key stakeholder throughout the project. After spending EUR 50 million and three years on customizing, the enterprise reviewed the project setup and decided to stop the initiative. The invested resources were lost. The lack of project risk management and benefit management was obvious. The project could have been stopped in its very early stages, but the enterprise did not apply good management practice in the project life cycle.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO05 Manage portfolio and BAI01 Manage programmes and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for the monitoring and control of projects,
the Steering (Programs/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the processes APO05 Manage portfolio and BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resources that led to the business impact are the processes APO05 Manage portfolio and BAI01 Manage programmes and projects, which led to
inappropriate decision making. Organizational structure can also be the resource that led to the business impact because of the lack of a
decision-making model to be followed by the Steering (Programs/Projects) Committee.
Asset/Resource (Effect)
The assets affected are unimproved business processes due to the stopped initiative.
Time
The duration of the event is extended because a long period of time passes before the project is stopped. The timing of occurrence is noncritical. The
event is detected only after the project has been running for several years and, therefore, detection is slow. The consequence is delayed because a new
project must be started to improve the business processes.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to achieve the planned enterprise benefits such as improved operation of the enterprise and transparency in planning
IT Programme and Project Delivery | P | Stranded costs for project delivery with no beneficial outcome
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accepting the fact that the enterprise continues without business operation improvement
• Risk Sharing/Transfer: Share responsibility for the project failure with the provider who prepared the estimate, and request a refund for some of the cost of the project.
• Risk Mitigation: Stop the project (earlier) and apply an agile/staged approach to delivery of processes and systems rather than a big-bang replacement.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on common language and methodology: awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and creation of information flows to induce corrective action; to prevent failure, scope changes to existing projects need to be managed strictly. | Medium | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Low | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project monitoring includes data-driven activities | Decisions should be objective, nonbiased and based on supported information. | Low | Low | NO
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Low | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
Key Risk Indicators (KRIs) Related to Process Goals
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
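The monitoring that BAI01.11 and the APO05/BAI01 KRIs above call for (measure performance against schedule and cost, identify deviations, report them so that a failing project can be stopped early) can be implemented as a recurring stage-gate check over the project portfolio. The following Python block is an added example and is not code from the ISACA publication. Its thresholds (a CPI and SPI floor of 0.8 and a funds ceiling of 110 percent of the allocation), the linear planned-value assumption, the CONTINUE/WATCH/ESCALATE tiers and the portfolio records are all constructed assumptions; the first two records are loosely modelled on scenarios 0201 and 0204 at an early checkpoint, before the losses the text describes.

```python
"""Stage-gate deviation check over a project portfolio.

Added example, not code from the ISACA publication. The thresholds, the
linear planned-value assumption, the decision tiers and the portfolio
records below are constructed for illustration and would be replaced by
the values set in the enterprise's own programme/project management policy.
"""
from dataclasses import dataclass


@dataclass
class ProjectStatus:
    name: str
    budget: float            # funds allocated in the approved business case
    spent: float             # funds used to date
    planned_months: int      # approved duration
    elapsed_months: int      # months elapsed since start
    percent_complete: float  # accepted deliverables as a share of scope, 0..100


def funds_used_ratio(p: ProjectStatus) -> float:
    """APO05 KRI: ratio between funds used and funds allocated (1.0 = budget consumed)."""
    return p.spent / p.budget


def cost_performance_index(p: ProjectStatus) -> float:
    """Earned value divided by actual cost; below 1.0 each unit of money buys less than planned."""
    earned_value = p.budget * p.percent_complete / 100.0
    return earned_value / p.spent if p.spent > 0 else 1.0


def schedule_performance_index(p: ProjectStatus) -> float:
    """Earned value divided by planned value, assuming a linear plan (constructed
    assumption); below 1.0 the project is behind schedule."""
    planned_pct = min(p.elapsed_months / p.planned_months, 1.0) * 100.0
    return p.percent_complete / planned_pct if planned_pct > 0 else 1.0


def stage_gate_decision(p: ProjectStatus, cpi_floor: float = 0.8,
                        spi_floor: float = 0.8, funds_ceiling: float = 1.1):
    """Return (decision, reasons) for the steering committee.

    CONTINUE: within tolerances. WATCH: one indicator breached, a corrective
    action plan is required. ESCALATE: budget overrun or two or more breaches,
    so the committee must decide whether to restructure or stop the project.
    The tiers are a constructed policy, not COBIT text.
    """
    cpi = cost_performance_index(p)
    spi = schedule_performance_index(p)
    ratio = funds_used_ratio(p)
    reasons = []
    if cpi < cpi_floor:
        reasons.append(f"CPI {cpi:.2f} below floor {cpi_floor}")
    if spi < spi_floor:
        reasons.append(f"SPI {spi:.2f} below floor {spi_floor}")
    if ratio > funds_ceiling:
        reasons.append(f"funds used {ratio:.0%} of allocation, above {funds_ceiling:.0%}")
    if not reasons:
        return "CONTINUE", reasons
    if ratio > funds_ceiling or len(reasons) >= 2:
        return "ESCALATE", reasons
    return "WATCH", reasons


def on_time_within_budget(portfolio) -> int:
    """IT goal 13 KRI: number of projects on time and within budget."""
    return sum(1 for p in portfolio
               if funds_used_ratio(p) <= 1.0 and schedule_performance_index(p) >= 1.0)


def review_portfolio(portfolio) -> dict:
    """Map each project name to its stage-gate decision."""
    return {p.name: stage_gate_decision(p)[0] for p in portfolio}


# Constructed sample portfolio. The first two records are loosely modelled on
# scenarios 0201 and 0204 at an early checkpoint, i.e. the point at which the
# text says the projects could already have been stopped or re-planned.
PORTFOLIO = [
    ProjectStatus("ERP replacement", 5_000_000, 12_000_000, 24, 18, 20.0),
    ProjectStatus("ISMS certification", 200_000, 200_000, 12, 6, 30.0),
    ProjectStatus("Billing interface", 800_000, 520_000, 10, 6, 50.0),
    ProjectStatus("Reporting upgrade", 1_000_000, 400_000, 12, 5, 45.0),
]

if __name__ == "__main__":
    for p in PORTFOLIO:
        decision, reasons = stage_gate_decision(p)
        print(f"{p.name:<20} {decision:<9} {'; '.join(reasons) or 'within tolerances'}")
    print("Projects on time and within budget:", on_time_within_budget(PORTFOLIO))
```

Run as a script, the block prints one line per project. The point it makes for scenario 0201 is that the constructed ERP record is already flagged for escalation at month 18, with 2.4 times its allocation spent and a fifth of the scope accepted; the early stage-gate decision that the scenario says was never taken needs nothing more than this data and an agreed threshold. The thresholds themselves belong in the program/project management policy listed under the Principles, Policies and Framework enabler, not in code, and the "Admitting to bad news" cultural enabler is what makes the percent_complete figure honest enough to act on.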


0204 Routine delays in IT projects
Risk Scenario Title: Routine delays in IT projects
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0204
Risk Scenario
The IT organization of an enterprise initiated an IT security management project (implementing an information security management system [ISMS] with the objective of obtaining a certificate) and planned a one-year time frame. After six months, the plan had to be rescheduled due to a number of missed deadlines and high uncertainty about meeting the project time line. The budget is already fully consumed. The organization has no view of the final outcome and is uncertain about the additional funds required. The IT security manager is leading the project and puts more focus on technical issues than on managing the project and delivering the results. The IT security manager does not see the delay in implementing the ISMS or the overspending as a concern.

The risk is the possibility of not obtaining the certification, which has a negative impact on the enterprise’s image and ability to meet compliance requirements. In addition, the initial and ongoing costs of the ISMS and the time needed for successful delivery of the project results are unclear.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programme and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for the monitoring and the control of
projects, the Steering (Programmes/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programme and projects.
Asset/Resource (Cause)
The resources that lead to the business impacts are the process BAI01 Manage programme and projects and people and skills because the project
manager focuses on project content rather than on managing the project.
Asset/Resource (Effect)
The resource/asset that is affected is the process DSS05 Manage security services and the information because the security of information is
in danger.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical. The
event is detected only after the project has been running for some time; therefore, detection is slow. The consequence is delayed because the project
runs over planned implementation and budget.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to achieve the planned enterprise benefits such as improved operation of the enterprise and transparency in planning.
IT Programme and Project Delivery | P | Stranded costs for project delivery with no beneficial outcome
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accepting that the enterprise continues without business operation improvement is a possible response; however, the enterprise then also accepts the risk of reputational damage.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Stop the project (earlier) and apply an agile/staged approach to delivery of processes and systems.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on common language and methodology: awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and creation of information flows to induce corrective action; to prevent failure, scope changes to existing projects need to be managed strictly. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required | Medium | High | YES
Program/project sponsor | Overall accountable for budget tracking and value demonstration | Medium | Medium | NO
Program/project manager | Overall responsible for budget tracking and value demonstration | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Medium | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
Key Risk Indicators (KRIs) Related to Process Goals
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review


0205 Excessive delays in an IT-enabled business initiative
Risk Scenario Title: Excessive delays in an IT-enabled business initiative
Risk Scenario Category: 02 Programme/projects life cycle management
Risk Scenario Reference: 0205
Risk Scenario
The board of directors of a government-owned power, supply and distribution (whole cycle) enterprise decided to redefine the customer process (customer-facing connection, billing, etc.) and to renew the underlying information systems. A one-year program was planned, but the first program results were delivered with a two-year delay, while still suffering from quality issues and a lack of interoperability with other enterprise systems (connection of new customers, measurement of clients’ energy consumption, etc.).

An external provider was hired to support the change of customer processes and the underlying technology, which was new for the enterprise. The enterprise staff was not convinced of the new system’s adequacy, particularly because the legacy system provided specific functionalities to the business users that were not considered in the initial program planning and had to be developed in parallel.

The IT assets delivered by the program need to be corrected/amended to provide full functionality. Functional specifications were created, but developers deviated from those specifications without appropriate approval or feedback. The additional work and inefficiencies in service development caused delays in the deliveries, cost overruns on IT and on the provider’s services, and lower service quality to the customers, e.g., from incomplete information for customer service and support staff. A delay of 200 percent and a cost overrun of 100 percent summarize the performance of the program delivery.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programme and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for monitoring and control of projects, the
Steering (Programs/Projects) Committee or, specifically, the customer chief executive officer (CEO) and the chief information officer (CIO) in charge of
the project.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programme and projects.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI01 Manage programme and projects and BAI07 Manage change acceptance and transitioning, through poor testing of deliverables. Another resource is people and skills, because the project manager focuses on project content rather than on managing the project. Another resource is IT infrastructure, because the acquisition of IT assets did not work properly.
Asset/Resource (Effect)
The resources that are affected are business processes such as customer-facing connection and billing.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical.
The event is detected only after the project has been running for some time. Therefore, detection is moderate. The consequence is delayed because the
project runs over planned implementation and budget.
Risk Type
• IT Benefit/Value Enablement (P): Planned improvement on efficiency was not achieved and was delayed.
• IT Benefit/Value Enablement (P): Other initiatives had to be postponed because of the delays, and the corresponding information systems could not be planned accordingly.
• Programme and Project Delivery (P): Delayed delivery of project results.
• Programme and Project Delivery (P): Overrun of budget.
• Programme and Project Delivery (P): Incomplete functionality of the applications delivered and undetected errors in the systems due to weak testing.
• IT Operations and Service Delivery (S): Incomplete/inaccurate information that is provided to customer service, support and customers.
• IT Operations and Service Delivery (P): Delays on the service provision to the end customers (e.g., connecting new customers) due to incomplete/inaccurate information.
• IT Operations and Service Delivery (P): Information security problems that are caused by giving access to critical customer (individuals and enterprises) information due to inadequate security in application development.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept that the enterprise continues without business operation improvement and budget overrun.
• Risk Sharing/Transfer: Share responsibility for the project failure with the provider who prepared the estimate, and request a refund for some
of the cost of the project.
• Risk Mitigation: Use a proper project management office (PMO) and adequate processes to manage the program. Improve testing/quality assurance (QA) and application security in early phases of the program. Apply stringent functional and security requirement identification and testing of the quality delivered.


Risk Mitigation Using COBIT 5 Enablers


Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on a common language and methodology: (1) create awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and create information flows to induce corrective action; (2) to prevent failure, scope changes to existing projects need to be managed strictly. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Low | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | Low | High | YES
BAI01.06 | Monitor, control and report on the program outcomes. | Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors. | Medium | High | YES
BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS) that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. | Low | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | Low | High | YES
BAI02.04 | Obtain approval of requirements and solutions. | Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. | Low | Medium | NO

Chapter 7
Risk Scenario Analysis Examples

Process Enabler (cont.)
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). | Medium | Low | NO
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | Medium | High | YES
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions. | Medium | High | YES
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. | Medium | High | YES
BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. | Medium | Medium | YES
BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing. | Medium | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required | Medium | High | YES
Program/project sponsor | Overall accountable for budget tracking and value demonstration | Medium | Medium | NO
Program/project manager | Overall responsible for budget tracking and value demonstration | Medium | Medium | NO


Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimation of the consequences of failing projects, such as potential budget overruns. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost


Key Risk Indicators (KRIs) Related to Process Goals


• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime


03 IT Investment Decision Making


0302 Niche software construction

Risk Scenario Title: Niche software construction
Risk Scenario Category: 03 IT investment decision making
Risk Scenario Reference: 0302
Risk Scenario
A specialized niche market company with many decades of experience and research offers state-of-the-art solutions that are commonly accepted
in the market.

Disregarding this fact, a client with an internal development department and staff, but without the necessary maturity in its software development life cycle (SDLC) processes and its quality assurance (QA) department, decides to build its own solution. The client does not consider the advantage of purchasing this software over developing the solution internally and lacks a real understanding of the business and compliance requirements.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI03 Manage solutions identification and build, but also could be classified as accidental/error
because an external solution was not considered.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the Steering (Programme/Projects) Committee and the chief information officer (CIO).
Event
The event can be classified as ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information and applications because the internally developed solution does not fit the
business and compliance requirements due to a lack of understanding.
Time
The timing of occurrence is critical because competitors already use solutions that fulfil the compliance requirements. The duration of the event is
extended because the internally developed solution must be amended to fit business and compliance requirements. The detection is slow because the
internally developed solution is misaligned with business and compliance requirements, which is not detected before final acceptance tests or before
the implementation is in production. The consequences are delayed because the internally developed solution must be improved or the external solution
must be implemented.
Risk Type
• IT Benefit/Value Enablement (P): Missed opportunity to use a state-of-the-art solution to improve efficiency and effectiveness.
• IT Programme and Project Delivery (S): Lack of understanding of business and compliance requirements.
• IT Operations and Service Delivery (P): Insufficiently tested systems because of insufficient maturity in QA.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts that the costs derived from internal development are going to be higher due to the time needed to
understand and develop the SDLC and QA processes and governance framework. The company also accepts the risk that its competitors may gain a
competitive advantage by the early adoption of a package solution while the company designs and builds its own solution. The company also accepts
the risk of penalties imposed by its regulators for non-compliance.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Develop and maintain a standard approach for program and project management and for solution identification and build.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | Low | High | YES
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | High | High | YES
APO06.04 | Model and allocate costs. | Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources, including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities. | Low | Low | NO
APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. | Low | High | NO
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | High | YES
Organisational Structures Enabler
N/A
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Decision making process is data-driven | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business cases | Clarify the purpose, cost and return on investment (ROI) of IT initiatives. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business case analysis | Clarify the purpose, cost and ROI of IT initiatives. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Percentage of IT services with clearly defined and approved operational costs and expected benefits
• (06) Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components
• (APO03) Number of people trained in the architecture methodology and tool set
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Ratio between funds available and funds allocated
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO06) Number of budget changes due to omissions and errors
• (APO06) Number of deviations between expected and actual budget categories

• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO06) Percentage of overall IT costs that are allocated according to the agreed-on cost models
• (APO06) Percentage of variance amongst budgets, forecasts and actual costs
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Number of resource issues (e.g., skills, capacity)
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (MEA03) Average time lag between identification of external compliance issues and resolution
• (MEA03) Frequency of compliance reviews
• (MEA03) Number of critical non-compliance issues identified per year
• (MEA03) Percentage of process owners signing off, confirming compliance


0303 Infrastructure platform upgrade

Risk Scenario Title: Infrastructure platform upgrade
Risk Scenario Category: 03 IT investment decision making
Risk Scenario Reference: 0303
Risk Scenario
A large enterprise needs to update its branches’ mission-critical software to enhance its functionality with new business functions that are needed to
obtain higher revenues. The company knows in advance that this software update needs a critical upgrade on the branches’ IT infrastructures because
the new software will not work with the current version.

The components of the branches’ IT infrastructures are diverse and require many providers to build the complete architecture. After the request for
proposal (RFP) is constructed, the company does not consider the different schedules that each provider needs to deliver the required hardware. When
the procurement process is initiated, the company finds out that a specific component cannot be provided, which hinders the entire infrastructure
implementation.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the management processes BAI03 Manage solutions identification and build, BAI02 Manage requirements
definition and APO03 Manage enterprise architecture and is a failure of the governance process EDM02 Ensure benefits delivery.
Actor
The actors that generate the threat that exploits a vulnerability are internal—overall, the Steering (Program/Projects) Committee and also the chief
information officer (CIO) and the head architect.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes EDM02 Ensure benefits delivery, BAI03 Manage
solutions identification and build, BAI02 Manage requirements definition and APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications because the company cannot update its
branches’ mission-critical systems, and people and enterprise because they must work with the out-of-date applications.
Time
Because the company needs the new systems for its branches to create higher revenues, the timing of occurrence is critical. The duration of the event
is extended because the infrastructure implementation is hindered. The detection is moderate because the event is detected during the procurement
process. The consequences are delayed because the company has to continue its business while using the incorrect IT architecture, with accumulated
high costs, over a time span of several years.
Risk Type
• IT Benefit/Value Enablement (P): Missed opportunity to create more revenue with the new systems for the branches.
• IT Programme and Project Delivery (P): Identified solutions do not match the requirements.
• IT Operations and Service Delivery (P): Inflexible architecture with accumulated high costs.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts and tolerates the inflexible architecture, does not achieve higher revenues and loses
business competitiveness.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise considers alternative providers to deliver the required piece of hardware. Additional contracts will be considered, and
the time losses and cost of opportunity will be accepted. The program of work is re-prioritized to ensure that the prerequisites are completed, to allow
for success. The governance framework for the infrastructure upgrades process must be followed and department managers must be trained.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM02.01 | Evaluate value optimization. | Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. | Low | High | YES
EDM02.02 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. | Low | High | YES
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | Low | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Low | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | Low | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
Organisational Structures Enabler
Chief information officer (CIO): Accountable for proper investment decision making. Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.

Culture, Ethics and Behaviour Enabler
Decision making process is data driven: Decisions should be objective, unbiased and based on supported information. Effect on frequency: Low. Effect on impact: Low. Essential control: No.

Information Enabler
N/A

Chapter 7
Risk Scenario Analysis Examples

Services, Infrastructure and Applications Enabler
N/A

People, Skills and Competencies Enabler
N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM02) Level of stakeholder satisfaction with the enterprise’s ability to obtain value from IT-enabled initiatives
• (EDM02) Percentage of IT initiatives in the overall portfolio where value is being managed through the full life cycle
• (EDM02) Level of stakeholder satisfaction with progress towards identified goals, with value delivery based on surveys
• (EDM02) Percentage of expected value realised
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of demands for maintenance that go unsatisfied

0304 Purchase of redundant software

Risk Scenario Title: Purchase of redundant software
Risk Scenario Category: 03 IT investment decision making
Risk Scenario Reference: 0304

Risk Scenario
An enterprise purchases redundant software for a key business area. The new software competes with software that was purchased previously and is already in production. It was purchased without reference to procurement because the amount fell within the purchaser's budgetary signature approval limit and the software was intended for use within the department only.

This purchase represents a lack of conformance with organizational processes and policies. The system was not considered in the enterprise architecture (EA) and, therefore, lacks interoperability with other systems and software, and its functionality overlaps with other business functions.

Because the software was purchased by a key business user and the procurement process was immature, the software was not included in the enterprise strategy for business continuity and disaster recovery planning.

The new purchase required additional training for the department, further investment, and integration with existing systems.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation, APO05 Manage portfolio, APO06 Manage budget and cost and
BAI10 Manage configuration.
Actor
The actors that generate the threat that exploits a vulnerability are internal—overall, the Steering (Program/Projects) Committee, and also the key
business user who purchased the software.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes APO04 Manage innovation, APO05 Manage portfolio,
APO06 Manage budget and cost and BAI10 Manage configuration.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are mainly the processes APO04 Manage innovation and BAI10 Manage configuration.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications because the new software lacks interoperability
with other systems, and people and enterprise because they must use workarounds.
Time
The timing of occurrence is noncritical. The duration is extended because of the cost of the inappropriate purchase and the additional burden the enterprise had to bear to achieve interoperability with existing systems. Detection is slow because the redundancy was not discovered before the system was ready to use. The time lag is immediate because of the immature procurement process.
Risk Type
IT Benefit/Value Enablement P Immature procurement process
IT Programme and Project Delivery N/A
IT Operations and Service Delivery S Lack of interoperability with other systems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Maintain a centralized software catalogue for the enterprise and train all department heads and managers to consult it before any purchase. Mature the governance framework for the software procurement process and enforce it. Add all software purchases to the business continuity plan (BCP) and disaster recovery plan (DRP).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Program/project management policy: The policy should define who needs to be involved in investment decisions and what the chain of approval is. Effect on frequency: High. Effect on impact: Medium. Essential control: Yes.


Process Enabler
APO02.05 Define the strategic plan and road map.
  Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
  Effect on frequency: Low. Effect on impact: High. Essential control: Yes.

APO05.03 Evaluate and select programs to fund.
  Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs.
  Effect on frequency: Low. Effect on impact: High. Essential control: Yes.

APO06.05 Manage costs.
  Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.
  Effect on frequency: Low. Effect on impact: High. Essential control: Yes.

APO08.04 Coordinate and communicate.
  Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business.
  Effect on frequency: Low. Effect on impact: High. Essential control: Yes.

BAI10.05 Verify and review integrity of the configuration repository.
  Periodically review the configuration repository and verify completeness and correctness against the desired target.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

Organisational Structures Enabler
Chief information officer (CIO): Accountable for proper investment decision making. Effect on frequency: High. Effect on impact: Medium. Essential control: Yes.

Culture, Ethics and Behaviour Enabler
N/A

Information Enabler
Business cases: Clarify the purpose, cost and return on investment (ROI) of IT initiatives. Effect on frequency: Medium. Effect on impact: Low. Essential control: No.
Prioritization and ranking of IT initiatives: Overview of IT initiatives to facilitate selection. Effect on frequency: Medium. Effect on impact: Low. Essential control: No.

Services, Infrastructure and Applications Enabler
N/A

People, Skills and Competencies Enabler
Business case analysis: Clarify the purpose, cost and ROI of IT initiatives. Effect on frequency: Medium. Effect on impact: Low. Essential control: No.

Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Percentage of IT services with clearly defined and approved operational costs and expected benefits
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Cost of application maintenance vs. overall IT cost
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO04) Increase in market share or competitiveness due to innovations
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives that realise the envisioned benefits
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Inclusion of innovation or emerging technology-related objectives in performance goals for relevant staff
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO06) Number of budget changes due to omissions and errors
• (APO06) Number of deviations between expected and actual budget categories
• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO06) Percentage of variance amongst budgets, forecasts and actual costs
• (APO08) Percentage of alignment of IT services with enterprise business requirements
• (APO08) Ratings of user and IT personnel satisfaction surveys
• (APO08) Survey of business stakeholder technology level of awareness
• (APO08) Inclusion rate of technology opportunities in investment proposals
• (BAI10) Number of deviations between the configuration repository and live configuration
• (BAI10) Number of discrepancies relating to incomplete or missing configuration information
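The BAI10.05 practice and the two BAI10 indicators above come down to one concrete check: diff the configuration repository against what is actually installed and, for this scenario, also flag two products that serve the same business function. The following Python script is an added example and is not part of this ISACA publication or of any COBIT tooling; the repository entries, the inventory lines, the product names, the `function` field and the `reconcile` helper are all constructed for illustration.

```python
"""
Reconcile a configuration repository against live software inventory.

Added example for BAI10.05 (verify and review integrity of the configuration
repository) and the KRI "number of deviations between the configuration
repository and live configuration". All data, field names and function names
are constructed for illustration; they are not COBIT or ISACA artifacts.
"""
from collections import defaultdict
import csv
import io

# Constructed configuration repository: software the enterprise has approved,
# with the business function each product covers. A real source would be a
# CMDB or software catalogue export.
CONFIG_REPOSITORY = [
    {"product": "LedgerPro", "function": "general-ledger", "owner": "Finance"},
    {"product": "CRMSuite", "function": "crm", "owner": "Sales"},
    {"product": "BackupMaster", "function": "backup", "owner": "IT Ops"},
    {"product": "LegacyReports", "function": "reporting", "owner": "Finance"},
]

# Constructed live inventory (host,product,version), as an endpoint agent or
# licence scanner might emit it. QuickLedger is the departmental purchase that
# never went through procurement.
LIVE_INVENTORY_CSV = """host,product,version
fin-ws-01,LedgerPro,9.2
fin-ws-02,LedgerPro,9.2
fin-ws-02,QuickLedger,3.0
sales-ws-07,CRMSuite,12.1
ops-srv-03,BackupMaster,5.4
"""

# Constructed lookup of business function for products that are not in the
# repository (for registered products the repository already records it).
KNOWN_FUNCTIONS = {"QuickLedger": "general-ledger"}


def parse_inventory(text):
    """Return {product: set(hosts)} from CSV inventory text."""
    hosts_by_product = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        hosts_by_product[row["product"].strip()].add(row["host"].strip())
    return dict(hosts_by_product)


def reconcile(repository, inventory, function_lookup=None):
    """Compare repository entries with observed products.

    Returns a dict with:
      unregistered: products seen live but absent from the repository
      stale:        repository products not seen on any host
      redundant:    {function: [products]} where more than one product is
                    installed for the same business function
      deviations:   len(unregistered) + len(stale), the BAI10 KRI value
    """
    function_lookup = function_lookup or {}
    registered = {entry["product"]: entry for entry in repository}
    observed = set(inventory)

    unregistered = sorted(observed - set(registered))
    stale = sorted(set(registered) - observed)

    # Group every observed product by the business function it serves; an
    # unregistered product falls back to the lookup, then to "unknown".
    by_function = defaultdict(list)
    for product in sorted(observed):
        if product in registered:
            function = registered[product]["function"]
        else:
            function = function_lookup.get(product, "unknown")
        by_function[function].append(product)
    redundant = {f: p for f, p in by_function.items()
                 if len(p) > 1 and f != "unknown"}

    return {
        "unregistered": unregistered,
        "stale": stale,
        "redundant": redundant,
        "deviations": len(unregistered) + len(stale),
    }


def report(result):
    """Render the reconciliation result as plain text."""
    lines = [f"Deviations (BAI10 KRI): {result['deviations']}"]
    for product in result["unregistered"]:
        lines.append(f"  not in repository: {product}")
    for product in result["stale"]:
        lines.append(f"  in repository, not observed: {product}")
    for function, products in result["redundant"].items():
        lines.append(f"  redundant for '{function}': {', '.join(products)}")
    return "\n".join(lines)


if __name__ == "__main__":
    inventory = parse_inventory(LIVE_INVENTORY_CSV)
    print(report(reconcile(CONFIG_REPOSITORY, inventory, KNOWN_FUNCTIONS)))
```

The `deviations` figure is the value a practitioner would feed into the BAI10 KRI; the `redundant` map is the catalogue-level check that would have surfaced the 0304 purchase before it reached production, since it pairs the unapproved product with the approved one already covering the same function.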


04 IT Expertise and Skills

0401 Human resources hiring policies

Risk Scenario Title: Human resources hiring policies
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0401
Risk Scenario
The Human Resources (HR) department has strict general regulations regarding the maximum age for internal staff recruitment. This is affecting the technical areas, which need the limit raised to ensure that new personnel bring the right expertise and skills, given the mix of new and old technologies that remain in use and relied on in the enterprise architecture (EA).

The enterprise expects that, in the next five years, 35 percent of its specialized professionals will retire. A minimum standard of knowledge is required as the base for the next level of internal training. Because of the complexity of the systems in production, the training process for new staff to gain the expertise needed to run daily operations has historically taken three years.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO07 Manage human resources, especially the management practices of maintaining adequate and
appropriate staffing and maintaining the skills and competencies of personnel.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the HR function.
Event
The event is an ineffective design of the process APO07 Manage human resources.
Asset/Resource (Cause)
The resource that leads to the business impact is the process APO07 Manage human resources.
Asset/Resource (Effect)
The resources that are affected are the IT processes in the technical area because of a lack of competent staff, and the IT architecture (information and
applications) because it cannot be maintained and improved adequately due to the lack of expertise and skills.
Time
The duration of the event is moderate because the policy can easily be changed. The timing of occurrence is noncritical. The lack of skills and expertise will be detected in moderate time. The consequence is delayed because the right staff has to be recruited, and this process can take a long time.
Risk Type
IT Benefit/Value Enablement P Lack of skills and expertise for using technology for new business initiatives
IT Programme and Project Delivery P Lack of skills and expertise may lead to bad quality of projects.
IT Operations and Service Delivery P The technical environment cannot be adequately maintained.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts the risk that it may be unable to recruit the right skills and experience, which will limit the enterprise’s
ability to design, build and deliver IT solutions to help deliver business goals. In addition, the enterprise may have to pay a premium for potential
recruits with the required skills and experience.
• Risk Sharing/Transfer: HR and IT are to share their responsibilities for the risk that the enterprise is taking by being unable to hire the right personnel.
• Risk Mitigation: IT can outsource and use contractors to cover critical skills shortages.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
HR policy: Describes the development of requirements for selecting and evaluating IT profiles throughout the entire career. Effect on frequency: High. Effect on impact: High. Essential control: Yes.

Process Enabler
APO01.01 Define the organizational structure.
  Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
  Effect on frequency: Low. Effect on impact: Low. Essential control: No.

APO01.04 Communicate management objectives and direction.
  Communicate awareness and understanding of IT objectives and direction to stakeholders and users throughout the enterprise.
  Effect on frequency: Medium. Effect on impact: Low. Essential control: No.

APO07.01 Maintain adequate and appropriate staffing.
  Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO07.02 Identify key IT personnel.
  Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
  Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.

APO07.03 Maintain the skills and competencies of personnel.
  Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO07.05 Plan and track the usage of IT and business human resources.
  Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes.
  Effect on frequency: High. Effect on impact: Low. Essential control: Yes.

APO07.06 Manage contract staff.
  Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the enterprise's policies and meet agreed-on contractual requirements.
  Effect on frequency: Low. Effect on impact: Medium. Essential control: No.

Organisational Structures Enabler
Chief information officer (CIO): Responsible for gap analysis regarding IT skills and competencies. Effect on frequency: High. Effect on impact: High. Essential control: Yes.
Head of HR: Responsible for establishing expectations about staff. Effect on frequency: High. Effect on impact: High. Essential control: Yes.
Specific IT management functions: Responsible for identifying specific requirements. Effect on frequency: High. Effect on impact: High. Essential control: Yes.
Culture, Ethics and Behaviour Enabler
N/A


Information Enabler
Skills and competencies matrix: Describes the existing skills and competencies within the IT organization and allows for gap analysis. Effect on frequency: High. Effect on impact: Low. Essential control: Yes.
Competency and career/skills development plans: Describe the required growth of specific IT profiles. Effect on frequency: High. Effect on impact: Medium. Essential control: Yes.
Generic job function descriptions: Describe skills/experience and knowledge requirements for generic profiles within the IT organization. Effect on frequency: High. Effect on impact: High. Essential control: Yes.
Knowledge repositories: Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. Effect on frequency: Medium. Effect on impact: High. Essential control: Yes.

Services, Infrastructure and Applications Enabler
N/A

People, Skills and Competencies Enabler
HR skills: Management of skills and competencies. Effect on frequency: High. Effect on impact: High. Essential control: Yes.
Key Risk Indicators (KRIs) Related to IT Goals
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Cost of application maintenance vs. overall IT cost
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant

0403 Ineffective leadership skills

Risk Scenario Title: Ineffective leadership skills
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0403
Risk Scenario
The chief information officer (CIO) of a large enterprise has a strong technical operations background; however, he does not communicate regularly with
other business unit managers. He lacks business acumen and, therefore, he does not communicate the business understanding to his staff, nor does he
keep the necessary alignment required for IT governance.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO01 Manage the IT management framework, particularly a failure of communication of
management objectives and direction.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the CIO.
Event
The event is an ineffective execution of the process APO01 Manage the IT management framework, but can also eventually be an ineffective design
of the organizational structure.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the process APO01 Manage the IT management framework and also the
organizational structure.
Asset/Resource (Effect)
The resources that are affected are business processes because the IT staff does not know about or does not understand the needs from the business.
IT personnel are also affected as they are unsatisfied because they cannot provide the solution and services expected from them.
Time
The duration of the event is extended because the CIO is not expected to change his behavior soon. The timing of occurrence is noncritical. Detection is moderate because it takes time before the CIO's behavior is recognized as the cause. The consequence is delayed because the CIO cannot be replaced, or his behavior changed, immediately.
Risk Type
IT Benefit/Value Enablement P Because IT staff does not understand business needs, IT misses the opportunity to be an
enabler for successful business initiatives.
IT Programme and Project Delivery P Project delivery quality will suffer because requirements will not be fulfilled successfully.
IT Operations and Service Delivery S Business stakeholders are not satisfied with IT service delivery.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The governance board and upper management (C-level) must be made aware of this situation and decide who is the right person for the job.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Human resources (HR) policy: Describes the development of requirements for selecting and evaluating IT profiles throughout the entire career. Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.


Process Enabler
APO01.01 Define the organizational structure.
  Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO01.04 Communicate management objectives and direction.
  Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO03.01 Develop the enterprise architecture vision.
  The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
  Effect on frequency: Low. Effect on impact: Low. Essential control: No.

APO07.01 Maintain adequate and appropriate staffing.
  Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO07.02 Identify key IT personnel.
  Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
  Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.

APO07.03 Maintain the skills and competencies of personnel.
  Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
  Effect on frequency: High. Effect on impact: High. Essential control: Yes.

APO07.05 Plan and track the usage of IT and business human resources.
  Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes.
  Effect on frequency: Low. Effect on impact: Low. Essential control: No.

Organisational Structures Enabler
Head of HR: Responsible for establishing expectations about staff. Effect on frequency: High. Effect on impact: Low. Essential control: Yes.

Culture, Ethics and Behaviour Enabler
Awareness of business activities by IT staff: IT staff should know the core business activities of the enterprise they support. Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.

Information Enabler
Skills and competencies matrix: Describes the existing skills and competencies within the IT organization and allows for gap analysis. Effect on frequency: High. Effect on impact: Medium. Essential control: Yes.
Competency and career/skills development plans: Describe the required growth activities for specific IT profiles. Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.
Generic function descriptions: Describe skills/experience and knowledge requirements for generic profiles within the IT organization. Effect on frequency: High. Effect on impact: Medium. Essential control: Yes.
Services, Infrastructure and Applications Enabler
N/A

People, Skills and Competencies Enabler
HR skills: Management of skills and competencies. Effect on frequency: Medium. Effect on impact: Medium. Essential control: No.
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Number of decisions that could not be resolved within management structures and were escalated to governance structures
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant

Chapter 7
Risk Scenario Analysis Examples

0404 Critical staff turnover

Risk Scenario Title: Critical staff turnover
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0404
Risk Scenario
A long-established software company with low personnel turnover did not allow the time needed to recruit and prepare new specialized staff ahead of the
impending retirement of a large proportion of its workforce. This situation primarily affects the morale of the remaining staff, who must work overtime
to support current operations.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO07 Manage human resources, especially the management practices to maintain adequate and
appropriate staffing and maintain the skills and competencies of personnel.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the human resources (HR) function.
Event
The event is an ineffective design and/or ineffective execution of the process APO07 Manage human resources. The event is also an interruption of
the development and/or maintenance of the software with which the company works.
Asset/Resource (Cause)
The resource that leads to the business impact is the process APO07 Manage human resources.
Asset/Resource (Effect)
The resources that are affected are the development and maintenance processes for the software with which the company works.
Time
The duration of the event is extended because new specialist staff are hard to find. The timing of occurrence is critical because the company cannot
fulfil customer demands while its competitors can. Detection of the lack of skills and expertise is slow. The consequence is delayed because the right
staff have to be recruited, which can take considerable time.
Risk Type
IT Benefit/Value Enablement | P | Lack of skills and expertise for developing and maintaining the software products
IT Programme and Project Delivery | P | Lack of skills and expertise may lead to poor quality of projects and customer dissatisfaction.
IT Operations and Service Delivery | P | The technical environment cannot be adequately maintained to support the development and maintenance of the software products.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Contracting external staff
• Risk Mitigation: The enterprise considers a programme to retain critical staff while transitioning to an effective staffing and succession model.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR policy | Describes the requirements for developing, selecting and evaluating IT profiles throughout the entire career | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Low | NO
APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. | Medium | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | Medium | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | High | Medium | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | High | High | YES
Head of HR | Responsible for establishing expectations about staff | High | High | YES
Specific IT management functions | Responsible for identifying specific requirements | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Medium | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO06) Percentage of alignment of IT resources with high-priority initiatives
• (APO06) Number of resource allocation issues escalated
• (APO07) Level of executive satisfaction with management decision making
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant


0408 Pandemic disaster

Risk Scenario Title: Pandemic disaster
Risk Scenario Category: 04 IT expertise and skills
Risk Scenario Reference: 0408
Risk Scenario
A new strain of avian flu, developed in a secret laboratory, has broken out at an enterprise's main offices. The strain has infected a large number of the
enterprise's employees, including a number of the board of directors and the majority of the key IT personnel. The business continuity programme must be
invoked immediately because governance and key IT services are disrupted by the absence of decision makers and support staff, severely impacting
business operations.
Risk Scenario Components
Threat Type
The nature of the event is the malicious act of developing the new strain of the avian flu and its release to the environment by the secret lab.
Actor
The actor that generates the threat that exploits the vulnerability is the external secret lab.
Event
The event is interruption of IT service and business processes.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the people from the secret lab.
Asset/Resource (Effect)
The assets/resources that are affected are the people and the organizational structure, specifically, the key staff/personnel of the main offices of the
company and the business processes.
Time
The duration of the event is extended because key personnel remain unavailable; the affected staff will not recover soon, if at all. The timing of
occurrence is critical because it affects most of the board of directors and the C-level at the same time, so key personnel and their backups or deputies
are unavailable together. Detection of the event is immediate because the affected personnel do not show up at the offices. For the same reason, the
time lag between event and consequence is immediate.
Risk Type
IT Benefit/Value Enablement | S | As innovation comes to a standstill, there are missed opportunities to use technology to improve efficiency and/or effectiveness.
IT Programme and Project Delivery | P | Programmes and projects are stopped, and there is no contribution of IT to new or improved business solutions for quite some time.
IT Operations and Service Delivery | P | Loss of operational stability, availability and protection, which can lead to destruction or reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise updates its pandemic plan to guarantee the chain of command, and updates its physical site security policy.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Human resources (HR) policy | Describes the requirements for developing, selecting and evaluating IT profiles throughout the entire career | Low | Low | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Low | High | YES
DSS04.05 | Review, maintain and improve the continuity plan. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Low | Medium | NO
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | Low | Medium | NO
Specific IT management functions | Responsible for identifying specific requirements | Low | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business analysis | Matching the business needs to the required IT skills | Low | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals


• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents


05 Staff Operations
0501 Inappropriate access rights

Risk Scenario Title: Inappropriate access rights
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0501
Risk Scenario
A business user builds up inappropriate access rights over time, from performing different roles within the enterprise. This results in the breakdown of
segregation of duties, allowing the user to commit fraudulent actions. The business user sets up a new supplier, inputs a fictitious invoice and pays the
invoice to an account that belongs to him.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process DSS06 Manage business process controls, especially the management practice manage roles,
responsibilities, access privileges and levels of authority.
Actor
The actor that generates the threat that exploits the vulnerability is internal: the business user.
Event
The event is an ineffective design and/or ineffective execution of the process DSS06 Manage business process controls, which results in access
controls that do not enforce adequate segregation of duties.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process DSS06 Manage business process controls.
Asset/Resource (Effect)
The assets/resources that are affected are the organizational structures (segregation of duties).
Time
The duration of the event is extended because the business user can defraud the company over a long period until the fraud is detected. The timing
of occurrence is noncritical. The event is not easily detected; such fraud is usually uncovered only by accident, so detection is slow. The consequences
are delayed because the business user has to build up the inappropriate access rights over time before he or she can misuse them to defraud
the company.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Security problems and compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Frequent review and immediate removal of inappropriate access rights
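The scenario turns on entitlements that accumulate across job changes until one person can create a supplier, enter an invoice and release the payment. The following Python script is an added example, not part of the ISACA publication: it evaluates an entitlement history against a conflict matrix as of a chosen date and proposes which roles to revoke. The role names, business function names, conflict pairs and users are hypothetical, and the entitlement records are constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over accumulated entitlements.

Added example: not from the ISACA publication. Role names, business function
names, the conflict pairs and the users are hypothetical; the entitlement
history is constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Hypothetical conflict matrix: pairs of business functions that one person
# must never hold together (procure-to-pay toxic combinations).
SOD_CONFLICTS = {
    frozenset({"vendor.create", "invoice.enter"}),
    frozenset({"vendor.create", "payment.release"}),
    frozenset({"invoice.enter", "payment.release"}),
}

# Hypothetical mapping of application roles to the business functions they grant.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"invoice.enter", "invoice.view"},
    "VENDOR_ADMIN": {"vendor.create", "vendor.view"},
    "TREASURY_OFFICER": {"payment.release", "payment.view"},
    "REPORT_READER": {"invoice.view", "vendor.view", "payment.view"},
}

# Constructed entitlement history: (user, role, granted, revoked-or-None).
# Dates are ISO 8601 strings, which compare correctly as plain strings.
# "dana" moved through three departments and nobody revoked the earlier roles;
# "omar" transferred too, but his old role was revoked on the way out.
ENTITLEMENTS = [
    ("dana", "VENDOR_ADMIN", "2019-03-01", None),
    ("dana", "AP_CLERK", "2021-06-15", None),
    ("dana", "TREASURY_OFFICER", "2023-01-10", None),
    ("omar", "VENDOR_ADMIN", "2020-05-01", "2022-01-31"),
    ("omar", "AP_CLERK", "2022-02-01", None),
    ("lee", "REPORT_READER", "2022-09-01", None),
]


def active_roles(entitlements, as_of):
    """Return {user: {role: granted_date}} for grants active on the date as_of."""
    roles = defaultdict(dict)
    for user, role, granted, revoked in entitlements:
        if granted <= as_of and (revoked is None or revoked > as_of):
            roles[user][role] = granted
    return roles


def find_sod_violations(entitlements, as_of, role_functions=ROLE_FUNCTIONS,
                        conflicts=SOD_CONFLICTS):
    """Return violations as (user, function_a, role_a, function_b, role_b).

    A violation exists when one user's active roles, taken together, grant two
    functions that form a conflicting pair. Which role granted which function
    is recorded so the reviewer can see how the combination was assembled.
    """
    violations = []
    for user, roles in sorted(active_roles(entitlements, as_of).items()):
        held = defaultdict(list)            # function -> roles that grant it
        for role in sorted(roles):
            for fn in role_functions.get(role, ()):
                held[fn].append(role)
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, held[a][0], b, held[b][0]))
    return violations


def revocation_candidates(violations, entitlements, as_of):
    """Return {user: set(roles)} to revoke: for each conflict, the role granted
    earliest, on the assumption that it belongs to a previous job.
    A reviewer should confirm with the line manager before acting on this."""
    roles = active_roles(entitlements, as_of)
    plan = defaultdict(set)
    for user, _, role_a, _, role_b in violations:
        plan[user].add(min((role_a, role_b), key=lambda r: roles[user][r]))
    return dict(plan)


if __name__ == "__main__":
    as_of = "2024-01-01"
    found = find_sod_violations(ENTITLEMENTS, as_of)
    for user, fa, ra, fb, rb in found:
        print(f"{user}: {fa} (via {ra}) conflicts with {fb} (via {rb})")
    print("revocation candidates:", revocation_candidates(found, ENTITLEMENTS, as_of))
```

Running the check as of a past date shows how the conflict was assembled: as of 2022-01-01 the user holds one toxic pair, by 2024 all three. Revoking the earliest-granted role in each pair is only a heuristic for "left over from a previous job"; the review should confirm with the line manager before removal, which is why the script reports candidates rather than revoking anything.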
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | Low | YES


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations about staff | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leading by example | Everybody is responsible for the protection of information within the enterprise. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access and event logs | Detection of wrongful activity | Low | High | YES
Allocated roles and responsibilities/levels of authority | Provide clarity on organizational distribution | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security administration skills | Preventing malicious activity | Yes | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls within test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered


0503 Backup process failure

Risk Scenario Title: Backup process failure
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0503
Risk Scenario
The daily backup process fails to successfully back up all data files, and the failure goes undetected. An operational problem occurs, requiring the
backup to be restored. Only then is it discovered that it is not possible to do so, requiring the last successful backup to be restored, which is more than
one week old. This results in the loss of several days of processed transactions and the resulting management information.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes DSS01 Manage operations and DSS04 Manage continuity. The management practice that fails is to
manage backup arrangements.
Actor
The actor that generates the threat that exploits a vulnerability is internal—a failure of an internal backup process that is not detected by IT
operational staff.
Event
The event is an ineffective design and/or ineffective execution of the processes DSS01 Manage operations and DSS04 Manage continuity. Because it
is a failure of an internal backup process, the system sends an alert about the failure, but the alert is not picked up by IT operational staff.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes DSS01 Manage operations and DSS04 Manage continuity and people and
skills, due to the IT operational staff failure to pick up the data backup failure alert.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes whose processed transactions are lost, together with the management information
derived from them.
Time
The duration of the event is extended because it takes considerable time to reprocess the business transactions. The timing of occurrence is noncritical
at the time of the failure. Detection is immediate once operational staff attempt to restore the backup and discover that it is not possible. The time lag
between event and consequence is delayed because the backup failure may not be detected until the backup is required for recovery.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Security problems (availability of information) as well as compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Periodically test backups.
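The failure mode in this scenario is a backup job that reports an error nobody reads, so the first real test of the backup is the restore that fails. The following Python script is an added example, not from the ISACA publication: it reads a backup agent log and reports, per dataset, whether the most recent usable backup (one that succeeded and actually contains data) falls within the recovery point objective, and treats datasets that stopped logging altogether as missing rather than silently healthy. The log format, dataset names, RPO values and timestamps are hypothetical, and the log lines are constructed.

```python
"""Backup freshness check: which datasets lack a usable backup within their RPO?

Added example: not from the ISACA publication. The log format, dataset names,
RPO values and timestamps are hypothetical; the log lines are constructed.
"""
import re
from datetime import datetime

# Constructed backup-agent log. status=OK is a job that completed; status=FAILED
# is a job that errored. "erp" has failed nightly since 2 May and nobody acted
# on the alerts, "hr" simply stopped appearing after 1 May, and "archive"
# reports OK but wrote nothing.
BACKUP_LOG = """\
2024-05-01T02:10:44Z job=nightly dataset=crm status=OK files=18233 bytes=9123456789
2024-05-01T02:20:03Z job=nightly dataset=erp status=OK files=54321 bytes=40123456789
2024-05-01T02:31:17Z job=nightly dataset=hr status=OK files=3311 bytes=512345678
2024-05-02T02:10:51Z job=nightly dataset=crm status=OK files=18290 bytes=9133456789
2024-05-02T02:19:58Z job=nightly dataset=erp status=FAILED error="volume unavailable"
2024-05-03T02:10:47Z job=nightly dataset=crm status=OK files=18301 bytes=9143456789
2024-05-03T02:20:01Z job=nightly dataset=erp status=FAILED error="volume unavailable"
2024-05-04T02:10:49Z job=nightly dataset=crm status=OK files=18355 bytes=9153456789
2024-05-04T02:20:02Z job=nightly dataset=erp status=FAILED error="volume unavailable"
2024-05-05T02:10:50Z job=nightly dataset=crm status=OK files=18402 bytes=9163456789
2024-05-05T02:20:00Z job=nightly dataset=erp status=FAILED error="volume unavailable"
2024-05-05T02:40:12Z job=nightly dataset=archive status=OK files=0 bytes=0
"""

# Hypothetical recovery point objectives in hours; a nightly job gets 26 h of slack.
# "finance" is expected but never appears in the log at all.
RPO_HOURS = {"crm": 26, "erp": 26, "hr": 26, "finance": 26}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) dataset=(?P<ds>\S+) status=(?P<status>\S+)"
    r"(?: files=(?P<files>\d+) bytes=(?P<bytes>\d+))?"
)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = _ts(rec["ts"])
            rec["files"] = int(rec["files"] or 0)
            rec["bytes"] = int(rec["bytes"] or 0)
            yield rec


def usable(rec):
    """Only a backup that succeeded AND contains data counts as a recovery point."""
    return rec["status"] == "OK" and rec["files"] > 0 and rec["bytes"] > 0


def check_backups(log_text, rpo_hours, now_iso):
    """Return {dataset: (state, age_hours)}.

    state is "OK" (usable backup within RPO), "STALE" (last usable backup older
    than RPO) or "MISSING" (no usable backup in the log; age_hours is None).
    Every dataset in rpo_hours is reported even if it never logged anything,
    so a job silently dropped from the schedule still shows up.
    """
    now = _ts(now_iso)
    records = list(parse_log(log_text))
    last_good = {}
    for rec in records:
        if usable(rec) and (rec["ds"] not in last_good or rec["ts"] > last_good[rec["ds"]]):
            last_good[rec["ds"]] = rec["ts"]
    result = {}
    for ds in sorted(set(rpo_hours) | {r["ds"] for r in records}):
        if ds not in last_good:
            result[ds] = ("MISSING", None)
            continue
        age_hours = round((now - last_good[ds]).total_seconds() / 3600, 2)
        limit = rpo_hours.get(ds, 24)
        result[ds] = ("OK" if age_hours <= limit else "STALE", age_hours)
    return result


if __name__ == "__main__":
    for ds, (state, age) in check_backups(BACKUP_LOG, RPO_HOURS, "2024-05-05T08:00:00Z").items():
        print(f"{ds:8s} {state:8s}" + (f" last usable backup {age} h ago" if age is not None else ""))
```

The check deliberately measures the age of the last usable backup, not the presence of a recent job: a FAILED line, an empty OK line and a missing line all produce the same STALE or MISSING verdict. Pairing it with a scheduled test restore (the DSS04.04 practice listed below) is what turns "the alert was sent" into "the backup is known to work".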
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Rules of behavior, acceptable use of technology and required precautions | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against pre-determined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | High | High | YES
DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for technical protection of assets and information | High | High | YES
Head of IT operations | Responsible for managing the operational environment | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leading by example | Everybody is responsible for the protection of information within the enterprise. | Medium | Medium | NO
Culture of preventing errors and accidents | People respect the importance of policies and procedures. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor


Key Risk Indicators (KRIs) Related to Process Goals


• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of disaster recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials


0506 Disclosure of client data to a competitor

Risk Scenario Title: Disclosure of client data to a competitor
Risk Scenario Category: 05 Staff operations
Risk Scenario Reference: 0506
Risk Scenario
An internal member of staff, who has authorized access to sales information, makes an unauthorized copy of commercially sensitive data. This sales
representative downloads and copies the customer database to a USB drive, and then gives it to a competitor of the enterprise.
Risk Scenario Components
Threat Type
The nature of the event is a malicious action of an employee.
Actor
The actor that generates the threat that exploits the vulnerability is an internal member of staff, who has authorized access to sales information and
makes an unauthorized copy of the information.
Event
The event is theft and disclosure of commercial information.
Asset/Resource (Cause)
The resource that leads to the business impact is people, the sales representative.
Asset/Resource (Effect)
The asset/resource that is affected is the sensitive business/commercial information.
Time
The duration of the event is likely to be extended because the disclosure of commercial data can continue for a long period of time before it is detected.
The timing of occurrence is noncritical. Because theft of data is usually detected only by accident, the event cannot be detected immediately and
detection is classified as slow. The time lag between event and consequence is delayed; typically, more and more customers move to the competitor over time.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Security problems
IT Operations and Service Delivery | S | Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Recruitment procedures, access controls and data loss prevention (DLP) controls will be implemented and/or improved.
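The mitigation names data loss prevention (DLP) controls. The following Python script is an added example, not from the ISACA publication, of one such detection for this scenario: it sorts application audit events and endpoint events into one timeline, flags an export that is far above the user's own historical baseline, and raises the severity when the same user writes to removable media shortly afterwards. The event schema, field names, baseline figures and thresholds are hypothetical, and the events are constructed.

```python
"""Bulk-export-to-removable-media correlation, the kind of rule a DLP or SIEM
deployment would run for an insider copying the customer database to USB.

Added example: not from the ISACA publication. The event schema, field names,
per-user baseline and thresholds are hypothetical; the events are constructed.
"""
from datetime import datetime

# Constructed events from two sources, deliberately out of time order: the CRM
# application audit log (action=export) and an endpoint agent (action=removable_write).
EVENTS = [
    {"ts": "2024-05-06T17:44:02Z", "user": "sales07", "src": "endpoint",
     "action": "removable_write", "path": "E:/customers_full.csv", "bytes": 61_000_000},
    {"ts": "2024-05-06T09:02:11Z", "user": "sales07", "src": "crm",
     "action": "export", "object": "customers", "rows": 1200},
    {"ts": "2024-05-06T17:42:30Z", "user": "sales07", "src": "crm",
     "action": "export", "object": "customers", "rows": 48210},
    {"ts": "2024-05-06T10:15:40Z", "user": "sales12", "src": "crm",
     "action": "export", "object": "customers", "rows": 900},
    {"ts": "2024-05-06T10:16:10Z", "user": "sales12", "src": "endpoint",
     "action": "removable_write", "path": "E:/quote.pdf", "bytes": 240_000},
]

# Hypothetical 30-day baseline: median rows per export for each user.
BASELINE_ROWS = {"sales07": 1100, "sales12": 950}

BULK_FACTOR = 10            # an export of >= 10x the user's median is "bulk"
WINDOW_MINUTES = 30         # removable write within this long after the export


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline, bulk_factor=BULK_FACTOR, window_minutes=WINDOW_MINUTES):
    """Return alerts as (severity, user, reason), in time order.

    MEDIUM: an export at or above bulk_factor times the user's median.
    HIGH:   such an export followed within window_minutes by a removable-media
            write from the same user. The write must come after the export;
            an ordinary-sized export followed by a write is not flagged at all.
    """
    events = sorted(events, key=lambda e: _ts(e["ts"]))
    alerts = []
    for i, e in enumerate(events):
        if e["action"] != "export":
            continue
        median = baseline.get(e["user"])
        if median is None or e["rows"] < bulk_factor * median:
            continue
        t0 = _ts(e["ts"])
        writes = [
            f for f in events[i + 1:]
            if f["user"] == e["user"] and f["action"] == "removable_write"
            and (_ts(f["ts"]) - t0).total_seconds() <= window_minutes * 60
        ]
        if writes:
            alerts.append(("HIGH", e["user"],
                           f"{e['rows']} {e['object']} rows exported (median {median}), then "
                           f"written to removable media: {writes[0]['path']}"))
        else:
            alerts.append(("MEDIUM", e["user"],
                           f"{e['rows']} {e['object']} rows exported (median {median})"))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in detect(EVENTS, BASELINE_ROWS):
        print(f"[{severity}] {user}: {reason}")
```

The per-user baseline is what keeps the rule quiet on legitimate removable-media use (the second user's small export and PDF are never flagged), and the time window ties the write to the specific export rather than to everything the user did that day. In practice the removable-write event would come from the endpoint agent that enforces the DLP policy, and the same correlation can be extended to uploads to personal cloud storage or webmail attachments.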
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | Low | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | Low | Low | NO
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Low | Low | NO

124
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples

Process Enabler (cont.)
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO07.04 | Evaluate employee job performance. | Perform timely performance evaluations on a regular basis against individual objectives derived from the enterprise’s goal, established standards, specific job responsibilities, and the skills and competency framework. Employees should receive coaching on performance and conduct whenever appropriate. | Medium | Low | NO
APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the enterprise’s policies and meet agreed-on contractual requirements. | Medium | Low | NO
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | NO
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | Medium | Medium | NO
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | High | Low | YES
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | Low | Low | NO
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for technical protection of assets and information | High | Low | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access and event logs | Detection of wrongful activity | Low | High | YES
Allocated roles and responsibilities/levels of authority | Provide clarity on organizational distribution. | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control management | In order to prevent unauthorized physical access | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Security management skills | Preventing malicious activity | High | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (16) Percentage of staff satisfied with their roles
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Percentage of periodic tests of environmental security devices
• (DSS05) Average rating for physical security assessments
• (DSS05) Number of physical security-related incidents
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations


06 Information
0602 Uncontrolled shutdown

Risk Scenario Title: Uncontrolled shutdown
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0602
Risk Scenario
A company that relies heavily on its e-commerce sales system is not protected by an uninterruptable power supply (UPS), backup generator or database
management system (DBMS) transaction rollback facility. Following a power failure, the server running the e-commerce sales system does not perform a
controlled shutdown, which results in the database tables becoming corrupted.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process DSS06 Manage business process controls. It is the failure of the management practice to control the
processing of information and the respective activity and to maintain the integrity of data during unexpected interruptions in business processing and
confirm data integrity after processing failures.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event is a clear failure of equipment (UPS) or the procedure
‘controlled shutdown’ and there is no actor for this event.
Event
The event is either an ineffective design or an ineffective execution of a process or operational procedure (system shutdown). However, the event
can also be classified as destruction of the database.
Asset/Resource (Cause)
The asset that leads to the business impact is the infrastructure (power supply).
Asset/Resource (Effect)
The asset/resource that is affected is information, the corrupted database.
Time
The duration of the event is extended because the database stays corrupted and has to be recovered from the backups. The time of occurrence of the
event (power failure) is critical because, at that time, the equipment was not in a state to perform a controlled shutdown. The detection is immediate
because the lack of integrity of the database is discovered immediately after the restart of the systems. The time lag between event and consequence is
immediate because the database is corrupted directly by the event (uncontrolled shutdown).
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P IT service interruption
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Maintain the integrity of data during unexpected interruptions in business processing, and confirm data integrity after processing
failures. Installation of a UPS, backup generator and DBMS transaction rollback facility.
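The mitigation above (maintain integrity during unexpected interruptions, confirm integrity afterwards, install a DBMS transaction rollback facility) can be shown with a small Python/SQLite example. This is an added example, not from the ISACA publication: a PowerFailure exception stands in for the crash, and the explicit ROLLBACK stands in for what the DBMS journal does on restart. Run without a transaction, the interrupted order leaves a header with no lines and the post-failure reconciliation flags it; run inside a transaction, the partial write is undone and the check comes back clean. The schema and the order data are constructed for the example.

```python
import sqlite3

# Constructed schema for the example: an order header and its lines must always agree.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total INTEGER NOT NULL);
CREATE TABLE order_lines (
    order_id INTEGER NOT NULL REFERENCES orders(id),
    sku TEXT NOT NULL,
    amount INTEGER NOT NULL
);
"""


class PowerFailure(Exception):
    """Stand-in for the server losing power part-way through a business transaction."""


def open_store():
    # isolation_level=None puts the connection in autocommit mode, so the example
    # controls transaction boundaries itself with explicit BEGIN / COMMIT / ROLLBACK.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def place_order(conn, customer, lines, use_transaction, fail_after_header=False):
    """Write an order header and its lines. With use_transaction=True both writes form one
    unit of work; without it each INSERT is committed on its own (no rollback facility).
    fail_after_header=True raises PowerFailure between the two writes."""
    total = sum(amount for _, amount in lines)
    if use_transaction:
        conn.execute("BEGIN")
    try:
        cur = conn.execute("INSERT INTO orders (customer, total) VALUES (?, ?)", (customer, total))
        order_id = cur.lastrowid
        if fail_after_header:
            raise PowerFailure("power lost before the order lines were written")
        conn.executemany("INSERT INTO order_lines (order_id, sku, amount) VALUES (?, ?, ?)",
                         [(order_id, sku, amount) for sku, amount in lines])
        if use_transaction:
            conn.execute("COMMIT")
        return order_id
    except Exception:
        # What the DBMS journal does on restart after a real crash: undo the partial write.
        if use_transaction and conn.in_transaction:
            conn.execute("ROLLBACK")
        raise


def confirm_data_integrity(conn):
    """Post-failure check: SQLite's structural check plus an application-level
    reconciliation of each order total against the sum of its lines."""
    structural_ok = conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    bad = conn.execute("""
        SELECT o.id FROM orders o
        LEFT JOIN order_lines l ON l.order_id = o.id
        GROUP BY o.id
        HAVING COALESCE(SUM(l.amount), 0) != o.total
    """).fetchall()
    orders = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return {"structural_ok": structural_ok,
            "orders_committed": orders,
            "inconsistent_orders": [row[0] for row in bad]}


def run_scenario(use_transaction):
    """Two orders; the second is interrupted by the simulated power failure."""
    conn = open_store()
    place_order(conn, "alice", [("A1", 10), ("A2", 5)], use_transaction)
    try:
        place_order(conn, "bob", [("B1", 7)], use_transaction, fail_after_header=True)
    except PowerFailure:
        pass
    return confirm_data_integrity(conn)


if __name__ == "__main__":
    print("no rollback facility:", run_scenario(use_transaction=False))
    print("transactional:       ", run_scenario(use_transaction=True))
```

Note that the structural check passes in both runs: a file that is internally consistent can still hold business data that is not, which is why the scenario's DSS06 practices ask for an application-level confirmation after a processing failure and not only a database-level one.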
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available | Low | High | YES
Business continuity and disaster recovery policy | Validate recoverability of data | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Low | High | YES
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Low | Medium | NO
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Responsible to implement proper controls and measures to protect data and hardware | High | Medium | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup reports | Describes the status of backups | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup systems | Ensure proper recovery in case of loss, modification or corruption of data. | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Implement proper controls and measures to protect data and hardware (e.g., data backup, storage) | High | High | YES

Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of availability incidents
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems
• (DSS04) Percentage of IT services meeting uptime requirements
• (DSS04) Percentage of successful and timely restoration from backup or alternate media copies
• (DSS04) Percentage of backup media transferred and stored securely
• (DSS04) Number of critical business systems not covered by the backup plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Frequency of business continuity and disaster recovery tests
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
• (DSS04) Percentage of internal and external stakeholders that have received business continuity training
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity training materials
• (DSS06) Percentage of completed inventory of critical process and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered

0607 Modification of client data

Risk Scenario Title: Modification of client data
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0607
Risk Scenario
In an enterprise with poor access rights management procedures, a sales manager is given database administration (DBA) rights in error. This privileged
level of access is then used for unauthorized modification of sales data, which results in the misrepresentation of sales activity and inflates the sales
manager’s sales target bonus. The data modification is not detected, the additional payments of the sales bonuses are issued and the fraudulent
behavior goes undetected.
Risk Scenario Components
Threat Type
The nature of the event is a malicious and fraudulent act.
Actor
The actor that generates the threat that exploits the vulnerability is internal—the sales manager (business user).
Event
The event is an unauthorized modification of sales data that was allowed by the ineffective design and/or ineffective execution of the process DSS05
Manage security services, its management practice DSS05.04 Manage user identity and logical access, the process DSS06 Manage business process
controls and its management practice DSS06.05 Ensure traceability of information events and accountabilities, which allowed the sales manager to
inherit DBA access rights.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the process DSS05 Manage security services and its management practice DSS05.04
Manage user identity and logical access and the process DSS06 Manage business process controls and its management practice DSS06.05 Ensure
traceability of information events and accountabilities, which allowed the sales manager to inherit DBA access.
Asset/Resource (Effect)
The asset/resource that is affected is information, the sales data.
Time
The duration of the event is extended because the modification of the sales data and the fraudulent behavior can go undetected for a long period of
time. Because the bonus was not yet calculated and paid out at the time of the modification of the sales data, the timing of occurrence is critical.
Because such modifications of data and fraudulent actions are usually only detected by accident, the time for detection is classified as slow. For
the same reason, the time between event and consequence is classified as delayed.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems; S Compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise will implement effective management of privileged access rights, including the periodic review of inherited access
rights and change management over data, which includes the traceability of changes made to data, by whom and when.
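The mitigation describes a periodic review of (inherited) privileged access rights together with segregation of duties. The Python below is an added example, not ISACA's or any vendor's tooling, of what such a review checks: it reconciles a constructed export of database role grants against constructed HR job roles and an approved entitlement matrix, and reports orphan accounts, privileged roles a job is not entitled to (the sales manager holding DBA here) and segregation-of-duties conflicts. It also computes the DSS05 indicator "number of accounts vs. number of authorised users" listed under the process-goal KRIs. All logins, roles and the entitlement matrix are assumptions for the example.

```python
from collections import namedtuple

# Constructed sample data for the example; none of it describes a real enterprise.
HR_STAFF = {                     # login -> job role, as the HR system would report it
    "asmith": "sales manager",
    "bjones": "database administrator",
    "cwu": "sales representative",
    "dlee": "database administrator",
}
DB_GRANTS = [                    # (login, database role) as exported from the DBMS
    ("asmith", "DBA"),           # granted in error: a sales manager holding DBA
    ("asmith", "SALES_RW"),
    ("bjones", "DBA"),
    ("cwu", "SALES_RW"),
    ("dlee", "DBA"),
    ("eold", "SALES_RW"),        # leaver whose account was never removed
]
ENTITLEMENTS = {                 # approved matrix: job role -> database roles it may hold
    "sales manager": {"SALES_RW"},
    "sales representative": {"SALES_RW"},
    "database administrator": {"DBA"},
}
PRIVILEGED_ROLES = {"DBA"}
SOD_CONFLICTS = [{"DBA", "SALES_RW"}]   # nobody may both administer and edit sales data

Finding = namedtuple("Finding", "login role reason")


def review_access(hr_staff, db_grants, entitlements, privileged_roles, sod_conflicts):
    """Reconcile actual grants against HR job roles and the approved entitlement matrix.
    Returns findings for orphan accounts, roles a job is not entitled to (privileged ones
    called out separately) and segregation-of-duties conflicts, in that order."""
    findings = []
    roles_by_login = {}
    for login, role in db_grants:
        roles_by_login.setdefault(login, set()).add(role)
        job = hr_staff.get(login)
        if job is None:
            findings.append(Finding(login, role, "orphan account: no HR record"))
        elif role not in entitlements.get(job, set()):
            kind = "unapproved privileged role" if role in privileged_roles else "unapproved role"
            findings.append(Finding(login, role, f"{kind} for job '{job}'"))
    for login, roles in roles_by_login.items():
        for conflict in sod_conflicts:
            if conflict <= roles:    # the login holds every role in the conflicting set
                findings.append(Finding(login, "+".join(sorted(conflict)),
                                        "segregation-of-duties conflict"))
    return findings


def account_kris(hr_staff, db_grants):
    """The DSS05 indicator 'number of accounts vs. number of authorised users', computed
    from the same two inputs the review uses."""
    accounts = {login for login, _ in db_grants}
    return {"accounts": len(accounts),
            "authorised_users": len(hr_staff),
            "accounts_without_user": len(accounts - set(hr_staff))}


if __name__ == "__main__":
    for f in review_access(HR_STAFF, DB_GRANTS, ENTITLEMENTS, PRIVILEGED_ROLES, SOD_CONFLICTS):
        print(f"{f.login:8} {f.role:14} {f.reason}")
    print(account_kris(HR_STAFF, DB_GRANTS))
```

Because the review is driven by the HR job role rather than by what the account already has, an entitlement that was inherited by mistake is caught at the next review even though nobody requested it; the accompanying traceability requirement (who changed which data and when) is what makes the resulting correction auditable.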
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | High | Low | YES

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.04 | Manage user identity and logical access. | Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes. | High | Low | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Medium | Low | NO
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | Medium | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Low | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option with regards to daily operations. | Medium | Low | NO
Need to access only | Limit the access of staff without affecting performance. | High | Low | YES
Everybody is responsible for the protection of information within the enterprise. | Lead by example. | Low | Low | NO

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise | Medium | Low | NO
Nondisclosure agreements | Contractually protect intellectual property (IP) by deterring staff from disclosing information to malicious parties. | Medium | Medium | NO
Access and event logs | Detection of wrongful activity | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control | To prevent unauthorized physical access | High | Low | YES
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered

0608 Disclosure of patient data

Risk Scenario Title: Disclosure of patient data
Risk Scenario Category: 06 Information
Risk Scenario Reference: 0608
Risk Scenario
A clerical assistant at an insurance company creates an email message that contains patient identifiable data, in plain text, that details medical
conditions and sends it to the wrong email distribution list in error. The clerical assistant either does not realize his/her error, or realizes, but keeps quiet
about the error. This results in inappropriate disclosure of patient identifiable information.
Risk Scenario Components
Threat Type
The nature of the event is accidental inappropriate disclosure of patient identifiable information.
Actor
The actor that generates the threat that exploits the vulnerability is internal, a business user (the clerical assistant).
Event
The event is disclosure of patient identifiable information.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people and skills because the clerical assistant makes the error. A blaming culture could also
lead to non-disclosure of the error, which would apply to organizational structures.
Asset/Resource (Effect)
The resource that is affected is information (the patient data).
Time
Timing is critical. When a user realizes he/she has sent sensitive information to the wrong email address, it is essential that the user informs his/her
supervisor, to allow the situation to be effectively managed. However, in the majority of enterprises a blame culture exists, and it is unlikely that the user
will admit to the error. Therefore, the duration is likely to be extended, detection is likely to be slow and the time lag between event and consequence is
delayed, because it is likely that the error will not be detected for a long period of time.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery: P Security problems and compliance issues
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Data classification and security controls are defined, e.g., sensitive information is encrypted before email messages are sent.
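The mitigation calls for data classification and for encrypting sensitive information before an email is sent. As an added example (not from the ISACA publication), the Python below puts that rule into an outbound gate: the message body is classified by a constructed patient-reference pattern (PAT- followed by six digits) plus clinical keywords, and a patient-identifiable message is blocked unless it is already encrypted and every recipient is on an approved list, so a message addressed to the wrong distribution list never leaves, and the block is written to an audit log that does not depend on the sender admitting the error. The reference format, the mail domain and the approved list are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed formats for the example: a constructed patient reference such as PAT-123456,
# plus a few clinical keywords that, together with a reference, mark a message as
# patient-identifiable. A real deployment would use the enterprise's own identifiers.
PATIENT_REF = re.compile(r"\bPAT-\d{6}\b")
CLINICAL_TERMS = ("diagnosis", "condition", "prescribed", "treatment")
# Assumed: the only distribution lists approved to receive patient data.
APPROVED_PATIENT_DATA_RECIPIENTS = {"claims-medical@example-insurer.test"}


@dataclass
class OutboundMail:
    sender: str
    recipients: List[str]
    body: str
    encrypted: bool = False   # True when the body is already protected (e.g., S/MIME)


def classify(body):
    """Three-level classification: 'patient-identifiable' needs both a patient
    reference and clinical wording; either alone is 'internal'; otherwise 'public'."""
    has_ref = bool(PATIENT_REF.search(body))
    has_clinical = any(term in body.lower() for term in CLINICAL_TERMS)
    if has_ref and has_clinical:
        return "patient-identifiable"
    if has_ref or has_clinical:
        return "internal"
    return "public"


def gate_outbound(mail, audit_log=None):
    """Decide before the message leaves: patient-identifiable content must be encrypted
    and may go only to approved recipients. Returns (decision, reasons)."""
    level = classify(mail.body)
    reasons = []
    if level == "patient-identifiable":
        if not mail.encrypted:
            reasons.append("patient-identifiable data in plain text")
        for rcpt in mail.recipients:
            if rcpt.lower() not in APPROVED_PATIENT_DATA_RECIPIENTS:
                reasons.append(f"recipient not approved for patient data: {rcpt}")
    decision = "block" if reasons else "allow"
    if decision == "block" and audit_log is not None:
        # Recorded by the gate, not the sender, so the event is visible even if nobody reports it.
        audit_log.append({"sender": mail.sender, "recipients": list(mail.recipients), "reasons": reasons})
    return decision, reasons


if __name__ == "__main__":
    log = []
    # Constructed message reproducing the scenario: plain-text medical detail to the wrong list.
    wrong_list = OutboundMail("clerk@example-insurer.test", ["all-staff@example-insurer.test"],
                              "Patient PAT-123456 condition: asthma, treatment ongoing")
    print(gate_outbound(wrong_list, log))
    print(log)
```

The two failure modes in the scenario map to the two reasons the gate can return: plain text where encryption was required, and a recipient outside the approved set. Either alone blocks the message, and the allow path is reached only when both conditions are satisfied.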
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security policy | Defines limitations on sharing and using information; rules of behavior, acceptable use of technology and required precautions such as segregation of duties | Medium | Medium | NO

Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.06 | Define information (data) and system ownership. | Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the chief information officer (CIO) should be commensurate with the importance of IT within the enterprise. | Low | High | YES
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | High | High | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | High | High | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Medium | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Low | Low | NO
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations. | High | High | YES
Lead by example | Everybody is responsible for the protection of information within the enterprise. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (15) Number of incidents related to non-compliance to policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (DSS05) Number of vulnerabilities discovered
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls


07 Architecture
0701 Inability to implement mobile banking

Risk Scenario Title: Inability to implement mobile banking
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0701

Risk Scenario
A mid-sized US bank uses host systems for the core banking applications, in particular, for retail banking. The director for retail banking, a member
of the board, requested that a mobile banking solution (application) be offered for the retail market and expected a return on investment (ROI) within two
years. The core banking system, however, is not capable of handling the communications with a mobile application environment. The chief information
officer (CIO) maintains a good relationship with the host provider and, in a defensive position on new systems, analyzed the requirements. The CIO
came to the conclusion that the solution can be implemented, but only by using new middleware and communications systems. These additions
exceeded the forecasted budget and were new technologies to the bank. Therefore, the initiative was not deemed able to create an acceptable ROI
and was not started.

Competitors, however, currently provide a mobile solution to their customers and the bank’s customers are moving to those other banks.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the director for retail banking and the CIO.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the lack of an effective process APO03 Manage enterprise architecture and the IT infrastructure
because the host system is inflexible and unable to meet the customer expectations.
Asset/Resource (Effect)
The resource that is affected is the business process retail banking because it is not available for mobile devices.
Time
The duration of the event is extended because the software application for retail banking on mobile devices cannot be delivered. The timing of the
occurrence is critical because the competitors already provide mobile solutions to their customers. The event is detected during the study and before
the project was started and, therefore, is moderate. The consequence is delayed and ongoing because the project cannot be executed.
Risk Type
IT Benefit/Value Enablement | P | Customer expectations for efficient processes using mobile devices cannot be met. Unsatisfied customers are leaving the bank.
IT Programme and Project Delivery | P | New solutions cannot be developed without significantly changing the software and hardware environment, resulting in a lack of agility.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board is accepting the inability to apply upcoming technology options. The board also accepts that the enterprise will lose
business competitiveness because competitors are currently providing a similar service to their customers and therefore may lose market share.
• Risk Sharing/Transfer: The chief executive officer (CEO) can outsource the mobile banking infrastructure and transfer the risk through the
outsourcing contract.
• Risk Mitigation: Apply architecture management and scenarios to amend the capabilities of the host and/or to replace the host system.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect agreed-on standards | The enterprise should stimulate the use of agreed-on standards. | Medium | Medium | NO

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modelling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Date of last update to domain and/or federated architectures
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components


0702 New products cannot be implemented

Risk Scenario Title: New products cannot be implemented
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0702

Risk Scenario
The chief executive officer (CEO) of a large insurance company plans to issue eight new products per year to the market. He does not consult the IT
department. Product development starts the project and creates the eight new products. As they involve the IT department in the project, they find out
that, based on the existing architecture and old legacy systems, IT is able to introduce the administration for only four new products per year. Therefore,
at least half of the work of the product development team was wasted.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the CEO and the product development team because they did not involve
the IT department at the start of the project.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the lack of an effective process APO03 Manage enterprise architecture and the IT infrastructure
because the host system is unable to meet the customer expectations.
Asset/Resource (Effect)
The resource that is affected is the business process new products because the company cannot start to sell the new products.
Time
The duration of the event is extended because only four of the new products can be started and the remaining four must be held until the following year.
The timing of the occurrence is critical because the competitors currently offer new products. The event is not detected before the company wants to
start with the new products and, therefore, is slow. The consequence is delayed and ongoing because the project cannot be executed.
Risk Type
IT Benefit/Value Enablement | P | Customer expectations for issuing new products cannot be met.
IT Benefit/Value Enablement | P | Unsatisfied customers are leaving the insurance company.
IT Programme and Project Delivery | P | New products cannot be developed without significantly changing the software and hardware environment, which results in a lack of agility.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board is accepting the inability to implement new products as fast as expected, therefore, losing the opportunity to gain
business advantage.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Apply architecture management and scenarios to amend the capabilities of the host and/or to replace the host system.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | Low | Low | NO

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modeling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Date of last update to domain and/or federated architectures
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components


0703 Distribution of mobile devices

Risk Scenario Title: Distribution of mobile devices
Risk Scenario Category: 07 Architecture
Risk Scenario Reference: 0703

Risk Scenario
To satisfy requirements of the business management (board members and directors), the chief information officer (CIO) distributed mobile devices
(e.g., smartphones, tablets) so that management can easily have access to the enterprise applications and email from everywhere. The CIO did not
develop a program to address all requirements for mobile devices by following the enterprise architecture good practices (e.g., The Open Group
Architecture Framework [TOGAF]). Appropriate security policies and procedures were not developed. The devices are not equipped with security features
(e.g., encryption of information and secure connection) to preserve the enterprise information in case of security breaches (e.g., stolen/lost devices,
unauthorized access to the devices and their information). Before the devices were distributed, their management was not based on good practice (e.g.,
life-cycle management and baseline configuration).
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the CIO and the information security manager.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI09 Manage assets, BAI10 Manage configuration and DSS05 Manage security
services due to a lack of ensuring coverage of all capabilities, such as training, security, replacement and service desk. Another resource is people and
skills because the CIO is trying to fulfil board requirements on short notice, and the information security officer is not stopping the initiative. Information
is also a resource due to the lack of a policy to handle security of information on new technology.
Asset/Resource (Effect)
The resource that is affected is information, specifically, the security information on the mobile devices and in transport.
Time
The duration of the event is extended because equipping the devices with appropriate security features requires some time. The timing of the
occurrence is noncritical. The event is detected as the devices start being used and is moderate. The consequence is delayed and ongoing because
the security weaknesses cannot be addressed immediately and need proper analysis.
Risk Type
IT Benefit/Value Enablement | S | Higher efficiency of management staff
IT Programme and Project Delivery | S | Delayed delivery of the initiative’s results if all requirements were considered
IT Programme and Project Delivery | P | The mobile devices delivered are not capable of meeting the enterprise and legal requirements, in particular, with regards to security baselines.
IT Operations and Service Delivery | P | Enterprise information can be compromised, which leads to potential compliance issues.
Possible Risk Responses
• Risk Avoidance: Do not distribute mobile devices until risk mitigation is in place.
• Risk Acceptance: The board accepts the lack of security.
• Risk Sharing/Transfer: Mobile users are held liable for any damage that occurs with the mobile device.
• Risk Mitigation: Define a policy to customize the mobile devices before distribution. Implement security features, monitor the devices, and maintain
their security (remote deletion of lost/stolen devices etc.).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
BAI10.02 | Establish and maintain a configuration repository and baseline. | Establish and maintain a configuration management repository and create controlled configuration baselines. | Low | High | YES
BAI10.03 | Maintain and control configuration items. | Maintain an up-to-date repository of configuration items by populating with changes. | Medium | Medium | NO
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. | Low | Low | NO
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Low | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect policies and standards | The enterprise should stimulate the use of agreed-on standards. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | Medium | Medium | NO


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modelling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | Medium | NO

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI09) Number of assets not utilised
• (BAI09) Number of obsolete assets
• (BAI10) Number of deviations between the configuration repository and live configuration
• (BAI10) Number of discrepancies relating to incomplete or missing configuration information
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information


08 Infrastructure
0802 System not scalable to meet business growth

Risk Scenario Title: System not scalable to meet business growth
Risk Scenario Category: 08 Infrastructure
Risk Scenario Reference: 0802

Risk Scenario
A small offline trading enterprise operates an online shop, is increasing its customer base and invests heavily in marketing initiatives. All IT equipment
is procured by shop personnel who do not have the appropriate technical skills to apply best practices and vendor usage recommendations. The IT
infrastructure was stable and available in the past, but when the user base and usage of the system increase, the system availability significantly drops,
compromising the service level needed for this vertical market.
Risk Scenario Components
Threat Type
The nature of the event is in the inappropriate design of the infrastructure caused by accident/error.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the shop owner (chief executive officer [CEO]).
Event
The event is interruption caused by a significant drop of system availability and ineffective design of the infrastructure.
Asset/Resource (Cause)
The resources that lead to the business impact are the process BAI04 Manage availability and capacity and the IT infrastructure servers that are not
capable of meeting the rising demand.
Asset/Resource (Effect)
The resources affected are business processes such as the sales process (online shop), which are often not available, and applications because the
online shop is not regularly available.
Time
The duration of the event is extended because it needs a long period of time to upgrade or replace the infrastructure. The online shop is not regularly
available, so business is missed. Therefore, the timing of occurrence is critical. Because the online shop is not available, the detection is instant.
Because there is momentarily no business, the consequence is immediate.
Risk Type
IT Benefit/Value Enablement | P | Online sales are not available, resulting in lost business.
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT service interruptions
Possible Risk Responses
• Risk Avoidance: Not offering an online shop
• Risk Acceptance: The shop owner accepts the lost business.
• Risk Sharing/Transfer: Outsourcing of the IT service and agreed-on service level agreement (SLA) availability with appropriate penalties
• Risk Mitigation: Outsourcing of the IT service and agreed-on SLA availability. Upgrade of the existing system to increase the IT capability
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Change Management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | Medium | Medium | NO


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO02.02 | Assess the current environment, capabilities and performance. | Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Low | Low | NO
Head of architecture | Design architecture in an optimal way. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Configuration status reports | Track changes to configuration. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of transition peaks where target performance is exceeded
• (BAI04) Number of availability incidents
• (BAI04) Number of events where capacity has exceeded planned limits
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues

0804 Secondary utilities

Risk Scenario Title | Secondary utilities
Risk Scenario Category | 08 Infrastructure
Risk Scenario Reference | 0804
Risk Scenario
A particular enterprise is required by industry regulators to have dual data centers to support operations for its 24/7 mission-critical online systems. Both facilities were built with redundant technology infrastructure and connected using dual ring (redundant) optical fibers. When the request for proposal (RFP) was written, it did not contain the prerequisite that each communication ring should be offered by a different provider. The communications provider that offered the service tried to reduce its installation costs by taking advantage of existing subway tunnels to deploy the fibers instead of building its own tunneling system as required by regulations.

During a maintenance shift, local subway train system employees were repairing the rails and accidentally cut the optical fiber, which interrupted the service offered by the provider. The enterprise's remote monitoring system detected the outage immediately and alerts were raised to the communications provider, which missed its service level agreements (SLAs) and took more than three days to locate the point where the fiber was cut.

During that time, the data center operated in yellow alert mode with reduced service and no ability to balance transactions or maintain data replication between the two existing network attached storage (NAS) systems. Because of the loss of communication, the enterprise invoked data backup procedures on portable storage media and established four synchronization points per day, which incurred additional service costs.
Risk Scenario Components
Threat Type
The nature of the event is an accidental failure of the IT infrastructure. Secondarily, it is also a failure of the procurement process.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the Steering (Program/Projects)
Committee. The external actor is train system employees.
Event
The event is primarily a destruction of the IT infrastructure (network), which caused the interruption of the IT services. The event is also ineffective
design and/or ineffective execution of the process BAI01 Manage programmes and projects, specifically, the management practices Maintain a
standard approach for programme and project management and Manage project resources and work packages; and ineffective design
and/or ineffective execution of the process BAI03 Manage solutions identification and build, specifically, the management practice Procure
solution components.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes BAI01 Manage programmes and projects and BAI03 Manage solutions
identification and build and the people from the train system.
Asset/Resource (Effect)
The assets/resources that are affected by the event are the physical and IT infrastructure that was destroyed and the information and applications that were interrupted.
Time
The duration of the event is extended, because the provider missed its SLAs and took more than three days to find the spot where the fiber was cut off.
The time of occurrence is critical because the company currently has no redundant communication lines. The event was detected immediately by the
company’s remote monitoring system and alerts were given to the communications service provider. The time lag between event and consequences is
also immediate because at the moment that the fiber was cut, there was no network access.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | P | Because the IT infrastructure cannot be used for innovation, there are missed opportunities to use technology to improve efficiency and/or effectiveness.
IT Programme and Project Delivery | S | Because the IT infrastructure cannot be used to support programs and projects, there is no contribution of IT to new or improved business solutions for quite a while.
IT Operations and Service Delivery | P | The operational stability, availability and protection are affected, which can lead to destruction or reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Ensure that the programs and projects are correctly defined, with specific requirements, including all environmental concerns.
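The mitigation above turns on a requirement the RFP never stated: the two rings must not share a provider or a physical path, otherwise a single cut takes both down. The following check is an added example, not part of the ISACA text, that tests a circuit inventory for exactly that shared-fate condition. The inventory records, the field names (provider, segments) and the segment identifiers are constructed for the example; in practice they would come from the carriers' route disclosures and the CMDB.

```python
"""Path-diversity check for a pair of circuits that are meant to be redundant.

Added example for this scenario; not from ISACA or the COBIT 5 text.
The circuit inventory below is constructed, and the field names
(provider, segments) are assumptions: a real check would pull them
from the carriers' route disclosures or the CMDB.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Circuit:
    circuit_id: str
    provider: str
    # Physical path as an ordered tuple of conduit/duct/tunnel/vault identifiers.
    segments: tuple


def shared_segments(circuits):
    """Return {segment: sorted circuit ids} for every segment used by more than one circuit."""
    users = defaultdict(set)
    for c in circuits:
        for seg in c.segments:
            users[seg].add(c.circuit_id)
    return {seg: sorted(ids) for seg, ids in users.items() if len(ids) > 1}


def diversity_findings(circuits):
    """Findings for a set of circuits that are supposed to be mutually redundant.

    Returns a list of human-readable findings; an empty list means the set is
    provider-diverse and shares no physical segment (no common point of failure
    visible in the inventory).
    """
    findings = []
    providers = {c.provider for c in circuits}
    if circuits and len(providers) < 2:
        findings.append(f"single provider for all circuits: {next(iter(providers))}")
    for seg, ids in sorted(shared_segments(circuits).items()):
        findings.append(f"shared physical segment {seg}: {', '.join(ids)}")
    return findings


# Constructed inventory modelled on the scenario: both rings were bought from
# one carrier, which ran both fibers through the same subway tunnel.
AS_BUILT = [
    Circuit("ring-A", "CarrierOne", ("dc1-vault", "subway-tunnel-L3", "dc2-vault")),
    Circuit("ring-B", "CarrierOne", ("dc1-vault", "subway-tunnel-L3", "dc2-vault")),
]

# What the RFP should have required: a second provider on a separate route.
# The building entry vaults differ too, so even the last metre is not shared.
DIVERSE = [
    Circuit("ring-A", "CarrierOne", ("dc1-vault-north", "subway-tunnel-L3", "dc2-vault-north")),
    Circuit("ring-B", "CarrierTwo", ("dc1-vault-south", "duct-ringroad-west", "dc2-vault-south")),
]

if __name__ == "__main__":
    for label, inventory in (("as built", AS_BUILT), ("diverse", DIVERSE)):
        found = diversity_findings(inventory)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

Run against the as-built inventory the check reports one provider and three shared segments, including the subway tunnel; the diverse inventory returns no findings. The same function can be run at RFP evaluation time on the bidder's proposed route, which is the point in the scenario where the requirement was missed.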

Risk Mitigation Using COBIT 5 Enablers


Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.03 | Define the target IT capabilities. | Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; assess the current business process and IT environment and issues; and consider reference standards, best practices and validated emerging technologies or innovation proposals. | Low | High | YES
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | Medium | Low | NO
BAI01.12 | Manage project resources and work packages. | Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources. | Medium | Low | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | Medium | Medium | NO
Current asset inventory | Track all assets throughout the enterprise. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | Medium | Medium | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Technical skills | Manage the different infrastructure components. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (07) Number of business disruptions due to IT service incidents
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO02) Percentage of strategic initiatives with accountability assigned
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of reworked solution designs due to misalignment with requirements
• (BAI03) Time taken to approve that design deliverable has met requirements
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems

0805 Inappropriate segregation of networks
Risk Scenario Title | Inappropriate segregation of networks
Risk Scenario Category | 08 Infrastructure
Risk Scenario Reference | 0805
Risk Scenario
The network of a telecommunications (telecom) company consists of two key networks: an office network dedicated to corporate processes and an
operations network for the provision of telecom services. The networks are managed by separate IT departments with different baselines and procedures
that are driven by different requirements. Telecom systems cannot, for technical reasons, be patched on short notice to maintain the service level. The
company does not have a common incident and event management process in place that addresses both networks, which would ensure the handling
and resolution of incidents in an appropriate length of time.

Some users, due to their job description, need access to both networks. This access is realized with two network interface cards in the end-user computer. However, these computers are not adequately patched and are vulnerable to malicious code.

A malware infection of one of those computers resulted in the infection of multiple computers in the operations network and, because the two networks were not properly segregated, also in the office network.
Risk Scenario Components
Threat Type
The nature of the event lies in the inappropriate design of the network architecture caused by error.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actors are the chief information officer (CIO), the information security officer, the network manager and the operations network manager. The external actors are the developers of malicious code.
Event
The event is an interruption, caused by systems becoming unavailable, and an ineffective design of the network architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the process DSS05 Manage security services, with ineffective patch management and inadequate
security incident procedures, and the IT infrastructure, with unpatched systems, inadequate segregation of networks and monitoring capabilities (e.g.,
intrusion prevention system [IPS]).
Asset/Resource (Effect)
The resources affected are business processes, which cannot be operated because no IT services are available; the unavailable IT infrastructure; the
accessibility of information; and the accessibility of applications.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the network infrastructure. The timing of
occurrence is critical because business processes are regularly unavailable, which results in missed business. Because security events are not detected
immediately, the detection is moderate. The consequence is immediate because there is momentarily no business.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | IT service interruptions
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Outsourcing of patch management services
• Risk Mitigation: Separate the networks with proper mechanisms and apply an IPS. Define and apply a patch management process for both networks. Monitor network security.
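The first mitigation step depends on knowing which endpoints currently bridge the two networks. The script below is an added example (not from ISACA or the COBIT 5 text) that finds dual-homed hosts from an interface inventory export and rates the finding higher when the host is also behind on patching, which is the combination that caused the infection in the scenario. The zone prefixes, the CSV layout, the patch-age threshold and the inventory lines are all constructed assumptions; a real run would take the export from the CMDB or the endpoint management tool.

```python
"""Find end-user hosts that bridge the office and operations networks.

Added example for this scenario; not ISACA's or the COBIT 5 text's own code.
Zone prefixes, the CSV layout and the patch-age threshold are assumptions;
the inventory lines are constructed for the example.
"""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed zone plan: each zone is a list of address prefixes.
ZONES = {
    "office": [ip_network("10.10.0.0/16")],
    "operations": [ip_network("10.200.0.0/16"), ip_network("172.20.0.0/14")],
}

# Constructed inventory export: host, interface, address and the number of
# days since the last patch cycle completed on that host.
INVENTORY = """\
host,iface,ip,patch_age_days
ws-nms-01,eth0,10.10.4.21,9
ws-nms-01,eth1,10.200.7.5,9
ws-fin-03,eth0,10.10.8.44,12
ws-noc-02,eth0,10.10.5.17,120
ws-noc-02,eth1,172.21.3.9,120
srv-mon-01,bond0,10.200.1.2,30
"""


def zone_of(ip):
    """Name of the zone whose prefix contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in p for p in prefixes):
            return name
    return "unknown"


def parse_inventory(text):
    """Return {host: {'zones': set of zone names, 'patch_age_days': int}}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        entry = hosts.setdefault(row["host"], {"zones": set(), "patch_age_days": 0})
        entry["zones"].add(zone_of(row["ip"]))
        entry["patch_age_days"] = int(row["patch_age_days"])
    return hosts


def dual_homed(hosts):
    """Hosts with interfaces in more than one zone, i.e. potential bridges."""
    return {h: e for h, e in hosts.items() if len(e["zones"]) > 1}


def bridge_findings(text, max_patch_age=30):
    """Sorted (host, zones, patch_age_days, severity) for every dual-homed host.

    Severity is 'high' when the host is also behind on patching, because an
    unpatched endpoint with a foot in both networks is the infection path
    the scenario describes; otherwise 'medium'.
    """
    out = []
    for host, e in sorted(dual_homed(parse_inventory(text)).items()):
        severity = "high" if e["patch_age_days"] > max_patch_age else "medium"
        out.append((host, "+".join(sorted(e["zones"])), e["patch_age_days"], severity))
    return out


if __name__ == "__main__":
    for host, zones, age, severity in bridge_findings(INVENTORY):
        print(f"{severity:6} {host:12} bridges {zones:20} last patched {age} days ago")
```

On the constructed export the check flags ws-nms-01 as medium and ws-noc-02 as high; the single-homed hosts are not reported. Feeding the same function the list of hosts the IPS has seen talking across zones would give a second, traffic-based view of the same gap.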
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | High | High | YES
Head of architecture | Design architecture in an optimal way. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Maintenance plan | Plan the maintenance of the IT infrastructure. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Technical skills | Manage the different infrastructure components. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of availability incidents
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (BAI09) Number of obsolete assets
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Number of incidents relating to unauthorised access to information

0806 Data center infrastructure not adapted to growing needs

Risk Scenario Title | Data center infrastructure not adapted to growing needs
Risk Scenario Category | 08 Infrastructure
Risk Scenario Reference | 0806
Risk Scenario
A data center is hosting operational, development and testing equipment. As the business demand grew, additional IT infrastructure was installed in the
data center, but the data center infrastructure (e.g., the air-conditioning cooling capability) was not adapted to the growing needs.

In peak times, the development and test systems had to be shut down due to overheating of the server room. Due to overheating, some servers had a
hardware failure, some shut down independently and some air conditioning systems broke and had to be replaced.

A proper plan to maintain the physical infrastructure was not in place, and corrective action was taken in an ad hoc manner, rather than being based on a
sound business continuity plan (BCP).
Risk Scenario Components
Threat Type
The nature of the event lies in the inappropriate design of the data center caused by accident/error.
Actor
The actor that generates the threat that exploits a vulnerability is internal: the head of operations.
Event
The event is an interruption, caused by a significant drop in system availability, and an ineffective design of the data center.
Asset/Resource (Cause)
The resources that lead to the business impact are the process BAI09 Manage assets, e.g., ineffective management of infrastructure, the process
BAI04 Manage availability and capacity and the physical infrastructure, due to the inadequate data center infrastructure.
Asset/Resource (Effect)
The resources affected are processes such as development and testing, which cannot be executed; the IT infrastructure because hardware is broken
due to overheating or being shut down; the physical infrastructure because of broken air-conditioning equipment; information because it is not
available; and applications because testing and development environments are not available.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the infrastructure. Business is missed because
systems are not regularly available. Therefore, the timing of occurrence is critical. Because hardware failure and the system unavailability are immediate,
the detection is instant. Because a long period of time is required to update or replace the infrastructure, the consequences are delayed.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | P | Delays in projects because development and test environments were not available
IT Operations and Service Delivery | P | IT service interruptions
Possible Risk Responses
• Risk Avoidance: Shut down some servers.
• Risk Acceptance: The board accepts the risk that there may be service disruptions.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Upgrade the infrastructure equipment to meet the technology needs. Replace servers with newer technologies and a smaller footprint.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | High | Medium | YES
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Medium | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Current asset inventory | Track all assets throughout the enterprise. | Medium | Low | NO
Maintenance plan | Plan the maintenance of the IT infrastructure. | Medium | High | YES
Configuration status reports | Track changes to configuration. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Manage the different infrastructure components. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (07) Percentage of the users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of transition peaks where target performance is exceeded
• (BAI04) Number of availability incidents
• (BAI04) Number of events where capacity has exceeded planned limits
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
• (DSS01) Number of non-standard operational procedures executed
• (DSS01) Number of incidents caused by operational problems
• (DSS01) Ratio of events compared to the number of incidents
• (DSS01) Percentage of critical operational event types covered by automatic detection systems


09 Software
0908 High number of emergency changes

Risk Scenario Title: High number of emergency changes
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0908
Risk Scenario
Business users frequently require changes to live applications on short notice and IT staff (development and operations) use the well-defined emergency
change process to fast-track these requests. Emergency changes do not require formal acceptance from business users and can be transitioned to
the live environment immediately. Because the emergency change process does not require functional requirements and critical documentation to be
updated, sometimes these changes are missed in upcoming releases.

An analysis of changes showed that 40 percent of all changes were emergency changes that were deployed without being properly tested. These
changes caused 80 percent of the incidents recorded.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers, the IT operations function and the business owners.
Event
The event is unauthorized and untested modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective process BAI06 Manage changes, a lack of people and skills to perform quality assurance and a lack of people and skills in the business staff who should be involved in development and testing. Another asset that causes the business impact is the applications, because a lack of quality is causing errors and requiring quick fixes and/or a lack of functionality is requiring amendments.
Asset/Resource (Effect)
The resources and assets affected are business processes, because erroneous applications cause IT service interruptions, which cause process interruptions. Information is also affected because it can be unduly changed or be inconsistent due to untested and erroneous applications. The lack of change records and/or audit trails makes the effect on information even worse. Applications are affected because they are changed without being duly tested.
Time
The duration of the event is extended because a long period of time is required to change the related processes and because the event is also a cultural issue. The timing of occurrence can be critical because systems and applications are not available for doing business. The detection is moderate because the malfunctions caused by emergency changes are usually detected shortly after implementation. Because systems and applications can be interrupted at the moment an emergency change is put into production, the time lag between event and consequence is immediate.
Risk Type
Risk Type | P/S | Description
IT Benefit/Value Enablement | S | Updated solutions are available on short notice.
IT Programme and Project Delivery | S | Quick delivery of solutions
IT Programme and Project Delivery | S | Development resources can barely be planned, which leads to delays in projects.
IT Operations and Service Delivery | P | Quality issues and service interruptions due to untested applications
IT Operations and Service Delivery | S | Compliance and security issues due to unapproved changes
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Only the business owners experiencing quality and/or availability issues can approve emergency changes.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Require, for emergency changes, a thorough test and documentation after deployment to the live environment to make emergency changes more
complex than regular changes. Require a formal test and approval by the business after deployment to the live environment to ensure that the
emergency change addressed the issue and the change was needed on short notice.

Risk Mitigation Using COBIT 5 Enablers


Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements. | Low | Medium | NO
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. | High | High | YES
BAI06.02 | Manage emergency changes. | Carefully manage emergency changes to minimize further incidents and make sure the change is controlled and takes place securely. Verify that emergency changes are appropriately assessed and authorized after the change. | High | High | YES
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. | Medium | Medium | YES
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. | Medium | Medium | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A


People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI06) Amount of rework caused by failed changes
• (BAI06) Reduced time and effort required to make changes
• (BAI06) Number and age of backlogged change requests
• (BAI06) Percentage of unsuccessful changes due to inadequate impact assessments
• (BAI06) Percentage of total changes that are emergency fixes
• (BAI06) Number of emergency changes not authorised after the change
• (BAI06) Stakeholder feedback ratings on satisfaction with communications


0910 Unauthorized changes to applications

Risk Scenario Title: Unauthorized changes to applications
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0910
Risk Scenario
Due to an undetected failure in the production deployment process controls, IT developers have the opportunity to alter applications and deploy changes to the live environment without approval of the business owner or IT operations staff (lack of a four-eyes principle). To keep up with the market for a particular product, there was significant business pressure to deploy new functionality before it was properly tested by Quality Assurance (QA).

The developers, who are confident in their work, agreed to apply changes to the system without proper end-user testing and, often, without informing
the end users of a new functionality. This practice results in added capabilities that are not used and late detection of errors in the changes and leads to
incorrect information, service disruption and incidents that result in business losses.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers.
Event
The event is unauthorized modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective processes BAI06 Manage changes, BAI07 Manage change acceptance and transitioning, and DSS06 Manage business process controls, and people and skills, such as the developers who are applying changes without authorization, the lack of sufficient staff to perform development QA and the lack of business users who are involved in development and testing.
Asset/Resource (Effect)
The resources affected are business processes (by new and unplanned/untested alterations of functionality), applications (functionality changed without adequate testing and acceptance) and information (unduly changed due to malfunction of applications).
Time
The duration of the event is extended because a long period of time is needed to change the related processes. The timing of occurrence is
noncritical. The detection is slow because malfunctions cannot always be detected immediately. Because a long period of time is needed to change the
related process and update the infrastructure, the consequences are delayed.
Risk Type
Risk Type | P/S | Description
IT Benefit/Value Enablement | P | The added functionality is not used by the business functions.
IT Programme and Project Delivery | S | Usage of development resources is not aligned with business priorities and resources can barely be planned.
IT Operations and Service Delivery | P | IT service interruptions due to malfunctioning applications
IT Operations and Service Delivery | S | Compliance issue due to untested and unapproved changes
IT Operations and Service Delivery | S | Compliance issue and security problems of developers having access to the live environment
Possible Risk Responses
• Risk Avoidance: Remove access rights to the live environment for developers.
• Risk Acceptance: Board approval of the risk. The chief information officer (CIO) or developers should not be able to accept the significant exposure of developers having access to the live environment and the lack of a change process.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. | High | Low | YES
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. | Low | Medium | NO
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. | Low | Low | NO
BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a postimplementation review. Obtain approval from relevant parties. | High | High | YES
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | High | High | YES
BAI07.04 | Establish a test environment. | Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads. | High | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | High | High | YES
BAI07.06 | Promote to production and manage releases. | Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution components. | Medium | High | YES
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | High | YES


Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Design and develop the proper software components. | Low | Low | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (07) Percentage of the users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues


Key Risk Indicators (KRIs) Related to Process Goals


• (BAI06) Amount of rework caused by failed changes
• (BAI06) Reduced time and effort required to make changes
• (BAI06) Number and age of backlogged change requests
• (BAI06) Percentage of unsuccessful changes due to inadequate impact assessments
• (BAI06) Percentage of total changes that are emergency fixes
• (BAI06) Number of emergency changes not authorised after the change
• (BAI06) Stakeholder feedback ratings on satisfaction with communications
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime
• (BAI07) Number and percentage of root cause analyses completed
• (DSS06) Percentage of completed inventory of critical process and key controls
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered
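Several of the BAI06 and DSS06 process-goal KRIs listed for scenarios 0908 and 0910 can be computed directly from a change log. The following Python script is an added example, not part of the ISACA publication: it derives the percentage of changes that are emergency fixes, the share of incidents those changes caused, the number of emergency changes not authorised after the fact, and the deployments that break the four-eyes principle, then compares the values against tolerance thresholds. The CSV column names, the sample change records and the thresholds are constructed assumptions, not the export format of any real change-management tool.

```python
"""KRI computation for change-management risk scenarios 0908 and 0910.
Added example, not part of the ISACA publication; the CSV columns and the
sample rows below are constructed assumptions, not a real tool's export."""
import csv
import io
from dataclasses import dataclass

# Constructed sample change log: one row per change deployed to the live
# environment. 'post_authorized' only applies to emergency changes.
SAMPLE_CHANGE_LOG = """\
change_id,type,developed_by,deployed_by,approved_by,tested,post_authorized,caused_incident
CHG-1001,standard,bob,ops1,carol,yes,n/a,no
CHG-1002,emergency,bob,bob,,no,no,yes
CHG-1003,standard,dave,ops1,carol,yes,n/a,no
CHG-1004,emergency,dave,ops2,erin,no,yes,yes
CHG-1005,standard,bob,ops2,carol,yes,n/a,yes
CHG-1006,emergency,bob,bob,,no,no,yes
CHG-1007,standard,frank,ops1,carol,yes,n/a,no
CHG-1008,emergency,dave,dave,dave,no,no,yes
CHG-1009,standard,frank,ops2,erin,yes,n/a,no
CHG-1010,standard,bob,ops1,carol,yes,n/a,no
"""


@dataclass(frozen=True)
class Change:
    change_id: str
    change_type: str       # "standard" or "emergency"
    developed_by: str
    deployed_by: str
    approved_by: str       # empty when no approval was recorded
    tested: bool
    post_authorized: bool  # emergency change formally authorized after deployment?
    caused_incident: bool


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def parse_change_log(text: str) -> list[Change]:
    """Parse the CSV change log into Change records."""
    return [
        Change(
            change_id=row["change_id"].strip(),
            change_type=row["type"].strip().lower(),
            developed_by=row["developed_by"].strip(),
            deployed_by=row["deployed_by"].strip(),
            approved_by=row["approved_by"].strip(),
            tested=_yes(row["tested"]),
            post_authorized=_yes(row["post_authorized"]),
            caused_incident=_yes(row["caused_incident"]),
        )
        for row in csv.DictReader(io.StringIO(text))
    ]


def violates_four_eyes(change: Change) -> bool:
    """Scenario 0910: whoever built the change must not deploy it, and an
    approver independent of both developer and deployer must be recorded."""
    if change.deployed_by == change.developed_by:
        return True
    return change.approved_by in ("", change.developed_by, change.deployed_by)


def compute_kris(changes: list[Change]) -> dict:
    """KRI values for scenarios 0908 and 0910 (BAI06 and DSS06 process goals)."""
    def pct(part: int, whole: int) -> float:
        return round(100.0 * part / whole, 1) if whole else 0.0

    emergency = [c for c in changes if c.change_type == "emergency"]
    incidents = [c for c in changes if c.caused_incident]
    return {
        "pct_emergency_changes": pct(len(emergency), len(changes)),
        "pct_incidents_from_emergency_changes":
            pct(sum(c.change_type == "emergency" for c in incidents), len(incidents)),
        "emergency_not_authorised_after": sum(not c.post_authorized for c in emergency),
        "untested_live_changes": sum(not c.tested for c in changes),
        "four_eyes_violations": sorted(c.change_id for c in changes if violates_four_eyes(c)),
    }


# Constructed tolerance thresholds; an enterprise derives these from its risk appetite.
THRESHOLDS = {
    "pct_emergency_changes": 10.0,
    "pct_incidents_from_emergency_changes": 25.0,
    "emergency_not_authorised_after": 0,
    "untested_live_changes": 0,
}


def breached_kris(kris: dict, thresholds: dict = THRESHOLDS) -> list[str]:
    """Names of KRIs whose value exceeds its tolerance threshold."""
    return sorted(name for name, limit in thresholds.items() if kris[name] > limit)


if __name__ == "__main__":
    results = compute_kris(parse_change_log(SAMPLE_CHANGE_LOG))
    for name, value in results.items():
        print(f"{name}: {value}")
    print("KRIs above tolerance:", breached_kris(results))
```

On the constructed sample the script reproduces the figures quoted in scenario 0908 (40 percent emergency changes causing 80 percent of incidents) and flags the three changes where the developer also deployed without an independent approver.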


0911 Unmanaged development and testing methodologies

Risk Scenario Title: Unmanaged development and testing methodologies
Risk Scenario Category: 09 Software
Risk Scenario Reference: 0911
Risk Scenario
An IT organization’s software development department does not maintain a common standard for software development (e.g., development framework,
implementation standards) and testing methodologies (e.g., testing types and minimum requirements). This practice leads to differing approaches for
various development initiatives because the application of methodologies is left to the discretion of individuals. Testing methodologies (e.g., white box
testing, volume testing and socialization testing) are applied based on the availability of technology (testing environment), but are not driven by the type
of implementation. The lack of standards leads to deficiencies in the quality of the developed software, which causes numerous incidents. The effort to
adopt existing testing approaches is high because there is low re-use of testing methodologies. The teams frequently start from the beginning when
defining a test plan, which leads to a lack of resources for actual testing because effort is bound to planning rather than to test execution.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO11 Manage quality and BAI07 Manage change acceptance and transitioning.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers and the quality assurance (QA) (testing) function.
Event
The event is unauthorized modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective processes APO11 Manage quality and BAI07 Manage change acceptance because
consistent testing approaches are absent. The resource IT Infrastructure also leads to business impact because there is a lack of test environments,
e.g., for parallel testing.
Asset/Resource (Effect)
The resources affected are business processes because the inefficient QA and testing processes lead to unstable applications and inconsistent data
and information. Other resources that are affected are people and skills due to the ineffective use of testing staff.
Time
The duration of the event is extended because a long period of time is required to change the related processes and the IT infrastructure. The timing
of occurrence is noncritical. The detection is slow because malfunctions cannot always be detected immediately. Because a long period of time is
required for changing the related processes and for updating the IT infrastructure, the consequences are delayed.
Risk Type
Risk Type | P/S | Description
IT Benefit/Value Enablement | | N/A
IT Programme and Project Delivery | P | Lack of adequate QA/testing in projects (QA is not applied due to an overly complex and burdensome approach)
IT Programme and Project Delivery | S | Inefficient use of human and IT resources due to immature (ad hoc) testing processes
IT Operations and Service Delivery | P | Quality issues and service interruptions due to untested applications
IT Operations and Service Delivery | S | Compliance and security issues due to untested changes
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept the lack of QA by the chief information officer (CIO) and the business owners.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Apply professional and current testing approaches (in-house or outsourced).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Fallback procedure | Guidelines in case rollback is necessary | Low | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO11.05 | Integrate quality management into solutions for development and service delivery. | Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings. | High | High | YES
BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS) that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. | Low | Medium | NO
BAI03.01 | Design high-level solutions. | Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version. | High | High | YES
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions. | High | High | YES
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a quality assurance (QA) plan aligned with the quality management system (QMS) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. | High | High | YES
BAI03.07 | Prepare for solution testing. | Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure. | High | High | YES
BAI03.08 | Execute solution testing. | Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing. | High | High | YES
BAI03.09 | Manage changes to requirements. | Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements. | High | High | YES
BAI03.10 | Maintain solutions. | Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements. | High | High | YES
BAI03.11 | Define IT services and maintain the service portfolio. | Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio. | High | High | YES
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | Low | Medium | NO
BAI07.04 | Establish a test environment. | Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads. | Medium | Medium | NO
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of development | Accountable for the proper design and development of the software components | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Testing is performed on all appropriate levels. | Users and developers cooperate in testing the software components. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Quality assurance (QA) plan (test plan and procedures) | Define the steps to take in order to assure quality. | High | High | YES


Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Integrated development environment (IDE) | Facilitate development; consists of a source code editor, build automation tools and a debugger | Medium | Medium | YES
Knowledge repositories | Share and coordinate knowledge regarding development activities. | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Design and develop the proper software components. | Medium | Medium | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (05) Percentage of IT-enabled investments where benefits realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO11) Average stakeholder satisfaction rating with solutions and services
• (APO11) Percentage of stakeholders satisfied with IT quality
• (APO11) Number of services with a formal quality management plan
• (APO11) Percentage of projects reviewed that meet target quality goals and objectives
• (APO11) Percentage of solutions and services delivered with formal certification
• (APO11) Number of defects uncovered prior to production
• (APO11) Number of processes with a defined quality requirement
• (APO11) Number of processes with a formal quality assessment report
• (APO11) Number of SLAs that include quality acceptance criteria
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Number of resource issues (e.g., skills, capacity)
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI03) Number of errors found during testing
• (BAI03) Number of demands for maintenance that go unsatisfied
• (BAI07) Percentage of stakeholders satisfied with the completeness of testing process
• (BAI07) Number and percentage of releases not ready for release on schedule
• (BAI07) Number or percentage of releases that fail to stabilise within an acceptable period
• (BAI07) Percentage of releases causing downtime
• (BAI07) Number and percentage of root cause analyses completed


10 Business Ownership of IT
1001 Business failing to be accountable

Risk Scenario Title: Business failing to be accountable
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1001
Risk Scenario
A large global financial enterprise has a strategy of growing the business by expanding into new business domains. The business constantly changes its priorities with little or no communication with the IT organization. This practice leads to constant change in the requirements for the technology under development and to frequent escalations from business management to the head of development. Business and IT constantly blame each other, with the business accepting no culpability in the process and blaming IT. The chief executive officer (CEO) advised the chief information officer (CIO) that one of the business leaders had presented to the board a plan to immediately outsource all of IT. The CEO requested that the CIO and the business work together to resolve the business challenges and to deliver for the business.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programmes and projects.
Actor
The actors that generate the threat that exploits a vulnerability are internal—Steering (Program/Projects) Committee, business executive and business
process owners, CIO and head of development.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programmes and projects.
Asset/Resource (Cause)
The resource that leads to the business impact is the process BAI01 Manage programmes and projects. The organizational structure also leads to
some business impact because of a blaming culture that is caused by the business and by the IT people.
Asset/Resource (Effect)
The resources that are affected are the business processes because new applications do not fulfill the requirements and, therefore, business is not
satisfied with the results. The entire enterprise is affected because discord exists on the side of the business people and on the side of the IT staff.
Time
The duration of the event is extended because it is not easy to change the culture and it cannot be done quickly. The timing of occurrence is critical
because the enterprise is currently in a phase of growing the business with expansion into new business domains. As an increasing number of disputes
between business and IT surface, the detection can be classified as moderate. The consequences will last for a long period of time because the situation
(culture) cannot be improved easily and quickly, and, therefore, consequences are delayed.
Risk Type
IT Benefit/Value Enablement | S | The blaming culture hinders the enterprise from improving efficiency and/or effectiveness of business processes. IT does not act as a real enabler for new business initiatives.
IT Programme and Project Delivery | P | Scope creep leads to project budget and time overruns and affects quality of project results.
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Implement a governance process to manage and prioritize the business demand. Transfer risk from business and IT to a governance body like the Steering (Program/Project) Committee.
• Risk Mitigation: Develop a process to work with the business areas through the system development life cycle (SDLC), incorporating requirements and organizational alignment to business requirements. Communicate with the business about the financial aspects of existing technology, including return on investment (ROI) and total cost of ownership (TCO), and the potential impacts of future technologies.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Enterprise governance guiding principles | Involve business and IT. | High | High | YES
Reporting and communication principles | Clarify the means of communication. | High | High | YES


Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Medium | Medium | NO
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation | High | High | YES
Board of directors | Accountable for the governance framework setting and maintenance | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces; IT learns the business issues. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives; this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Service level agreements (SLAs) | Describe the service levels/objectives established to meet business expectations. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO


Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (01) Percentage of IT value drivers mapped to business value drivers
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Number of business disruptions due to IT service incidents
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (APO01) Number of staff who attended training or awareness sessions
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO05) Percentage of IT investments that have traceability to the enterprise strategy
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of changes from the investment programme reflected in the relevant portfolios
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of projects undertaken without approved business cases
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Percentage of active programmes undertaken without valid and updated programme value maps
• (BAI01) Frequency of programme/projects status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review


1003 Cloud service provider

Risk Scenario Title: Cloud service provider
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1003
Risk Scenario
A company decides to move its cloud services to a foreign country where costs are lower than those of local providers, without doing appropriate due diligence on the third parties that can provide the service. The business decides to outsource to the cloud without counsel from IT in IT's areas of competence. Even though the company has an IT governance framework in place, it was ignored and IT was not consulted. Therefore, the implied security, data privacy and compliance requirements were not considered.

The cross-border data, security, privacy and potential compliance issues are:
• Personally identifiable information (PII) and various global data privacy laws
• Sensitive personal information (SPI)
• Cloud provider policies and procedures
• Data leakage

A process for reviewing third-party compliance requirements is non-existent, and the decision was imposed on IT.

Once the service is in place, the company detects leakage of critical information and of data in unknown areas.

Due to this severe issue, business reputation is severely damaged, which will potentially drive the company out of business through the loss of future service contracts.
Risk Scenario Components
Threat Type
The nature of the event is a failure (ignorance) of the governance process EDM01 Ensure governance framework setting and maintenance. The
consequence was non-compliance with rules and regulations.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the business executives that decided to outsource without involving IT.
Event
The event is an ineffective execution of the governance process EDM01 Ensure governance framework setting and maintenance and an ineffective
design of the management process MEA03 Monitor, evaluate and assess compliance with external requirements, which lead to a breach of rules and
regulations. The event can also be classified as disclosure because data leakage in critical information was detected.
Asset/Resource (Cause)
The resources/assets that lead to the business impact are the processes EDM01 Ensure governance framework setting and maintenance and
MEA03 Monitor, evaluate and assess compliance with external requirements and the people and skills, with business executives ignoring the
governance process.
Asset/Resource (Effect)
The resource/asset that was mainly affected is critical information due to data leakage. But also the entire enterprise (organizational structures and
people) is affected because its reputation is severely damaged, which can drive the company out of business.
Time
The duration of the event is extended because a long period of time is required to correct the situation, if it can be corrected at all. Because the company can be driven out of business, the timing of occurrence is critical. The event was detected as soon as IT was involved and the noncompliance was recognized; therefore, detection can be classified as moderate. The time lag between event and consequence is delayed because it can potentially drive the company out of business.
Risk Type
IT Benefit/Value Enablement | S | IT not seen as a technology enabler for new business initiatives.
IT Programme and Project Delivery | P | No contribution of IT to new or improved business solutions.
IT Operations and Service Delivery | S | Service interruption.
Possible Risk Responses
• Risk Avoidance: Not engaging with third parties
• Risk Acceptance: If the contract has been executed (without IT review), the company has to accept that it is not going to be able to recover assets.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The process for selection of third parties will be reviewed to include all technical and non-technical requirements.


Risk Mitigation Using COBIT 5 Enablers


Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Enterprise governance guiding principles | Involve business and IT. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. | High | High | YES
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include internal operational level agreements (OLAs). | High | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | High | High | YES
APO10.01 | Identify and evaluate supplier relationships and contracts. | Identify suppliers and associated contracts and categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts. | High | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation | High | High | YES
Board of directors | Accountable for the governance framework setting and maintenance | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces; IT learns the business issues. | High | High | YES


Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives; this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Percentage of IT value drivers mapped to business value drivers
• (03) Percentage of executive management roles with clearly defined accountabilities for IT decisions
• (03) Number of times IT is on the board’s agenda in a proactive manner
• (03) Frequency of IT strategy (executive) committee meetings
• (03) Rate of execution of executive IT-related decisions
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Number and severity of service breaches
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case


1004 Ineffective Service Level Agreements

Risk Scenario Title: Ineffective Service Level Agreements
Risk Scenario Category: 10 Business ownership of IT
Risk Scenario Reference: 1004
Risk Scenario
A business misses the majority of the service level agreements (SLAs) for its clients, which results in charge-back costs against the company's revenue stream. A review of the company's SLAs found that they were written to the advantage of the client and not written to protect, or aim to protect, the company. The company must have its legal counsel review and rewrite all of the company's SLA contracts in cooperation with the IT department. After the SLAs are reviewed, the legal department must examine the language in the SLAs in detail to determine the frequency and timing of changes with each client.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO09 Manage service agreements.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the business unit that is responsible for the managed service accounts.
Event
The event is ineffective design and/or ineffective execution of the process APO09 Manage service agreements.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are all assets and resources, e.g., people and skills, infrastructure (facilities), IT
infrastructure, information and applications that enable services to be provided to clients.
Asset/Resource (Effect)
The assets/resources that are affected are the services (processes) that are provided to clients.
Time
The duration of the event is extended because a long period of time is required to review and rewrite all of the company’s SLA contracts. Because the
company encounters charge-back costs to the company revenue stream, the timing of occurrence is critical. The event was detected as soon as clients
complained and, therefore, is classified as instant. The time lag between event and consequence is immediate because the penalties (charge-back
costs) are due immediately after nonfulfillment of the service levels.
Risk Type
IT Benefit/Value Enablement