
INTE2412 IT Governance and Change Management

Week 9
Risk Management

SCHOOL OF BUSINESS INFORMATION TECHNOLOGY AND LOGISTICS

COURSE EXPERIENCE SURVEY (CES)

Your Feedback Counts
This semester we have introduced new assessment tasks into the course.
Please tell us what you think about the assessment and the course so we can continue to improve.
The CES is being administered online now.
Start Date: Monday, 19 September (HE)
End Date: Sunday, 16 October (HE)
You can access it in four different ways:
- email sent from the RMIT Student Feedback Team (surveys@rmit.edu.au) to your RMIT student email account
- Blackboard
- Survey Services Centre website (rmit.edu.au/ssc)
- myRMIT

Instructions are on Blackboard

RMIT University 2016
Survey Services Centre

Objectives
- Review
- Risk concepts
- COSO ERM
- COBIT 5 for Risk
- Risk scenario

11/18/16

Review
Identify and describe at least four types of training or professional development
- Classroom or laboratory based training or PD
  - Lecture style or hands-on, activity based workshop training or PD
- Self-paced training
  - Can be delivered online, similar to Blackboard
  - Can be based on hard copy manuals
  - Can be delivered via a website with FAQs and quick guides
- Webinars
  - Real-time streamed sessions (e.g. via Skype or Google Hangouts)
- Train the trainer
  - Training up a champion in a business unit who then trains others, either one on one or in a group
- Shadowing
  - Following someone around and learning as you watch them do a job
- Mentoring or coaching
  - Meeting with someone in a formal/informal setting to share and receive advice on particular aspects of your work or role

Review
Describe the COBIT 5 Implementation life cycle. List the seven phases and describe what happens at each phase of the life cycle.
Guidance is provided on each phase of the life cycle:
- Role descriptions
- Task descriptions: what gets done in this phase at each ring or level
- Required inputs and outputs
- RACI chart
(ISACA 2012, p. 19)

Review
What should a change management plan contain?
A change plan should include, but may not be limited to:
- A description of the change
- A description of the change process
- A stakeholder analysis
- A description of the change implementation process
- Action plan and schedule
- A communication plan
- A training plan
- A resistance plan

Activity: Risk management concepts

Working with those at your table, research risk management concepts.
Come up with a group response that identifies, in your own words:
1. Define risk and IT risk
2. Define risk management
3. What are the elements of the risk management process?
Cite at least 3 quality sources. More than one source per answer is ideal.
Elect a scribe and someone to report back to the class

Risk
Risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
i. The adverse impacts that would arise if the circumstance or event occurs; and
ii. The likelihood of occurrence (Blank & Gallagher 2012, p. 6)

The effect of uncertainty upon objectives (ISACA 2015, p. 9)

IT Risk
The risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise (ISACA 2015, p. 9)

Risk management
Risk management is an insurance related concept where an individual or an enterprise will envision some type of threat and then will take actions to provide protections in the event the threat occurs (Moeller 2013, p. 125)

The risk management process

Risk management should be thought of as a four-step process (Moeller 2013, p. 126):
1. Risk identification - An enterprise needs to identify the issues and circumstances that can become significant risks to its operation
2. Quantitative or qualitative assessments of the documented risks - Having identified potential risks, a next step is to employ tools to estimate the potential impacts if any of these identified risks occur
3. Risk prioritization and response planning - The more significant identified risks should be prioritized, and response plans should be developed in the event of those risks occurring
4. Risk monitoring - Ongoing processes should be installed to assess the current statuses of identified risks and both to take action if they occur and to assess the progress of those remedial actions

Activity: Exploring COSO ERM

Working with those at your table, research COSO ERM.
Come up with a group response:
1. Define ERM: what does it stand for and what does it mean?
2. What is COSO ERM?
   a. What is it used for?
   b. Who maintains and updates it?
3. What are its key elements?
Elect a scribe and someone to report back to the class

Enterprise Risk Management

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing capacity to build value.
(COSO 2004, pp. 1-2)

Enterprise Risk Management

It helps organisations to (COSO 2004, p. 1):
- Prevent loss of resources
- Achieve performance and profitability targets
- Ensure effective reporting
- Ensure compliance with laws and regulations
- Avoid damage to reputation

Enterprise risk management helps an entity to get where it wants to go and avoid pitfalls and surprises along the way (COSO 2004, p. 1)

What is COSO ERM?

- It is a framework that supports risk management within an enterprise
- The complete name is Enterprise Risk Management - Integrated Framework
- It is developed and maintained by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- It is currently being redeveloped, in a project started in 2014

COSO ERM will help enterprises to have a consistent definition of what is meant by enterprise-level risk that should be considered across an entire enterprise in a consistent manner (Moeller 2013, p. 134)
The structure of the COSO ERM Integrated Framework is illustrated using a cube.

COSO ERM

The COSO ERM cube (COSO 2013, p. 6):
- Four categories of objectives: what is achieved through applying the framework
- Eight interrelated components of Enterprise Risk Management: they note what is required to achieve the objectives noted on top of the cube. Each component has principles to guide interpretation
- Organisational structure: this is tailored to suit the environment

COSO ERM Components

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
(COSO 2013, pp. 3-4)

COSO ERM Components

Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
(COSO 2013, pp. 3-4)

COSO ERM Components

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
(COSO 2013, pp. 3-4)

Activity: Exploring COBIT 5 for Risk

Working with those at your table, research COBIT 5 for Risk using the manual provided on Blackboard.
Come up with a group response to the following questions:
1. How does ISACA define risk governance?
2. Identify and describe the two COBIT 5 processes that focus on risk
3. What are the three categories of IT risk set out in COBIT 5 for Risk?
4. How does ISACA define threat and vulnerability?
5. What are risk scenario techniques in the context of COBIT 5 for Risk?
6. Define risk appetite and tolerance in the context of COBIT 5 for Risk
7. What is a risk register? What are the key elements of a risk register?
Elect a scribe and someone to report back to the class

Risk governance
Risk governance is a subset of enterprise governance. Its purpose is to ensure that risk management activities align with the enterprise's capacity for opportunity and loss (specifically, with leadership's subjective tolerance of loss) and that the risk management strategy is aligned with the overall business strategy.
There are four main objectives to risk governance:
1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.
(ISACA 2015, p. 10)

COBIT 5 for Risk processes

Ensure Risk Optimisation (EDM03):
- Understand, articulate and communicate the enterprise risk appetite and tolerance
- Ensure identification and management of risk to the enterprise value that is related to IT use and its impact
- Define thresholds and make sure that risk is known
- Effectively and efficiently manage critical enterprise risk
- Ensure risk does not exceed the risk appetite

Manage Risk (APO12):
- Continuously identify, assess and reduce risk to within levels of tolerance set by enterprise executives
- Manage IT-related risk in a manner integrated with overall enterprise risk management
- Balance the cost and benefits of risk by collecting appropriate data, analysing risk, maintaining the enterprise risk profile, articulating risk, defining the risk-management action portfolio and responding to risk.

IT risk categories
- Benefit/Value Enablement Risk, which is associated with missed opportunities to improve effectiveness or efficiency
- Programme and Project Delivery Risk, which is associated with new and improved capabilities delivered to the enterprise by IT
- Operations and Service Delivery Risk, which is associated with business as usual delivery of IT services to the enterprise
IT risk may fall under more than one category, particularly in cases of complex or enterprise-level projects that involve replacement or upgrading of existing infrastructure, systems or capabilities.
(ISACA 2015, p. 18)

Threat and vulnerability

A threat is an action or actor that (who) may act in a manner that can result in loss or harm (ISACA 2015, p. 18)
A vulnerability is the ability of the action or actor to reach and affect its target due to a weakness in design, implementation, operation or internal control (ISACA 2015, p. 18)

Risk scenario techniques

An IT risk scenario is a description of an IT-related event that can lead to a loss event that has a business impact, when and if it should occur (ISACA 2015, p. 19)
Risk scenarios help with risk identification.
[Risk scenario diagram] (ISACA 2015, p. 19)

Risk appetite and tolerance

Risk appetite is the amount of risk that the enterprise prefers to accept as it pursues its objectives (ISACA 2015, p. 10)

Risk tolerance is the extent that actual risk can be permitted to deviate from (exceed) the risk appetite (ISACA 2015, p. 10)

Risk register
A risk register contains the results of the risk management process; it is often displayed as a table (Schwalbe 2014, p. 456)

Schwalbe (2014, pp. 455-456) notes the elements that can be presented in a risk register, including the following:
- ID number
- A description of the risk event (use the three-part approach)
- Potential response
- Probability of the risk occurring (Hi, med, low)
- The impact if the risk occurs (Hi, med, low)
- The status of the risk (traffic light indicator)

Risk register example

ID | Description | Response | Probability | Impact | Status
---|-------------|----------|-------------|--------|-------
   | If our server reaches capacity, it could trigger a Blackboard outage, that could stop us from teaching and learning online for hours or days | Purchase a new server/extra server capacity | Med | Hi |

Describing risk
A risk should be described in three parts:
- Cause (the situation that triggers a risk)
- Event (the risk actually happening)
- Business objective (what you are trying to achieve)
You write it like:
If [a risk cause] occurs, it could trigger [a risk event], that would lead to [an impact on a business objective]
E.g.
If our server reaches capacity, it could trigger a Blackboard outage, that could stop us from teaching and learning online for hours or days
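As an added example, not taken from the lecture deck or from any of the cited frameworks, the three-part description template and the six register columns above can be turned into a small Python risk register. Everything beyond the slides is an assumption and is labelled as such in the code: the Hi/Med/Low scale is mapped to 3/2/1, the traffic-light status is derived from probability times impact (the deck treats status as a free indicator), and the two Moodle entries are constructed sample data. The register also sorts entries by that score, which is the prioritization step of the four-step process described earlier.

```python
"""Risk register built around the slides' three-part risk description.

Added example, not part of the lecture deck. Assumptions (labelled below):
Hi/Med/Low mapped to 3/2/1; status derived from probability x impact;
the Moodle entries in build_sample_register() are constructed sample data.
"""
import re
from dataclasses import dataclass

# Three-part template from the slides:
# If [a risk cause] occurs, it could trigger [a risk event], that would lead to
# [an impact on a business objective]
TEMPLATE = "If {cause} occurs, it could trigger {event}, that would lead to {impact}"

# Accepts the template wording and the looser wording of the slides' own
# example ("..., that could stop us from ...").
PATTERN = re.compile(
    r"^If (?P<cause>.+?), it could trigger (?P<event>.+?), that (?P<impact>.+?)\.?$"
)

LEVELS = {"low": 1, "med": 2, "hi": 3}  # assumed numeric mapping of Hi/Med/Low


def describe_risk(cause, event, impact):
    """Render cause, event and impact in the slides' three-part wording."""
    return TEMPLATE.format(cause=cause, event=event, impact=impact)


def parse_risk_description(text):
    """Split a description into (cause, event, impact).

    Raises ValueError when the text does not follow the three-part form,
    so the register can reject one-line descriptions such as "Server may crash".
    """
    match = PATTERN.match(text.strip())
    if not match:
        raise ValueError("description does not follow the three-part form")
    cause = re.sub(r" occurs$", "", match.group("cause"))
    impact = re.sub(r"^would lead to ", "", match.group("impact"))
    return cause, match.group("event"), impact


@dataclass
class RiskEntry:
    """One row of the register: the six columns from the slides."""
    id: str
    description: str
    response: str
    probability: str  # Hi / Med / Low
    impact: str       # Hi / Med / Low
    status: str = ""  # traffic light: Red / Amber / Green

    def score(self):
        """Assumed rating: probability level times impact level (1..9)."""
        return LEVELS[self.probability.lower()] * LEVELS[self.impact.lower()]

    def traffic_light(self):
        """Assumed thresholds: 6-9 Red, 3-5 Amber, 1-2 Green."""
        score = self.score()
        if score >= 6:
            return "Red"
        if score >= 3:
            return "Amber"
        return "Green"


class RiskRegister:
    """Collection of RiskEntry rows with validation and prioritisation."""

    def __init__(self):
        self.entries = []

    def add(self, entry):
        """Validate the description and the Hi/Med/Low values, derive status."""
        parse_risk_description(entry.description)  # rejects malformed text
        for level in (entry.probability, entry.impact):
            if level.lower() not in LEVELS:
                raise ValueError(f"{level!r} is not one of Hi, Med, Low")
        if not entry.status:
            entry.status = entry.traffic_light()
        self.entries.append(entry)
        return entry

    def prioritised(self):
        """Highest-rated risks first (the prioritisation step of the process)."""
        return sorted(self.entries, key=lambda e: e.score(), reverse=True)

    def as_table(self):
        """Render the register as the table shown on the slides."""
        header = ["ID", "Description", "Response", "Probability", "Impact", "Status"]
        rows = [header] + [
            [e.id, e.description, e.response, e.probability, e.impact, e.status]
            for e in self.prioritised()
        ]
        widths = [max(len(row[i]) for row in rows) for i in range(len(header))]
        return "\n".join(
            " | ".join(cell.ljust(w) for cell, w in zip(row, widths)) for row in rows
        )


def build_sample_register():
    """The slides' Blackboard example plus two constructed Moodle entries."""
    reg = RiskRegister()
    reg.add(RiskEntry(
        "R1",
        "If our server reaches capacity, it could trigger a Blackboard outage, "
        "that could stop us from teaching and learning online for hours or days",
        "Purchase a new server/extra server capacity", "Med", "Hi"))
    reg.add(RiskEntry(  # constructed sample entry
        "R2",
        describe_risk("a failed Moodle upgrade", "an LMS outage during exams",
                      "missed assessment deadlines"),
        "Test upgrades in a staging environment first", "Low", "Hi"))
    reg.add(RiskEntry(  # constructed sample entry
        "R3",
        describe_risk("a Moodle administrator leaving", "loss of operational knowledge",
                      "slower incident resolution"),
        "Document procedures and cross-train a second administrator", "Med", "Low"))
    return reg


if __name__ == "__main__":
    print(build_sample_register().as_table())
```

Running the module prints the register with the Blackboard entry first (Med x Hi scores 6, which the assumed thresholds colour Red), the failed-upgrade entry second (Amber) and the knowledge-loss entry last (Green). The parser is what enforces the "three-part approach" from the register elements list: an entry whose description lacks a cause, event or impact is rejected before it reaches the table.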

Activity: Risk register for Moodle

Working with those at your table, reflect on the Moodle scenario discussed in a previous class.
RMIT is implementing Moodle as their new LMS in 2016.
Imagine that it is now 2017 and Moodle has been implemented successfully. You are in charge of risk management for learning and teaching technologies.
Come up with a group response:
1. Develop a risk register with at least two risk entries relating to the operation and management of Moodle
   - ID, Risk Description, Response, Probability, Impact, Status
   - Use the risk scenario diagram for inspiration
Elect a scribe and someone to report back to the class

Learning outcomes from class today

You should be able to describe, critique and discuss:
- Risk concepts
- COSO ERM
- COBIT 5 for Risk
- Risk register scenario

Required reading: Complete before next week
Moeller, R 2013, Executive's guide to IT governance: improving systems processes with service management, COBIT, and ITIL, Wiley, New York, USA.
Read chapter 8 on Risk Management

References
Content presented in this lectorial was drawn and adapted from the following references:
Blank, R & Gallagher, P D 2012, Information Security, NIST Special Publication 800-30, Revision 1, National Institute of Standards and Technology, viewed 15 September 2015, <http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf>.
COSO 2004, Enterprise Risk Management - Integrated Framework: Executive Summary, viewed 16 September 2015, <http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf>.
ISACA 2015, Risk Management Student Book, ISACA, IL, USA.
Moeller, R 2013, Executive's guide to IT governance: improving systems processes with service management, COBIT, and ITIL, Wiley, New York, USA.
Schwalbe, K 2014, Information Technology Project Management, Revised 7th edn., Cengage Learning, Boston, MA.
Where image citations are not present, royalty free/copyright compliant images have been sourced from Pixabay.