Management
Week 9: Risk Management
Objectives
Review
Risk concepts
COSO ERM
COBIT 5 for Risk
Risk scenario
11/18/16
Review
Identify and describe at least four types of training or professional development.
Classroom or laboratory-based training or PD
Lecture style, or hands-on, activity-based workshop training or PD
Self-paced training
Can be delivered online via a system similar to Blackboard
Can be based on hard-copy manuals
Can be delivered via a website with FAQs and quick guides
Webinars
Real-time streamed sessions (e.g. via Skype or Google Hangouts)
Train the trainer
Training up a champion in a business unit who then trains others, either one on one or in a group
Shadowing
Following someone around and learning as you watch them do a job
Mentoring or coaching
Meeting with someone in a formal or informal setting to share and receive advice on particular aspects of your work or role
Review
Describe the COBIT 5 Implementation life cycle. List the seven phases and describe what happens at each phase of the life cycle.
Guidance is provided on each phase of the life cycle, including role descriptions and a RACI chart.
Review
What should a change management plan contain?
A change plan should include, but may not be limited to:
A stakeholder analysis
A communication plan
A training plan
A resistance plan
Risk
IT Risk
The risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise (ISACA 2015, p. 9).
Risk management
Risk management is an insurance-related concept where an individual or an enterprise will envision some type of threat and then will take actions to provide protections in the event the threat occurs (Moeller 2013, p. 125).
COSO ERM
Eight interrelated components of Enterprise Risk Management.
They set out what is required to achieve the objectives shown on top of the COSO cube.
Each component has principles to guide its interpretation.
The organisational structure is tailored to suit the environment (COSO 2013, p. 6).
Risk governance
Risk governance is a subset of enterprise governance. Its purpose is to ensure that risk management activities align with the enterprise's capacity for opportunity and loss, specifically with leadership's subjective tolerance of loss, and that the risk management strategy is aligned with the overall business strategy.
There are four main objectives of risk governance:
1. Establish and maintain a common risk view.
2. Integrate risk management into the enterprise.
3. Make risk-aware business decisions.
4. Ensure that risk management controls are implemented and operating correctly.
(ISACA 2015, p. 10)
IT risk categories
Benefit/Value Enablement Risk, which is associated with missed opportunities to improve effectiveness or efficiency
Programme and Project Delivery Risk, which is associated with new and improved capabilities delivered to the enterprise by IT
Operations and Service Delivery Risk, which is associated with business-as-usual delivery of IT services to the enterprise
IT risk may fall under more than one category, particularly in cases of complex or enterprise-level projects that involve replacement or upgrading of existing infrastructure, systems or capabilities (ISACA 2015, p. 18).
Risk register
A risk register contains the results of the risk management process; it is often displayed as a table (Schwalbe 2014, p. 456).
Columns of the register:
Id number
Description of the risk event (use the three-part approach)
Potential response
Probability of the risk occurring (Hi, med, low)
Impact if the risk occurs (Hi, med, low)
Status of the risk (traffic light indicator)
Example row from the slide:
Description: (not legible on the slide)
Response: Purchase a new server/extra server capacity
Probability: Med
Impact: Hi
Status: (traffic light indicator)
Describing risk
A risk should be described in three parts:
Cause (the situation that triggers a risk)
Event (the risk actually happening)
Business objective (what you are trying to achieve)
You write it like:
If [a risk cause] occurs, it could trigger [a risk event], that would lead to [an impact on a business objective].
E.g.
If our server reaches capacity, it could trigger a Blackboard outage, that could stop us from teaching and learning online for hours or days.
References
Content presented in this lectorial was drawn and adapted from the following references:
Blank, R & Gallagher, P D 2012, Information Security, NIST Special Publication 800-30, Revision 1, National Institute of Standards and Technology, viewed 15 September 2015, <http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf>.
COSO 2004, Enterprise Risk Management Integrated Framework: Executive Summary, viewed 16 September 2015, <http://www.coso.org/documents/COSO_ERM_ExecutiveSummary.pdf>.
ISACA 2015, Risk Management Student Book, ISACA, IL, USA.
Moeller, R 2013, Executive's Guide to IT Governance: Improving Systems Processes with Service Management, COBIT, and ITIL, Wiley, New York, USA.
Schwalbe, K 2014, Information Technology Project Management, Revised 7th edn., Cengage Learning, Boston, MA.
Where image citations are not present, royalty-free/copyright-compliant images have been sourced from Pixabay.