Copyright © 2012 ISACA® All rights reserved
& HWgrc Ltd. 2015
COBIT 5 & COBIT 5 for Risk –
An overview
Agenda
• Introduction
• Introduction to COBIT 5.0
• Introduction to COBIT 5.0 for Risk
Introduction – Mike Hughes
• ISACA involvement – past and present
  – Central UK Chapter founding Board member and Immediate Past President
  – International Membership Board
  – International Membership Growth & Retention Committee
  – International Finance Committee
  – COBIT 5.0 SME reviewer
  – COBIT for Risk development workshop and SME reviewer
  – COBIT for Risk Scenarios Guide Task Force
• Professional career
  – HWgrc, Principal Director (2014-…)
  – 123 Consultants, Principal Director (2008-…)
  – KPMG, Senior Manager (1988-2008)
  – Britannic Assurance, IT Auditor (1986-1988)
  – Data Sciences International, IT Operations (1979-1986)
  – CSB Data Processing, IT Operations (1978-1979)
Introduction – Mike Hughes (continued)
• Qualifications
  – CISA
  – CGEIT
  – CRISC
What is IT Governance?
“IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals.”
– ISACA & ITGI
“Enterprises that actively design their top-level IT governance arrangements make and implement better IT-related decisions.”
– Gartner

“Firms with focused strategies and above-average IT governance had more than 20 percent higher profits than other firms following the same strategies.”
– Peter Weill and Jeanne W. Ross, IT Governance

“Enterprises focused on converging their business and technology disciplines exhibited superior revenue growth and net margins relative to their industry groups and exhibited consistently greater rates of return than those of their competitors.”
– BTM Institute
COBIT Framework
• Many organisations practise elements of COBIT already
• COBIT provides a consistent, repeatable and comprehensive approach
• IT and business become equal shareholders because COBIT helps management to answer these key questions:
  – The strategic question
  – The architecture question
  – The value question
  – The delivery question
The strategic question. Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?

The architecture question. Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?

The value question. Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process over the full economic life cycle of the investment?

The delivery question. Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver:
  – The required capabilities?
  – The organisational changes required to leverage the capabilities?
Figure – the four “Ares”: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?
Some fundamental questions about the value enabled by IT
The COBIT 5 Framework
• COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
The COBIT 5 Principles
COBIT 5 enablers
COBIT 5 Enabling Processes
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas – governance and management – with management further divided into domains of processes:
  – The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  – The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
COBIT 5 Enabling Processes (figure)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
COBIT 5 Integrated Framework
• COBIT 5 aligns with the latest relevant other standards and frameworks:
  – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
  – IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK, PRINCE2, CMMI, etc.
• This allows COBIT 5 to be used as the overarching governance and management framework integrator.
• COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF.
In summary ……
• Simply stated: COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use
  – COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise.
  – The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
COBIT 5.0 for Risk …… Introduction to risk management
Why is risk management important?
• You want to achieve your objectives
• You want to be in control – no surprises
• The world is also changing rapidly and expectations are increasing
• Managing risk is about maximising opportunities, not about introducing layers of bureaucratic control.
Risk management in practice
Evangelists:
• Senior management should receive a new risk report every morning.
• Risks should be on the agenda for every management meeting.
• Risks can be accurately assessed to the nth level of detail through use of specialist algorithms.
Pragmatists (the real world):
• Senior management should be aware of the most significant/urgent risks.
• Risks are inherently uncertain, therefore not predictable with absolute certainty.
• Likelihood/impact, H/M/L risk assessment
• KISS (Keep It Simple, Stupid)
What is risk?
Risk can be defined as: an uncertainty of outcome (whether a positive opportunity or negative threat)
Effective risk management
Major factors for effective risk management:
• To manage risk to an acceptable level of tolerance for the organisation … “the organisation’s risk appetite”
• To reduce risk exposure in a cost-effective manner … or risk mitigation
A final thought……..
“With the benefit of hindsight it can now be seen: as the wrong price, the wrong way to pay, at the wrong time and the wrong deal.”
– Sir Philip Hampton, Chairman of RBS, on the ABN Amro deal.
COBIT 5.0 for Risk
COBIT 5 Enabling Processes (figure, repeated)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
COBIT 5 Enabling Processes – the core risk processes

COBIT 5 Process: EDM03 Ensure Risk Optimisation
Identification reasoning: This process covers the understanding, articulation and communication of the organisation’s risk appetite and tolerance and ensures identification and management of risk to the enterprise value related to the use of IT and its impact. The goal of this process is to:
• Define and communicate risk thresholds and make sure that key IT-related risk is known;
• Effectively and efficiently manage critical IT-related enterprise risk;
• Ensure IT-related enterprise risk does not exceed risk appetite.

COBIT 5 Process: APO12 Manage Risk
Identification reasoning: This process covers the continuous identification, assessment and reduction of IT-related risk within levels of tolerance set by enterprise executive management. Management of IT-related enterprise risk should be integrated with overall ERM, and the costs and benefits of managing IT-related enterprise risk should be balanced. This is done by:
• Collecting appropriate data and analysing risk;
• Maintaining the risk profile of the organisation and articulating risk;
• Defining the risk management action portfolio and responding to risk.
Drivers
Figure (reconstructed from the slide):
Situation:
• Reluctance to say “no” to projects
• Lack of strategic focus
• Projects are “sold” on an emotional basis – not selected
• No strong review process
• Overemphasis on financial ROI
• No clear strategic criteria for selection
Leads to:
• Can’t kill projects
• Too many projects
• Quality of execution suffers
• Underestimation of risks and costs
• Projects not aligned to strategy
• Budget overruns
• Project delays
• Business needs not met
• Lack of confidence (in IT)
Results in:
• Benefits not received
• Increased complexity
• Sub-optimal use of resources
• Finger pointing
Drivers
The main drivers for risk management include:
• Providing stakeholders with substantiated and consistent opinions on the current state of risk throughout the enterprise.
• Guidance on how to manage risk to levels within the enterprise’s risk appetite.
• Guidance on how to set up the right risk culture for the enterprise.
• Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure.
Benefits
• End-to-end guidance on how to manage risk
• A common and sustainable approach for assessment and
response
• A more accurate view of significant current and near-future risk
throughout the Enterprise – and the impact of this risk on the
Enterprise
• Understanding how effective IT risk management optimises
value by enabling process effectiveness and efficiency
• Opportunities for integration of IT risk management with the
overall risk and compliance structures within the enterprise
• Promotion of risk responsibility and its acceptance throughout
the enterprise
Two risk perspectives (figure)
COBIT 5 for Risk looks at risk from two perspectives: the risk function perspective (what is needed to build and sustain a risk function in the enterprise) and the risk management perspective (how the core risk governance and management processes are used to identify, analyse and respond to risk).
Alignment
• COBIT 5 for Risk – much like COBIT 5 itself – is an umbrella approach to managing risk and is positioned in context with the following risk-related standards:
  – ISO 31000:2009 – Risk Management
  – ISO/IEC 27005:2011 – Information security risk management
  – COSO Enterprise Risk Management
Risk scenarios using COBIT 5 for Risk
Risk scenarios
Definition
“A risk scenario is a description of a possible event
that, when occurring, will have an uncertain impact
on the achievement of the enterprise’s objectives. The
impact can be positive or negative”
Risk scenarios
• Top-down and Bottom-up – Both approaches are
complementary and should be used simultaneously.
• Risk scenarios must be relevant and linked to real business
risk.
• Specific risk items for each enterprise and critical business
requirements need to be considered in the enterprise risk
scenarios.
• COBIT 5 for Risk provides a comprehensive set of generic risk
scenarios – these should be used as a reference to reduce the
chance of overlooking major/common risk scenarios.
Risk response
• The purpose of a risk response is to bring risk in line with the risk appetite for the enterprise.
• A response needs to be defined such that as much future residual risk as possible (current risk with the risk response defined and implemented) falls within accepted limits.
• When risk analysis has shown that risk is not aligned with the defined risk appetite and tolerance levels, a response is required.
• This response can be any of the four possible responses:
  – Avoid, Mitigate, Share/Transfer, Accept
• Risk response evaluation is not a one-time effort – it is part of the risk management process cycle.
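As an added illustration (not from the slides and not ISACA's own guidance), the following Python sketch applies the pragmatists' H/M/L likelihood/impact scoring to a small constructed risk register, compares each scenario's rating with a stated risk appetite, and picks, from the four response types above, the cheapest option whose residual risk falls within appetite. The 1-3 ordinal scale, the product scoring, the scenarios, the residual ratings and the costs are all assumptions made for the example; COBIT 5 for Risk does not prescribe any of them.

```python
"""Added example: H/M/L risk rating, appetite check and response selection.
All scenarios, scales and costs below are constructed for illustration;
they are not taken from COBIT 5 for Risk."""
from dataclasses import dataclass, field

# Ordinal scale for likelihood and impact (assumption: a 3-point H/M/L scale).
LEVELS = {"L": 1, "M": 2, "H": 3}


def rate(likelihood: str, impact: str) -> int:
    """Likelihood x impact on a 1..9 scale. Raises KeyError on an unknown level."""
    return LEVELS[likelihood] * LEVELS[impact]


@dataclass
class Response:
    kind: str          # "avoid", "mitigate", "share" (share/transfer) or "accept"
    likelihood: str    # residual likelihood once the response is implemented
    impact: str        # residual impact once the response is implemented
    cost: int          # annualised cost in arbitrary units (constructed)


@dataclass
class Scenario:
    ref: str
    title: str
    likelihood: str    # inherent (current) likelihood
    impact: str        # inherent (current) impact
    options: list = field(default_factory=list)   # candidate responses


def select_response(s: Scenario, appetite: int) -> tuple:
    """Return (response kind, residual rating, cost).

    Inherent risk already within appetite is accepted at no cost. Otherwise the
    cheapest option whose residual rating is within appetite is chosen. If no
    option achieves that, the option with the lowest residual is chosen and
    marked as still exceeding appetite, so it is visibly escalated rather than
    silently accepted.
    """
    inherent = rate(s.likelihood, s.impact)
    if inherent <= appetite:
        return ("accept", inherent, 0)
    within = [o for o in s.options if rate(o.likelihood, o.impact) <= appetite]
    if within:
        best = min(within, key=lambda o: o.cost)
        return (best.kind, rate(best.likelihood, best.impact), best.cost)
    if not s.options:
        return ("accept (exceeds appetite)", inherent, 0)
    best = min(s.options, key=lambda o: (rate(o.likelihood, o.impact), o.cost))
    return (best.kind + " (exceeds appetite)", rate(best.likelihood, best.impact), best.cost)


def action_portfolio(scenarios: list, appetite: int) -> list:
    """Build the risk management action portfolio, ordered by inherent rating
    so the most significant risks appear first for senior management."""
    rows = []
    for s in scenarios:
        kind, residual, cost = select_response(s, appetite)
        rows.append({
            "ref": s.ref, "title": s.title,
            "inherent": rate(s.likelihood, s.impact),
            "response": kind, "residual": residual, "cost": cost,
            "exceeds_appetite": residual > appetite,
        })
    return sorted(rows, key=lambda r: -r["inherent"])


# Constructed sample register (hypothetical scenarios and numbers).
SCENARIOS = [
    Scenario("R1", "Ransomware encrypts file servers", "H", "H", [
        Response("mitigate", "L", "M", 120),   # offline backups + endpoint detection
        Response("share", "H", "M", 60),       # cyber insurance: reduces impact only
    ]),
    Scenario("R2", "Unsupported legacy application in production", "M", "H", [
        Response("avoid", "L", "L", 200),      # decommission the application
        Response("mitigate", "M", "M", 40),    # network segmentation
    ]),
    Scenario("R3", "Loss of an encrypted laptop", "M", "L", []),
    Scenario("R4", "Key supplier outage", "H", "H", [
        Response("share", "H", "M", 30),       # contractual SLA with penalties
    ]),
]

RISK_APPETITE = 4   # assumption: ratings above 4 are outside appetite


if __name__ == "__main__":
    for row in action_portfolio(SCENARIOS, RISK_APPETITE):
        flag = "  <-- exceeds appetite" if row["exceeds_appetite"] else ""
        print(f'{row["ref"]} inherent={row["inherent"]} -> {row["response"]} '
              f'residual={row["residual"]} cost={row["cost"]}{flag}')
```

The "exceeds appetite" flag is the point of the exercise: a scenario whose best available response still leaves residual risk above appetite (R4 in the constructed data) must be escalated for a decision rather than quietly accepted, which is what EDM03's "ensure IT-related enterprise risk does not exceed risk appetite" requires. In practice the likelihood and impact values would come from the scenario analysis rather than being hard-coded, and the portfolio would be re-run each cycle as the slide notes.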
Risk mitigation
• COBIT 5 for Risk provides a number of examples of how the COBIT 5 enablers can be used to respond to risk scenarios.
• Risk mitigation is equivalent to implementing a number of IT controls.
• In COBIT 5 terms, IT controls can be any enabler, e.g.,
  – putting in place an organisational structure, putting in place certain governance or management practices or activities, etc.
• For each of the 20 risk scenario categories, potential mitigating actions relating to all seven COBIT 5 enablers are provided, with a reference, title and description for each enabler that can help to mitigate the risk.
Take Aways
• When someone says “I’ve got an opportunity for you”, the first question you ask is “what is it?” before you say “yes”!
• Do you want a successful business?
• Do you want IT to be an enabler for business success?
• If the answer to either of these questions is yes, then:
– Appropriate and effective IT governance and risk management are required
– COBIT 5.0 can help
In finishing
• To learn more – www.isaca.org/COBIT5
Questions?
Mike [email protected]
www.isaca-central.org.uk
www.isaca.org