Page 1: COBIT 5 & COBIT 5 for Risk An overview - ISACA · • Cobit 5.0 SME Reviewer • Cobit for Risk development workshop and SME reviewer • Cobit for Risk Scenarios Guide Task Force

Copyright © 2012 ISACA® All rights reserved

& HWgrc Ltd. 2015

COBIT 5 & COBIT 5 for Risk – An overview


Agenda

• Introduction

• Introduction to COBIT 5.0

• Introduction to COBIT 5.0 for Risk


Introduction

• ISACA involvement – past and present
  – Central UK Chapter founding Board member and Immediate Past President
  – International Membership Board
  – International Membership Growth & Retention Committee
  – International Finance Committee
  – Cobit 5.0 SME Reviewer
  – Cobit for Risk development workshop and SME reviewer
  – Cobit for Risk Scenarios Guide Task Force

• Professional Career
  – HWgrc, Principal Director (2014-…)
  – 123 Consultants, Principal Director (2008-…)
  – KPMG, Senior Manager (1988-2008)
  – Britannic Assurance, IT Auditor (1986-1988)
  – Data Sciences International, IT Operations (1979-1986)
  – CSB Data Processing, IT Operations (1978-1979)

Mike Hughes
[email protected]


Introduction

• Qualifications
  – CISA
  – CGEIT
  – CRISC

Mike Hughes
[email protected]


What is IT Governance?


“IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals”

ISACA & ITGI


Enterprises that actively design their top-level IT governance arrangements make and implement better IT-related decisions.
Gartner

Firms with focused strategies and above-average IT governance had more than 20 percent higher profits than other firms following the same strategies.
Peter Weill and Jeanne W. Ross, IT Governance

Enterprises focused on converging their business and technology disciplines exhibited superior revenue growth and net margins relative to their industry groups and exhibited consistently greater rates of return than those of their competitors.
BTM Institute


COBIT Framework



• Many organisations practice elements of COBIT already
• COBIT provides a consistent, repeatable and comprehensive approach
• IT and business become equal shareholders because COBIT helps management to answer these key questions:
  – The strategic question
  – The architecture question
  – The value question
  – The delivery question


Some fundamental questions about the value enabled by IT:
• Are we doing the right things?
• Are we doing them the right way?
• Are we getting them done well?
• Are we getting the benefits?

The strategic question. Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?

The architecture question. Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?

The delivery question. Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver:
  – The required capabilities?
  – The organisational changes required to leverage the capabilities?

The value question. Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process over the full economic life cycle of the investment?


The COBIT 5 Framework

• COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.


COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.


The COBIT 5 Principles


COBIT 5 enablers


COBIT 5 Enabling Processes

• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas – governance and management – with management further divided into domains of processes:
  – The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  – The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).

(Figure: the COBIT 5 process reference model. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.)


COBIT 5 Integrated Framework

• COBIT 5 aligns with the latest relevant other standards and frameworks:
  – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
  – IT-related: ISO 38500, ITIL, ISO27000 series, TOGAF, PMBOK, PRINCE2, CMMI, etc.
• This allows COBIT 5 to be used as the overarching governance and management framework integrator.
• COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF.


In summary ……

• Simply stated: COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use
  – COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise.
  – The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.


COBIT 5.0 for Risk – Introduction to risk management


Why is risk management important?

• You want to achieve your objectives
• You want to be in control – no surprises
• The world is also changing rapidly and expectations are increasing

Managing risk is about maximising opportunities, not about introducing layers of bureaucratic control.


Risk management in practice

Evangelists:
• Senior management should receive a new risk report every morning.
• Risks should be on the agenda for every management meeting.
• Risks can be accurately assessed to the nth level of detail through use of specialist algorithms.

Pragmatists (the real world):
• Senior management should be aware of the most significant/urgent risks.
• Risks are inherently uncertain, therefore not predictable with absolute certainty.
• Likelihood/impact, H/M/L risk assessment
• KISS (Keep It Simple, Stupid)


What is risk?

Risk can be defined as: An Uncertainty of Outcome (whether a positive opportunity or negative threat)


Effective risk management

Major factors for effective risk management:
• To manage risk to an acceptable level of tolerance for the organisation ... “the organisation’s risk appetite”
• To reduce risk exposure in a cost effective manner .... or risk mitigation


A final thought……..

“With the benefit of hindsight it can now be seen: as the wrong price, the wrong way to pay, at the wrong time and the wrong deal.”

Sir Philip Hampton, Chairman of RBS on the ABN Amro deal.


COBIT 5.0 for Risk

(Figure: the COBIT 5 process reference model, repeated. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.)

COBIT 5 Enabling Processes

COBIT 5 Process: EDM03, Ensure Risk Optimisation
Identification Reasoning: This process covers the understanding, articulation and communication of the organisation’s risk appetite and tolerance and ensures identification and management of risk to the enterprise value related to the use of IT and its impact. The goal of this process is to:
• Define and communicate risk thresholds and make sure that key IT-related risk is known;
• Effectively and efficiently manage critical IT-related enterprise risk;
• Ensure IT-related enterprise risk does not exceed risk appetite.

COBIT 5 Process: APO12, Manage Risk
Identification Reasoning: This process covers the continuous identification, assessment and reduction of IT-related risk within levels of tolerance set by enterprise executive management. Management of IT-related enterprise risk should be integrated with overall ERM, and the costs and benefits of managing IT-related enterprise risk should be balanced. This is done by:
• Collecting appropriate data and analysing risk;
• Maintaining the risk profile of the organisation and articulating risk;
• Defining the risk management action portfolio and responding to risk.

Drivers

Situation:
• Reluctance to say “no” to projects
• Lack of strategic focus
• Projects are “sold” on emotional basis – not selected
• No strong review process
• Overemphasis on financial ROI
• No clear strategic criteria for selection

Leads to..
• Can’t kill projects
• Too many projects
• Quality of execution suffers
• Underestimation of risks and costs
• Projects not aligned to strategy

Results in..
• Budget overruns
• Project delays
• Business needs not met
• Lack of confidence (in IT)
• Benefits not received
• Increased complexity
• Sub-optimal use of resources
• Finger pointing


Drivers

The main drivers for risk management include:
• Providing stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise.
• Guidance on how to manage risk to levels within the enterprise’s risk appetite.
• Guidance on how to set up the right risk culture for the enterprise.
• Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure.


Benefits

• End-to-end guidance on how to manage risk
• A common and sustainable approach for assessment and response
• A more accurate view of significant current and near-future risk throughout the Enterprise – and the impact of this risk on the Enterprise
• Understanding how effective IT risk management optimises value by enabling process effectiveness and efficiency
• Opportunities for integration of IT risk management with the overall risk and compliance structures within the enterprise
• Promotion of risk responsibility and its acceptance throughout the enterprise

Two Risk perspectives

Alignment

• COBIT 5 for Risk – much like COBIT 5 itself – is an umbrella approach for the provisioning of risk and is positioned in context with the following risk-related standards:
  – ISO 31000:2009 – Risk Management
  – ISO 27005:2011 – Information security risk management
  – COSO Enterprise Risk Management


Risk scenarios using COBIT 5 for Risk


Risk scenarios

Definition: “A risk scenario is a description of a possible event that, when occurring, will have an uncertain impact on the achievement of the enterprise’s objectives. The impact can be positive or negative”


Risk scenarios

• Top-down and Bottom-up – Both approaches are complementary and should be used simultaneously.
• Risk scenarios must be relevant and linked to real business risk.
• Specific risk items for each enterprise and critical business requirements need to be considered in the enterprise risk scenarios.
• COBIT 5 for Risk provides a comprehensive set of generic risk scenarios – these should be used as a reference to reduce the chance of overlooking major/common risk scenarios.


Risk response

• To bring risk in line with the risk appetite for the enterprise.
• A response needs to be defined such that as much future residual risk as possible (current risk with the risk response defined and implemented) falls within accepted limits.
• When risk analysis has shown that risk is not aligned with the defined risk appetite and tolerance levels, a response is required.
• This response can be any of the four possible responses:
  – Avoid, Mitigate, Share/Transfer, Accept
• Risk response evaluation is not a one-time effort – it is part of the risk management process cycle.
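A worked check of the response rule above, as an added example that is not ISACA's or the deck's own material: it scores scenarios on the H/M/L likelihood/impact scale from the earlier "Risk management in practice" slide, applies one of the four responses, and flags any scenario whose residual risk still sits outside the appetite. The scenario names, levels, appetite threshold and the post-response levels are constructed assumptions.

```python
"""Risk response check on a small risk register.

Constructed example (not from ISACA or the deck). Scenarios are rated on
the H/M/L likelihood/impact scale; the four responses are Avoid, Mitigate,
Share/Transfer and Accept; a response is needed whenever inherent risk
exceeds the appetite, and it is only sufficient if the residual risk
(risk with the response implemented) falls back within the appetite.
"""
from dataclasses import dataclass
from typing import Optional

LEVEL = {"L": 1, "M": 2, "H": 3}          # H/M/L mapped to 1..3
RESPONSES = ("Avoid", "Mitigate", "Share/Transfer", "Accept")


@dataclass
class RiskScenario:
    name: str
    likelihood: str                 # inherent likelihood: "L", "M" or "H"
    impact: str                     # inherent impact:     "L", "M" or "H"
    response: str = "Accept"        # one of RESPONSES
    # Expected levels once the response is implemented (assumed values;
    # only meaningful for Mitigate and Share/Transfer).
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 1..3 scale gives a 1..9 risk score."""
    return LEVEL[likelihood] * LEVEL[impact]


def residual_score(s: RiskScenario) -> int:
    """Score of the risk that remains after the chosen response."""
    if s.response not in RESPONSES:
        raise ValueError(f"{s.name}: unknown response {s.response!r}")
    if s.response == "Avoid":       # activity not undertaken: nothing left
        return 0
    if s.response == "Accept":      # nothing changes
        return score(s.likelihood, s.impact)
    # Mitigate / Share/Transfer: use the expected post-response levels,
    # falling back to the inherent level where none was recorded.
    return score(s.residual_likelihood or s.likelihood,
                 s.residual_impact or s.impact)


def evaluate(register, appetite: int):
    """Classify each scenario against the appetite (max acceptable score).

    Re-run every cycle: both the register and the appetite change over time.
    """
    findings = []
    for s in register:
        inherent = score(s.likelihood, s.impact)
        residual = residual_score(s)
        if s.response == "Accept":
            status = "within appetite" if inherent <= appetite else "response required"
        elif residual > appetite:
            status = "response insufficient"
        else:
            status = "within appetite"
        findings.append({"name": s.name, "response": s.response,
                         "inherent": inherent, "residual": residual,
                         "status": status})
    return findings


def needs_attention(findings):
    """Names of scenarios that still need a (better) response."""
    return [f["name"] for f in findings if f["status"] != "within appetite"]


# Constructed register and appetite: a score above 4 is outside appetite.
APPETITE = 4
SAMPLE_REGISTER = [
    RiskScenario("Unpatched internet-facing server", "H", "H", "Mitigate", "L", "H"),
    RiskScenario("Key supplier insolvency", "M", "H", "Share/Transfer", "M", "L"),
    RiskScenario("Legacy application out of vendor support", "M", "M", "Accept"),
    RiskScenario("Unencrypted backup tapes held off-site", "H", "M", "Accept"),
    RiskScenario("Payroll migration to a new cloud provider", "M", "H", "Mitigate", "M", "H"),
    RiskScenario("Launch in a sanctioned market", "H", "H", "Avoid"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_REGISTER, APPETITE):
        print(f"{f['name']:<45} {f['response']:<15} "
              f"inherent={f['inherent']} residual={f['residual']} -> {f['status']}")
```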


Risk mitigation

• COBIT 5 for Risk provides a number of examples on how the COBIT 5 enablers can be used to respond to risk scenarios.
• Risk mitigation is equivalent to implementing a number of IT controls.
• In COBIT 5 terms, IT controls can be any enabler, e.g.,
  – putting in place an organisational structure, putting in place certain governance or management practices or activities, etc.
• For each of the 20 risk scenario categories, potential mitigating actions relating to all seven COBIT 5 enablers are provided, with a reference, title and description for each enabler that can help to mitigate the risk.


Take Aways

• When someone says “I’ve got an opportunity for you”, the first question you ask is “What is it?” before you say yes!
• Do you want a successful business?
• Do you want IT to be an enabler for business success?
• If the answer to either of these questions is yes, then:
  – Appropriate and effective IT governance and risk management are required
  – COBIT 5.0 can help


In finishing

• To learn more – www.isaca.org/COBIT5


Questions?

Mike [email protected]

www.isaca-central.org.uk

www.isaca.org