Upload: vuhanh

Post on 24-Mar-2018


Dept of Mathematics and Computer Science

Seminar Information Systems

IT auditing
Principles of Risk Management

Conducted by Prof. dr K.M. van Hee and A.W. Kisjes RE RA

semester 1 2007


What is risk management?

Risk objects
• Definition of risk management scope
• Risk Analysis / Risk Evaluation
  • Identification of risks
  • Estimation of their likelihood of occurrence
  • Estimation of their causes and the magnitude of their potential impact
• Development of mitigation plans
  • Identification of potential causes
  • Development of mitigation plans

Risk management objectives
• Not to eliminate risks
• But to identify them and minimize their effects through:
  * improved awareness of their likelihood of occurrence and potential impact, and
  * development and implementation of appropriate mitigation plans

[Figure: the risk management process cycle: risk identification, qualitative analysis, quantitative analysis, risk mitigation, risk monitoring and control. Artefacts attached to the cycle: risk objects, risk register, evidence, root cause, action plans.]
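As an added worked example (not part of the lecture slides or of the IRM/Airmic material), the process cycle above turned into a small risk register in Python: risks are identified with a recorded root cause, rated qualitatively on a likelihood x impact matrix, quantified as expected annual loss, ranked, and given mitigation plans whose residual rating is what monitoring then tracks. The scales, the treatment thresholds, the sample risks and every figure are constructed for illustration.

```python
"""Worked risk-register example (added; not from the lecture slides).

Walks a few constructed IT risks through the process cycle:
identification -> qualitative analysis -> quantitative analysis ->
mitigation planning -> a register ordered for monitoring.
All scales, thresholds, risks and figures are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scales (constructed): ordinal 1..5 for likelihood and for impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Mitigation:
    """A planned control and the likelihood / impact it is expected to leave behind."""
    action: str
    owner: str
    residual_likelihood: str
    residual_impact: str
    annual_cost: float


@dataclass
class Risk:
    risk_id: str
    description: str          # identification: what could go wrong
    root_cause: str           # evidence / root cause recorded with the risk
    likelihood: str           # qualitative estimate (key into LIKELIHOOD)
    impact: str               # qualitative estimate (key into IMPACT)
    probability: float        # quantitative: chance of at least one occurrence per year
    loss_if_occurs: float     # quantitative: expected loss per occurrence (currency units)
    mitigation: Optional[Mitigation] = None

    def qualitative_score(self) -> int:
        """Qualitative analysis: position on a 5x5 likelihood x impact matrix (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def expected_annual_loss(self) -> float:
        """Quantitative analysis: likelihood of occurrence x magnitude of impact."""
        return self.probability * self.loss_if_occurs

    def residual_score(self) -> int:
        """Qualitative rating after the mitigation plan; unchanged when there is no plan."""
        if self.mitigation is None:
            return self.qualitative_score()
        return LIKELIHOOD[self.mitigation.residual_likelihood] * IMPACT[self.mitigation.residual_impact]


def rating_band(score: int) -> str:
    """Maps a matrix score to a treatment band (constructed thresholds)."""
    if score >= 15:
        return "high"      # treat now: a mitigation plan is mandatory
    if score >= 8:
        return "medium"    # plan and monitor
    return "low"           # accept, keep on the register


def prioritize(register: List[Risk]) -> List[Risk]:
    """Risk evaluation: order by qualitative rating, then by expected annual loss."""
    return sorted(register, key=lambda r: (r.qualitative_score(), r.expected_annual_loss()), reverse=True)


def needs_plan(register: List[Risk]) -> List[str]:
    """Monitoring check: every risk in the 'high' band must carry a mitigation plan."""
    return [r.risk_id for r in register
            if rating_band(r.qualitative_score()) == "high" and r.mitigation is None]


def build_sample_register() -> List[Risk]:
    """Constructed sample risks for a small organisation's IT environment."""
    return [
        Risk("R1", "Unpatched internet-facing server is compromised", "No patch management procedure",
             "likely", "major", probability=0.4, loss_if_occurs=250_000.0,
             mitigation=Mitigation("Monthly patch cycle with an emergency track", "IT operations",
                                   "unlikely", "major", annual_cost=30_000.0)),
        Risk("R2", "Backup restore fails after data loss", "Restores never tested",
             "possible", "severe", probability=0.1, loss_if_occurs=1_000_000.0),
        Risk("R3", "Laptop with customer data lost in transit", "Disk encryption not enforced",
             "likely", "moderate", probability=0.5, loss_if_occurs=40_000.0,
             mitigation=Mitigation("Enforce full-disk encryption by policy", "Security officer",
                                   "likely", "negligible", annual_cost=5_000.0)),
        Risk("R4", "Office printer outage", "Single device, no maintenance contract",
             "almost certain", "negligible", probability=0.9, loss_if_occurs=500.0),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'id':<4}{'score':>6}{'band':>8}{'EAL':>12}{'residual':>10}")
    for r in prioritize(register):
        print(f"{r.risk_id:<4}{r.qualitative_score():>6}{rating_band(r.qualitative_score()):>8}"
              f"{r.expected_annual_loss():>12,.0f}{r.residual_score():>10}")
    print("high risks without a mitigation plan:", needs_plan(register))
```

The ranking key deliberately puts the qualitative matrix first and the expected loss second: on this register R1 and R2 have the same expected annual loss, and only the qualitative rating separates them, which is the usual situation when loss figures are rough estimates. The `needs_plan` check is the kind of rule an auditor tests against a register: high-band risks with no owner or action are findings.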

[Figure: risk management process. Source: IRM/Airmic]


Risks relate to business artefacts

[Figure. All rights reserved, 2007 Pulinco/Agilos]

The risk ecosystem

[Figure: the risk ecosystem, linking the following elements: stakeholder map; validation point, validation object and validation topic; questions and measurement; procedure / activity, empowerment, checklist, integration; a process model with steps, sequences, forks and branches (Step 1, Step 2, Sequence A with Steps A1 to A3, Fork A, Branch C with Steps C1, C11 and C22, sequence value); instruction / definition, rule set and business rule (control); assessment, self-assessment and benchmark; a questionnaire (columns Topic / Question, Answer, Note) of which an excerpt from section 3, Security Policy, is shown (3.1 Establish an ..., 3.1.1 Develop an ..., 3.1.2 Review and ..., with yes / no / other answers); and Risk. All rights reserved, 2007 Pulinco/Agilos]

Characteristics of a Risk Template

Link with Measures / Internal controls (through business rules)


Risk Action Template

[Figure. All rights reserved, 2007 Pulinco/Agilos]

Risk Management: a cyclic process with "the Big Picture" scope

[Figure: the cycle Analyzing, Developing, Running, Monitoring, with the components it connects: Rule Engine, Business Process Management, Enterprise and Library model (models, guidelines), MIS & Cockpit (numbers), Continuous improvement, Development Workbench, Repository, Test Generator, Simulation, DWH, Business Application, Business Intelligence, ERP, CRM, Enterprise Content Management (facts & figures), Discovery, Application Service, Sources. All rights reserved, 2007 Pulinco/Agilos]

Definitions (1)

• Decisions to accept exposure or to reduce vulnerabilities by either mitigating the risks or applying cost effective controls. (www.utmb.edu/is/security/glossary.htm)
• Decisions about whether an assessed risk is sufficiently high to present a public health concern and about the appropriate means for control of a risk judged to be significant. The process of evaluating and selecting alternative regulatory and non-regulatory responses to risk. The selection process necessarily requires the consideration of legal, economic, and behavioral factors. (www.nsc.org/ehc/glossar2.htm)
• The process of evaluating and selecting alternative regulatory and non-regulatory responses to risk. The selection process necessarily requires the consideration of legal, economic, and behavioral factors. (www.entrix.com/resources/glossary.aspx)
• Risk management is the decision-making process involving considerations of political, social, economic and engineering factors with relevant risk assessments relating to a potential hazard so as to develop, analyse and compare regulatory options and to select the optimal regulatory response for safety from that hazard. Essentially risk management is the combination of three steps: risk evaluation; emission and exposure control; risk monitoring. (www.bio.hw.ac.uk/edintox/glossall.htm)
• The identification and acceptance or offsetting of the risks threatening the profitability or existence of an organisation. With respect to foreign exchange involves among others consideration of market, sovereign, country, transfer, delivery, credit, and counterparty risk. (www.fx-forex-trading.com/glossary.htm)
• The employment of financial analysis and trading techniques to reduce and/or control exposure to various types of risk. (www.fibo-forex.lt/forex_glossary.htm)
• Clinical and administrative activities undertaken to identify, evaluate, and reduce the risk of injury to patients, staff, and visitors and the risk of loss to the organization itself. (www.jcaho.org/accredited+organizations/sentinel+event/glossary.htm)
• The systematic application of management policies, procedures and practices to the tasks of identifying, analysing, evaluating, treating and monitoring risk. (www.yeronga.tafe.qld.gov.au/tools/glossary/glossary_r.shtml)
• The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. (www.riskmanagement.qld.gov.au/info/guide/gls.htm)
• To hedge one's risk they will employ financial analysis and trading techniques. (www.forextips.com/forex-terms-p.htm)
• A systematic approach used to identify, evaluate, and reduce or eliminate the possibility of an unfavorable deviation from the expected outcome of medical treatment and thus prevent the injury of patients as a result of negligence and the loss of financial assets resulting from such injury. (www.thedoctors.com/glossary/glossaryR.asp)
• The quantifiable likelihood of loss or less-than-expected returns. Examples: currency risk, inflation risk, principal risk, country risk, economic risk, mortgage risk, liquidity risk, market risk, opportunity risk, income risk, interest rate risk, prepayment risk, credit risk, unsystematic risk, call risk, business risk, counterparty risk, purchasing-power risk, event risk.

Definitions (2)

• The use of various management practices to reduce the production and financial risk of the business. Commonly used practices include diversification, purchasing insurance, hedging or forward contracting, maintaining cash reserves and maintaining flexibility in the operation. (www.extension.iastate.edu/agdm/wholefarm/html/c1-05.html)
• The process of actively monitoring / controlling exposure to various types of risks while attempting to maximize returns. Typically involves utilizing a variety of trading techniques, models and financial analyses. (fxtrade.oanda.com/help/glossary/glossaryL_R.html)
• Having identified the business risks through the Business Continuity Plan, it is essential that a full risk management programme is introduced and maintained at all times. (www.business-continuity-online.com/Content/Pages/Glossary.aspx)
• Risk management is a system for decreasing the chance for injury or accidents in a given area, in this case a fraternity or sorority house. These Risk Management policies are to protect our fraternity and sorority members from issues relating to illegal drinking and substance use and abuse, fire code regulations, hazing, legal implications of fraternity and sorority affairs, and social events such as parties and socials. (studentaffairs.shu.edu/phikaps/html/recruitment/glossary.html)
• The active identification, evaluations, and management of all the potential hazards and exposures to loss a risk may experience. The handling of those exposures is not limited to insurance options, but includes a variety of methods such as alternative financing, retention, reduction, elimination, transfer, and/or any combination of methods. (www.apmc.us/IndustryGlossary)
• The process of identifying, assessing, and controlling risks arising from operational factors and making decisions that balance risk cost with mission benefits. (www.rotc.monroe.army.mil/helpdesk/definitions-1/terms.htm)
• The total process of identifying, controlling, and eliminating or minimizing uncertain events that may affect system resources. It includes risk analysis, cost-benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review. [8] (www.ee.oulu.fi/research/ouspg/sage/glossary/)
• Management tool for the comprehensive identification and assessment of risks based on knowledge and experience in the fields of natural sciences, technology, economics and statistics. (www.swissre.com/INTERNET/pwswpspr.nsf/vwRobotCrawlLU/ABOD-5UCLEM)
• Process of identifying, assessing, and reducing the risk to an acceptable level and implementing the right mechanisms to maintain that level of risk. (www.michigan.gov/cybersecurity/0,1607,7-217-34415---,00.html)
• The identification, assessment, allocation, mitigation and monitoring of risks associated with a project. (www.vgpb.vic.gov.au/CA256C450016850B/0/073B1893942AC1C9CA256C5C0006AC1D)
• The total process to identify, control, and minimize the impact of uncertain events. The objective of the risk management program is to reduce risk and obtain and maintain DAA (Designated Approving Authority) approval. (www.tsl.state.tx.us/ld/pubs/compsecurity/glossary.html)

UK
• IRM (Institute of Risk Management)
• AIRMIC (The Association of Insurance and Risk Managers)

Corporate governance
• is the set of processes, customs, policies, laws and institutions affecting the way in which a corporation is directed, administered or controlled.
• Corporate governance also includes
  – the relationships among the many players involved (the stakeholders)
  – the goals for which the corporation is governed.
• The principal players are
  – the shareholders,
  – management,
  – the board of directors.
• Other stakeholders include
  – employees,
  – suppliers,
  – customers,
  – banks and other lenders,
  – regulators, the environment,
  – the community at large.
• Corporate governance is a multi-faceted subject.
• An important theme of corporate governance deals with issues of
  – accountability,
  – fiduciary duty,
  essentially advocating the implementation of policies and mechanisms to ensure good behaviour and protect shareholders.
• Another key focus is the economic efficiency view, through which the corporate governance system
  – should aim to optimize economic results,
  – with a strong emphasis on shareholders' welfare.

Enterprise Risk Management (ERM) - 1
• refers to the methods and processes
• used by organizations
• to manage risks (or seize opportunities)
• related to the achievement of their objectives.

ERM provides a framework for risk management, which typically involves
• identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities),
• assessing them in terms of likelihood and magnitude of impact,
• determining a response strategy, and
• monitoring progress.

Enterprise Risk Management (ERM) - 2

By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including
– owners,
– employees,
– customers,
– regulators, and
– society overall.

• ERM can also be described as a risk-based approach
  – to managing an enterprise, integrating concepts of
    • strategic planning,
    • operations management,
    • internal control.
• ERM is evolving to
  – address the needs of various stakeholders,
    • who want to understand the broad spectrum of risks facing complex organizations
    • to ensure they are appropriately managed.
• Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

[Figure: the COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Objective categories: Strategic, Operations, Reporting, Compliance. Entity levels: Entity-Level, Division, Business Unit, Subsidiary.]

The COSO "Enterprise Risk Management - Integrated Framework" published in 2004 defines ERM as:

"A process,
• effected by an entity's board of directors, management, and other personnel,
• applied in strategy setting and across the enterprise,
• designed to
  • identify potential events that may affect the entity,
  • manage risk to be within its risk appetite,
  • to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework has eight components and four objectives categories. It is an expansion of the COSO Internal Control - Integrated Framework published in 1992 and amended in 1994.

The eight components (additional components highlighted) are:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

The four objectives categories (additional components highlighted) are:
• Strategy
  – high-level goals,
  – aligned with and supporting the organization's mission
• Operations
  – effective and efficient use of resources
• Financial Reporting
  – reliability of operational and financial reporting
• Compliance
  – compliance with applicable laws and regulations

[Figure: the COSO ERM cube, with the eight components, the four objective categories (Strategic, Operations, Reporting, Compliance) and the entity levels (Entity-Level, Division, Business Unit, Subsidiary).]

RIMS Risk Maturity Model for Enterprise Risk Management
• Enterprise Risk Management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is
  – the culture, processes and tools
  – to identify strategic opportunities and reduce uncertainty.
  – ERM is a comprehensive view of risk from both operational and strategic perspectives
  – a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.
• According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure
  – how well enterprise risk management is embraced by management
  – ingrained within the organization.
• A maturity level is determined for each attribute
• ERM maturity is determined by the weakest link.

Primary risk functions in large corporations include:
• Strategic planning
  – identifies external threats and competitive opportunities, along with strategic initiatives to address them
• Marketing
  – understands the target customer to ensure product/service alignment with customer requirements
• Compliance & Ethics
  – monitors compliance with code of conduct and directs fraud investigations
• Accounting / Financial compliance
  – directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks
• Law Department
  – manages litigation and analyzes emerging legal trends that may impact the organization
• Insurance
  – ensures the proper insurance coverage for the organization
• Treasury
  – ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
• Operational Quality Assurance
  – verifies operational output is within tolerances
• Operations management
  – ensures the business runs day-to-day and that related barriers are surfaced for resolution
• Credit
  – ensures any credit provided to customers is appropriate to their ability to pay
• Customer service
  – ensures customer complaints are handled promptly and root causes are reported to operations for resolution
• Internal audit
  – evaluates the effectiveness of each of the above risk functions and recommends improvements

Common ERM topics and challenges include
• Identifying executive sponsors for ERM.
• Establishing a common risk language or glossary.
• Identifying and describing the risks in a "risk inventory".
• Implementing a risk-ranking methodology to prioritize risks within and across functions.
• Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
• Establishing ownership for particular risks and responses.
• Demonstrating the cost-benefit of the risk management effort.
• Developing action plans to ensure the risks are appropriately managed.
• Developing consolidated reporting for various stakeholders.
• Monitoring the results of actions taken to mitigate risk.
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.

7 Competencies / Attributes in Risk Maturity as defined by RIMS

• 1. ERM-based approach
  – Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.
• 2. ERM process management
  – Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools and models.
• 3. Risk appetite management
  – Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.
• 4. Root cause discipline
  – Degree of discipline applied to measuring a problem's root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls' effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.
• 5. Uncovering risks
  – Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft® Word, Excel®, etc.) to uncover dependencies and correlation across the enterprise.
• 6. Performance management
  – Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan's balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.
• 7. Business resiliency and sustainability
  – Extent to which the ERM Process's sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.

Business Continuity Planning (BCP) and Business Continuity Management (BCM)

• is an interdisciplinary peer mentoring methodology
• used to create and validate a practiced logistical plan
• for how an organization will recover and restore
  – partially or completely interrupted critical function(s)
  – within a predetermined time after a disaster or extended disruption.
• The logistical plan is called a Business Continuity Plan.
• In plain language, BCP is
  • how an organization prepares
  • for future incidents that could jeopardize
    – the organization's core mission
    – its long-term health.
• Incidents include
  – local incidents like building fires,
  – regional incidents like earthquakes,
  – national incidents like pandemic illnesses.

http://www.thebci.org/

British Standard 25999
• BCP may be a part of an organizational learning effort
  – that helps reduce operational risk associated with lax information management controls.
  – This process may be integrated with
    • improving information security
    • corporate reputation risk management practices.
• In December 2006, the British Standards Institute released a new independent standard for BCP: BS 25999.
  – Prior to the introduction of BS 25999, BCP professionals relied on BSI information security standard BS 7799, which only peripherally addressed BCP to improve an organization's information security compliance.
  – BS 25999's applicability extends to organizations of all types, sizes, and missions whether governmental or private, profit or non-profit, large or small, or industry sector.

Operational Risk Management (ORM)

• is the oversight of many forms of day-to-day operational risk including
  – the risk of loss resulting from inadequate or failed
    • internal processes,
    • people,
    • systems,
    • or from external events.
• Operational risk does not include market risk or credit risk.
• Specifically in use in the financial services industry.

Benefits of ORM

• Reduction of operational loss.
• Lower compliance/auditing costs.
• Early detection of unlawful activities.
• Reduced exposure to future risks.

The Basel Committee on Banking Supervision breaks down loss events into seven general categories

• Internal Fraud
  • Loss due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party.
• External Fraud
  • Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. These activities include theft, robbery, hacking or phishing attacks.
• Employment Practices and Workplace Safety
  • Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination.
• Clients, Products & Business Practice
  • Losses arising from unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
• Damage to Physical Assets
  • Losses arising from loss or damage to physical assets from natural disaster or other events. See disaster recovery or business continuity planning.
• Business Disruption & Systems Failures
  • Losses arising from disruption of business or system failures. This includes loss due to failure of computer hardware, computer software, telecommunications failure or utility outage and disruptions.
• Execution, Delivery & Process Management
  • Losses from failed transaction processing or process management, from relations with trade suppliers and vendors.

http://www.bis.org/bcbs/index.htm

Execution, Delivery & Process Management

Losses from failed transaction processing or process management, from relations with trade suppliers and vendors. This includes:

– Transaction Capture, Execution & Maintenance: miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model / system misoperation; accounting error, entity attribution error; delivery failure; collateral management failure; reference data maintenance
– Monitoring & Reporting: failed mandatory reporting obligation; inaccurate external report (loss incurred)
– Customer Intake & Documentation: client permissions / disclaimers missed; legal documents missing / incomplete
– Customer / Client Account Management: unapproved access given to accounts; incorrect client records (loss incurred); negligent loss or damage of client assets
– Trade partners: non-client vendor misperformance; vendor disputes

Value at risk (VaR) in economics and finance

• a measure of how the market value of an asset or of a portfolio of assets is likely to decrease over a certain time period (usually over 1 day or 10 days) under usual conditions.

VaR:
• is typically used by security houses or investment banks to measure the market risk of their asset portfolios (market value at risk),
• but is actually a very general concept that has broad application.
• Other measures of risk include
  – volatility / standard deviation,
  – semi-variance (or downside risk),
  – expected shortfall.


Value at Risk

VaR: three parameters and three common calculation models

Three parameters:
• The time horizon (period) to be analyzed (i.e., the length of time over which one plans to hold the assets in the portfolio: the "holding period").
• The confidence level at which the estimate is made. Popular confidence levels usually are 99% and 95%.
• The unit of the currency which will be used to denominate the value at risk (VaR).

Three common calculation models:
• (a) variance-covariance (VCV), assuming that risk factor returns are always (jointly) normally distributed and that the change in portfolio value is linearly dependent on all risk factor returns;
• (b) the historical simulation, assuming that asset returns in the future will have the same distribution as they had in the past (historical market data);
• (c) Monte Carlo simulation, where future asset returns are more or less randomly simulated.
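As an added worked example (not part of the lecture slides), the three parameters and the three calculation models above applied to one constructed two-asset portfolio in Python, so that the VCV, historical and Monte Carlo figures can be compared side by side for the same holding period and confidence level. Everything here is an assumption for illustration: the portfolio, its seeded return history, the currency amount, the choice to report losses as positive numbers, square-root-of-time scaling of the VCV and historical one-day figures to a longer horizon, and a normal model fitted to the history for the Monte Carlo draws.

```python
"""Value at Risk (VaR) under the three common calculation models.

Added worked example; not part of the lecture slides. The portfolio, its
return history and all parameters are constructed for illustration.
Assumptions (all labelled): losses are reported as positive amounts in the
portfolio's currency; the VCV and historical models reach a multi-day
horizon by square-root-of-time scaling; the Monte Carlo model draws daily
portfolio returns from a normal distribution fitted to the history and sums
them over the holding period.
"""
import math
import random
import statistics
from typing import List, Sequence


def z_score(confidence: float) -> float:
    """Standard-normal quantile for the confidence level (2.326 at 99%, 1.645 at 95%)."""
    return statistics.NormalDist().inv_cdf(confidence)


def portfolio_returns(returns: Sequence[Sequence[float]], weights: Sequence[float]) -> List[float]:
    """Daily portfolio return series: weighted sum of the per-asset daily returns."""
    return [sum(w * r for w, r in zip(weights, day)) for day in zip(*returns)]


def covariance(a: Sequence[float], b: Sequence[float]) -> float:
    """Sample covariance of two equally long return series."""
    mean_a, mean_b = statistics.fmean(a), statistics.fmean(b)
    return sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b)) / (len(a) - 1)


def worst_quantile(sorted_pnl: Sequence[float], confidence: float) -> float:
    """Loss at the (1 - confidence) tail: the ceil((1 - c) * n)-th worst observation, as a positive number."""
    k = max(0, math.ceil((1 - confidence) * len(sorted_pnl)) - 1)
    return -sorted_pnl[k]


def var_variance_covariance(returns, weights, value, confidence, horizon_days=1):
    """(a) VCV: risk-factor returns jointly normal, portfolio value linear in them."""
    n = len(weights)
    cov = [[covariance(returns[i], returns[j]) for j in range(n)] for i in range(n)]
    variance = sum(weights[i] * cov[i][j] * weights[j] for i in range(n) for j in range(n))
    # z * sigma is the loss quantile of a normal with the portfolio's daily volatility;
    # sqrt(h) scaling to the holding period is the usual simplifying assumption
    return z_score(confidence) * math.sqrt(variance) * math.sqrt(horizon_days) * value


def var_historical(returns, weights, value, confidence, horizon_days=1):
    """(b) Historical simulation: future returns follow the observed past distribution."""
    daily = sorted(portfolio_returns(returns, weights))   # ascending: worst day first
    return worst_quantile(daily, confidence) * math.sqrt(horizon_days) * value


def var_monte_carlo(returns, weights, value, confidence, horizon_days=1, scenarios=20000, seed=1):
    """(c) Monte Carlo: simulate many holding-period paths and read off the loss quantile."""
    daily = portfolio_returns(returns, weights)
    mu, sigma = statistics.fmean(daily), statistics.stdev(daily)   # fitted normal model (assumption)
    rng = random.Random(seed)
    horizon_pnl = sorted(
        sum(rng.gauss(mu, sigma) for _ in range(horizon_days)) * value
        for _ in range(scenarios)
    )
    return worst_quantile(horizon_pnl, confidence)


def constructed_history(days: int = 500, seed: int = 7) -> List[List[float]]:
    """Constructed two-asset daily return history sharing a common market factor."""
    rng = random.Random(seed)
    asset_a, asset_b = [], []
    for _ in range(days):
        market = rng.gauss(0.0, 0.008)
        asset_a.append(market + rng.gauss(0.0003, 0.006))
        asset_b.append(0.6 * market + rng.gauss(0.0001, 0.004))
    return [asset_a, asset_b]


if __name__ == "__main__":
    history = constructed_history()
    weights, value = [0.6, 0.4], 1_000_000.0       # constructed portfolio, currency units
    for horizon in (1, 10):
        for confidence in (0.95, 0.99):
            print(f"{horizon:>2}-day VaR at {confidence:.0%}: "
                  f"VCV {var_variance_covariance(history, weights, value, confidence, horizon):>10,.0f}  "
                  f"historical {var_historical(history, weights, value, confidence, horizon):>10,.0f}  "
                  f"Monte Carlo {var_monte_carlo(history, weights, value, confidence, horizon):>10,.0f}")
```

Because the constructed history really is jointly normal, the three models agree closely here; on real market data the historical figure typically exceeds the VCV figure at 99%, which is exactly the fat-tail weakness of the normality assumption that the slide's "under usual conditions" caveat refers to. Note also that each model's answer depends on all three parameters: change the holding period, the confidence level or the currency amount and the number changes, so an auditor comparing two VaR figures must first check that they were computed with the same three.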

Homeland Security (1)

• Homeland security is officially defined by the National Strategy for Homeland Security as
  – "a concerted national effort to
    • prevent terrorist attacks within the United States,
    • reduce America's vulnerability to terrorism, and
    • minimize the damage and recover from attacks that do occur."
  – Because the US Department of Homeland Security (DHS) includes the Federal Emergency Management Agency (FEMA), it has responsibility for preparedness, response and recovery to natural disasters as well.

Homeland Security (2)

The scope of homeland security includes:
• Emergency preparedness and response (for both terrorism and natural disasters), including volunteer medical, police, Emergency Management and fire personnel;
• Domestic intelligence activities, largely today within the FBI;
• Critical infrastructure protection;
• Border security, including both land and maritime borders;
• Transportation security, including aviation and maritime transportation;
• Biodefense;
• Detection of nuclear and radiological materials;
• Research on next-generation security technologies.

Social risk management (SRM)
• a new conceptual framework assigned and designed by the World Bank
• The objective of SRM is to extend the traditional framework of social policy to non-market based social protection, whose three primary strategies are
  – prevention,
  – mitigation, and
  – coping.

It is now well understood that social unrest is positively correlated with poverty. Assisting individuals, households and communities to raise their living standard above the poverty level will harmonize the global economy and strengthen social security.

Main Sources of Social Risks (adapted from Holzmann and Jorgensen, 2000, by Wikipedia)