IT Risk Management - The Right Posture
DESCRIPTION
Keynote presentation at IBM seminar on IT Risk Management at Bangalore, 27 July 2012
TRANSCRIPT
ENTERPRISE IT RISK MANAGEMENT: “EXPLORING THE RIGHT POSTURE”
PARAG DEODHAR, 27 JULY 2012, BANGALORE
EVOLUTION OF IT WITHIN THE ORGANISATION
[Figure: stages of IT within the organisation: Support Team, Enabler, Transformer]
27 July 2012, ENTERPRISE IT RISK MANAGEMENT COLLOQUIUM, PARAG DEODHAR
ENTERPRISE RISK & IT
• IT is now CORE to Business
• Top 3 areas on which Audit Committees want to spend more time (Source: KPMG Survey)
IT RISK MANAGEMENT IS MUCH MORE THAN IT SECURITY
• Not limited to information security. It covers all IT‐related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
IT RISK DOES NOT EMANATE FROM THE IT DEPARTMENT ALONE
• Mergers and Acquisitions
• Purchasing software as a service
• Investing in application enhancements
• Outsourcing and offshoring
• Integrating diverse applications
– Business Partners, Suppliers, Banks, Customers…
• End Users
• Consultants and Auditors!!!
WHO OWNS IT RISK?
• IT Risk Management ‐ Organisation Structure & Reporting line
– IT team
– Risk Management Team
– External Vendors
– Group Team
WHOSE NECK IS ON THE LINE WHEN DISASTER STRIKES?
CIO REPORT TO THE AUDIT COMMITTEE (Source: KPMG Survey)
IT RISK UNIVERSE
EMERGING IT RISKS IN THE BORDERLESS ENTERPRISE
MANAGING IT RISKS
• New threats are emerging every day
• Basic measures like Anti‐Virus and Firewalls are no longer enough
• Tools like SIEM, IPS, DLP, DRM… are now a standard requirement
• Tools alone are not enough; continuous updates, 24x7 monitoring and response are required
• Do you have the resources: money, time, human resources???
• What is your risk posture? What do you tell the Board?
• How do you manage compliance?
GUIDING PRINCIPLES (Source: ISACA)
IT RISK MANAGEMENT FRAMEWORK (Source: ISACA)
• Responsibility and accountability for risk
• Risk appetite and tolerance
• Awareness and communication
• Risk culture
• Key risk indicators (KRIs)
• Risk response definition and prioritisation
• Risk scenarios
• Business impact descriptions
IT RISK – MATURITY MODEL TO ASSESS POSTURE (Source: ISACA)
It’s not a Goal – But a journey…
THANK YOU