COBIT 2019 And Risk Management - ISACA

Transcription

COBIT 2019 AND RISK MANAGEMENT
ISACA RISK EVENT 2019, AMSTERDAM, 11 APRIL 2019

OPENING THOUGHTS – THINGS WE DON’T WANT TO HAPPEN WHEN PRACTISING RISK MANAGEMENT

AGENDA
COBIT 2019 – Why?
COBIT 2019 – What is new and what has changed?
COBIT 2019 – How is this relevant for risk management?
Q&A

COBIT 2019 – WHY?
THE MAIN DRIVERS FOR THE NEW VERSION OF COBIT
Confirming I&T governance
Staying relevant
Addressing imperfections

COBIT 2019 – STAYING RELEVANT
COBIT 5 was published in 2012, making it almost 7 years old.
New technology and business trends in the use of IT (e.g. digitization, new paradigms) have not been incorporated into COBIT, requiring re-alignment.
The need for the integration of new insights from practitioners, science and academia in the domain of I&T governance creation.
Other standards have evolved, resulting in a different standards/frameworks landscape, requiring a re-alignment.
More fluid, flexible and frequent updates of COBIT are required.

COBIT 2019 – ADDRESSING COBIT 5 IMPERFECTIONS
COBIT users found it hard to locate relevant contents for their needs.
Perceived as complex and challenging to apply in practice.
The enabler model was incomplete in terms of development and guidance, and thus often ignored.
A challenging process capability model and general lack of support of performance management for other enablers.
The perceived reputation of IT governance itself as an inhibitor of change and (administrative) overhead – not per se a COBIT weakness but an IT governance problem at large.

COBIT’S PURPOSE: ENTERPRISE GOVERNANCE TO SUPPORT VALUE CREATION
Enterprise Governance of I&T – Business/IT Alignment – Value Creation
IT is used to refer to the organizational department with main responsibility for technology, versus I&T, which is all the information the enterprise generates, processes and uses to achieve its goals, as well as the technology to support that throughout the enterprise.

COBIT 2019 – VALUE DELIVERY
Resource Optimisation: appropriate capabilities are in place to execute the strategic plan and sufficient, appropriate and effective resources are provided.
Risk Optimisation: addressing the business risk associated with the use, ownership, operation, involvement, influence and adoption of I&T within an enterprise.
Benefits Realisation: delivery of fit-for-purpose services and solutions, on time and within budget, that generate the intended financial and nonfinancial benefits.

COBIT 2019 – WHAT IS NEW?
NEW AND CHANGED IN COBIT 2019

OVERVIEW – COBIT 2019 PRODUCT FAMILY
The COBIT 2019 product family is open-ended. The following publications are now available.

COBIT OVERVIEW

COBIT 2019 GOALS CASCADE & GOVERNANCE / MANAGEMENT OBJECTIVES

Known as the Process Reference Model, or PRM, in COBIT 5, COBIT 2019 identifies this as the COBIT Core Model.
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4, Section 4.2

KEY CONCEPTS – GOVERNANCE AND MANAGEMENT OBJECTIVES
HIGH LEVEL INFORMATION: Domain name; Focus area; Governance or management objective name; Description; Purpose statement
GOALS CASCADE: Applicable alignment goals; Applicable enterprise goals; Example metrics
RELATED COMPONENTS: Processes, practices and activities; Organizational structures; Information flows and items; People, skills and competencies; Policies and frameworks; Culture, ethics and behavior; Services, infrastructure and applications
RELATED GUIDANCE: Where applicable, links and cross references are provided to other standards and frameworks for each of the governance components within each governance and management objective.

DESIGN FACTORS IN COBIT 2019
Design factors influence the design of an enterprise’s governance system and position it for success in the use of I&T.
More information and detailed guidance on how to use the design factors for designing a governance system can be found in the COBIT Design Guide publication.

DESIGN FACTORS IN COBIT 2019: EXAMPLES
Enterprise Strategy: Growth/Acquisition; Innovation/Differentiation; Cost Leadership; Client Service/Stability
Threat Landscape: Normal; High
Role of IT: Support; Factory; Turnaround; Strategic

DESIGNING A TAILORED GOVERNANCE SYSTEM – GOVERNANCE SYSTEM DESIGN WORKFLOW
The different stages and steps in the design process will result in recommendations for prioritizing governance and management objectives or related governance system components, for target capability levels, or for adopting specific variants of a governance system component.
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 7 Designing a Tailored Governance System, Figure 7.2

PERFORMANCE MANAGEMENT IN COBIT 2019 – PROCESS CAPABILITY LEVELS
COBIT 2019 supports a CMMI-based process capability scheme.
The process within each governance and management objective can operate at capability levels between 0 and 5.
The capability level is a measure of how well a process is implemented and performing.
Each process activity is associated with a capability level.

WHAT COBIT IS AND WHAT IT IS NOT: SETTING THE RIGHT EXPECTATIONS
COBIT IS:
A framework for the governance and management of enterprise I&T.
COBIT defines the components to build and sustain a governance system.
COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system, including risk.
COBIT is flexible and allows guidance on new topics to be added.
COBIT IS NOT:
A full description of the whole IT environment of an enterprise.
A framework to organize business processes.
An (IT-) technical framework to manage all technology.
COBIT does not make or prescribe any IT-related decisions, e.g. sourcing strategies, technology choices.

MAJOR DIFFERENCES – ALIGNMENT TO COBIT 5
COBIT 5 FRAMEWORK → COBIT 2019 FRAMEWORK: COBIT Introduction & Methodology
COBIT 5 ENABLING PROCESSES → COBIT 2019 FRAMEWORK: COBIT Governance & Management Objectives
COBIT 5 IMPLEMENTATION GUIDE → COBIT 2019 DESIGN GUIDE: Designing Your Information & Technology Governance System; COBIT 2019 IMPLEMENTATION GUIDE: Implementing and Optimizing Your Information & Technology Governance System
COBIT 5 FOR RISK, COBIT 5 FOR IS → Focus Area – RISK, Focus Area – SECURITY (Planned)
New focus areas: Focus Area – DEVOPS, Focus Area – SME

COBIT 2019 AND RISK MANAGEMENT
WHAT IS MOST RELEVANT IN COBIT 2019 FOR RISK MANAGEMENT?

COBIT 2019 AND RISK MANAGEMENT (NOW AND UPCOMING)
COBIT 2019 integrates risk governance and management with overall I&T governance and management.
COBIT 2019 provides the hooks for more detailed and technical guidance beyond the scope of COBIT.
COBIT 2019 includes integrated process capability assessment, based on CMMI.
COBIT 2019 has updated the generic risk scenarios to support management efforts.
The COBIT Core Model contains specific risk governance & management objectives, with supporting processes: EDM03 – Ensured Risk Optimisation; APO12 – Managed Risk.
Specific organisational structures, skills, culture aspects, etc. are described as well.
Detailed focus area guidance will be available soon for information security and I&T risk.

COBIT 2019 AND RISK MANAGEMENT – EDM03 – ENSURED RISK OPTIMISATION AND APO12 – MANAGED RISK

COBIT 2019 AND RISK MANAGEMENT: DESIGN FACTORS – RISK PROFILE
The risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.
The risk categories listed in figure 2.7 merit consideration.

COBIT 2019 AND RISK MANAGEMENT: DESIGN FACTORS – I&T ISSUES
A related method for an I&T risk assessment for the enterprise is to consider which I&T-related issues it currently faces, or, in other words, what I&T-related risk has materialized.
The most common of such issues are listed in figure 2.8.

COBIT 2019 AND RISK MANAGEMENT: MAPPING RISK & ISSUES WITH GOVERNANCE AND MANAGEMENT OBJECTIVES

COBIT 2019: IN CONCLUSION

WHY COBIT 2019?
Generally accepted business framework for IT, used and useable by business / assurance / risk management.
‘Plays well with others’, i.e. aligns with other frameworks, can be complemented with missing bits & pieces, e.g. for quantitative risk analysis.
Structured from beginning to end.
Can be tailored to specific enterprise needs thanks to the (new) design factors, which include the risk profile and IT issues an organisation is faced with.
Includes integrated performance management features – capability levels, metrics at different levels, allowing to set targets and to measure against them.
Is open and freely available, not proprietary, hence no lock-ins or important IP investments.

WHY COBIT 2019 FOR RISK MANAGEMENT? WHAT’S IN THE COBIT TOOLBOX?
Risk governance and risk management objectives and processes are spelled out and can be implemented at different and evolving capability levels.
The performance management system for these processes allows to measure and adjust them to target.
Design factors (risk profile, IT issues, threat landscape, ...) allow to design the governance process taking into account risk factors.
The updated list with generic risk scenarios is a valuable tool for validation of an organisation’s own risk register.
Mapping between risk scenarios and governance and management objectives, aka ‘controls’, allows more reliable risk assessment and better risk response, whilst saving on the need to identify controls for each new risk.
Performance monitoring for those ‘controls’ is provided through the process capability scheme.
Definition of relevant information items for risk management: risk profile, risk register, ...
Designated focus area guidance for information security and information risk management is under development; other areas will be planned.
COBIT has attention for ‘non-process’ related guidance as well.

IS COBIT 2019 PERFECT FOR RISK MANAGEMENT?
I would love to say yes.
But COBIT does not include technical risk guidance (though all of that can be made to fit under COBIT).
COBIT does not include risk taxonomies (or ontologies, as some would say), nor does it prescribe risk assessment methodologies (although we provide recommendations on the requirements for such methods).
And as soon as you start using COBIT you will probably discover more.

OBSERVED PAIN POINTS WITH IT RISK MANAGEMENT COBIT CAN (PARTIALLY) HELP TO SOLVE
Suboptimal organisation within enterprises – overall responsibility is not assigned, or is assigned at too low levels in the hierarchy; risk management is organised in very fragmented ways, e.g. per risk type, and is often incomplete in scope.
Widespread confusion between risk management and controls (compliance) monitoring.
Lack of involvement of senior management, triggered by an often perceived or assumed conflict between risk management and performance.
Quality of risk assessments – inconsistent methods for risk identification and risk assessment are used throughout an organisation, often aggravated by a lack of (decent) risk taxonomy and clearly defined risk appetite.
Inadequate incentive setting for desired (well, from a good risk management standpoint) risk management behaviours.

CLOSING THOUGHTS
Despite what one would sometimes hope, risk always exists, whether or not it is detected or recognised by an organisation.

COBIT 2019 AND RISK – Q&A