COBIT 5 FOR IT RISK MANAGEMENT - ISACA


COBIT 5 FOR IT RISK MANAGEMENT
Prof. dr. Wim Van Grembergen
University of Antwerp (UA)
IT Alignment and Governance (ITAG) Research Institute
wim.vangrembergen@ua.ac.be


AGENDA
- COBIT 5 overview
- IT risk defined
- Risk function perspective
- Risk management perspective
- Risk scenarios

COBIT 5 OVERVIEW

Enterprise Governance of IT
Enterprise governance of IT (EGIT) is an integral part of enterprise governance exercised by the Board overseeing the definition and implementation of processes, structures and relational mechanisms in the organisation enabling both business and IT people to execute their responsibilities in support of business/IT alignment and the creation of business value from IT-enabled business investments. (Van Grembergen & De Haes, 2009 and 2015)

COBIT and Val IT as frameworks for Enterprise Governance of IT
- COBIT: focus on IT processes
- Val IT: focus on IT-related business processes

COBIT evolution (figure: evolution of scope from Control, through Management and IT Governance, to Governance of Enterprise IT; COBIT 4.0/4.1 (2005/7), Val IT 2.0 (2008), Risk IT, COBIT 5 (2012))

COBIT 5
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.

1. Meeting stakeholder needs
Stakeholder needs have to be transformed into an enterprise's actionable strategy. The COBIT 5 goals cascade translates stakeholder needs into specific, actionable and customised goals within the context of the enterprise, IT-related goals and enabler goals.

2. Covering the Enterprise End-to-end

3. Applying a Single Integrated Framework
COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
- Enterprise: COSO, COSO ERM, ISO/IEC 9000, ISO/IEC 31000
- IT-related: ISO/IEC 38500, ITIL, ISO/IEC 27000 series, TOGAF, PMBOK/PRINCE2, CMMI, etc.
This allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator. ISACA plans a capability to facilitate COBIT user mapping of practices and activities to third-party references.

4. Enabling a Holistic Approach

Principle 4: Enabling a holistic approach (continued)
- EGIT research (Van Grembergen and De Haes) shows that organizations can deploy EGIT by using a mixture of various structures, processes, and relational mechanisms
- COBIT 5 builds on these insights and incorporates the "enablers" in its framework

IT GOVERNANCE MODEL (Van Grembergen and De Haes)

5. Separating Governance From Management
- Governance of Enterprise IT: 5 governance processes
- Management of Enterprise IT: Align, plan & organise processes; Build, acquire & implement processes; Deliver, service & support processes; Monitor, evaluate & assess processes

Governance in COBIT 5 (figure). Source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.

IT RISK DEFINED


Definition of risk
Risk can be defined as the combination of the probability of an event and its consequences, such that enterprise objectives are not met.
COBIT 5 defines IT risk as business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
IT risk consists of IT-related events that potentially impact the business, creating challenges in meeting strategic goals and objectives.

IT risk categories

Benefits Risk
- Non-alignment with commercial policies or strategy
- Non-alignment with technical standards, architecture, etc.
- Compliance with security guidelines/policy
- Clarity and credibility of desired business outcomes
- Measurability of outcomes (lead and lag indicators)
- Benefits monitoring processes
- Sensitivity of outcomes to timing or external dependencies, including changes in the economy, market conditions or a specific industry sector
- Extent of organisational change required (depth and breadth)
- Clarity of the scope of organisational change required
- Quality of the change management plan
- Preparedness and capability of business to handle the change
- Level of business organisational understanding of and commitment to the programme
- Quality and availability of business sponsorship
- Senior business department staff engagement
- 'Big bang' programme or 'do-able chunks'

Delivery Risk
- Quality of the programme and project plans (completeness and reasonability)
- Clarity of scope and deliverables
- Unproven technology
- Compliance with technology architecture and standards
- Project duration
- Size of the project in relation to earlier successful projects
- Level of interface required to existing systems and processes
- Senior business department staff involvement
- Key staff availability during project deployment
- Experience/quality of project managers
- Experience/quality of project teams
- Reliance on vendors
- Dependency on factors outside control of project teams
- Quality of risk control mechanisms
- Ability to provide ongoing operational support

TWO PERSPECTIVES ON RISK

RISK MANAGEMENT PERSPECTIVE

ENABLER RISK FUNCTION: PRINCIPLES, POLICIES & FRAMEWORKS


ENABLER RISK FUNCTION: PROCESSES


ENABLER RISK FUNCTION: ORGANISATIONAL STRUCTURES

ENABLER RISK FUNCTION: CULTURE, ETHICS & BEHAVIOUR

ENABLER RISK FUNCTION: INFORMATION


ENABLER RISK FUNCTION: SERVICES, INFRASTRUCTURES & APPLICATIONS

ENABLER RISK FUNCTION: PEOPLE, SKILLS & COMPETENCIES



RISK MANAGEMENT PERSPECTIVE

Risk Management in COBIT 5 (figure). Source: COBIT 5, figure 16. 2012 ISACA. All rights reserved.

RISK GOVERNANCE & MANAGEMENT PROCESS
- All enterprise activities have associated risk exposures resulting from environmental threats that exploit enabler vulnerabilities.
- EDM03 Ensure risk optimisation ensures that the enterprise stakeholders' approach to risk is articulated to direct how risks facing the enterprise will be treated.
- APO12 Manage risk provides the enterprise risk management (ERM) arrangements that ensure that the stakeholder direction is followed by the enterprise.
- All other processes include practices and activities that are designed to treat related risk (avoid, reduce/mitigate/control, share/transfer, accept).

Scoring (figure: a Dutch project-portfolio scoring table). Columns: dossier name, value category, alignment with strategy, competitive advantage, information architecture, risk & organisational risk, Trekk. (owner), DOND. Rows are grouped into ongoing dossiers in 2004 (MKT 0020, OND 399, RET0403, RET0406, OND 0442, RET0449, OND 0456, OND 0479, OND 0501, RET0518) and new dossiers (RET0308, OND 0480, RET0884, OND 0887, OND 0899). Dossier names shown: Intrest and liquidity risk (ALM TDI); Quantitative Credit Risk Management (QCR); KBD: Multikanalen krediettoep. aan particulieren; KIT; Oleander (totaaloplossing Leven Ondernemingen); Collateral Management Fase 2; Bankwijd Web-enablen van ICM toepassingen; IPE / EBOBA; Verwerking OTC Derivaten; VA Front-end Leven; Product fabriek Schadeverzekeringen; Operationeel Risicobeheer; Herwerken cliënten output; IAS Verzekeringen; Beperking van de volatiliteit onder IAS; ERP voor ondersteunende diensten B V; OFS (Ontwikkeling Financiele Services); Migratie Centea; Reconciliatietool; Pleander Voorstudie Particulieren leven anders; Europese Spaarfiscaliteit; ERP - Fase 2. Scores are colour-coded: yellow, green, red.










RISK SCENARIOS

111 risk scenarios

RISK MITIGATION
It is possible to identify, for any given risk scenario that would exceed risk appetite, a set of COBIT 5 enablers that mitigate the risk scenario.
COBIT 5 enablers:
- Process enablers
- Organisational structures enablers
- Culture, ethics and behaviour enablers
- Information enablers
- Services, infrastructures and applications enablers
- People, skills and competencies enablers
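As an added illustration of the risk definition given earlier (probability combined with consequence), the treatment options listed under APO12 (avoid, reduce, share/transfer, accept) and the enabler-based mitigation on this slide, the following Python is not from the presentation; the scenarios, likelihoods, impact figures, risk appetite and mitigation factors are all constructed.

```python
from dataclasses import dataclass, field

# COBIT 5 enabler categories named on the slide.
ENABLERS = {"process", "structure", "culture", "information", "services", "people"}

@dataclass
class Mitigation:
    enabler: str                # one of ENABLERS
    description: str
    prob_factor: float = 1.0    # multiplies likelihood (0.5 halves it)
    impact_factor: float = 1.0  # multiplies consequence

@dataclass
class Scenario:
    name: str
    probability: float          # likelihood of the event, 0..1
    impact: float               # consequence in EUR (constructed units)
    mitigations: list = field(default_factory=list)

    def exposure(self):
        return self.probability * self.impact   # probability x consequence

def residual_exposure(s):
    """Exposure left after every listed enabler-based mitigation is applied."""
    p, i = s.probability, s.impact
    for m in s.mitigations:
        if m.enabler not in ENABLERS:
            raise ValueError(f"unknown enabler category: {m.enabler}")
        p, i = p * m.prob_factor, i * m.impact_factor
    return min(p, 1.0) * i

def treat(s, appetite):
    """Accept if within appetite; reduce if the enablers bring it within
    appetite; otherwise escalate to share/transfer or avoid."""
    if s.exposure() <= appetite:
        return "accept"
    if residual_exposure(s) <= appetite:
        return "reduce"
    return "share/transfer or avoid"

# Constructed register (hypothetical figures, not from the presentation).
REGISTER = [
    Scenario("Unproven technology delays release", 0.4, 500_000, [
        Mitigation("process", "pilot before rollout", prob_factor=0.5),
        Mitigation("people", "train project team", impact_factor=0.8)]),
    Scenario("Key staff unavailable at deployment", 0.1, 50_000),
    Scenario("Vendor withdraws support", 0.3, 1_000_000, [
        Mitigation("services", "maintain fallback platform", impact_factor=0.8)]),
]
```

With a risk appetite of 100,000 the first scenario is reduced to within appetite by its enablers, the second is accepted as-is, and the third still exceeds appetite after mitigation and must be shared, transferred or avoided.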

RISK MITIGATION: PROCESS ENABLERS

RISK MITIGATION: STRUCTURE ENABLERS

RISK MITIGATION: CULTURE, INFORMATION, SERVICES, PEOPLE ENABLERS

The knowing-doing gap
While organisations do recognise the importance of IT risk governance/management, they are still struggling with getting governance practices implemented and embedded into their organisations ('knowing-doing gap').
Need for an organizational system, i.e. "the way a firm gets its people to work together to carry out the business" (De Wit and Meyer, 2005).
