IT RISK
BAA-Audit & Information Systems
By
Winston Phethi
IT Risk Terms
Business risk - A probable situation with uncertain
frequency and magnitude of loss (or gain)
Enterprise risk management - The discipline by
which an enterprise in any industry assesses,
controls, exploits, finances and monitors risks from
all sources for the purpose of increasing the
enterprise’s short- and long-term value to its
stakeholders.
Event - Something that happens at a specific place
and/or time.
Inherent risk - The risk level or exposure without
taking into account the actions that management has
taken or might take (e.g.,
implementing controls)
IT Risk Terms…Cont..
IT risk - The business risk associated with the use,
ownership, operation, involvement, influence and
adoption of IT within an enterprise
IT risk profile - A description of the overall
(identified) IT risk to which the enterprise is
exposed
IT risk register - A repository of the key attributes
of potential and known IT risk issues. Attributes
may include name, description, owner,
expected/actual frequency, potential/actual
magnitude, potential/actual business impact,
disposition.
IT risk scenario - The description of an IT-related
event that can lead to a business impact
IT Risk Terms…Cont..
IT-related incident - An IT-related event that
causes an operational, developmental and/or
strategic business impact
Loss event - Any event where a threat event
results in loss
Residual risk - The remaining risk after
management has implemented risk response.
Risk aggregation - The process of integrating
risk assessments at a corporate level to obtain a
complete view on the overall risk for the
enterprise
Risk analysis - A process by which frequency
and magnitude of IT risk scenarios are estimated
IT Risk Terms…Cont..
Risk appetite - The amount of risk, on a broad
level, that an entity is willing to accept in pursuit
of its mission
Risk culture - The set of shared values and beliefs
that governs attitudes towards risk-taking, care
and integrity, and determines how openly risks
and losses are reported and discussed.
Risk factor - Condition that can influence the
frequency and/or magnitude and, ultimately, the
business impact of IT-related events/scenarios.
Risk map - A (graphic) tool for ranking and
displaying risks by defined ranges for frequency
and magnitude
IT Risk Terms…Cont..
Risk portfolio view - (1) A method to identify
interdependencies and interconnections amongst
risks, as well as the effect of risk responses on
multiple risks; (2) A method to estimate the
aggregate impact of multiple risks (e.g., cascading
and coincidental threat types/scenarios, risk
concentration/correlation across silos) and the
potential effect of risk response across multiple
risks
Risk statement - A description of the current
conditions that may lead to the loss, together with a
description of the loss itself. A risk statement must
include both parts.
IT Risk Terms…Cont..
Risk tolerance - The acceptable level of variation that
management is willing to allow for any particular risk as
it pursues objectives
Threat - Anything (e.g., object, substance, human) that is
capable of acting against an asset in a manner that can
result in harm
Threat event - Any event where a threat element/actor
acts against an asset in a manner that has the potential
to directly result in harm
Vulnerability - A weakness in design, implementation,
operation or internal control
Vulnerability event - Any event where a material
increase in vulnerability results. Note that this increase
in vulnerability can result from changes in control
conditions or from changes in threat capability/force.
IT RISK
IT risk is business risk—specifically, the
business risk associated with the use,
ownership, operation, involvement,
influence and adoption of IT within an
enterprise.
It consists of IT-related events that could
potentially impact the business. It can
occur with both uncertain frequency and
magnitude, and it creates challenges in
meeting strategic goals and objectives. IT
risk can be categorised in different ways.
IT Risk…Cont..
IT risk is a component of the overall risk universe
of the enterprise.
Other risks an enterprise faces include strategic
risk, environmental risk, market risk, credit risk,
operational risk and compliance risk. In many
enterprises, IT-related risk is considered to be a
component of operational risk, e.g., in the
financial industry in the Basel II framework.
However, even strategic risk can have an IT
component to it, especially where IT is the key
enabler of new business initiatives. The same
applies for credit risk, where poor IT (security) can
lead to lower credit ratings.
IT Risk…Cont..
IT risk can be categorised in different ways:
IT benefit/value enablement risk —Associated with
(missed) opportunities to use technology to improve
efficiency or effectiveness of business processes, or as
an enabler for new business initiatives
IT programme and project delivery risk —
Associated with the contribution of IT to new or
improved business solutions, usually in the form of
projects and programmes. This ties to investment
portfolio management (as described in the Val IT
framework).
IT operations and service delivery risk —
Associated with all aspects of the performance of IT
systems and services, which can bring destruction or
reduction of value to the enterprise
IT Risk…Cont..
Many IT risk issues can occur because of third-party
problems (service delivery as well as solution
development)—both IT third parties and business
partners (e.g., supply chain IT risk caused at a major
supplier can have a large business impact).
Therefore, good IT risk management requires
significant dependencies to be known and well
understood.
IT risk always exists, whether or not it is detected or
recognised by an enterprise. In this context, it is
important to identify and manage potentially
significant IT risk issues, as opposed to every risk
issue, as the latter may not be cost effective.
IT Risk…Cont..
Practice has shown that the IT function and IT risk
are often not well understood by an enterprise’s key
stakeholders, including board members and
executive management.
Yet, these are the people who depend on IT to
achieve the strategic and operational objectives of
the enterprise and, by consequence, should be
accountable for risk management.
Without a clear understanding of the IT function and
IT risk, senior executives have no frame of reference
for prioritizing and managing IT risk.
IT Risk…Cont..
Effective management of IT risk
promotes fair and open communication
of IT risk:
Open, accurate, timely and transparent
information on IT risk is exchanged and serves as
the basis for all risk-related decisions.
Risk issues, principles and risk management
methods are integrated across the enterprise.
Technical findings are translated into relevant
and understandable business terms.
IT Risk…Cont..
Effective management of IT risk establishes the right tone from the top
while defining and enforcing personal accountability for operating within
acceptable and well-defined tolerance levels:
Key people, i.e., influencers, business owners and the board of
directors, are engaged in IT risk management.
There is a clear assignment and acceptance of risk ownership,
including assuming accountability, doing performance measurement
and integrating risk management in the (performance) reward system.
Direction is demonstrated from the top by means of policies,
procedures and the right level of enforcement.
A risk-aware culture is actively promoted, starting with the tone from
the top. This helps ensure that those involved with operational risk
management are operating on consistent risk assumptions.
Risk decisions are made by authorised individuals, with a focus on
business management, e.g., for IT investment decisions, project
funding, major IT environment changes, risk assessments, and
monitoring and testing controls.
IT Risk…Cont..
Effective management of IT risk promotes continuous
improvement and is part of daily activities:
◦ Because of the dynamic nature of risk, management of IT
risk is an iterative, perpetual, ongoing process.
◦ Every change brings risk and/or opportunity, and the
enterprise prepares for this by giving advance consideration
to changes in the organisation itself (mergers and
acquisitions), in regulations, in IT, in the business, etc.
Attention is paid to consistent risk assessment methods, roles
and responsibilities, tools, techniques, and criteria across the
enterprise, noting especially:
◦ Identification of key processes and associated risks
◦ Understanding of impacts on achieving objectives
◦ Identification of triggers that indicate when an update of the
framework or components in the framework is required
IT Risk Communication
IT risk communication covers a broad array of
information flows. Risk IT distinguishes amongst the
following major types of IT risk communication, as
shown below.
IT Risk Communication…Cont..
Information on expectations from risk management: risk
strategy, policies, procedures, awareness training, continuous
reinforcement of principles, etc. This is essential communication on the
enterprise’s overall strategy towards IT risk, and it drives all
subsequent efforts on risk management. It sets the overall expectations
from risk management.
Information on current risk management capability. This
information allows monitoring of the state of the ‘risk management
engine’ in the enterprise, and is a key indicator for good risk
management. It has predictive value for how well the enterprise is
managing risk and reducing exposure.
Information on the actual status with regard to IT risk. This
includes information such as:
– Risk profile of the enterprise, i.e., the overall portfolio of (identified)
risks to which the enterprise is exposed
– KRIs to support management reporting on risk
– Event/loss data
– Root cause of loss events
– Options to mitigate (cost and benefits) risks
IT Risk Communication…Cont..
To be effective, all information exchanged,
regardless of its type, should be: Clear;
Concise; Useful; Timely; Aimed at the
correct target audience; Available on a
need-to-know basis.
Communication does not always need to be
formal, through written reports or
messages. Timely face-to-face meetings
between stakeholders are just as important a
means of communicating IT-risk-related
information.
Risk Culture
A risk-aware culture characteristically offers a
setting in which components of risk are
discussed openly, and acceptable levels of risk
are understood and maintained.
A risk-aware culture begins at the top, with
board and business executives who set
direction, communicate risk-aware decision
making and reward effective risk management
behaviours. Risk awareness also implies that all
levels within an enterprise are aware of how
and why to respond to adverse IT events.
Risk Culture…Cont..
Risk culture includes:
◦ Behaviour towards taking risk—How much risk
does the enterprise feel it can absorb and
which risks is it willing to take?
◦ Behaviour towards following policy—To what
extent will people embrace and/or comply with
policy?
◦ Behaviour towards negative outcomes—How
does the enterprise deal with negative
outcomes, i.e., loss events or missed
opportunities? Will it learn from them and try
to adjust, or will blame be assigned without
treating the root cause?
Risk Culture…Cont..
Some symptoms of an inadequate or problematic risk
culture include:
◦ Misalignment between real risk appetite and translation into
policies. Management’s real position towards risk can be
reasonably aggressive and risk taking, whereas the policies that
are created reflect a much more strict attitude.
◦ The existence of a ‘blame culture’. This type of culture should by
all means be avoided; it is the most effective inhibitor of relevant
and efficient communication. In a blame culture, business units
tend to point the finger at IT when projects are not delivered on
time or do not meet expectations. In doing so, they fail to realise
how the business unit’s involvement up front affects project
success. In extreme cases, the business unit may assign blame for
a failure to meet the expectations that the unit never clearly
communicated. The ‘blame game’ only detracts from effective
communication across units, further fuelling delays. Executive
leadership must identify and quickly control a blame culture if
collaboration is to be fostered throughout the enterprise.
Essentials of Risk Evaluation
1. Describing business impact
2. Risk scenarios
Describing Business Impact
Meaningful IT risk assessments and risk-based decisions
require IT risk to be expressed in unambiguous and clear,
business-relevant terms.
Effective risk management requires mutual understanding
between IT and the business over which risk needs to be
managed and why. All stakeholders must have the ability
to understand and express how adverse events may
affect business objectives. This means that:
An IT person should understand how IT-related failures or events
can impact enterprise objectives and cause direct or indirect loss
to the enterprise.
A business person should understand how IT-related failures or
events can affect key services and processes.
Essentials of Risk Evaluation….Cont..
The link between IT risk scenarios and ultimate business
impact needs to be established to understand the effects of
adverse events. Several techniques and options exist that can
help the enterprise to describe IT risk in business terms, for example:
Westerman 4 ‘A’s - An Alternative Approach to Express Business Impact
A fourth means of expressing IT risk in business terms is based on
the 4A framework, which defines IT risk as the potential for an unplanned
event involving IT to threaten any of four interrelated enterprise
objectives:
• Agility—Possess the capability to change with managed cost and
speed.
• Accuracy—Provide correct, timely and complete information that meets
the requirements of management, staff, customers, suppliers and
regulators.
• Access —Ensure appropriate access to data and systems, so that the
right people have the access they need and the wrong people do not.
• Availability —Keep the systems (and their business processes) running,
and recover from interruptions.
Essentials of Risk Response
The purpose of defining a risk response is to bring risk in line
with the defined risk appetite for the enterprise after risk
analysis.
A response needs to be defined such that future residual risk
(current risk with the risk response defined and implemented) is,
as much as possible (usually depending on budgets available),
within risk tolerance limits.
Risk responses include:
1. Risk Avoidance
2. Risk Reduction/Mitigation
3. Risk Transfer/Sharing
4. Risk Acceptance
Risk Response –Risk Avoidance
Avoidance means exiting the activities or conditions that
give rise to risk. Risk avoidance applies when no other risk
response is adequate.
This is the case when:
There is no other cost-effective response that can
succeed in reducing the frequency and magnitude below
the defined thresholds for risk appetite.
The risk cannot be shared or transferred.
The risk is deemed unacceptable by management.
Some IT-related examples of risk avoidance may include
relocating a data centre away from a region with
significant natural hazards, or
declining to engage in a very large project when the
business case shows a notable risk of failure.
Risk Response –Risk Reduction/Mitigation
Reduction means that action is taken to
detect the risk, followed by action to reduce
the frequency and/or impact of a risk.
The most common ways of responding to risk
include:
Strengthening overall IT risk management
practices, i.e., implementing sufficiently mature IT
risk management processes as defined by the Risk
IT framework
Introducing a number of control measures intended
to reduce either frequency of an adverse event
happening and/or the business impact of an event,
should it happen. This is discussed in the remainder
of this section.
Risk Response –Risk Sharing/Transfer
Sharing means reducing risk frequency or impact
by transferring or otherwise sharing a portion of the
risk.
Common techniques include insurance and
outsourcing. Examples include taking out insurance
coverage for IT-related incidents, outsourcing part
of the IT activities, or sharing IT project risk with
the provider through fixed price arrangements or
shared investment arrangements.
In both a physical and legal sense these techniques
do not relieve an enterprise of a risk, but can
involve the skills of another party in managing the
risk and reduce the financial consequence if an
adverse event occurs.
Risk Response –Risk Acceptance
Acceptance means that no action is taken relative to a
particular risk, and loss is accepted when/if it occurs.
This is different from being ignorant of risk; accepting risk
assumes that the risk is known, i.e., an informed decision
has been made by management to accept it as such.
If an enterprise adopts a risk acceptance stance, it should
carefully consider who can accept the risk—even more so
with IT risk.
IT risk should be accepted only by business management
(and business process owners) in collaboration with and
supported by IT, and acceptance should be communicated
to senior management and the board.
If a particular risk is assessed to be extremely rare but
very important (catastrophic) and approaches to reduce it
are prohibitive, management can decide to accept it.
Risk Response Selection and Prioritisation…Cont..
The following parameters need to be taken into account in this
process:
◦ Cost of the response, e.g., in the case of risk transfer, the cost
of the insurance premium; in the case of risk mitigation, the
cost (capital expense, salaries, consulting) to implement
control measures
◦ Importance of the risk addressed by the response, i.e., its
position on the risk map (which reflects combined frequency
and magnitude levels)
◦ The enterprise’s capability to implement the response. When
the enterprise is mature in its risk management processes,
more sophisticated responses can be implemented; when the
enterprise is rather immature, some very basic responses may
be better.
◦ Effectiveness of the response, i.e., the extent to which the
response will reduce the frequency and impact of the risk
◦ Efficiency of the response, i.e., the relative benefits promised
by the response
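A worked illustration of the terms used across these slides (risk register attributes, a frequency x magnitude risk map, residual risk against tolerance, and response selection by cost, importance, effectiveness and efficiency), added here as example code that is not part of the Risk IT framework or of the slides. The map bands, the scenario and every response figure are assumptions.

```python
from dataclasses import dataclass
# Assumed "defined ranges" for the risk map axes: band 1 (lowest) to 4 (highest).
FREQ_BANDS = (0.1, 1.0, 10.0)             # events per year
MAG_BANDS = (10_000, 100_000, 1_000_000)  # loss per event, currency units

def band(value, thresholds):              # 1-based band on one map axis
    return 1 + sum(value > t for t in thresholds)

@dataclass
class Scenario:                 # key attributes of a risk register entry
    name: str
    owner: str
    frequency: float            # expected events per year
    magnitude: float            # expected loss per event

    def importance(self):       # position on the risk map, combined
        return band(self.frequency, FREQ_BANDS) * band(self.magnitude, MAG_BANDS)

    def expected_loss(self):
        return self.frequency * self.magnitude

@dataclass
class Response:
    name: str
    kind: str                   # avoid | reduce | share | accept
    cost: float                 # yearly cost: premium, control spend, ...
    freq_factor: float          # residual frequency = frequency * factor
    mag_factor: float           # residual magnitude = magnitude * factor

    def residual(self, s):
        return Scenario(s.name, s.owner, s.frequency * self.freq_factor,
                        s.magnitude * self.mag_factor)

def select_response(s, options, tolerance, budget):
    """Most efficient affordable response with residual risk within tolerance
    (max allowed importance); None means escalate for an acceptance decision."""
    best, best_eff = None, -1.0
    for r in options:
        res = r.residual(s)
        if r.cost > budget or res.importance() > tolerance:
            continue            # unaffordable, or not effective enough
        benefit = s.expected_loss() - res.expected_loss()    # effectiveness
        eff = benefit / r.cost if r.cost else float("inf")   # efficiency
        if eff > best_eff:
            best, best_eff = r, eff
    return best, (best.residual(s) if best else s)

def demo():
    # Constructed scenario and options; all numbers are illustrative only.
    s = Scenario("Ransomware outage of order system", "Head of Sales", 0.5, 500_000)
    options = [Response("Cyber insurance", "share", 20_000, 1.0, 0.15),
               Response("Offline backups + EDR", "reduce", 60_000, 0.2, 0.4),
               Response("Exit online ordering", "avoid", 400_000, 0.0, 0.0)]
    r, res = select_response(s, options, tolerance=4, budget=100_000)
    return (r.name if r else None, res.importance())
```

In the constructed case the insurance option wins on efficiency even though the control option lowers the map position further; raising the budget or tightening the tolerance changes the outcome, which is the point of recording these parameters in the register.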
References
The Risk IT Framework: Summary, Purpose, Principles, Essentials.
Risk IT Based on COBIT. ISACA.