
LECTURE 17

Review (Building Blocks) – First 14 Lectures


REVIEW

Understanding Current (Efficiency and Effectiveness) – Operational and Managerial Use of Information System
▪ Organization and Information
▪ Manager and Management (Information-based Decision-Making)
▪ Information System, its Type, and Role (structuring, communicating, and coordinating people and/or process)
▪ System Approach and Problem-solving
▪ Information Systems and Organizational ‘Fit’

Understanding Future (Sustainability and Competitive Advantage) – Strategic Use
▪ Information Systems and Organizational Change (structure, culture, people, process, technology)
▪ Information Systems and Strategic Use
3/5/2019 Business Information System 2
REVIEW

Information = Data, Information, Knowledge, Wisdom


REVIEW
Leavitt’s System Model (VERY IMPORTANT)
• First published in 1958 and in 1965, “Managerial Psychology: An Introduction to Individuals, Pairs, and Groups in Organizations”. The work introduces the Leavitt diamond model.
• Leavitt’s OD Model is founded on the interactive nature of the various sub-systems in a change process. In an organizational system, there are four interacting sub-systems: tasks, structure, people and technology. Due to their interacting nature, change in any one of the sub-systems tends to have consequences for the other sub-systems also.
3/5/2019 IT Risk Management 4
REVIEW

Data, Information, Knowledge, Wisdom (AI)


REVIEW
Perceive data, information, knowledge, wisdom as resources

Resources of the
Organization



REVIEW: Organization from Data Management perspective
• Governance (Organization Structure and Policies, such as Data Privacy, Data Security)
• People (Change Management)
• Database Management System* (Data as Resource)
• Technology (SQL Server, Oracle)
• Process


REVIEW: Organization from IS perspective
• Governance (Organization Structure and Policies, such as IT Governance, Business and IT Alignment, Planning IT Enabled Organization, IT Risk Management, IT Strategy Formulation and Implementation)
• People (Change Management)
• Business Information System* (Information as Resource)
• Technology (Business Process Modeler, ERP)
• Process (Business Process Management)


REVIEW: Organization from “Knowledge Management” perspective
• Governance (Organization Structure and Policies)
• People (Change Management)
• Knowledge Management System (Knowledge as Resource)
• Technology (Microsoft SharePoint)
• Process


REVIEW: Organization from AI perspective
• Governance
• People
• Artificial Intelligence System (Wisdom as Resource)
• Technology
• Process


Agenda
1. Corporate Governance and Management
2. GRC Areas
3. IT GRC
4. IT Governance
5. IT Governance Models – Classic, Caldwell, and Routh
6. IT Risk Management
6.1. Traditional Risk Management
6.2. Enterprise Risk Management
6.2.1. Where is ERM Now?
6.2.2. Where is ERM headed?
6.2.3. Key Trends and Developments
7. IT Compliance
1. Corporate Governance and Management

Essentially, IT governance provides a structure for aligning IT strategy with business strategy. By following a formal framework, organizations can produce measurable results toward achieving their strategies and goals. A formal program also takes stakeholders' interests into account, as well as the needs of staff and the processes they follow. In the big picture, IT governance is an integral part of overall enterprise governance.

What is the current scene of IT Governance in India?
LET US ZOOM IN

Governance

Management


2. GRC Areas

When reviewed as individual GRC areas, the three most common individual headings are considered
to be Financial GRC, IT GRC, and Legal GRC.

1. Financial GRC relates to the activities that are intended to ensure the correct operation of all
financial processes, as well as compliance with any finance-related mandates.

2. Legal GRC focuses on tying together all three components via an organization's legal
department and chief compliance officer.

3. IT GRC relates to the activities intended to ensure that the IT (Information Technology)
organization supports the current and future needs of the business and complies with all IT-
related mandates.

4. HR GRC

5. Operation GRC



Corporate Governance or Enterprise Governance | Corporate Management or Enterprise Management

• IT Governance (COBIT 5, or COBIT 2019, or ISO/IEC 38500)
• Enterprise Risk Management (COSO ERM 2017 or ISO 31000)
• IT Risk Management (COBIT 5 for Risk IT)
• IT Management

NOTE: COLOR CODING

Mapping of COBIT 5 or COBIT 2019 with Other Standards


PDSA CYCLE OR PDCA CYCLE (LET US ZOOM IN FURTHER)
PLAN, DO, CHECK/STUDY, ACT/AMEND

PDCA was made popular by W. Edwards Deming, who is considered by many to be the father of modern quality control; however, he always referred to it as the "Shewhart cycle". Later in Deming's career, he modified PDCA to "Plan, Do, Study, Act" (PDSA) because he felt that "check" emphasized inspection over analysis. The PDSA cycle was used to create the model of the know-how transfer process, and other models.


3. IT GRC

▪ IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business and complies with all IT-related mandates.
▪ IT GRC is often perceived to have two meanings:
• Using IT to manage the various Governance, Risk Management and Compliance Management processes of an organization.
• Ensuring proper governance, risk management and compliance management of all IT systems and processes that support the business operations.
The “IT GRC" and "Integrated IT GRC" concepts are the basis of our understanding of the advanced management philosophy of today's IT organizations, and will focus on three major issues:
• IT Governance
• IT Risk Management
• IT Compliance

IT GRC as a Subset of GRC


GRC and IT context

Process Model for Integrated IT GRC management

Details are covered in IT Governance Course
4. IT Governance
• Information and Technology (IT) governance is a subset discipline of corporate governance, focused on information and technology (IT) and its performance and risk management.
• The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders.
• Information technology governance (IT governance) is the collective tools, processes and methodologies that enable an organization to align business strategy and goals with IT services, infrastructure or the environment.
• IT governance uses, manages and optimizes IT in such a way that it supports, complements or enables an organization to achieve its goals and objectives.


IT Governance and IT Management (LET US NARROW OUR SCOPE)

IT Governance
• Primarily concerned with facilitating (strategic) decision making
• Organization specific and cannot be delegated to the market

IT Management
• More focused on the operational excellence of the IT function
• Focused on the effective and efficient internal supply of IT services and products
• Focused on the management of present IT operations
• Elements can be commissioned to an external provider


IT Governance and IT Management

• IT governance is often confused with IT management, compliance, and IT controls.
• The problem is increased by terms such as "governance, risk and compliance (GRC)" that establish a link between governance and compliance.
• The primary focus of IT governance is the stewardship of IT resources on behalf of various stakeholders whose ranking is established by the organization's governing body.
• A simple way to explain IT governance is: what is to be achieved from the leveraging of IT resources. While IT management is about "planning, organizing, directing and controlling the use of IT resources" (that is, the how), IT governance is about creating value for the stakeholders based on the direction given by those who govern.


5. IT Governance Models

▪ The Classical Model
▪ The Caldwell Model
▪ The Routh Model


The Classical Model

Principles for Good Governance:


1. Limit the number of decision-making structures
2. Create overlapping responsibilities for IT decisions
3. Involve senior management in major IT decisions
4. Design exception processes into governance processes
5. Change governance only when desirable behaviors change
6. Provide transparency and education.



The Caldwell Model

▪ Step 1: Convene the executive leadership team of the company and ask them to find their best answer to this question: “What specific behavioral change would be most strategic to this company?” (consider among the following: customer behaviors, vendor behaviors, partner behaviors, employee behaviors).
▪ Step 2: Envision, design and then build an IT system that compels (or encourages) that behavioral change.


Planning IT Enabled Organization
The Routh Model – PITEO Course

Fully engage the executive leadership team of the company in each step of
the I.T. Alignment process:
Step 1: Get a list of the strategic goals of the company
Step 2: Get a list of the strategic business initiatives that each CXO proposes
to help achieve the stated strategic business goals
Step 3: Brainstorm to find hidden opportunities for IT to help accomplish the
goals and initiatives from Steps 1 & 2
Step 4: Prioritize and select the winners from the suggestions and then
redeploy IT resources to develop them
Step 5: Plan for, institute and execute a serious post project audit policy.



Sample Model of PITEO



6. IT Risk Management
• Risk Concept - What, Why, and How
• Risk Management – What, Why, and How
• Risk Management – What and Why
• Risk Management Approach - How
• Traditional Risk Management
• Contemporary Risk Management
• Governance, Risk and Compliance (GRC)
• Framework and Standards
• Enterprise Risk Management
o Strategic Risk Management
o Tactical Risk - Project Risk, Program Risk, Portfolio Risk
o Operational Risk Management



Risk Management at various levels:
Individual, Family/Group/Community, Organizations (people and culture), Country


Risk Management

• Traditional Risk Management – siloed, organization-proprietary framework
• Contemporary Risk Management – standards
  o GRC (OCEG Framework)
    ▪ Financial GRC (Basel I, II, III)
    ▪ IT GRC (COBIT 5): IT Governance, IT Risk Management (COBIT 5 for IT Risk), IT Compliance
    ▪ Legal GRC
  o ERM (COSO ERM)
    ▪ Strategic Risk Management
    ▪ Tactical Risk Management
    ▪ Operational Risk Management
6.1. Traditional Risk Management
▪ Traditional risk management is a reactive model that can be defined either as a managerial or administrative process or as a decision-making process.
▪ Regarded as a process, risk management includes the four functions of management:
▪ planning,
▪ organizing,
▪ leading, and
▪ controlling the organization’s activities
to minimize the adverse effects of accidental and business losses of that organization at reasonable cost (George L. Head, 1972).


• Regarded as a decision-making process, risk management is a sequence of the following 5 steps:
o identifying and analyzing exposures to accidental losses,
o examining feasible alternative risk management techniques for dealing with those exposures,
o selecting the best risk management technique,
o implementing the chosen risk management technique, and
o monitoring the results of the chosen technique to ensure that the risk management program remains effective.

• Traditional risk management is a risk approach which is managed by the various responsible departments. According to risk management structures, risk is managed in each business unit, adapted to each strategy, level of profitability, products, prices, and relationship with the management.

• Traditional risk management focuses on pure risk (hazard risk where consequences may or may not be losses) and refers to individual risks as if they don’t interact.


• As the focus is on pure risk, management emphasizes the identification and management process of insurable natural hazards and has five components:
o risk identification (risk classification, identification and measurement);
o risk analysis through:
  ▪ qualitative assessment – classification of exposures (frequency and potential loss assessment, identification of organization assumptions, contractual and compliance exposures, and alternatives proposals) and
  ▪ quantitative assessments – information on accounts receivables, personnel and third party's exposure, deductions and contractual transfers, measurement of risk cost;
o risk control – retrospective actions and prospective actions;
o risk financing by keeping small and medium risks (programs for losses or budget allocation for such losses when they occur, transfer of severe risks with low frequency, calling for insurers’ enhanced services, contractual transfers etc.);
o risk administration by specific risk management activities, monitoring the flow of information and databases.


Let us discuss:
In the above light, to your understanding, what kind of problem may an organization face?

• The traditional risk approach does not align with the company’s risk management requirements, according to which risk should be treated as a whole; results are therefore unsatisfactory because the different types of risk are managed too independently of one another.
• Risks cannot be segmented and managed by individual departments, this being the reason why a fragmented approach to risk does not fit within the aggregated approach to risk throughout the company.


6.2. Enterprise Risk Management
▪ Enterprise: A unit of economic organization or activity; especially: a business
organization
▪ The main feature that distinguishes ERM from what might be considered more
traditional risk management is the more integrated or holistic approach that is taken
in ERM.
▪ In many ways, it can be considered to be a unifying philosophy that draws together
management of all types of risks, rather than a new or different approach.
▪ When an organization considers all of the risks that it faces and how these risks
could impact its strategy, projects and operations, then the organization is
embarking on an enterprise risk management approach.
▪ The US risk management association, the Risk and Insurance Managers Society
(RIMS) defines enterprise risk management as: “Enterprise Risk Management (‘ERM’)
is a strategic business discipline that supports the achievement of an organization’s
objectives by addressing the full spectrum of its risks and managing the combined
impact of those risks as an interrelated risk portfolio.”
• What is Enterprise risk management (ERM)?
• Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. By identifying and proactively addressing risks and opportunities, we can protect and create value for our stakeholders.

• ERM supports value creation by enabling management to:
  • Deal effectively with potential future events that create uncertainty.
  • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

• The Risk Management Association (RMA) ERM Definition: “the management capability to manage all business risks in pursuit of acceptable returns.” According to RMA:
  • Enterprise Risk Management, essential for any financial institution, encompasses all relevant risks.
  • An ERM framework supports management competency to manage risks well, comprehensively, and with an understanding of the interrelationship/correlation among various risks.
  • The successful institution incorporates a robust ERM capability as part of its culture by integrating what already exists to create a comprehensive and integrated view of the institution’s risk profile in the context of its business strategy.


6.2.1. Where is ERM Now?

▪ The numbers show that corporations around the world are recognizing risk
management as a priority and moving toward integrated ERM

▪ As a management framework, ERM has been more widely adopted than other
management frameworks (e.g., reengineering, balanced scorecard, total quality
management)

▪ Outside the financial sector, it’s a different story, however. A 2012 paper produced
by McKinsey & Company pointed out that, unlike financial institutions, most
corporates still do not have a CRO, leaving the de facto role of risk manager to the
CFO.



6.2.2. Where is ERM headed?

▪ With ERM’s role increasing within organizations and across industries, the roles of
the board and upper management have to adapt. Certainly, the CRO bears the brunt
of this change, but the CEO, CFO, and board of directors all find that ERM is taking a
more prominent position in their priorities.

▪ ERM is providing value for a large number of corporations despite its current
challenges.

▪ In less than a decade, risk management has risen to the top of corporate agendas
for senior management and the board across all industry sectors.



6.2.3. Key Trends and Developments

• The world of risk management fundamentally changed in late 2007 with the onset of the
global financial crisis. Longstanding financial institutions such as Lehman Brothers and
Washington Mutual were left to fail, while many other banks and non-banks received
bailouts from nervous national governments around the world.

• It was clear that excessive debt and fatally compounded risks were the primary drivers of
the crisis. What’s more, a relatively strong global economy had disguised the fact that
many institutions were betting on unsustainable levels of growth in pursuit of greater
market share and increased profitability.

• The economic landscape that emerged following the Great Recession was vastly different
from what existed prior to the 2007–2008 period.

• Regulators demanded that banking institutions increase capital and liquidity reserves,
enhance transparency, curb risk appetite, and tighten controls.



• This had positive as well as negative effects. On the positive side, the regulations provided a basis for forward-looking analysis such as stress testing and scenario modeling. On the downside, however, many companies failed to take these hard-won lessons to heart, focusing exclusively on meeting regulatory requirements without considering ERM in a broader, more strategic context.

• In addition, many firms effectively overreacted to the economic hardship that followed the crisis. Rather than becoming risk-smart, they became risk-averse. Without risk, of course, there can be no reward, so these companies stumbled on without much of a strategic outlook beyond mere survival.

• In all, seven fundamental trends emerged after the financial crisis that together have shaped the practice of risk management for the past decade:
1. Much stricter compliance requirements
2. Increased board-level risk oversight
3. Greater risk management independence
4. Focus on enterprise-wide risk management
5. Improved board and management reporting
6. Creation of objective feedback loops
7. Better incentive compensation systems


7. IT Compliance

▪ “Enterprise” compliance is the application of methods and practices to enforce and apply regulatory, statutory, and other legal compliance across large organizations. Compliance is the application of that practice to meet a third party’s regulatory or contractual requirements.
▪ Compliance:
  ▪ Is practiced to satisfy external requirements and facilitate business operations
  ▪ Is driven by business needs rather than technical needs
  ▪ Is “done” when the third party is satisfied
▪ Enterprise Compliance provides a wide compliance framework to reduce the risk of penalties, damages or imprisonment on account of non-compliance, contract breaches and control failures, and Regulatory Compliance Management.
▪ Software which tracks 5000+ compliances across 500+ Central, State & Industry Specific Laws. It provides visibility on compliance status for all offices, branches & factories etc. through intuitive dashboards.
References for GRC (Further Reading)

▪ The Open Compliance and Ethics Group (OCEG) has published one of the most
comprehensive GRC definitions. https://www.oceg.org/, https://go.oceg.org/grc-
capability-model-red-book
▪ There are many GRC solutions on the market. IBM OpenPages GRC Platform,
MetricStream and Rsam's Enterprise GRC are a few examples of highly rated
solutions.
▪ ISACA website
▪ COSO website



More will be discussed in courses (60 Hours):

• IT Governance
• Planning IT enabled Organization
• IT Risk Management


Class Exercise #17

▪ Please justify why ERM is suitable in the pharmaceutical industry over traditional risk management.
▪ Please explain the diagram.


Class Exercise:
Please explain

Major emphasis was on:

(1) Information Security

(2) Business Security

(3) Cybersecurity

(4) Business Continuity


