
DISCLAIMER

The views expressed in this presentation may contain statements that involve
risks, uncertainties and assumptions. If any such uncertainties materialise or if any
of the assumptions proves incorrect, the results have nothing to do with the author,
or ISACA, or the ISACA Ireland Chapter, as they are personal views expressed by the
author.

The information upon which this presentation is based comes from the author's
own experience, knowledge and research from numerous sources including the
Internet. The opinions expressed in this presentation are those of the authors and
presenters and no-one else. We do not guarantee their fairness, completeness or
accuracy; we will, however, do our professional best. The opinions, as of this date,
are subject to change. The authors, ISACA and the ISACA Ireland Chapter do not
accept any liability for your reliance upon them.
"Risk and time are opposite sides of the same coin, for if there were no tomorrow,
there would be no risk. Time transforms risk, and the nature of risk is shaped by
the time horizon: the future is the playing field."

- Bernstein, P. L., Against the Gods: The Remarkable Story of Risk, Wiley, USA, 1998
RISK REGISTER
"In the fields of observation chance favors only the prepared mind"
- Louis Pasteur
RISK REGISTER
• The risk register is the master document for all identified risks.
• Created and amended throughout the risk management cycle.
• Prepared using a two-dimensional approach (Impact & Probability).
• Often supported by a heat map.
• Often used to support and drive risk-based audits of controls.
• Supports informed decision making.

RISK REGISTER DATA FIELDS
• Risk Id
• Risk name
• Risk description
• Risk owner
• Risk category
• Impact (Inherent)
• Probability (Inherent)
• Proposed responses
• Impact (Residual)
• Probability (Residual)
• Risk Score
RISK PROBABILITY AND IMPACT MATRIX
• One of the qualitative risk analysis tools.
• Occurrence and its impact are the main measures of a risk; they are
tabulated in a Probability x Impact scale format to give a risk score.
• Impact is analysed against specific objectives such as cost, schedule,
quality, etc.
• Organisations that use P x I matrices often define scale ratings for
each axis.
• This risk register captures the main elements of a risk register.
• The Risk Id is auto-generated; no data should be filled in.
• Details should be entered as per the column headings.
• Some of the columns use dropdowns; these are identified by a colour.
• If a risk becomes an issue, the column next to the status column will
have the date added.
• The risk heat map identifies the risks that are in progress (i.e. only
the open risks).
RISK REGISTER HEAT MAP - BENEFITS
• A visual, big picture, holistic view
• Improved management of risks and
governance
• Supports more precision
• Identification of gaps in the risk and
control process
• Greater integration of risk management
across the enterprise and
• Supports embedding of risk management
in operations.
RISK REGISTER CHALLENGES
What does High Risk mean to you?

Is High Risk:
• 75%
• 51%
• 35%
• 20%

Estimated at 51% - 70%

RISK REGISTER BIASES
• Over attention to rare events with large potential
damage
• Under attention to inconsequential risks with large
consequences
• Underestimating - Big picture or fine detail
• Over-confidence, and surprise that the solution doesn't solve the
problem
RISK REGISTER ASSUMPTIONS
• Risk is a matter of execution and prioritisation – part of the day-to-day
job.
• Resources are experts – they have thought of everything, including risks
and issues
• Everyone understands the risks because they were
shared
• Resources are watching for new risks and issues
• Understanding of risks versus information
This is an example of a risk register

Risk ID | Risk Description | Probability | Impact | Risk Response | Risk Status
1 | As part of the assessment phase additional items may be identified | Medium | High | Tolerate | IN PROGRESS
2 | Resource availability will impact on the ability to deliver the project against the agreed timeline. | Unlikely | Low | Tolerate | IN PROGRESS
3 | Project scope is poorly defined | Medium | Medium | Treat | IN PROGRESS
4 | The project will be competing for resources and may be impacted by other prioritised items. | Unlikely | Low | Terminate | IN PROGRESS
5 | Supplier quality problems may cause program delays. | Possible | Medium | Tolerate | IN PROGRESS
6 | Poor data quality | Unlikely | Low | Treat | IN PROGRESS
7 | Project estimates are very optimistic | Unlikely | Low | Tolerate | IN PROGRESS
8 | Tasks outside the project may be added to workload | Possible | Medium | Treat | IN PROGRESS
9 | Project funding withheld due to poor UAT test results | Possible | Very High | Treat | IN PROGRESS
10 | Lack of stakeholder support | Unlikely | Low | Tolerate | IN PROGRESS
This is an example of a risk register (annotated)
The same ten rows, with the presenter's callouts on entries that are not actually risks:
• Against rows 1–2: "This is a statement – not a risk." and "This is an issue, not a risk."
• Against rows 6–7: "This is a totally unqualified statement."
• Against row 10 (Lack of stakeholder support): "This is a statement and if true is an issue not a risk."
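As an added worked example (not from the deck), the P x I scoring, heat map and row checks described above, implemented over the ten rows of the example register. The numeric scale values, the heat-map bands and the appetite ceiling are assumptions; the deck gives only the rating labels.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ordinal scales. The deck's example register uses the ratings
# Unlikely/Possible/Medium for probability and Low/Medium/High/Very High
# for impact; the numeric values and the "Likely" rung are assumptions.
PROBABILITY: Dict[str, int] = {"unlikely": 1, "possible": 2, "medium": 3, "likely": 4}
IMPACT: Dict[str, int] = {"low": 1, "medium": 2, "high": 3, "very high": 4}
RESPONSES = {"tolerate", "treat", "transfer", "terminate"}
OPEN_STATUSES = {"OPEN", "IN PROGRESS"}
# Assumed risk appetite: a score at or above this must not simply be tolerated.
APPETITE_CEILING = 8


@dataclass
class Risk:
    risk_id: int
    description: str
    probability: str            # inherent rating
    impact: str                 # inherent rating
    response: str
    status: str = "IN PROGRESS"
    residual_probability: Optional[str] = None  # rating after the response
    residual_impact: Optional[str] = None


def score(probability: str, impact: str) -> int:
    """P x I score on the assumed 4x4 scale (1..16); rejects unknown ratings."""
    try:
        return PROBABILITY[probability.lower()] * IMPACT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown scale rating: {exc.args[0]!r}") from None


def band(s: int) -> str:
    """Heat-map band for a score; the thresholds are an assumption."""
    if s >= 8:
        return "HIGH"
    if s >= 4:
        return "MEDIUM"
    return "LOW"


def inherent_score(r: Risk) -> int:
    return score(r.probability, r.impact)


def residual_score(r: Risk) -> int:
    """Score after the proposed response; falls back to inherent if not rated."""
    return score(r.residual_probability or r.probability,
                 r.residual_impact or r.impact)


def validate(r: Risk) -> List[str]:
    """Consistency checks a reviewer would run over each register row."""
    problems: List[str] = []
    if r.response.lower() not in RESPONSES:
        problems.append(f"risk {r.risk_id}: unknown response {r.response!r}")
    if residual_score(r) > inherent_score(r):
        problems.append(f"risk {r.risk_id}: residual score exceeds inherent score")
    if r.response.lower() == "tolerate" and inherent_score(r) >= APPETITE_CEILING:
        problems.append(f"risk {r.risk_id}: tolerated above the assumed appetite ceiling")
    return problems


def heat_map(register: List[Risk]) -> Dict[Tuple[int, int], List[int]]:
    """(probability, impact) cell -> risk ids. Only open risks are plotted,
    matching the deck's note that the heat map shows in-progress risks."""
    grid: Dict[Tuple[int, int], List[int]] = {}
    for r in register:
        if r.status.upper() not in OPEN_STATUSES:
            continue
        cell = (PROBABILITY[r.probability.lower()], IMPACT[r.impact.lower()])
        grid.setdefault(cell, []).append(r.risk_id)
    return grid


def prioritise(register: List[Risk]) -> List[int]:
    """Open risk ids ordered by inherent score, highest first, then by id."""
    open_risks = [r for r in register if r.status.upper() in OPEN_STATUSES]
    open_risks.sort(key=lambda r: (-inherent_score(r), r.risk_id))
    return [r.risk_id for r in open_risks]


# Constructed sample: the ten rows of the deck's example register (inherent
# ratings as shown there); the residual ratings on rows 3 and 9 are assumed.
SAMPLE_REGISTER = [
    Risk(1, "Additional items may be identified during assessment", "Medium", "High", "Tolerate"),
    Risk(2, "Resource availability impacts delivery to timeline", "Unlikely", "Low", "Tolerate"),
    Risk(3, "Project scope is poorly defined", "Medium", "Medium", "Treat", residual_probability="Unlikely"),
    Risk(4, "Competing for resources with other prioritised items", "Unlikely", "Low", "Terminate"),
    Risk(5, "Supplier quality problems may cause programme delays", "Possible", "Medium", "Tolerate"),
    Risk(6, "Poor data quality", "Unlikely", "Low", "Treat"),
    Risk(7, "Project estimates are very optimistic", "Unlikely", "Low", "Tolerate"),
    Risk(8, "Tasks outside the project may be added to workload", "Possible", "Medium", "Treat"),
    Risk(9, "Funding withheld due to poor UAT results", "Possible", "Very High", "Treat", residual_probability="Unlikely"),
    Risk(10, "Lack of stakeholder support", "Unlikely", "Low", "Tolerate"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(r.risk_id, band(inherent_score(r)), inherent_score(r), residual_score(r), validate(r))
    print("priority order:", prioritise(SAMPLE_REGISTER))
    print("heat map cells:", heat_map(SAMPLE_REGISTER))
```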
• Risk Management Frameworks, Standards and guidance
• COSO 2017
• Project Management
• ISOs
• NIST
• Risk Governance and Management (Two/Three tiers)
• COBIT 5/2019
• CGEIT, CISA & CISM
• CRISC
Risk Trends (2017) - COSO
Dealing with the proliferation of data: As more and more data becomes
available and the speed at which new data can be analysed increases,
enterprise risk management will need to adapt.
Leveraging artificial intelligence and automation: Many people feel that
we have entered the era of automated processes and artificial
intelligence.
Managing the cost of risk management: A frequent concern expressed
by many business executives is the cost of risk management, compliance
processes, and control activities in comparison to the value gained.
Building stronger organizations: As organizations become better at
integrating enterprise risk management with strategy and performance,
an opportunity to strengthen resilience will present itself.
COSO 2017 Risk Map
COSO Components and Principles
Risk Profile - COSO
Introduces a new depiction referred
to as a risk profile
• Incorporates:
– Risk
– Performance
– Risk appetite
– Risk capacity
• Offers a comprehensive view of risk
and enables more risk aware decision
making
• The framework provides a complete
depiction of how to build a risk
profile in an appendix in the
publication.
COSO AND RISK
3. Defines Desired Culture
7. Defines Risk Appetite
10. Identifies Risk
11. Assesses Severity of Risk
12. Prioritises Risk
13. Implements Risk Responses
16. Reviews Risk and Performance
17. Pursues Improvement in Enterprise Risk Management
19. Communicates Risk Information
20. Reports on Risk, Culture, and Performance
PROJECT MANAGEMENT & RISK PRINCE 2:2017
Seven Principles and Seven Themes
Risk Theme – The purpose of the risk theme is to identify, assess and
control uncertainty, and as a result improve the ability of the project to
succeed
The purpose of this theme is to identify, assess and control uncertain
events during a project. These are recorded in a risk log. Negative risks are
called threats and positive ones are called opportunities.
The project as a minimum should maintain some form of risk register to record
identified risks and decisions relating to their analysis, management and review.
Two products are to be produced and maintained:
• Risk Management Approach (processes etc.)
• Risk Register
ISO 27000
This is in many ways the Standard for (of) the Standards
Bringing information security deliberately under overt management control is a
central principle throughout the ISO/IEC 27000 standards - ISO 27000 Wiki

Scope of the standard

The standard 'provides guidelines for information security risk management' and
'supports the general concepts specified in ISO/IEC 27001 and is designed to assist the
satisfactory implementation of information security based on a risk management
approach.'

ISO/IEC 27000 is cited as a normative (essential) standard, and references ISO/IEC
27001, ISO/IEC 27002 and ISO 31000 in the content.

NIST Standards are referenced in the bibliography.
ISO 27000 (DEFINITIONS)
Managing information security risks requires a suitable risk assessment and risk
treatment method
• Risk assessments should identify, quantify, and prioritize risks against criteria
for risk acceptance and objectives relevant to the organization.
• Risk assessment should include the systematic approach of estimating the
magnitude of risks (risk analysis) and the process of comparing the estimated
risks against risk criteria to determine the significance of the risks (risk
evaluation).
• Risk assessments should be performed periodically to address changes in
the information security requirements and in the risk situation, e.g. in the
assets, threats, vulnerabilities, impacts, the risk evaluation, and when
significant changes occur.
• Risk assessments should be undertaken in a methodical manner capable of
producing comparable and reproducible results.
ISO 27005:2018
Edward Humphreys, convener of the working group that developed both ISO 27001 and
ISO 27005, said in a press release that ISO 27005 "provides the 'why, what and how'
for organizations to be able to manage their information security risks effectively
in compliance with ISO/IEC 27001."

The previous version of ISO 27005 was released in 2011 and had become somewhat out of
alignment with the ISO 27001:2013.

Unlike ISO 31000:2018 Risk Management Guidelines, which were written to be easily
understood by top executives and board directors, the ISO 27005:2018 is longer, denser and
more technically targeted to chief information security officers (CISOs), chief risk officers and
auditors. It emphasizes the importance of a systematic approach to developing and
maintaining an information security risk management (ISRM) process — and reminds
stakeholders that risk management must be continual and subject to regular review to
ensure continued effectiveness.
ISO31000:2018
NIST
NIST Special Publication 800-30 - Guide to Conducting Risk Assessments

• Addresses the Assessing Risk component of Risk Management (from SP 800-39)
• Provides guidance on applying risk assessment concepts to:
– All three tiers in the risk management hierarchy
– Each step in the Risk Management Framework
• Supports all steps of the RMF
• A 3-step process:
– Step 1: Prepare for the assessment
– Step 2: Conduct the assessment
– Step 3: Maintain the assessment

Also NIST 800-53 & 53A, Security and Privacy Controls for Federal Information
Systems and Organizations
• Six Principles
• Enablers have become Components, with processes now at 40
• Maturity has returned to the fold
• Two levels of Risk Management/Governance
[Figure: Risk Processes; Risk Categories]
EDM 03 ENSURE RISK OPTIMISATION
Description - Ensure that the enterprise’s risk appetite and tolerance
are understood, articulated and communicated, and that risk to
enterprise value related to the use of I&T is identified and managed.
Purpose - Ensure that I&T-related enterprise risk does not exceed the
enterprise’s risk appetite and risk tolerance, the impact of I&T risk to
enterprise value is identified and managed, and the potential for
compliance failures is minimized.
• EDM03.01 Evaluate risk management.
• EDM03.02 Direct risk management.
• EDM03.03 Monitor risk management.
Each Governance Practice has activities
that have a progressive capability rating
APO12 MANAGE RISK
Description Continually identify, assess and reduce I&T-related risk within tolerance levels
set by enterprise executive management.
Purpose Integrate the management of I&T-related enterprise risk with overall enterprise
risk management (ERM) and balance the costs and benefits of managing I&T-related
enterprise risk.
APO12.02 ANALYSE RISK
BUG – Business IT Risk Perspective
RISK MANAGEMENT IS NOT NEW………..

However!

Strengthened regulations and a constantly evolving threat landscape mean that
risk management impacts everyone.
BUSINESS IT RISK
Anything that threatens an organisation's ability to achieve its business
objectives.

Assessing IT risk impacting business objectives.
Central Bank of Ireland: Cross Industry Guidance in respect of Information
Technology and Cybersecurity Risks
https://centralbank.ie/docs/default-source/Regulation/how-we-regulate/policy/cross-industry-guidance-information-technology-cybersecurity-risks.pdf

European Banking Authority: Guidelines on the Security measures for Operational
Risks of Payment Services under Directive (EU) 2015/2366 (PSD2)
https://www.eba.europa.eu/-/eba-publishes-final-guidelines-on-security-measures-under-psd2
Central Bank of Ireland

“Firms should
assume that they will
be subject to
successful cyber-
attack or business
interruption.”
Central Bank of Ireland

IT-related risk management must be comprehensive and robust, and must address
key risk areas such as:
• Business strategy alignment
• Outsourcing
• Change Management
• Business Continuity
• Cyber Security, Disaster Recovery
Central Bank of Ireland

• Business Strategy Alignment
– Board-approved comprehensive IT strategy aligned with overall business
strategy, including a well-defined, comprehensive and functioning IT risk
management framework.

• Outsourcing
– A framework with clear lines of responsibility for ongoing management,
operational oversight, risk management and regular review of outsourced
service providers.
Central Bank of Ireland
• Change Management
– Formal IT change management processes that include approval requirements
are in place.
– IT project plans are documented; risk and impact analyses are performed,
documented, and kept within the firm's risk appetite.

• Business Continuity & Disaster Recovery
– Resourcing provided to support effective Disaster Recovery and Business
Continuity Management.
– Documented Business Impact Analysis and rehearsals.
Central Bank of Ireland

• Cyber Security
– Cyber risk is managed within the context of overall IT
risk management.
– Strategy reviewed and approved by the Board.
– Documented policies and procedures, and monitoring.
– Awareness training programs.
Central Bank of Ireland

[Figure: Cyber Security – example of CBI expectations]
Central Bank of Ireland

".... the incident management approach needs to deal with cyber threats and
resilience to reduce both the probability of occurrence and the impact when it
does."

"Risk Management"
European Banking Authority

Article 95 of PSD2 requires the EBA to develop, in close cooperation with the
European Central Bank (ECB), Guidelines on the security measures for operational
and security risks of payment services.
European Banking Authority

• Governance. Establish an effective operational and security risk management
framework.

• This framework should focus on security measures to mitigate operational and
security risks and should be fully integrated into the overall risk management
processes.
European Banking Authority

• Establish three effective lines of defence, or an equivalent internal risk
management and control model, to identify and manage operational and security
risks.

• The risk management framework is properly documented and updated.
3 lines of Defence Model example
THE BUG

Bad, Ugly, Good

Bad
• Risk Management is perceived as a 'tick box' exercise, not considered at
Board level.
• Is just an 'Audit' requirement
• Is owned by the 'risk manager', not by the business.

Ugly
• Customer Dissatisfaction
• Regulator Sanctions / Fines
• Reputational / Brand Damage
• Investor / Shareholder Damage

Good
• Customer Focused
• Better Business Decision Making
• Protects Investor and Shareholder Value
• Business Growth
• Meets Regulator Expectations
Keep It Simple
• Make it Business Relevant – tone from the top.
• Use common business language (not risk jargon).
• Utilize SME’s to perform risk assessments and
reviews.
• Keep abreast of upstream risks.
• Link events / incidents with business risk profile
• Create a culture of risk management – link with
performance management.
Risk Management
Special Interest Group (SIG)
In May 2018 the ISACA Ireland Chapter delivered two Risk Management '101' courses
to members as part of the Chapter's Professional Education and Development
activities.

A SIG was identified with a focus on Risk Management.

• Key objective of the Ireland Group is to support the management of risk through
COBIT and promote CRISC as the key IT risk methodology.
• Secondary objective to engage with the wider risk community.

SIG meets on a regular basis (approx. every 4-6 weeks). More information on SIG and
how to participate at the ISACA stand.
How to win a prize
Enter during the break; the prize winner will be announced after the next
session.

Simply tick which presenter you think was independently selected by ISACA as
The GOOD, The BAD or The UGLY.
Domain 1 — IT Risk Identification (27%)
Domain 2 — IT Risk Assessment (28%)
Domain 3 — Risk Response and Mitigation (23%)
Domain 4 — Risk and Control Monitoring and Reporting (22%)

Identify potential or realized impacts of IT risk to the organization's
business objectives and operations.
Identify potential threats and vulnerabilities to the
organization’s people, processes and technology to enable IT
risk analysis.
Develop a comprehensive set of IT risk scenarios based on
available information to determine the potential impact to
business objectives and operations.
Identify key stakeholders for IT risk scenarios to help establish
accountability.
The Risk Management Process is the co-ordinated activities to direct and
control an enterprise with regard to risk.

Whether conducted as part of a broad-based enterprise risk management process
or a more narrowly focused internal control process, risk assessment is a
critical step in risk management. It involves evaluating the likelihood and
potential impact of identified risks.

[Figure: risk management cycle – IT Risk Identification, IT Risk Assessment,
Risk Response and Mitigation, Risk and Control Monitoring and Reporting]
• Historical, including audits
• Threat landscape
• Systemic approaches
• Vulnerability Assessments
• Review of BCP/DRP plans
• Interviews
• Inductive – Pen Testing as an example
• Make use of Frameworks

[Figure: Identify Assets, Identify Threats, Identify Existing Controls,
Identify Vulnerabilities, Identify Consequences; feeds into the Risk
Estimation Process]
ASSETS
• How important is the asset – What is its value?
• Good starting point is to consider if its no longer
available or compromised in some way.
• Idea of Business Impact Analysis - This is a
systematic process to determine and evaluate the
potential effects of an interruption to critical business
operations as a result of a disaster, accident or
emergency.
• Confidentiality
• Availability
• Integrity
THREATS
• Internal – Disgruntled staff, poorly trained and working in a risk-averse
yet blame-game culture. Big HR responsibility – vetting, on-boarding,
reorganisation…..termination.
• External – We could start with everyone and work backwards
• Natural Events
• Supply Chain
• Third Party Suppliers
• Hackers
VULNERABILITIES
These are weaknesses, gaps or holes in Security that provide an
opportunity for a threat or create consequences that may impact
the organisation
• Networks
• Physical Access
• Applications and web facing Services
• Utilities
• Supply Chain
• Processes
• Equipment (MTBF)
• Cloud Computing
• Big Data
INFOSEC RISK CONCEPTS AND PRINCIPLES
• Good Starting point is to think of the CIA Triad
• Confidentiality – Need to know and least privilege. Data Loss. Need to know
V Nice to know (is a no-no)
• Integrity – This is a rigorous process of error checking and verification
• Availability – two facets
• 1. Data wiped
• 2. System down – 99.8, 99.98, Five Nines
• Non Repudiation – Positive guarantee that we can
trace responsibility and accountability
IT CONCEPTS AND AREAS OF CONCERN
• A risk manager/practitioner does not have to be a technical expert
but should have an understanding of (it's a long list):
• Hardware
• Software
• Operating systems
• Applications
• Environmental controls
• Network Components – Cabling, Routers, Hubs, Switches, Repeaters
• Firewalls – different generations – and SIEM appliances
• Wireless Access Points
• Architecture, including VPNs
• Encryption
Use of Standards and Frameworks (Good Practice)

• ISO 31000:2009 Principles and Guidelines
• ISO 31000:2009 Risk Assessment Techniques
• COBIT5 for Risk
• ISO 27001
• ISO 27005:2018
• NIST 800 Series 30 & 39
IT RISK SCENARIOS
• This is the description of a possible event whose occurrence will have an
uncertain impact on the achievement of the enterprise's objectives, be it
positive or negative.
• The key to developing effective scenarios is to focus on real
and relevant potential risk events.
• Two good sources:
• COBIT 5 for Risk
• Risk Scenarios Using COBIT 5 for Risk (this document
expands on COBIT 5 for Risk)
BENEFITS OF RISK SCENARIOS
• You cannot beat a plausible narrative – inspires people to take
action
• Good tool to help a risk team to understand and explain risk
to the business process owners and other stakeholders
• Provides a realistic and practical view of risk that is more
aligned with business objectives, historic events and
emerging threats (no generic checklist)
• Valuable as a means of gathering and framing information
used in subsequent steps in the risk management process
OWNERSHIP AND ACCOUNTABILITY
• When a risk has been identified, who owns the risk – who is accountable?
• The OWNER is accountable – budget, authority and
mandate to select the appropriate risk response
based on analyses
• Idea of SIRO - introduced in UK Government 2004
• Direct link between Risk and control – Risk is
addressed through appropriate controls and all
controls are justified by the risk that mandates their
existence. (Think SABSA and Traceability)
RISK ASSESSMENT PROCESS
• Risk assessment is a process used to identify and
evaluate risk and its potential effects
• Critical functions necessary for an enterprise to
continue business operations
• Risk associated with the critical functions
• Controls in place to reduce exposure and their cost
• Prioritisation of the risks on the basis of their likelihood and potential
impact
• Relationship between the risk and the enterprise risk appetite and
tolerance
RISK ASSESSMENT METHODS
• Business impact analysis
• Root cause analysis
• Failure mode and effects analysis (FMEA)
• Fault tree analysis
• Event tree analysis
• Cause and consequence analysis
• Cause-and-effect analysis
• Layer protection analysis (LOPA)
• Decision tree
• Human reliability analysis (HRA)
• Bow tie analysis
• Reliability centered maintenance
• Sneak circuit analysis
• Markov analysis
• Monte Carlo simulation
• Bayesian statistics and Bayes nets
• FN curve
• Risk index
• Consequence/probability matrix
• Cost/benefit analysis
• Multi-criteria decision analysis (MCDA)
CONTROLS
• Must be taken into consideration when assessing the control environment
• Controls are implemented to reduce or maintain risk at an acceptable
level, and need to be monitored as they can be:
• Poorly maintained
• Unsuitable
• Incorrectly configured
• Unbalanced – need to be balanced between technical, physical,
operational and managerial
• A source of a false sense of security (training, configuration,
responsibility for monitoring, testing schedules)
INTERACTION BETWEEN CONTROLS
PROJECT AND PROGRAM MANAGEMENT
A key risk, as there are considerable risks associated with the management
of projects and programs. Projects fail for many reasons:
• Unclear or changing requirements
• Scope creep
• Lack of budget
• Lack of skilled resources
• Problems with technology
• Delays in delivery of supporting elements or equipment
• Unrealistic timelines
• Lack of reporting
RISK AND CONTROL ANALYSIS
Examples of analysis
• Cause and Effect analysis
• Root Cause
• Ishikawa diagram
• Fault Tree Analysis
• Hardware and Human Failures
• Sensitivity Analysis – a quantitative risk analysis technique, typically
displayed in the form of a Tornado diagram
RISK AND CONTROL ANALYSIS

Needs to be based on data, and the questions you need to ask are:
• When was the data analysed?
• Is all the data available?
• Has any of the data been altered or changed?
• Is the data in the correct format?
• Is the data based on measuring important factors?
QUALITATIVE AND QUANTITATIVE ANALYSIS
• Qualitative Risk Analysis: "The process of prioritizing individual risks for
further analysis or action by assessing their probability of occurrence and
impact as well as other characteristics." (PMI Definition). Uses a scale or
comparative values (High/Medium/Low). It is based on judgement, intuition and
experience rather than on financial values.
• Quantitative Risk Analysis: "The process of numerically analysing the
combined effect of identified individual project risks and other sources of
uncertainty on overall project objectives." (PMI Definition). The use of
numerical and statistical techniques to calculate the likelihood and impact of
risk. It uses financial data, percentages and ratios to provide an appropriate
measure of the magnitude of impact in financial terms.
• Semi-quantitative – Combines the value of the above two.
RISK REPORT
At the conclusion of the IT risk assessment phase the risk assessment
report is produced. The report should:
• Indicate any gaps between the current risk environment and the
desired state of IT Risk
• Advise whether these gaps are within acceptable levels
• Provide some basis to judge the severity of the identified risk
• The risk assessment should be performed in a consistent manner that:
– supports future risk assessment efforts
– provides predictable results
• Avoid using terminology and avoid blaming the IT function
• IT risk is a form of business risk – not because it is a nuisance to IT Staff
• Do not forget to update the Risk Register.
• Keep an eye on Bypassed Risk
FINALLY ….. ASSESSMENT
The Risk Practitioner has a responsibility to assess each risk facing
the organisation in terms of both likelihood and impact and rank
the results for appropriate response. Much of this work is based
on the results of the risk identification phase, but the risk
practitioner should also validate the work of the previous phase
(IT Risk Identification) and ensure that, as far as possible, all risks
are:
• Identified
• Assessed
• Documented
• Reported to Senior Management
Overview
• This domain focuses on the decisions made regarding
the correct way to respond to risk
• Based on the information provided in the earlier steps
of risk identification and risk assessment.
• Cognizance taken of constraints - budget – time
resources – strategic plans – regulations – customers
expectations and other business factors.
• Undertaken in a way that protects operations without
unduly impairing them
• Job here is that of a CISM – keep the show on the
road
RISK RESPONSE
From Risk identification (Domain 1) and Risk Assessment (Domain 2)
we should have a Risk Report and Risk Register with priorities - The
Risk of Risks
Job of Management to respond to and prioritise risks – taking into
consideration the risk appetite and risk tolerance.
• Determine the best response
• Action Plan
• Implementation Strategy
Organisation has a mission – will the response inhibit the mission.
Careful balancing act of aligning Risk Response with business
priorities with an overarching driver of Compliance and Regulations.
RISK RESPONSE OPTIONS 1
Risk Acceptance – No mitigation – Taken within risk appetite
and risk tolerance – Can be dangerous – easily forgotten about
where assets increase or decrease in value and new threats
emerge. The organisation is suddenly in the cross hairs of a newly
motivated and capable adversary.
Risk Mitigation – typically achieved through security controls.
Having in place a good BCP – New access control system –
Policies and operational procedures- compensating controls.
Something that can influence frequency and/or impact of risk
RISK RESPONSE OPTIONS 2
Risk Transfer – The normal vehicle used is insurance, but it is of real
value only for tangible items such as physical infrastructure. Is the risk
transfer the complete absolution of blame – Probably not in the
eyes of stakeholders. Needs regular review and reputation is not
something to insure for.
Risk Avoidance – No other choice as we could have:
• Exposure level deemed unacceptable
• The Risk cannot be transferred
• Mitigation is way too expensive
What advice would the Risk Practitioner give? Timely accurate risk
evaluations with solid supporting data needed.
Example of a Business case does not stack up.
ANALYSIS TECHNIQUES
What response is warranted and how is the decision made?
Factors taken into consideration include:
• Priority of the risk as indicated in the risk assessment report
• The recommended controls from the risk assessment report
• The cost of various options
• Requirements for compliance with regulations or legislation
• Alignment of response option with strategy of organisation
• Compatibility with other controls in place
• Time , resources, budget available
IN SUMMARY
The risk practitioner must understand the business and
its environment and the risk the business faces.
• What are the best cost effective controls to put in
place
• Can these controls be managed effectively
• Do the controls lend themselves to effective
monitoring
• As an example we have encrypted our data in a data
crypt somewhere.
• But who has the keys?
RISK MONITORING DOMAIN DEFINITION

"Continuously monitor and report on IT risk and controls to relevant
stakeholders to ensure continued efficiency and effectiveness in the IT risk
management strategy and its alignment to business objectives".
RISK MONITORING 1
• Part of the IT Risk Management Life Cycle
• Monitoring and identification of risks
• Indicators – KPI and KRI
• Periodic assessments
• Testing
• Continuous identification of new risks
RISK MONITORING 2
• As the environment is changing monitoring is essential –
but ability to report is critical
• Repeatable
• Support investment in risk management
• Assist with due care and diligence in protecting assets
• Support regulatory requirements
• Dynamic – include as part of strategic planning (Proactive
versus reactive)
• Strategy and goals evolve
• Risk environment evolves
KEY RISK INDICATORS
• Measure risk levels versus defined risk thresholds
• Deliver an alert when risk levels approach unacceptable levels
• Opportunity to respond before an unacceptable outcome is produced
• A set of risk indicators that:
• Are highly relevant
• Possess a high probability of predicting or indicating important risks
KEY RISK INDICATOR APPROACH

• Selection
• Effectiveness
• Optimisation
• Maintenance
SELECTION
• Carefully selected and limited in number
• Clearly specified – complete and accurate [SMART]
• Measurable
• Linked to specific risks – to specific goals and objectives
• Provide results that can be monitored over time
• Are balanced between:
• Lead indicators (indicating controls in place to prevent risk)
• Lag indicators (indicating risk after the event has occurred)
• Indicator trends (analysing indicators over time to gain additional
insight)
EFFECTIVENESS
• Takes into consideration
• Impact - indicators with high business impact are more
likely to be KRIs
• Effort - use the indicator that is easiest to measure
• Reliability - must possess a high correlation with the risk
and be a good predictor of the outcome
• Sensitivity - must be representative of the risk and capable
of accurately indicating risk variances
• Repeatable - repeatable and measurable on a regular
basis to show trends
OPTIMISATION
• To ensure accurate and timely reporting, KRIs must be
checked to ensure that:
• The correct data is being collected and reported
on
• The KRI thresholds are set correctly
• If KRIs are hard to measure or are not triggering on
indicators of events, they need to be modified or
adjusted to more accurate, reliable and relevant values.
MAINTENANCE
Organisations operate in a constantly changing and highly dynamic
environment, requiring:
• Regular evaluation of KRIs to verify they continue to be
related to risk appetite and tolerance levels
• Trigger levels that are correctly set, so that stakeholders
can respond in a timely manner
• If KRIs are no longer relevant they should be replaced
• If KRIs are out of alignment they should be optimised
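The threshold, trend and maintenance rules from the KEY RISK INDICATORS, OPTIMISATION and MAINTENANCE slides above, worked through in code. This is an added example and not part of the original presentation or of any ISACA material: the indicator names, warning and tolerance levels, reading histories and event counts are constructed, and the rules for "worsening" (mean of the last three readings against the three before them) and for "not triggering" (events occurred while the indicator never reached its warning level) are assumptions chosen to illustrate the slides.

```python
"""KRI evaluation against warning and tolerance thresholds, with trend and
maintenance checks. Added example: indicator names, thresholds, histories and
event counts are all constructed, not taken from any real organisation."""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class KRI:
    name: str
    kind: str                   # "lead" (control in place) or "lag" (after the event)
    warning: float              # level at which stakeholders get an early alert
    tolerance: float            # level the organisation considers unacceptable
    higher_is_worse: bool = True
    history: List[float] = field(default_factory=list)   # periodic readings, oldest first
    events: int = 0             # materialised risk events in the same period (constructed)

    def _at_or_past(self, value: float, threshold: float) -> bool:
        """Orientation-aware comparison: 'as bad as or worse than' the threshold."""
        return value >= threshold if self.higher_is_worse else value <= threshold

    def current(self) -> Optional[float]:
        return self.history[-1] if self.history else None

    def status(self) -> str:
        """OK / WARNING (approaching tolerance) / BREACHED (tolerance reached)."""
        value = self.current()
        if value is None:
            return "NO DATA"
        if self._at_or_past(value, self.tolerance):
            return "BREACHED"
        if self._at_or_past(value, self.warning):
            return "WARNING"
        return "OK"

    def trend(self, window: int = 3) -> str:
        """Assumed rule: mean of the last `window` readings against the `window` before."""
        if len(self.history) < 2 * window:
            return "insufficient data"
        recent = mean(self.history[-window:])
        earlier = mean(self.history[-2 * window:-window])
        delta = recent - earlier if self.higher_is_worse else earlier - recent
        if delta > 0:
            return "worsening"
        if delta < 0:
            return "improving"
        return "stable"

    def maintenance_issue(self, min_points: int = 4) -> Optional[str]:
        """Flag indicators that are hard to measure or that fail to trigger (assumed rules)."""
        if len(self.history) < min_points:
            return "hard to measure: too few readings"
        ever_warned = any(self._at_or_past(v, self.warning) for v in self.history)
        if self.events > 0 and not ever_warned:
            return "not triggering: events occurred but the warning level was never reached"
        return None


def evaluate(kris: List[KRI]) -> Dict[str, Dict[str, object]]:
    """One report row per indicator: value, status, trend and any maintenance action."""
    return {
        k.name: {
            "kind": k.kind,
            "value": k.current(),
            "status": k.status(),
            "trend": k.trend(),
            "maintenance": k.maintenance_issue(),
        }
        for k in kris
    }


# Constructed sample indicators (six monthly readings each, except the last one)
SAMPLE_KRIS = [
    KRI("critical patches older than 30 days (%)", "lead", warning=10, tolerance=20,
        history=[4, 5, 6, 9, 12, 15]),
    KRI("privileged accounts without MFA", "lead", warning=5, tolerance=10,
        history=[12, 9, 8, 6, 4, 3]),
    KRI("security incidents per month", "lag", warning=3, tolerance=6,
        history=[1, 1, 2, 1, 1, 2], events=4),
    KRI("phishing simulation click rate (%)", "lag", warning=8, tolerance=15,
        history=[9]),
]

if __name__ == "__main__":
    for name, row in evaluate(SAMPLE_KRIS).items():
        print(f"{name}: {row}")
```

Running the module prints one row per indicator. A BREACHED or WARNING row is the alert the slide describes, the trend column is the "indicator trend" insight, and a non-empty maintenance field is the prompt to replace or re-tune the indicator: in the sample, the incident-count KRI never reached its warning level although four events occurred, so its threshold is set too high, and the single-reading phishing KRI cannot yet show a trend.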
SUCCESSFUL
• Common process, terminology and practices across the
organisation
• Risk tolerances which are fully understood, communicated
and monitored
• Risk management is incorporated into key business
processes
• Risk decisions are based on quality risk information
UNSUCCESSFUL
• Inadequate risk recognition
• Insufficient risk analysis
• Poor risk response activities
RISK REGISTER
• This risk register template captures the main elements of a
risk register.
• The Risk ID is auto-generated and no data should be
entered in that column
• Details should be entered as per the column headings.
• Some of the columns use drop-down lists and these are
identified by a colour
• If a risk becomes an issue, the column next to the status
column is populated with the date
• The risk heat map identifies the risks that are in progress
(i.e. only the open risks)
• The Introduction section is used to add the company details and
the Department or Project.
• It also gives a summary of risk numbers
The Introduction section (callouts from the screenshot):
• Enter the Company Name
• Enter the Department or Project
• The counts will be generated automatically
The data entry fields in the Register (callouts from the screenshot):
• Risk ID: do not enter any data in this field as it will be generated
automatically
• Four fields with drop-down lists (Risk Action, Risk Consequence,
Risk Probability and Risk Status): select from the drop-down list
• If “Moved to Issue” is selected, the date field will open and the
current date is added
• The following are the drop-down lists that support the
data entry fields in the Register
Risk Action: Terminate, Tolerate, Transfer, Treat
Risk Consequence: Insignificant, Minor, Moderate, Major, Critical
Risk Probability: Remote, Unlikely, Possible, Probable, Certain
Risk Status: In Progress, Closed, Moved to Issue
The Heat map identifies the number of open risks by their risk rating. The
overall risk ratings form the risk profile for the company.
RISK REGISTER OBJECTIVES
It is necessary to list the objectives in order to support the
identification of relevant risks.
Select the key objectives (or deliverables for projects).
RISK IDENTIFICATION
RISK REGISTER ASSESSMENT
The risk assessment element includes
• A description of the impact the risk may have in the
event it materialises
• An assessment of the likelihood of the risk
materialising (based on a rating from Remote to
Certain)
• An assessment of the impact in the event the risk
materialises (based on a rating from Very Low to
Very High)
RISK REGISTER TREATMENT
The risk treatment element includes
• A risk response category
• Risk response description
• Risk Actionee
• Due date
• An assessment of the likelihood of the risk
materialising (based on a rating, post risk
response, from Remote to Certain)
• An assessment of the impact in the event the
risk materialises (based on a rating, post risk
response, from Very Low to Very High)
RISK REGISTER MONITORING
The risk monitoring element includes
• The reference for the control used to
mitigate the risk
• Date of the last test of the control
• Result of the last control test
The risk rating shown on the register is selected from either
the inherent risk or the residual risk. Which one applies is
decided from the risk, the control and the control test results.
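The register behaviour described in the RISK REGISTER slides above (auto-generated Risk ID, drop-down validation, the date stamp when a risk is moved to issue, the choice between inherent and residual rating, the automatically generated counts and the heat map of open risks by rating), as an added example that is not the presentation's own spreadsheet or any ISACA template. The 1-to-5 scoring of probability and consequence, the rating bands, the rule for choosing the residual rating (only when the referenced control's last test passed) and the sample risks are all assumptions made for the example.

```python
"""Minimal risk register with the template's behaviour: auto-generated Risk ID,
drop-down validation, date stamp on 'Moved to Issue', inherent/residual rating
selection and a heat map of open risks. Added example; sample data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Drop-down lists as given for the register
RISK_ACTION = ("Terminate", "Tolerate", "Transfer", "Treat")
RISK_CONSEQUENCE = ("Insignificant", "Minor", "Moderate", "Major", "Critical")
RISK_PROBABILITY = ("Remote", "Unlikely", "Possible", "Probable", "Certain")
RISK_STATUS = ("In Progress", "Closed", "Moved to Issue")
# Assumed (not on the slides): score = probability rank x consequence rank, banded
RATING_BANDS = ((1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Very High"))


def _check(value: str, allowed: tuple, label: str) -> str:
    if value not in allowed:
        raise ValueError(f"{label} must be one of {allowed}, got {value!r}")
    return value


def score(probability: str, consequence: str) -> int:
    p = RISK_PROBABILITY.index(_check(probability, RISK_PROBABILITY, "Risk Probability"))
    c = RISK_CONSEQUENCE.index(_check(consequence, RISK_CONSEQUENCE, "Risk Consequence"))
    return (p + 1) * (c + 1)


def rating(probability: str, consequence: str) -> str:
    s = score(probability, consequence)
    return next(name for lo, hi, name in RATING_BANDS if lo <= s <= hi)


@dataclass
class Risk:
    risk_id: int                                  # generated by the register
    name: str
    owner: str
    probability: str                              # inherent
    consequence: str                              # inherent
    action: str = "Treat"
    residual_probability: Optional[str] = None    # post-response
    residual_consequence: Optional[str] = None
    control_ref: Optional[str] = None             # control used to mitigate the risk
    last_test_passed: Optional[bool] = None       # result of the last control test
    status: str = "In Progress"
    issue_date: Optional[date] = None             # stamped on 'Moved to Issue'

    def __post_init__(self) -> None:              # validate the drop-down fields
        _check(self.action, RISK_ACTION, "Risk Action")
        score(self.probability, self.consequence)

    def current_rating(self) -> str:
        """Assumed rule: residual only when a referenced control passed its last test."""
        if (self.control_ref and self.last_test_passed
                and self.residual_probability and self.residual_consequence):
            return rating(self.residual_probability, self.residual_consequence)
        return rating(self.probability, self.consequence)


class RiskRegister:
    def __init__(self) -> None:
        self.risks: List[Risk] = []
        self._next_id = 1

    def add(self, **fields) -> Risk:
        risk = Risk(risk_id=self._next_id, **fields)  # caller never supplies the ID
        self._next_id += 1
        self.risks.append(risk)
        return risk

    def set_status(self, risk_id: int, status: str, today: Optional[date] = None) -> Risk:
        risk = next(r for r in self.risks if r.risk_id == risk_id)
        risk.status = _check(status, RISK_STATUS, "Risk Status")
        if status == "Moved to Issue":               # the date column opens and is filled
            risk.issue_date = today or date.today()
        return risk

    def heat_map(self) -> Dict[str, int]:
        """Open risks counted by rating; together these form the risk profile."""
        counts: Dict[str, int] = {}
        for r in (r for r in self.risks if r.status == "In Progress"):
            counts[r.current_rating()] = counts.get(r.current_rating(), 0) + 1
        return counts

    def summary(self) -> Dict[str, int]:
        """The automatically generated counts of the Introduction section."""
        return {s: sum(1 for r in self.risks if r.status == s) for s in RISK_STATUS}


def build_sample_register(today: date = date(2024, 1, 15)) -> RiskRegister:
    """Constructed sample data, not from any real register."""
    reg = RiskRegister()
    reg.add(name="Unpatched internet-facing VPN appliance", owner="Infrastructure lead",
            probability="Probable", consequence="Major", residual_probability="Unlikely",
            residual_consequence="Major", control_ref="CTL-PATCH-01", last_test_passed=True)
    reg.add(name="Backup encryption keys held by a single administrator", owner="CISO",
            probability="Possible", consequence="Critical", residual_probability="Remote",
            residual_consequence="Critical", control_ref="CTL-KEY-02", last_test_passed=False)
    reg.add(name="Loss of a minor third-party reporting feed", owner="Operations manager",
            probability="Unlikely", consequence="Minor", action="Tolerate")
    reg.set_status(3, "Moved to Issue", today=today)
    return reg
```

In the sample the second risk stays at its inherent High rating even though a residual rating was recorded, because its control failed its last test; that is the point of the monitoring columns: a residual rating is only as good as the evidence that the control works. The third risk has been moved to issue, so it carries a date and drops out of the heat map.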