Documente Academic
Documente Profesional
Documente Cultură
MANAGEMENT
OPENING
THOUGHTS –
THINGS WE DON’T
WANT TO HAPPEN
WHEN PRACTISING
RISK MANAGEMENT
AGENDA
• The need for the integration of new insights from practitioners, science and academia in the
domain of I&T governance creation
• Other standards have evolved, resulting in a different standards/frameworks landscape,
requiring a re-alignment
• More fluid, flexible and frequent updates of COBIT required
COBIT 2019
ADDRESSING COBIT 5 IMPERFECTIONS
COBIT users found it hard to locate relevant contents for their needs
Perceived as complex and challenging to apply in practice
The enabler model was incomplete in terms of development and guidance, and thus often
ignored
A challenging process capability model and general lack of support of performance
management for other enablers
The perceived reputation of IT governance itself as an inhibitor of change and
(administrative) overhead – not per se a COBIT weakness but an IT governance problem at
large
COBIT’S PURPOSE:
ENTERPRISE GOVERNANCE TO SUPPORT VALUE CREATION
Enterprise
Business/IT
Governance of Value Creation
Alignment
I&T
Risk
Optimisation
• addressing the business risk associated
with the use, ownership, operation,
involvement, influence and adoption of
I&T within an enterprise
Benefits Realisation
Reference:COBIT®
Reference: COBIT®2019
2019Framework:
Framework:Introduction
Introductionand
andMethodology,
Methodology,Chapter
Chapter4 4Basic
BasicConcepts:
Concepts:Governance
GovernanceSystems
Systems andComponents,
and Components,Figure
Figure4.2
4.2
KEY CONCEPTS - GOVERNANCE AND MANAGEMENT OBJECTIVES
RELATED
HIGH LEVEL COMPONENTS
RELATED GUIDANCE
INFORMATION • Where applicable links
GOALS CASCADE • Processes, practices and
• Domain name activities and cross references are
• Applicable Alignment goals
• Focus area • Organizational structures provided to other
• Applicable Enterprise goals standards and
• Governance or • Information flows and items
• Example metrics frameworks for each of
management objective • People, skills and the governance
name competencies components within each
• Description • Policies and frameworks governance and
• Purpose statement • Culture, ethics and management objective
behavior
• Services, infrastructure and
applications
DESIGN FACTORS
IN COBIT 2019:
• Growth/Acquisition
• Innovation/Differentiati
Enterprise on
Strategy • Cost Leadership
• Client Service/Stability
Threat • Normal
Landscape • High
• Support
• Factory
Role of IT • Turnaround
• Strategic
DESIGNING A TAILORED GOVERNANCE SYSTEM
GOVERNANCE SYSTEM DESIGN WORKFLOW
COBIT 2019
COBIT 2019 COBIT 2019 COBIT 2019
DESIGN GUIDE IMPLEMENTATION
FRAMEWORK FRAMEWORK
Designing Your GUIDE
COBIT Introduction & COBIT Governance & Implementing and Optimizing Your
Methodology Information &
Management Objectives Technology Governance Information & Technology
Governance System
System
COBIT 2019 integrates risk governance and The COBIT Core Model contains specific risk
management with overall I&T governance and governance & management objectives, with
management. supporting processes:
COBIT 2019 provides the hooks for more detailed EDM03-Ensured Risk Optimisation
and technical guidance beyond the scope of COBIT.
APO12—Managed Risk
COBIT 2019 includes integrated process capability
Specific Org.anisational Structures, Skills, Culture
assessment, based on CMMI
aspects, etc. are described as well
COBIT 2019 has updated the generic risk scenarios
Detailed focus area guidance will be available soon for
to support management efforts
information security and I&T risk.
COBIT 2019 AND RISK MANAGEMENT – EDM03 – ENSURED RISK
OPTIMISATION AND APO12 – MANAGED RISK
EDM03 APO12
COBIT 2019 AND RISK
MANAGEMENT: DESIGN
FACTORS – RISK PROFILE
GENERALLY ACCEPTED, ‘PLAYS WELL WITH STRUCTURED FROM CAN BE TAILORED TO INCLUDES INTEGRATED IS OPEN AND FREELY
BUSINESS FRAMEWORK OTHERS’, I.E. ALIGNS BEGINNING TO END SPECIFIC ENTERPRISE PERFORMANCE AVAILABLE, NOT
FOR IT, USED AND WITH OTHER NEEDS THANKS TO THE MANAGEMENT PROPRIETARY HENCE
USEABLE BY FRAMEWORKS, CAN BE (NEW) DESIGN FEATURES – CAPABILITY NO LOCK-INS OR
BUSINESS/ASSURANCE / COMPLEMENTED WITH FACTORS, WHICH LEVELS, METRICS AT IMPORTANT IP
RISK MANAGEMENT MISSING BITS & PIECES, INCLUDE RISK PROFILE DIFFERENT LEVELS, INVESTMENTS…
E.G. FOR QUANTITATIVE AND IT ISSUES AN ALLOWING TO SET
RISK ANALYSIS ORGANISATION IS TARGETS AND TO
FACED WITH MEASURE TARGETS
Risk Governance and Risk management objectives and processes
are spelled out and can be implemented at different and evolving
capability levels
The Performance management system for these processes allows to
measure and adjust them to target
Design Factors (Risk Profile, IT Issues, threat landscape, …) allow
WHY COBIT to design the governance process taking into account risk factors
2019 FOR RISK The updated list with Generic Risk Scenarios is a valuable tool for
validation of an organisation’s own risk register
MANAGEMENT? Mapping between Risk Scenarios and Governance and
Management Objectives , aka ‘controls’, allows more reliable risk
WHAT’S IN THE assessment and better risk response, whilst saving on the need to
identify controls for each new risk
COBIT Performance monitoring for those ‘controls’ is provided through the
process capability scheme
TOOLBOX? Definition of relevant information items for risk management →
risk profile, risk register, …
Designated focus area guidance for information security,
information risk management is under development, other areas
will be planned
COBIT has attention for ‘non-process’ related guidance as well
IS COBIT 2019 PERFECT FOR RISK MANAGEMENT?
Q&A