RISK MANAGEMENT
PETER C. TESSIN, MSA, CISA, CISM, CRISC, CGEIT, SR. MANAGER
DISCOVER FINANCIAL SERVICES
2 OCTOBER 2019
WELCOME
Dial-in numbers and codes were provided in the email that was sent.
Have a question for the speaker? Access the Q&A section and select Submit to Host.
Questions or suggestions? Visit https://support.isaca.org
A PDF copy of today’s presentation is available in your ISACA Classroom.
CPE SUBMISSION
An email will be sent next week with steps on accessing your CPE Certificate for today’s webinar.
TODAY’S SPEAKER
Peter C. Tessin
MSA, CISA, CISM, CRISC, CGEIT
• Risk management is the identification, evaluation and treatment of risk such that greater control is
brought to business activity in the face of those risks.
• The purpose of performing risk management is to create and protect value for stakeholders.
• Risk management optimizes risk exposure and the potential impact of incidents. Risk
management does not minimize risk or maximize benefit!
Definition of Risk
What is risk?
Source – Definition
ISACA – Combination of the probability of an event and its consequence. (Previous ISO.)
Managing Successful Programmes (Axelos) / PRINCE2 – An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives; a risk is measured by a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.
Rational Unified Process (RUP) – An ongoing or upcoming concern that has a significant probability of adversely affecting the success of major milestones.
Risk Analysis and Management of Projects (RAMP) – The likelihood of variation in the occurrence of an event, which may have either positive or negative consequences.
ITIL – A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. Risk can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.
PT – The intersection of vulnerabilities and threats.
Definition of Risk
• Key points:
• Definitions abound
• Can be industry-specific
Opportunity risk – When different options exist, choosing one means giving up the potential
benefits of the other.
Examples include choosing a product mix or choosing a location for a
company.
Uncertainty risk – Some events are not predictable but if they occur can cause great damage.
Examples include catastrophic loss due to severe weather (e.g.,
hurricanes) or legal action.
Audit risk – The chance that an audit examination will not uncover a significant or material fact.
Examples include information security vulnerabilities or unsuccessful remediation
of past control deficiencies.
Data quality – Lack of data hygiene can result in unreliable reporting or analytics.
Examples include process or control ineffectiveness or diminished customer
experience.
Strategy – Description
The impact of the risk materializing will not cause harm that can’t be absorbed. The cost of any foreseeable course of action exceeds the benefit.
Avoid – Take a different course of action.
Mitigate – Develop contingency plans that are designed to reduce the risk’s likelihood, impact or both.
Common measures of risk are key performance indicators (KPI) and key risk indicators
(KRI).
• KPI measures performance of an activity (or control)
• KPI may become KRI
• KRI is an early warning of the potential for an adverse event
• KRI is central to operational risk management
Risk Measurement
Risk Rating
Probability
Application servers no longer available per schedule, must find new vendor, will delay go-live three months. 100% 100 100.0
Risk Frameworks
Source – Definition
COSO ERM
You assume the entire risk for the use of the content and acknowledge that: ISACA has
designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls that
are not included may not be appropriate; ISACA does not claim that use of the content
will assure a successful outcome and you are responsible for applying professional
judgement to the specific circumstances presented in determining the appropriate
procedures, tests, or controls.
Copyright © 2019 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR
ATTENDING THIS
ISACA WEBINAR