
INTRODUCTION TO

RISK MANAGEMENT
PETER C. TESSIN, MSA, CISA, CISM, CRISC, CGEIT, SR. MANAGER
DISCOVER FINANCIAL SERVICES

2 OCTOBER 2019
WELCOME

Audio is streamed over your computer

Dial-in numbers and codes were provided in the email that was sent

Have a question for the speaker? Access the Q&A section and select Submit to Host

Questions or suggestions? Visit https://support.isaca.org

A PDF copy of today’s presentation is available in your ISACA Classroom

CPE SUBMISSION: An email will be sent next week with steps on accessing your CPE Certificate for today’s webinar.
TODAY’S SPEAKER

Peter C. Tessin
MSA, CISA, CISM, CRISC, CGEIT

Sr. Manager, BT Risk

Discover Financial Services


AGENDA

What we’ll cover today:

1. Definitions of risk and risk types

2. Risk responses and measurement

3. Risk frameworks and development

4. Overview of risk management


Introduction

• IT risk exists whether an organization recognizes it or not.

• IT risk accompanies all business opportunities.

• Treating IT risk is a matter of acknowledging and choosing costs and benefits.

• IT risk is dynamic and ever changing.


DEFINITION OF RISK
Definition of Risk

• Risk management is the identification, evaluation and treatment of risk such that greater control is brought to business activity in the face of those risks.

• The purpose of performing risk management is to create and protect value for stakeholders.

• Risk management optimizes risk exposure and the potential impact of incidents. Risk management does not minimize risk or maximize benefit!
Definition of Risk

What is risk?

Source – Definition

ISO 31000, ISO Guide 73 – Effect of uncertainty on objectives.

ISACA – Combination of the probability of an event and its consequence. (Previous ISO.)

Managing Successful Programmes (Axelos) / PRINCE2 – An uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives; a risk is measured by a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.

Rational Unified Process (RUP) – An ongoing or upcoming concern that has a significant probability of adversely affecting the success of major milestones.

Risk Analysis and Management of Projects (RAMP) – The likelihood of variation in the occurrence of an event, which may have either positive or negative consequences.

ITIL – A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred. Risk can also be defined as uncertainty of outcome, and can be used in the context of measuring the probability of positive outcomes as well as negative outcomes.

PT – The intersection of vulnerabilities and threats.
Definition of Risk

• Key points:

• Definitions abound

• Common elements include uncertainty and impact

• Can be industry-specific

• Generally negative, but can be positive


Definition of Risk

• A risk is something that has not yet occurred.

• A materialized risk is an event or incident.


TYPES OF RISK
Types of Risk

Opportunity risk – When different options exist, choosing one means giving up the potential benefits of the other.
Examples include choosing a product mix or choosing a location for a company.

Uncertainty risk – Some events are not predictable but if they occur can cause great damage.
Examples include catastrophic loss due to severe weather (e.g., hurricanes) or legal action.

Hazard risk – An event can be accompanied by inherent danger.
Examples include manufacturing processes involving toxic chemicals or very high noise levels (e.g., aircraft operations).
Types of Risk

Audit risk – The chance that an audit examination will not uncover a significant or material fact.
Examples include information security vulnerabilities or unsuccessful remediation of past control deficiencies.

Data quality – Lack of data hygiene can result in unreliable reporting or analytics.
Examples include process or control ineffectiveness or diminished customer experience.

Project risk – Projected benefits can be in peril or come at elevated cost.
Examples include scope creep, inadequate quality reviews or inaccurate requirements elaboration.
Risk Appetite

Defines the pursuit of risk


• Institute of Risk Management (IRM) defines risk appetite as “the amount and type of risk that an organisation is willing to take in order to meet their strategic objectives”

Appetite varies by industry, culture, enterprise objectives

Risk appetite statement brings clarity but can be difficult to write

“Don’t stay out late!”


Risk Tolerance

• How much the enterprise can cope with

• Tolerance must be clearly defined and measurable

• Provides guard rails to risk framework

• “10 minutes late is okay!”


RISK RESPONSE
Risk Response Strategies

There are four risk response strategies

Strategy – Description

Accept – The “do nothing” option. The impact of the risk materializing will not cause harm that can’t be absorbed. The cost of any foreseeable course of action exceeds the benefit.

Avoid – Take a different course of action. Plot out alternative actions that will produce the same, or substantially similar, outcomes.

Transfer (Share) – Pass risk to, or share with, a third party. Purchase insurance, contractual clauses.

Mitigate – Develop contingency plans that are designed to reduce the risk’s likelihood, impact or both. The internal control environment mitigates risk. Risk is not eliminated and the presence of residual risk must be understood.
Risk Response

Inherent risk
Traditional: Risk that exists in the absence of controls.
Contemporary: Current risk level given the existing control environment.

Residual risk
Traditional: Risk that remains after controls are accounted for.
Contemporary: Risk that remains after application of additional controls.

Something to consider – In the contemporary view, is residual risk the “new” inherent risk?


RISK MEASUREMENT
Risk Measurement

Common measures of risk are key performance indicators (KPI) and key risk indicators
(KRI).
• KPI measures performance of an activity (or control)
• KPI may become KRI
• KRI is an early warning of the potential for an adverse event
• KRI is central to operational risk management
Risk Measurement

• The measurement of risk is dependent on the quality of estimates made of probability and likelihood of impact (money, days, other qualitative or comparative measure). (GIGO)

• Reasonable estimates of probability and impact lead to risk ranking.

• Risk rank is the product of the probability and impact.


Risk Measurement

Risk Rating (rows: impact level with its score; columns: probability band)

                     Probability
Impact               Low (0-30%)    Medium (31-60%)    High (61-100%)
Low (10)             Low            Low                Low
Medium (50)          Low            Moderate           High
High (100)           High           Very High          Very High
Risk Measurement

Risk – Probability – Impact – Score

Application servers no longer available per schedule, must find new vendor, will delay go-live three months – 100% – 100 – 100.0

Servers delayed 30 days – 75% – 50 – 37.5

Servers delayed 10 days – 50% – 10 – 5.0

Offshore resource doesn’t provide QA assurance – 50% – 50 – 25.0
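The probability × impact scoring and the rating matrix from the slides, worked through in code so the ranking and the tolerance guard rail can be applied to a register rather than read off a chart. This is an added example, not material from the ISACA slides; the band edges (upper edge of each band inclusive), the impact-level names behind the 10/50/100 scores, and the tolerance check are assumptions made here, chosen so that the sample register's scores come out exactly as on the slide.

```python
# Added example (not from the ISACA slides): risk scoring with the
# probability x impact model and the rating matrix shown in the deck.
# Band boundaries, the impact-to-score mapping and the tolerance check
# are assumptions made here to reproduce the slide's sample numbers.
from dataclasses import dataclass

# Impact levels and their numeric scores, as on the rating matrix.
IMPACT_SCORE = {"Low": 10, "Medium": 50, "High": 100}

# Rating matrix, indexed as RATING_MATRIX[impact_level][probability_band].
RATING_MATRIX = {
    "Low":    {"Low": "Low",  "Medium": "Low",       "High": "Low"},
    "Medium": {"Low": "Low",  "Medium": "Moderate",  "High": "High"},
    "High":   {"Low": "High", "Medium": "Very High", "High": "Very High"},
}

# Ordinal ranking of the qualitative ratings, used for tolerance checks.
RATING_ORDER = ["Low", "Moderate", "High", "Very High"]


def probability_band(probability_pct: float) -> str:
    """Map a probability in percent to the bands 0-30 / 31-60 / 61-100.
    Assumption: the upper edge of each band is inclusive, so a fractional
    value such as 30.5 falls in the lower band."""
    if not 0 <= probability_pct <= 100:
        raise ValueError(f"probability out of range: {probability_pct}")
    if probability_pct <= 30:
        return "Low"
    if probability_pct <= 60:
        return "Medium"
    return "High"


def impact_level(impact_score: int) -> str:
    """Reverse lookup from the numeric impact score to its level name."""
    for level, score in IMPACT_SCORE.items():
        if score == impact_score:
            return level
    raise ValueError(f"impact score must be one of {sorted(IMPACT_SCORE.values())}")


def risk_score(probability_pct: float, impact_score: int) -> float:
    """Risk rank as the product of probability (as a fraction) and impact."""
    impact_level(impact_score)  # rejects scores that are not on the matrix
    return probability_pct / 100 * impact_score


def rate_risk(probability_pct: float, impact_score: int) -> str:
    """Qualitative rating read from the matrix."""
    return RATING_MATRIX[impact_level(impact_score)][probability_band(probability_pct)]


@dataclass(frozen=True)
class RiskEntry:
    description: str
    probability_pct: float
    impact_score: int


def score_register(register):
    """Score and rate every entry, highest score first (the risk ranking)."""
    rows = [
        {
            "description": e.description,
            "score": risk_score(e.probability_pct, e.impact_score),
            "rating": rate_risk(e.probability_pct, e.impact_score),
        }
        for e in register
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def above_tolerance(register, tolerance_rating: str):
    """Entries whose rating exceeds the stated tolerance (the guard rail)."""
    limit = RATING_ORDER.index(tolerance_rating)
    return [r for r in score_register(register)
            if RATING_ORDER.index(r["rating"]) > limit]


# The four sample risks from the slide's register (constructed from the deck).
SAMPLE_REGISTER = [
    RiskEntry("Application servers no longer available per schedule, must find "
              "new vendor, will delay go-live three months", 100, 100),
    RiskEntry("Servers delayed 30 days", 75, 50),
    RiskEntry("Servers delayed 10 days", 50, 10),
    RiskEntry("Offshore resource doesn't provide QA assurance", 50, 50),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f'{row["score"]:6.1f}  {row["rating"]:9}  {row["description"]}')
    print("Above 'Moderate' tolerance:",
          [r["description"] for r in above_tolerance(SAMPLE_REGISTER, "Moderate")])
```

Note that the numeric score and the matrix rating do not always agree in order: a 50% probability against a Low (10) impact scores 5.0 and rates Low, while the same probability against a Medium (50) impact scores 25.0 and rates Moderate, so a tolerance expressed as a rating and one expressed as a score can flag different entries. Whichever form the enterprise chooses, it has to be stated explicitly, which is the point the Risk Tolerance slide makes.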


RISK FRAMEWORKS
Risk Frameworks

What is a risk management framework?

Source – Definition

ISO Guide 73 – Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

NIST 800-37 rev 2 RMF – A disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

ISACA

COSO ERM
Risk Frameworks

A risk framework permits a systematic approach to handling risk, more predictable outcomes

Common language and common understanding

Fit for purpose

Contributes to value creation and protection


Risk Frameworks

IT risk management frameworks have several attributes in common. They:

• are systematic, cover the entire enterprise wherever IT assets are employed,
• use an iterative approach,
• involve stakeholders for all significant activities and assessments,
• align business objectives with available resources.
Risk Frameworks

Implementing an IT risk management framework:

• Can be done piecemeal; a whole-enterprise rollout is not necessary initially
• Is driven by the organization’s risk appetite and risk tolerance
• Is dynamic; as risk and risk appetite change, the framework must be amended
Risk Frameworks

Example risk management frameworks:

• NIST RMF
• FAIR
• COBIT 2019 (sort of)
• ISO 31000 (significant standard, not quite a framework)
RISK FRAMEWORK DEVELOPMENT
Risk Framework Development

Make risk management part of the organizational structure

• Crosses between governance and management
• Evolve risk management in concert with changes in governance structure and organizational models
• Make culture risk aware, “Risk management is everyone’s business”
Risk Framework Development

Design the framework structure in alignment with

• Business drivers, regulatory requirements, organizational capabilities
• Ensure upper management and key oversight bodies are committed, use a tone-at-the-top approach
• Carefully assign roles and processes, use RACI charts to clarify
• Formally allocate roles to risk management processes
• Schedule risk reporting meetings and reports
Risk Framework Development

Putting a risk management framework structure in place requires

• A dedicated team, must include competent risk practitioners
• Codify how risk decisions will be made and communicated
• Maintain key stakeholder involvement
Risk Framework Development

Periodically measure the framework’s effectiveness

• Report current performance against planned measures
• Compare structure of framework against changes in governance structure or organization objectives
Risk Framework Development

Update risk management framework

• Updates to the risk management framework should be done judiciously
• Use risk reporting to define potential improvements
• Confirm improvement suggestions with stakeholders (maintain their commitment)
RISK MANAGEMENT OVERVIEW
Risk Management Overview

Establish the risk management framework

• Align with governance and organization objectives
• Design performance measures
• Embed risk reporting and communication
• Adapt the framework periodically
Risk Management Overview

Perform risk assessments

• Risk assessments can be done on small or enterprise scopes
• Identify risk and gain agreement as to impact and likelihood
• Analyze risk against internal control environment
• Evaluate risk and potential response
Risk Management Overview

Align risk, policies, standards, procedures and controls

• Determine most appropriate risk response
• Include non-monetary factors (reputation, etc.) when evaluating risk response
• Simulate risk response and determine whether selected treatment could create new risk
Risk Management Overview

Measure and monitor risk management performance

• Regularly scheduled risk reporting provides early indicators of potential negative impact
• Push risk reporting results back up to governance and risk management stakeholders; risk data are part of decision making
• Security may override many other factors, including cost
Introduction

“Growth and comfort do not coexist.”

~ Ginni Rometty, CEO IBM


QUESTIONS?
This training content (“content”) is provided to you without warranty, “as is” and “with all
faults”. ISACA makes no representations or warranties express or implied, including
those of merchantability, fitness for a particular purpose or performance, and non-
infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has
designed the content primarily as an educational resource for IT professionals and
therefore the content should not be deemed either to set forth all appropriate
procedures, tests, or controls or to suggest that other procedures, tests, or controls that
are not included may not be appropriate; ISACA does not claim that use of the content
will assure a successful outcome and you are responsible for applying professional
judgement to the specific circumstances presented to determining the appropriate
procedures, tests, or controls.

Copyright © 2019 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR
ATTENDING THIS
ISACA WEBINAR
