
CLASS MATERIALS

Build a Business-Driven IT Risk Management Program

IN ASSOCIATION WITH

CSAC Institute, CI 343
www.csacinstitute.org

LEARN . GROW . ACHIEVE

Today’s Strategy for

LEARN
• The right questions to ask of your peers to identify the critical importance of organizational risk management.
• The knowledge required to build a formal risk management process, best practices for mitigating identified risks, and examples of internal controls to establish to achieve compliance with mitigation plans.

DO
• Develop the core risk management processes and skills necessary to be effective risk leaders through a series of activities and discussions.
• Discuss and uncover the current state of risk management in government agencies with fellow county peers, examples of risk management practices, and strategies for overcoming roadblocks.

GET
• IT risk management tools, templates, frameworks, and process documents.
• IT Risk Management Participant Workbook

Info-Tech Research Group

Seize the potential of risk management to better align IT with organizational objectives

[Figure: CIOs say "IT creates value for the organization"; CEOs say "IT keeps the lights on".] 63% of CIOs and CEOs disagree about the objectives of IT. 1

IT risk management is an opportunity to enhance IT’s profile in the eyes of the CEO, and to align IT with the organization’s strategic direction.

Risk is money, and minimizing risk is money saved. Use your risk-management program to illustrate how IT creates value for the organization.

Proactive risk management that translates IT risk into business language illustrates that IT decision making is focused on how IT can add to and avoid detracting from business value.

1: Info-Tech Research Group, 2015.

Poor IT risk management is expensive

IT RISK IS HEADLINE NEWS

[Figure: a collage of press clippings from The Guardian, The Wall Street Journal, CNN Money, The Australian and Computer Business Review, including "Equifax data breach to cost insurers $125M", a Yahoo breach story, and "Hackers steal Zomato data on 17 million users".]

Discussion Debrief: The risk mindset requires an awareness of the organization’s attitude toward risk

Risk tolerant: Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

Risk averse: Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance towards risk.

Additional Notes

______

Discussion Debrief: The risk mindset requires an awareness of the organization’s attitude toward risk

Risk conscious: Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives.

Unaware: Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives.

Additional Notes

______

What do different risk management cultures look like?

Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Risk Tolerant
• You have no compliance requirements.
• You have no sensitive data.
• Customers do not expect you to have strong security controls.
• Revenue generation and innovative products take priority and risk is acceptable.
• The organization does not have remote locations.
• It is likely that your organization does not operate within the following industries:
 o Finance
 o Health care
 o Telecom
 o Government
 o Research

Moderate
• You have some compliance requirements, e.g.:
 o HIPAA
 o PIPEDA
• You have sensitive data, and are required to retain records.
• Customers expect strong security controls.
• Information security is visible to senior leadership.
• The organization has some remote locations.
• Your organization most likely operates within the following industries:
 o Government
 o Research
 o Education

Risk Averse
• You have multiple, strict compliance and/or regulatory requirements.
• You house sensitive data, such as medical records.
• Customers expect your organization to maintain strong and current security controls.
• Information security is highly visible, including to public investors.
• The organization has multiple remote locations.
• Your organization operates within the following industries:
 o Finance
 o Healthcare
 o Telecom

This blueprint is rooted in best practice; benefit from industry-leading best practices

The Government of the United Kingdom’s M_o_R, the NIST framework, and the Risk IT framework provided best practices for IT risk governance, identification, and assessment. These were modified to create Info-Tech’s IT Risk Management Framework.

Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

[Figure: IT Risk Management Framework, centred on Business Objectives, with five stages in a cycle: Risk Governance, Risk Identification, Risk Assessment, Risk Response, and Monitoring.]

66% of organizations lack a formal risk management program 1

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

Ad hoc approaches to managing risk fail because…

1. Ad hoc risk management is often reactionary.
• Without formalized procedures for managing IT risk, risk events are often “managed” after they have occurred.
• IT departments that spend most of their time putting out fires receive the lowest ratings for satisfaction and perceived value by business stakeholders.

2. Ad hoc risk management is often focused only on IT security.
• Organizations must respond to the entire spectrum of IT risk.
• A client who recently completed Info-Tech’s methodology for risk identification and assessment found that only 15 of the 135 IT risks identified were related to security and compliance.

3. Ad hoc risk management lacks alignment with business objectives.
• Many IT risk assessments fail to communicate IT risks in a way that compels the business to take action.
• 63% of CEOs indicate they want IT to provide better risk metrics (CIO-CEO Alignment survey data, Info-Tech Research Group).

The results:
• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.

“Most IT departments aren’t thinking about formal risk management, and if they are, it’s back-of-the-napkin.”
Ken Piddington, CIO & Executive Advisor, MRE Consulting

1: ESI International

PHASE 1: Review IT Risk Fundamentals and Governance

Build a Business-Driven IT Risk Management Program

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.

Create an IT risk governance framework that integrates with the business

Why ad hoc risk management fails:
• Key stakeholders are left out or consulted once risks have already occurred.
• Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
• Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
• Risk monitoring occurs sporadically or only after a major risk event has already occurred.

Key Considerations (Risk Governance): Identify Potential Challenges; Manage Stakeholders & Assign Accountability; Measure the Success of the Program.

In this section:
1. Identify potential organizational challenges and discuss.
2. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

Key metrics to consider:
• Number of risk management processes done ad hoc.
• Frequency that IT risk appears as an agenda item at IT steering committee meetings.
• Percentage of IT employees whose performance reflects risk management objectives.
• Percentage of IT risk council members who are trained in risk management activities.
• Number of open positions in the IT risk council.
• Cost of risk management program operations per year.

Info-Tech Insight: IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.

Senior leadership buy-in is crucial to risk management success

Anticipate potential challenges and blind spots by determining which of these success factors are missing from your current situation.

IT Risk Management Success Factors

Support and sponsorship from senior leadership
• IT risk management has more success when initiated by a member of the senior leadership or the board.
• Sponsorship increases the likelihood that risk management is prioritized and receives the necessary resources and attention.
• Sponsorship also ensures that IT risk accountability is assumed by senior leadership.

Identify stakeholders and map them according to their influence over, and interest in, IT risk management

Manage Stakeholders

[Figure: stakeholder map with Influence of stakeholders on the vertical axis and Interest of stakeholders on the horizontal axis. Quadrants: Meet their needs (high influence, low interest); Key stakeholder (high influence, high interest); Least important (low influence, low interest); Consider their input (low influence, high interest).]

Relevant stakeholders can include individuals, groups, or entire business units.

Occasionally, groups or individuals outside of IT that have low interest in IT risk management should be highly interested, but are unaware of the impact that IT risk has on their objectives. For the sake of this exercise, map stakeholders according to how interested they should be.

Stakeholder Map from Eden and Ackerman, p. 121–125, 344–346

Anticipate challenges to formalizing IT risk management

Be sure to consider these additional success factors as well, when investigating your current situation.

Additional IT Risk Management Success Factors

Organization size
• Smaller organizations can often institute a mature risk management program much more quickly than larger organizations.
• It is common for key personnel within smaller organizations to be vertically responsible for multiple roles, making it easier to integrate IT and business risk management.
• Larger organizations may find it more difficult to integrate a dispersed network of individuals responsible for risk management.

Risk culture and awareness
• A risk-aware organization embraces new processes that reflect a proactive approach to risk.
• An organization with a risk-aware culture is better equipped to facilitate communication within the organization.
• Risk-awareness can be embedded by revising job descriptions and performance assessments to reflect IT risk management responsibilities.

Attach metrics to your goals to gauge the success of the IT risk management program

Sample Metrics. How to fill in each column:
• Name: include the frequency and unit of measurement where applicable.
• Method: identify the location of the relevant data or the methodology for obtaining it.
• Baseline and Target: measure or approximate the current state and determine a goal for each metric.
• Deadline: determine a concrete deadline that affords you enough time to realize gains.
• Checkpoints and Final: create checkpoints to track progress and record the final measurement at the deadline.

Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final
Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31 | | |
Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | | |
Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2/yr. | Year 2 | | |
Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31 | | |
Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | | |
Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31 | | |

PHASE 2: Identify and Assess IT Risk

Build a Business-Driven IT Risk Management Program

Get to know what you don’t know

What you don’t know CAN hurt you.

In this section:
1. Engage the right stakeholders in risk identification. By encouraging the participation of relevant business units and senior leadership in risk identification exercises, you significantly decrease the chances of omitting a key risk.
2. Employ a categorized approach to risk identification. The nine risk categories introduced in this section serve as useful signposts to guide brainstorming activities and organize risks according to IT’s core functions.
3. Identify and discuss county-specific risk factors. Government risk can be different from traditional business risk in meaningful ways. Consider the unique risks that the government sector is exposed to.

Risk Identification steps: Engage Stakeholder Participation; Use Risk Identification Frameworks; Compile IT-Related Risks.

Key metrics to consider:
• Total risks identified
• New risks identified
• Frequency of updates to the Risk Register Tool
• Level of business participation in enterprise IT risk identification
 o Number of business units represented
 o Number of meetings attended in person
 o Number of risk reports received

Info-Tech Insight: What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.

Partnering with the business is essential to risk identification success

Instructions:
1. Reach out to key business stakeholders identified in exercise 1.2.6 to participate in risk identification exercises.
2. If they are unable to attend, request that they review your completed risk register and provide feedback.
3. Document participants in section 5.1 of the Risk Management Program Manual.

79%: Organizations that were able to engage the business in risk identification were 79% more successful in identifying all risks than organizations where business participation was minimal.

Benefits of obtaining business involvement during the risk identification stage:
• You will identify risk events that you had not considered or that you weren’t aware of.
 ◦ The business can offer perspectives on risks that IT may have overlooked.
• You will identify risks more accurately.
 ◦ The business can reinforce IT’s knowledge about particular risks, and their overall impact on the organization.
• Risk identification is an opportunity to raise awareness of IT risk management early in the process.
 ◦ IT will raise its credibility by actively addressing the business’ concern about risk.

[Chart: Respondents who were successful in identifying risk (%). No business involvement: 48%. Business involvement: 86%. Survey: Info-Tech Research Group, N = 76]

Ensure that all key risks are identified by engaging key business stakeholders

Alternative Perspectives
All business units rely on the services and technologies that IT provides. They likely possess alternative perspectives on:
1. The value that IT provides to the business.
2. The corresponding business risk associated with the inability of IT to support business activities.

Info-Tech Insight: Obtaining business involvement when identifying risk is important because it is often a precursor to future business involvement during the risk assessment and risk response phases.

Prioritizing and Selecting Stakeholders
Obtaining the participation of every business unit may be a challenge. Prioritize stakeholders from the business using the following criteria:
1. Reliance on IT services and technologies to achieve business objectives.
2. Relationship with IT, and willingness to engage in risk management activities.
3. Unique perspectives, skills, and experiences that IT may not possess.

Info-Tech Insight: While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.

Take a top-down approach to risk identification to guide brainstorming

Info-Tech’s risk categories are consistent with a risk identification method called Risk Prompting.

A risk-prompt list is a list that categorizes risks into types or areas. The nine risk categories encapsulate the services, activities, responsibilities, and functions of most IT departments. Use these categories and the example risk scenarios provided as prompts to guide brainstorming and organize risks.

Risk Category: High-level groupings that describe risk pertaining to major IT functions. See the following slide for all nine of Info-Tech’s IT risk categories.

Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify 2–5 scenarios for each category.

Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario.

Risk Category | Risk Scenario | Risk Event
Data Risk | Data Integrity | Data recovery/loss
Data Risk | Data Theft | Loss of data due to stolen/lost device
Personnel Risk | IT Staffing | High turnover in key roles
Personnel Risk | IT Skills & Experience | Poorly defined roles and responsibilities
Vendor Risk | Vendor Management | Vendor performance requirements are improperly defined
Vendor Risk | Vendor Selection | Vendors are improperly selected to meet the defined use case

Add risk scenarios to the examples provided under each risk category

See below the nine risk categories with sample risk scenarios for each. This list is not exhaustive, but it provides a solid foundation.

Hardware Risks
• Hardware implementation errors
• Hardware configuration errors
• Hardware maintenance errors
• Hardware performance
• Theft
• Damage/destruction
• Hardware obsolescence

Software Risks
• Software implementation errors
• Software configuration & selection
• Software maintenance
• Software performance
• Software obsolescence

Operations Risks
• Capacity planning
• Operational errors

Project Risks
• Project scoping
• Project quality
• Project time over-runs
• Project cost over-runs

Personnel Risks
• IT staffing
• IT skills and experience

Data Risks
• Data theft
• Data integrity
• Data confidentiality
• Data availability

Vendor Risks
• Vendor selection
• Vendor management
• Vendor termination

Disaster & Business Continuity Risks
• Acts of nature (hurricane, etc.)
• Utility performance
• Industrial action
• System failure

Compliance & Security Risks
• Regulatory compliance
• Malware
• Externally originated attack
• Internally originated attack

Activity: Identifying risk events in the counties

Identify risk events: Operations, Hardware, Software

______

Activity: Identifying risk events in the counties

Identify risk events: Project, Personnel, Data

______

Activity: Identifying risk events in the counties

Identify risk events: Vendor, Disaster & Business Continuity, Compliance & Security

______

Discussion Debrief: Identifying risk events in the counties

Additional Notes

______

Carefully assess the severity of each risk event to reveal the organization’s greatest IT threats and vulnerabilities

In this section: Follow the steps to assess and prioritize IT risks.
1. Establish business-aligned risk thresholds for acceptable and unacceptable risk.
2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
3. Understand risk assessment methodologies.

Risk Assessment steps: Establish Thresholds for Unacceptable Risk; Learn Risk Assessment Fundamentals; Determine Risk Severity & Prioritize IT Risks.

Key metrics:
• Frequency of IT risk assessments
 o (Annually, bi-annually, etc.)
• Assessment accuracy
 o Percentage of risk assessments that are substantiated by later occurrences or testing
 o Ratio of cumulative actual costs to expected costs
• Assessment consistency
 o Percentage of risk assessments that are substantiated by third-party audit
• Assessment rigour
 o Percentage of identified risk events that undergo first-level assessment (severity scores)
 o Percentage of identified risk events that undergo second-level assessment (expected cost)
• Stakeholder oversight and participation
 o Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
 o Number of business stakeholder reviews per risk assessment

Review risk assessment fundamentals

Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

Calculating risk severity:

Probable Impact × Probability of Occurrence = Risk Severity

• Probable Impact: how much you expect a risk event to cost if it were to occur (e.g. $250,000, or High).
• Probability of Occurrence: calibrated by how likely the risk is to occur (e.g. 10%, or Low).
• Risk Severity: produces a dollar value or severity level for comparing risks (e.g. $25,000, or Medium).

The severity must then be evaluated against thresholds for acceptable risk (Risk Tolerance) and the cost of risk responses (Risk Response) in a cost-benefit analysis (CBA).

Info-Tech recommends a two-level approach to risk assessment

Review the two levels of risk assessment offered in this blueprint.

Risk severity-level assessment (mandatory)

[Figure: Assess Probability (Negligible, Low, Moderate, High, Very High) × Assess Impact (Negligible, Low, Moderate, High, Very High) = Output: Risk Severity Level.]

Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

Assess all of your identified risk events with a risk severity-level assessment.

• By creating a probability and impact assessment scale divided into 3–9 levels (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.

• In the following activities, you will create probability and impact scales that align with your organizational risk appetite and tolerance.

• Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.
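The two levels described above (a bucketed severity score for every risk event, then probability × impact in dollars for the severe ones, compared with the tolerance threshold and the cost of a response) can be written down as a small triage routine. The following is an added illustration, not Info-Tech's tool: the five-level probability and impact bands, the severity cut-offs, the $20,000 tolerance and the sample register are all assumptions, and the first sample event reproduces the slide's $250,000 × 10% = $25,000 example.

```python
"""Two-level IT risk assessment: a bucketed severity level for every risk
event (first pass), then an expected-cost assessment and cost-benefit check
for the severe ones (second pass). Added illustration; the scales, dollar
bands and sample register below are assumed, not Info-Tech's."""
from dataclasses import dataclass

LEVELS = ["Negligible", "Low", "Moderate", "High", "Very High"]

# Annual probability of occurrence: upper bound of each bucket (assumed scale).
PROB_BUCKETS = [(0.02, "Negligible"), (0.10, "Low"), (0.30, "Moderate"),
                (0.60, "High"), (1.00, "Very High")]
# Probable impact in dollars: upper bound of each bucket (assumed scale).
IMPACT_BUCKETS = [(10_000, "Negligible"), (50_000, "Low"), (200_000, "Moderate"),
                  (1_000_000, "High"), (float("inf"), "Very High")]
# Severity matrix: product of the 1-based level indices (1..25) cut into five
# severity levels (assumed cut-offs; tune them to the organization's tolerance).
SEVERITY_CUTOFFS = [(2, "Negligible"), (5, "Low"), (9, "Moderate"),
                    (15, "High"), (25, "Very High")]


@dataclass
class RiskEvent:
    name: str
    probability: float  # annual probability of occurrence, 0..1
    impact: float       # probable impact in dollars if the event occurs


def to_level(value, buckets):
    """Map a number onto the first bucket whose upper bound it does not exceed."""
    for upper, name in buckets:
        if value <= upper:
            return name
    return buckets[-1][1]


def severity_level(prob_level, impact_level):
    """Level 1: severity bucket from the probability and impact buckets."""
    product = (LEVELS.index(prob_level) + 1) * (LEVELS.index(impact_level) + 1)
    return to_level(product, SEVERITY_CUTOFFS)


def assess_severity(event):
    """Return (probability level, impact level, severity level) for one event."""
    p = to_level(event.probability, PROB_BUCKETS)
    i = to_level(event.impact, IMPACT_BUCKETS)
    return p, i, severity_level(p, i)


def expected_cost(event):
    """Level 2: probability x impact, in dollars."""
    return event.probability * event.impact


def response_net_benefit(event, response_cost, residual_probability, residual_impact=None):
    """Cost-benefit check for a proposed response: expected cost avoided minus
    the response's cost. Positive means the response is worth funding."""
    residual = RiskEvent(event.name, residual_probability,
                         event.impact if residual_impact is None else residual_impact)
    return expected_cost(event) - expected_cost(residual) - response_cost


def triage(events, tolerance_dollars, second_pass_levels=("Moderate", "High", "Very High")):
    """First pass on every event; second pass (expected cost) only on events at
    or above the chosen severity, compared with the business's tolerance."""
    report = []
    for ev in events:
        p, i, sev = assess_severity(ev)
        entry = {"name": ev.name, "probability": p, "impact": i, "severity": sev}
        if sev in second_pass_levels:
            ec = expected_cost(ev)
            entry["expected_cost"] = ec
            entry["acceptable"] = ec <= tolerance_dollars
        report.append(entry)
    # Most severe first; Python's sort is stable so ties keep register order.
    return sorted(report, key=lambda e: -LEVELS.index(e["severity"]))


SAMPLE_REGISTER = [  # constructed sample risk register
    RiskEvent("Data compromised by loss of mobile device", 0.10, 250_000),
    RiskEvent("High turnover in key roles", 0.30, 40_000),
    RiskEvent("Hardware obsolescence in a branch office", 0.01, 5_000),
]


def sample_triage(tolerance_dollars=20_000):
    return triage(SAMPLE_REGISTER, tolerance_dollars)


if __name__ == "__main__":
    for row in sample_triage():
        print(row)
    ev = SAMPLE_REGISTER[0]
    print("EMM with remote wipe at $15,000, cutting probability to 2%: net benefit",
          response_net_benefit(ev, 15_000, 0.02))
```

With the assumed bands, the mobile-device event lands in the Low × High cell and comes out Moderate, its expected cost of $25,000 exceeds the $20,000 tolerance, and a $15,000 response that cuts the probability to 2% shows a positive net benefit, which is the cost-benefit comparison the slide describes. Keeping the bands in one place makes it easy to show stakeholders exactly which threshold pushed a risk over the line.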

Incorporate reputational cost into risk assessments

It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
• For example, a government organization may be unable to directly quantify the cost of losing confidence and/or support of the public.
• A helpful technique is to reframe how reputational cost is assigned value.

Technique #1: Calculate the value of avoiding reputational cost

1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language. For example:
• A data breach which caused the unsanctioned disclosure of 2,000 client files has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
 o Loss of organizational trust in IT
 o IT’s reputation as a value provider to the organization is tarnished
 o Loss of client trust in the organization
 o Potential for a public reprimand of the organization by the government to restore public trust
2. Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.

Incorporate reputational cost into risk assessments (continued)

Realized risk events may have profound reputational costs that can impair your ability to meet your goals.

Technique #2: Create a parallel scale for reputational impact

Example: Visibility is a useful metric for measuring reputational impact. Visibility has two main dimensions:
• Internal vs. External
• Low Amplification vs. High Amplification

Internal/External: The further outside of the organization that the risk event is visible, the higher the reputational impact.

Low/High Amplification: The greater the ability of the actor to communicate and amplify the occurrence of a risk event, the higher the reputational impact.

Reputational impact scale:
• External, High Amplification (regulators, lawsuits): Extreme
• External, High Amplification (media): High
• External, Low Amplification (competitors): Moderate
• Internal, High Amplification (CEO): Low
• Internal, Low Amplification (IT): Negligible

Employ common techniques to evaluate probability and impact

Refine your risk assessment process by developing more accurate estimates of probability and impact.

Intersubjective Probability
The goal of the expected cost assessment is to develop robust intersubjective estimates of probability and financial impact. By aggregating a number of expert opinions of what they deem to be the “correct” value, you will arrive at a collectively determined value that better reflects reality than an individual opinion.

Justifying Your Estimates
When asked to explain the numbers you arrived at during the risk assessment, pointing to an assessment methodology gives greater credibility to your estimates.
• Assign one individual to take notes during the assessment exercise.
• Have them document the main rationale behind each value and the level of consensus.

Example: The Delphi Method
The Delphi Method is a common technique to produce a judgement that is representative of the collective opinion of a group.
• Participants are sent a series of sequential questionnaires (typically by email).
• The first questionnaire asks them what the probability, probable impact, and expected cost is for a specific risk event.
• Data from the questionnaire is compiled and then communicated in a subsequent questionnaire, which encourages participants to restate or revise their estimates given the group’s judgements.
• With each successive questionnaire, responses will typically converge around a single intersubjective value.

Info-Tech Insight: The underlying assumption behind intersubjective probability is that group judgements are more accurate than individual judgements. However, this may not be the case at all. Sometimes a single expert opinion is more valuable than many uninformed opinions. Defining whose opinion is valuable and whose is not is an unpleasant exercise; therefore, selecting the right personnel to participate in the exercise is crucial.
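The Delphi rounds above need a consistent way to compile each questionnaire, feed the group's position back, and decide when the responses have converged enough to stop. The following is an added illustration of that aggregation step, not part of Info-Tech's method: the convergence rule (interquartile range within 25% of the median) and the three rounds of sample estimates are constructed assumptions, and the last round is chosen to converge on the slide's 10% × $250,000 example.

```python
"""Aggregate Delphi-style estimates of probability and impact over successive
questionnaire rounds, summarize each round for feedback to participants, and
stop once the group's estimates converge. Added illustration; the round data is
constructed, not a real survey."""
from statistics import median, quantiles


def summarize(estimates):
    """Median and interquartile range (IQR) of one round's estimates."""
    if len(estimates) < 2:
        raise ValueError("a Delphi round needs at least two participants")
    q1, _, q3 = quantiles(estimates, n=4)
    return {"median": median(estimates), "iqr": q3 - q1}


def converged(summary, tolerance=0.25):
    """Converged when the spread is at most `tolerance` of the median (assumed rule)."""
    m = summary["median"]
    return summary["iqr"] <= tolerance * m if m > 0 else summary["iqr"] == 0


def run_delphi(rounds, tolerance=0.25):
    """rounds: one dict per questionnaire round with 'probability' and 'impact'
    lists (one estimate per participant). Later rounds are assumed to have been
    answered after seeing the previous round's summary. Returns the per-round
    summaries, the round at which both quantities converged (None if never),
    and the expected cost from the last round's medians."""
    if not rounds:
        raise ValueError("no rounds to aggregate")
    history, converged_round = [], None
    for idx, rnd in enumerate(rounds, start=1):
        p, i = summarize(rnd["probability"]), summarize(rnd["impact"])
        history.append({"round": idx, "probability": p, "impact": i})
        if converged(p, tolerance) and converged(i, tolerance):
            converged_round = idx
            break  # no further questionnaire needed
    last = history[-1]
    return {
        "rounds": history,
        "converged_round": converged_round,
        "expected_cost": last["probability"]["median"] * last["impact"]["median"],
    }


# Constructed sample: five participants estimating one risk event over three rounds.
SAMPLE_ROUNDS = [
    {"probability": [0.05, 0.10, 0.30, 0.50, 0.20],
     "impact": [100_000, 250_000, 400_000, 150_000, 300_000]},
    {"probability": [0.10, 0.12, 0.15, 0.20, 0.10],
     "impact": [200_000, 250_000, 250_000, 220_000, 260_000]},
    {"probability": [0.10, 0.10, 0.12, 0.12, 0.10],
     "impact": [250_000, 250_000, 240_000, 260_000, 250_000]},
]


def sample_delphi():
    return run_delphi(SAMPLE_ROUNDS)


if __name__ == "__main__":
    result = sample_delphi()
    for r in result["rounds"]:
        print(r)
    print("converged in round", result["converged_round"],
          "expected cost", result["expected_cost"])
```

The median and IQR are what goes back to participants between rounds; they are robust to a single outlying estimate, which matters when one participant is far better informed than the rest (the concern raised in the insight above). Reporting the IQR alongside the final value also gives the note-taker a ready-made measure of the level of consensus.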

Debrief: Identify impact and probability for risk events

Additional Notes

______

PHASE 3: Monitor, Communicate, and Respond to IT Risk

Build a Business-Driven IT Risk Management Program

Select the most effective response to your high-priority risks

In this section:
1. Actively monitor threats and vulnerabilities.
2. Identify risk response actions that will address top risks.
3. Explore county-specific risk incidents.

Risk Response steps: Establish Monitoring Responsibilities; Identify Risk Response Actions; Explore County-Specific Risks.

31%: Organizations with a formal program for managing IT risk were 31% more successful in mitigating risk than organizations with an ad hoc approach. (Info-Tech Research Group, N=76)

Key metrics:
• Number of top risks without an identified risk response.
• Percentage of risk events with a positive expected cost.
• Number and severity of realized risk events that were accepted by the business.
• Total number of risk responses assigned.
• Percentage of risk responses funded and turned into projects.
• Expected cost of implementing risk responses.
• True cost of implementing risk responses.
• Number of risk event action plans reviewed by senior leadership.

Info-Tech Insight: Merely being aware of your greatest risks is not enough. IT departments with a formal program for managing risk are more successful because they possess mechanisms that turn risk priorities into fully funded projects that have the support of the business.

KRI metrics are a key tool to keep in your monitoring toolbox

What are KRIs?

• KRI stands for “Key Risk Indicator.” • KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds. • KRIs should serve as trip-wires or early-warning indicators that trigger further actions to be taken on the risk.

Ensure that you clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates).

The risk owner should be held accountable for monitoring their assigned risks, but may delegate responsibility for these tasks.

Example: KRI metrics are a key tool to keep in your threat monitoring toolbox

Risk Event: Cloud vendor being acquired or going out of business

KRI | Metric | Method | Escalation Threshold | Escalate To
Financial health | Share price | Monitor share prices | Falls below $X | CIO
Potential for merger or acquisition | Number of recent mergers or acquisitions in the industry | Market research | More than one industry consolidation in the last year | CIO
Potential for merger or acquisition | Indication from the vendor | Intel from vendor reps | Two or more vendor reps predicting acquisition | CIO
Dependence on vendor | Number of alternative vendors identified | Consult with strategic sourcing/vendor management personnel | Fewer than two alternative vendors | CIO
Dependence on vendor | Estimated cost to transition to new vendor | Consult with strategic sourcing/vendor management personnel | Greater than $X | CIO

Once an escalation threshold is breached, risk owners must report to a senior member of the IT risk council or to the leadership team, who determines the next action to be taken.
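A KRI table like the one above is only useful if someone actually evaluates it each monitoring cycle and a missing observation is not mistaken for a healthy one. The following is an added illustration, not part of the Info-Tech toolkit: it encodes the five KRIs for the cloud-vendor risk event as threshold tests, runs them over one cycle of observations, and reports both the breaches to escalate and the KRIs nobody collected data for. The "$X" figures and the observed values are assumed, constructed data.

```python
"""Evaluate key risk indicators (KRIs) against escalation thresholds and
return what must be escalated, and to whom. Added illustration using the
cloud-vendor risk event above; threshold values and the observed data are
assumed, not taken from any real vendor."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Any, Callable

SHARE_PRICE_FLOOR = 12.00          # the slide's "$X" for share price, assumed
TRANSITION_COST_CEILING = 150_000  # the slide's "$X" for transition cost, assumed


@dataclass(frozen=True)
class KRI:
    name: str
    metric: str                      # key in the observations dict
    breached: Callable[[Any], bool]  # escalation threshold as a predicate
    escalate_to: str


@dataclass
class Escalation:
    kri: str
    observed: Any
    escalate_to: str


def within_last_year(dates, today):
    """Count events dated within the last 365 days (the slide's 'in the last year')."""
    cutoff = today - timedelta(days=365)
    return sum(1 for d in dates if cutoff < d <= today)


def vendor_kris(today):
    """The five KRIs from the table, with the delegate-observed metric each one reads."""
    return [
        KRI("Financial health", "share_price",
            lambda v: v < SHARE_PRICE_FLOOR, "CIO"),
        KRI("Potential for merger or acquisition (industry)", "industry_merger_dates",
            lambda v: within_last_year(v, today) > 1, "CIO"),
        KRI("Potential for merger or acquisition (vendor)", "reps_predicting_acquisition",
            lambda v: v >= 2, "CIO"),
        KRI("Dependence on vendor (alternatives)", "alternative_vendors",
            lambda v: v < 2, "CIO"),
        KRI("Dependence on vendor (transition cost)", "transition_cost",
            lambda v: v > TRANSITION_COST_CEILING, "CIO"),
    ]


def evaluate(kris, observations):
    """Check every KRI. Returns (escalations, missing): a KRI with no observation
    is reported as missing rather than silently treated as healthy."""
    escalations, missing = [], []
    for kri in kris:
        if kri.metric not in observations:
            missing.append(kri.name)
            continue
        value = observations[kri.metric]
        if kri.breached(value):
            escalations.append(Escalation(kri.name, value, kri.escalate_to))
    return escalations, missing


# Constructed sample observations for one monitoring cycle.
TODAY = date(2024, 6, 30)
SAMPLE_OBSERVATIONS = {
    "share_price": 9.50,
    "industry_merger_dates": [date(2024, 2, 1), date(2024, 5, 15), date(2022, 11, 3)],
    "reps_predicting_acquisition": 1,
    "alternative_vendors": 1,
    "transition_cost": 90_000,
}


def sample_run():
    return evaluate(vendor_kris(TODAY), SAMPLE_OBSERVATIONS)


if __name__ == "__main__":
    escalations, missing = sample_run()
    for e in escalations:
        print(f"ESCALATE to {e.escalate_to}: {e.kri} (observed {e.observed})")
    for m in missing:
        print(f"NO DATA: {m}")
```

In the sample cycle the share price, the industry consolidation count and the shortage of alternative vendors all breach their thresholds, so three items go to the CIO while the vendor-rep and transition-cost indicators stay quiet. Running the same evaluation with an empty observations dict returns five missing KRIs, which is the signal a risk owner should treat as a monitoring failure in its own right.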

Take actions to avoid the risk entirely

1 Risk Avoidance

Risk Avoidance 101

• Risk avoidance involves taking evasive maneuvers to avoid the risk event. • Risk avoidance targets risk probability, decreasing the likelihood of the risk event occurring. o Since risk avoidance measures are fairly drastic, the probability is often reduced to negligible levels. • However, risk avoidance response actions often sacrifice potential benefits in order to eliminate the possibility of the risk entirely. • Typically, risk avoidance measures should only be taken for risk events with extremely high severity, and when the severity (expected cost) of the risk event exceeds the cost (benefits sacrificed) of avoiding the risk.

Example

Risk event: Information security vulnerability from third-party cloud services provider.
• Risk avoidance action: Store all data in-house.
• Benefits sacrificed: Cost-savings, storage flexibility, etc.

Pursue projects that reduce the likelihood or impact of the risk event

2 Risk Mitigation

Risk Mitigation 101

• Risk mitigation actions are risk responses that reduce the probability and/or impact of the risk event.
• Risk mitigation actions can either be to implement new controls or enhance existing ones.

Risk Event: Data compromised by loss of mobile device.

Example 1: Most risk responses will reduce both the probability of the risk event occurring and its potential impact.

Mitigation: Purchase and implement Enterprise Mobility Management (EMM) software with remote wipe capability.
• EMM reduces the probability that sensitive data is accessed by a nefarious actor.
• The remote-wipe capability reduces the impact by closing the window during which sensitive data can be accessed from a lost device.

Example 2: However, some risk responses will have a greater effect on decreasing the probability of a risk event with little effect on decreasing impact.

Mitigation: Create policies that restrict which personnel can access sensitive data on mobile devices.
• This mitigation decreases the number of corporate phones that have access to (or are storing) sensitive data, thereby decreasing the probability that a lost or stolen device exposes sensitive data. It does nothing for the impact when a device that does hold sensitive data is lost.

Example 3: Others will reduce the potential impact without decreasing its probability of occurring.

Mitigation: Utilize robust encryption for all sensitive data.
• Corporate-issued mobile phones are just as likely to fall into the hands of nefarious actors, but the financial impact they can inflict on the organization is greatly reduced.

Pursue projects that reduce the likelihood or impact of the risk event (continued)

Use the following IT functions to guide your selection of risk mitigation actions:

A Process Improvement
Key processes that would most directly improve the risk profile:
• ______
• Vendor Management

B Personnel
• Greater staff depth in key areas
• Increased discipline around documentation
• ______
• Training

C Infrastructure Management
• Disaster Recovery / Business Continuity Plan
• Redundancy & Resilience
• Preventative Maintenance
• Physical Environment Security

D Rationalization and Simplification
This is a foundational activity, as complexity is a major source of risk:
• Application Rationalization – reducing the number of applications
• Data Management – reducing the volume and locations of data

Transfer risks to a third party

3 Risk Transfer

Risk transfer is the exchange of uncertain future costs for fixed present costs.

Insurance

The most common form of risk transfer is the purchase of insurance.
  o The uncertain future cost of an IT risk event can be transferred to an insurance company who assumes the risk in exchange for insurance premiums.
  o The most common form of IT-relevant insurance is cyber-insurance.

Not all risks can be insured. Insurable risks typically possess the following 5 characteristics: 1
1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
2. The insured cannot profit from the occurrence of the risk event.
3. The loss must be able to be measured in monetary terms.
4. The organization must have an insurable interest (it must be the party that incurs the loss).
5. An insurance company must offer insurance against that risk.

Other Forms of Risk Transfer

• Self-insurance
  o Appropriate funds can be set aside in advance to address the financial impact of a risk event should it occur.
• Warranties
• Contractual transfer
  o The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
  o For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.

Note that transfer moves the financial cost, not the accountability: the organization remains responsible to regulators, residents, and partners for the outcome, so a transferred risk still needs an owner and still belongs in the risk register.

1: M_o_R, 2007

Accept risks that fall below established thresholds or are prohibitively expensive to address

4 Risk Acceptance

Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat. You may choose to accept a risk event for one of the following 3 reasons:

1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
2. The risk severity (expected cost) exceeds acceptability thresholds, but every available risk avoidance, mitigation, and transfer measure is either ineffective or costs more than the risk it would reduce.
3. The risk severity (expected cost) exceeds acceptability thresholds, but there are no feasible risk avoidance, mitigation, or transfer measures to be implemented.

Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
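The four responses on slides 37 to 41 (avoid, mitigate, transfer, accept) all come down to one comparison: the expected cost of the untreated risk against the cost of each response plus the expected cost that remains after it. The following is an added example written for this edit, not Info-Tech's Risk Costing Tool or any code from the workbook. It uses the mobile-device risk event from the mitigation slide; the probability, impact, response costs and reduction factors are constructed numbers, and the mapping of the three acceptance reasons onto the code paths is the editor's.

```python
"""Added example: choose a risk response (avoid / mitigate / transfer / accept)
by comparing expected costs. Not from the Info-Tech/CSAC workbook; all
numbers are constructed for the slide's "loss of mobile device" risk event."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # likelihood of the event in one year, 0..1
    impact: float        # cost to the organization if it occurs

    @property
    def expected_cost(self) -> float:
        return self.probability * self.impact


@dataclass(frozen=True)
class Response:
    name: str
    kind: str                  # "avoid", "mitigate" or "transfer"
    annual_cost: float         # money spent, or benefits sacrificed, per year
    probability_factor: float  # residual probability = probability * factor
    impact_factor: float       # residual impact = impact * factor

    def residual(self, risk: Risk) -> Risk:
        return Risk(risk.name, risk.probability * self.probability_factor,
                    risk.impact * self.impact_factor)

    def total_cost(self, risk: Risk) -> float:
        """What the organization pays if it picks this response: the response
        itself plus the expected loss that it leaves behind."""
        return self.annual_cost + self.residual(risk).expected_cost


def choose_response(risk: Risk, options: List[Response],
                    acceptance_threshold: float) -> Tuple[str, str]:
    """Return (chosen response, reason). Acceptance is always on the table and
    costs exactly the untreated expected cost; the numbered reasons match the
    three acceptance reasons on the slide."""
    untreated = risk.expected_cost
    if untreated <= acceptance_threshold:
        return "accept", (f"expected cost {untreated:,.0f} is within the "
                          f"threshold {acceptance_threshold:,.0f} (reason 1)")
    best = min(options, key=lambda o: o.total_cost(risk), default=None)
    if best is None:
        return "accept", "no feasible avoidance, mitigation or transfer measure (reason 3)"
    if best.total_cost(risk) >= untreated:
        return "accept", (f"cheapest response ({best.name}) costs "
                          f"{best.total_cost(risk):,.0f}, not less than the untreated "
                          f"{untreated:,.0f} (reason 2)")
    return best.name, (f"{best.kind}: total cost {best.total_cost(risk):,.0f} "
                       f"vs untreated expected cost {untreated:,.0f}")


# Constructed numbers for the slide's risk event.
MOBILE_RISK = Risk("Data compromised by loss of mobile device",
                   probability=0.30, impact=400_000)

MOBILE_OPTIONS: List[Response] = [
    # avoid: no corporate data on mobile at all; sacrificed productivity is the cost
    Response("Ban corporate data on mobile devices", "avoid", 150_000, 0.0, 1.0),
    # mitigate: slide's example 1, cuts both probability and impact
    Response("EMM with remote wipe", "mitigate", 30_000, 0.5, 0.4),
    # mitigate: slide's example 2, probability only
    Response("Restrict which personnel may access sensitive data on mobile",
             "mitigate", 5_000, 0.6, 1.0),
    # mitigate: slide's example 3, impact only
    Response("Encrypt all sensitive data at rest", "mitigate", 20_000, 1.0, 0.1),
    # transfer: premium buys down most of the financial impact
    Response("Cyber-insurance", "transfer", 60_000, 1.0, 0.3),
]

if __name__ == "__main__":
    print(f"untreated expected cost: {MOBILE_RISK.expected_cost:,.0f}")
    for o in MOBILE_OPTIONS:
        print(f"  {o.kind:<9} {o.name:<55} {o.total_cost(MOBILE_RISK):>10,.0f}")
    print(choose_response(MOBILE_RISK, MOBILE_OPTIONS, acceptance_threshold=25_000))
```

With these numbers the untreated expected cost is 120,000; encryption wins at 32,000 total, EMM is next at 54,000, and outright avoidance at 150,000 costs more than the risk it removes, which is exactly the case the avoidance slide warns about. The comparison is pure expected value: for an event whose impact alone would be intolerable (the "extremely high severity" case), leadership may still choose avoidance or transfer even when the arithmetic favors accepting, and that decision needs the documentation and senior approval described above.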

Activity: Identify risk responses and assess their effectiveness

Notes ______

______

______

______

______

______

______

______

______

______

Activity: Identify risk responses and assess their effectiveness

Notes ______

______

______

______

______

______

______

______

______

______

Debrief: Identify risk responses and assess their effectiveness

Notes ______

______

______

______

______

______

______

______

______

______

Reflection: My Takeaways on the Day

Most Important Things I Heard

1. ______
2. ______
3. ______
4. ______
5. ______
6. ______

Things I Plan to Do

1. ______
2. ______
3. ______
4. ______
5. ______
6. ______

A preview of your Post-Read Package…

Tool Name and Description | Info-Tech Tools and Templates

1. IT Risk Event Analysis: Use the IT Risk Profile Tool to continuously document, track, and report risk events as part of your risk management strategy. Use risk dashboards and reporting as part of your ongoing communication plan with business leaders.
   Tool: IT Risk Profile Tool

2. Defined and enforced thresholds for (un)acceptable risk: This is a dynamic tool that captures identified risks, assesses their severity based on your organization's risk appetite, and documents risk response actions. Use this tool to actively manage your IT risk portfolio and conduct periodic risk assessments.
   Tool: Risk Register Tool

3. Cost-benefit analysis: It’s impossible to make intelligent decisions about risks without knowing what they’re worth. Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s greatest risks.
   Tool: Risk Costing Tool

A preview of your Post-Read Package…

Tool Name and Description | Info-Tech Tools and Templates

4. Ongoing: This blueprint seizes the momentum you created by building a robust IT risk management program, and creates a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
   Tool: See Info-Tech’s Revive Your Risk Management Program With a Regular Health Check blueprint.

5. Business alignment
   Risk Report: Create a succinct, impactful document that summarizes the outcomes from the risk assessment and highlights the IT risk council’s top recommendations to the senior leadership team.
   Risk Event Action Plan: Use this template to ensure that high-priority risks are closely monitored and that changes in risk severity are detected and reported. This tool also provides support so that critical information is shared with management so they can make informed risk decisions.
   Tools: Risk Report; Risk Event Action Plan

A preview of your Post-Read Package…

Tool Name and Description | Info-Tech Tools and Templates

6. Risk Management Program Improvement
   Risk Management Program Improvement Plan: Jump-start operational improvements to your IT risk management program by generating a risk management program improvement plan. Use this template to:
   • Document challenges faced by the risk management program since the last assessment period.
   • Document initiatives generated and assign the liable action owner and the expected timeframe for completion.
   • Communicate your IT risk management program’s successes and accomplishments.
   Risk Management Program Manual: Formalizing a risk management program requires creating repeatable and iterative processes, and documenting best practices. Create a comprehensive manual to serve as the cornerstone of your risk management program – a single reference point for how IT governs, identifies, assesses, and responds to risk.
   Tools: Risk Management Program Improvement Plan; Risk Management Program Manual


ABOUT CSAC INSTITUTE The California State Association of Counties (CSAC) is the voice of California’s 58 counties at the state and federal level. The Association’s long-term objective is to significantly improve the fiscal health of all California counties – from Alpine County with a little more than 1,200 people to Los Angeles County with more than 10 million – so they can adequately meet the demand for vital public programs and services. CSAC also places a strong emphasis on educating the public about the value and need for county programs and services. The CSAC Institute for Excellence in County Government is a professional, practical continuing education program for county officials operated by the California Counties Foundation, a 501(c)(3) charity, on behalf of CSAC. The Institute is designed to expand the capacity and capability of county elected officials, senior executives and managers to provide extraordinary services to their communities. Nearly 5,000 county officials and senior staff have participated in classes since the Institute was established in 2008. For more information, please visit www.csacinstitute.org.