Build an Organization-Driven IT Risk Management Program

Total pages: 16

File type: PDF, size: 1020 KB

Build an Organization-Driven IT Risk Management Program
Class Materials
In association with CSAC Institute (www.csacinstitute.org). Learn. Grow. Achieve.
Info-Tech Research Group

Today's Strategy for Risk Management

LEARN
• The right questions to ask of your peers to identify the critical importance of organizational risk management.
• The knowledge required to build a formal risk management process, best practices for mitigating the risks identified, and examples of internal controls to establish to achieve compliance with mitigation plans.

DO
• Develop the core risk management processes and skills necessary to be an effective risk leader through a series of activities and discussions.
• Discuss and uncover the current state of risk management in government agencies with fellow county peers, examples of risk management practices, and strategies for overcoming roadblocks.

GET
• IT risk management tools, templates, frameworks, and process documents.
• IT Risk Management Participant Workbook.

Seize the potential of risk management to better align IT with organizational goals

[Figure: CIOs say "IT creates value for the organization"; CEOs say "IT keeps the lights on".]

63% of CIOs and CEOs disagree about the objectives of IT.¹

IT risk management is an opportunity to enhance IT's profile in the eyes of the CEO and to align IT with the organization's strategic direction. Risk is money, and minimizing risk is money saved. Use your risk management program to illustrate how IT creates value for the business. Proactive risk management that translates IT risk into business language shows that IT decision making is focused on how IT can add to, and avoid detracting from, business value.

1: Info-Tech Research Group, 2015.

Poor IT risk management is expensive

IT risk is headline news:
• "Equifax data breach to cost insurers $125M"
• "Hackers steal Zomato data on 17 million users"
(Outlets shown on the slide: The Guardian, Yahoo Finance, The Wall Street Journal, CNN Money, The Australian, Computer Business Review.)

Discussion Debrief: The risk mindset requires an awareness of the organization's attitude toward risk

Risk tolerant: Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

Risk averse: Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance towards risk.

Risk conscious: Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives.

Unaware: Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives.

What do different risk management cultures look like?

Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Risk Tolerant
• You have no compliance requirements.
• You have no sensitive data.
• Customers do not expect you to have strong security controls.
• Revenue generation and innovative products take priority, and risk is acceptable.
• The organization does not have remote locations.
• It is likely that your organization does not operate within the following industries:
  o Finance
  o Health care
  o Telecom
  o Government
  o Research
  o Education

Moderate
• You have some compliance requirements, e.g.:
  o HIPAA
  o PIPEDA
• You have sensitive data, and are required to retain records.
• Customers expect strong security controls.
• Information security is visible to senior leadership.
• The organization has some remote locations.
• Your organization most likely operates within the following industries:
  o Government
  o Research
  o Education

Risk Averse
• You have multiple, strict compliance and/or regulatory requirements.
• You house sensitive data, such as medical records.
• Customers expect your organization to maintain strong and current security controls.
• Information security is highly visible to senior management and public investors.
• The organization has multiple remote locations.
• Your organization operates within the following industries:
  o Finance
  o Healthcare
  o Telecom

This is rooted in best practice; benefit from industry-leading best practices

The Government of the United Kingdom's M_o_R, the NIST framework, and RiskIT's IT Risk Framework provided best practices for IT risk governance, identification, and assessment. This material was modified to create Info-Tech's IT Risk Management Framework.

Info-Tech's IT risk management framework walks you through each step to achieve risk readiness

[Figure: IT Risk Management Framework, centred on Business Objectives, with the components Risk Governance, Risk Identification, Risk Assessment, Risk Response, Risk Communication, and Monitoring.]

66% of organizations lack a formal risk management program¹

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

Ad hoc approaches to managing risk fail because…

1. Ad hoc risk management is often reactionary.
• Without formalized procedures for managing IT risk, risk events are often "managed" after they have occurred.
• IT departments that spend most of their time putting out fires receive the lowest ratings for satisfaction and perceived value from business stakeholders.

2. Ad hoc risk management is often focused only on IT security.
• Organizations must respond to the entire spectrum of IT risk.
• A client who recently completed Info-Tech's methodology for risk identification and assessment found that only 15 of the 135 IT risks identified were related to security and compliance.

3. Ad hoc risk management lacks alignment with business objectives.
• Many IT risk assessments fail to communicate IT risks in a way that compels the business to take action.
• 63% of CEOs indicate they want IT to provide better risk metrics (CIO-CEO Alignment survey data, Info-Tech Research Group).

The results:
• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.

"Most IT departments aren't thinking about formal risk management, and if they are, it's back-of-the-napkin planning."
Ken Piddington, CIO & Executive Advisor, MRE Consulting

1: ESI International

PHASE 1
Review IT Risk Fundamentals and Governance
Build a Business-Driven IT Risk Management Program

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.

Create an IT risk governance framework that integrates with the business

Key Considerations. Why ad hoc risk management fails:
• Key stakeholders are left out or consulted only once risks have already occurred.
• Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
• Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
• Risk assessment occurs sporadically or only after a major risk event has already occurred.

[Figure: Risk Governance, made up of three activities: Identify Potential Challenges; Manage Stakeholders & Assign Accountability; Measure the Success of the Program.]

In this section:
1. Identify potential organizational challenges and discuss.
2. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

Key metrics to consider:
• Number of risk management processes done ad hoc.
• Frequency with which IT risk appears as an agenda item at IT steering committee meetings.
• Percentage of IT employees whose performance evaluations reflect risk management objectives.
• Percentage of IT risk council members who are trained in risk management activities.
• Number of open positions in the IT risk council.
• Cost of risk management program operations per year.

Info-Tech Insight: IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.