IT Governance Risk Assessment Worksheet
This table was developed through a series of discussions with the various business and IT stakeholders. It represents an assessment of the risk events that may occur if current issues are left unaddressed. It employs the risk assessment framework adopted by the Enterprise Risk Management initiative, where each risk is assessed from both an impact and a likelihood perspective. The approach to collecting these risks was not overly scientific, but it attempts to provide an overall view of the risks in relation to each other. The root causes of these risks are often shared, so focus on certain risks will clearly help reduce others. The intent of this exercise was to identify the key risks that constitute an ongoing threat to the University, so that management and staff attention can be mobilized toward identifying and taking action on risk mitigation. The Mitigation Strategies column identifies only a few suggestions; others will be identified as each risk is, in turn, assessed and addressed.
Enterprise Administrative Systems Risk Assessment, Version 2, 4/6/2018

Each risk is recorded under the same five headings: Risk Event, Impact of Risk, Supporting Symptoms, Likelihood of Occurrence and Mitigation Strategies.

1. Failure to comply with research agency requirements
Impact of Risk: Extreme. Major loss of funding. Inability to meet strategic goals. Potential Executive Action. Collateral impact to faculty (attract and retain) and to student growth. Impact to University reputation.
Supporting Symptoms: Access Controls. Reporting Capabilities. Data Quality. Timeliness/Currency of Information.
Likelihood of Occurrence: Very High. Have also had one small project that got shut down, and the recent CFI monitoring report was unsatisfactory. There are 6 months to ensure significant visible progress to address the Tri-Council Audit issues and to have a strong plan in place for those that are not yet addressed.
Mitigation Strategies: Some steps have been taken:
- Reorg/rebuild and retrain staff
- Get extra resources
Need to look at end-to-end (E2E) work flows and supporting systems. Need to identify, communicate and track what system improvements have been made to address these issues. Should ensure that supporting systems are defined with appropriate usability, availability and security characteristics to support the administrative needs of researchers.

2. Failure to meet committed student growth needs (2400 by 2010, with incremental increases each term)
Impact of Risk: High/Extreme. Loss of associated funding (tuition and performance envelope), increasing incrementally over time. Loss of new and existing students. Inability to meet strategic goals. Impact to University reputation. Collateral impacts to research, donations, etc. Potential Executive Action.
Supporting Symptoms: User/Systems Interface: student access, usability and timeliness of data response for student admin. processes (admissions, student awards, registration, etc.). Data/system Integration. Workflow Issues, causing delays due to manual effort/workload for staff. Data Quality.
Likelihood of Occurrence: Very High. Have already had several critical events. Will review admissions in September to determine how many students have gone elsewhere. Will be perceived as issues in the next admissions cycle in 5 months.
Mitigation Strategies: Need to have marked improvements by December to support the next admissions process. Supporting systems should provide the analytical and reporting capabilities in a timely fashion to support the admissions process.

3. (revised) Failure to support key business processes due to systems outages and support issues (operational risks)
Impact of Risk: High. Potential loss of revenue, penalties, loss of customer satisfaction, etc., depending on the nature of the failure (e.g. a payroll failure may result in late penalties from Revenue Canada of approximately $200K per day if late). Student and employee retention. Impact to University reputation.
Supporting Symptoms: Limited power capacity. Systems/infrastructure stability and support issues. Level of maintenance and sustaining of currency of infrastructure. Data/systems integration, e.g. HR with Parking, Cont. Ed, Campus Rec., etc.
Likelihood of Occurrence: Very High. Have had some near misses. As systems are added with existing staff, and support is insufficient, the risk increases. Multiple instances of poor documentation, single (or limited) points of staff dependency, and insufficient off-hours arrangements still exist.
Mitigation Strategies: Each business process would need to assess the appropriate mitigation strategies and to define manual or communication mitigation plans to provide some peace of mind. Establish a Service Availability and Recovery Plan for each service to document response procedures. Harden IT infrastructure in line with the service criticality as established in the Service Availability and Recovery Plans. Improve systems monitoring capability to provide early identification of issues. Establish an on-call process to ensure that support staff and an escalation channel are in place in case of outage. An overarching Capacity and Availability Plan would help define the investments required to meet current and evolving availability needs.

3. (old) Inability to pay staff due to system issues
Impact of Risk: Medium (if we take some actions to mitigate the impact of a failure). Employee retention. Impact to University reputation. Compliance with, and potential late penalties from, Revenue Canada (approximately $200K per day if late).
Supporting Symptoms: Systems/infrastructure stability and support issues. Data/systems integration: Parking, Cont. Ed, Campus Rec., etc.
Likelihood of Occurrence: High. Have had some near misses. The existence of 5 pays a month increases the likelihood of occurrence. Risk is particularly high with the 2 back-to-back pays at the end of the month.
Mitigation Strategies: Need to define manual or communication mitigation plans to provide some peace of mind. Establish a Service Availability and Recovery Plan. Determine what the Job Scheduling product can do to ensure jobs run smoothly. Establish an on-call process to ensure that support staff and an escalation channel are in place in case of outage.

4. Poor data: quality, timeliness and integration between systems
Impact of Risk: Extreme. Decisions resulting in tactical and strategic errors, e.g. admissions numbers, Student Awards, trust accounts, unit decisions, partner/donor activities. Over/under expenditures, e.g. researchers and units. Lack of a unified view of activity with partners and donors.
Supporting Symptoms: Data Quality. Timeliness/currency issues. Data/systems integration: synchronization is often done manually, e.g. Raiser's Edge and PeopleSoft. Limited reporting capabilities. Availability of and access to critical business systems.
Likelihood of Occurrence: Very High. This is happening today in many areas where units do not have accurate information to make decisions.
Mitigation Strategies: Some of this will be addressed by focusing on other priority areas.

5. External bodies take action against the University due to inaccurate external reporting
Impact of Risk: Extreme. Loss of funding or related penalties. Impact to University reputation.
Supporting Symptoms: Reporting Capabilities. Data Quality. Data/systems integration. Timeliness/currency issues (to a lesser degree, as most reporting has some lag period).
Likelihood of Occurrence: Very Low. Reports will get done, perhaps late, with some inaccuracies and/or with much manual effort.
Mitigation Strategies: Key aspects of this risk will be addressed by addressing more critical risks.

6. Failure to address Provincial Auditor requirements (Financial and Research)
Impact of Risk: Medium. Impact to University reputation. Potential for Executive Action. Impacts our ability to obtain Crime Insurance for the University, and the associated costs.
Supporting Symptoms: Access Controls. Data Quality.
Likelihood of Occurrence: High. Some issues have been raised repeatedly. There is some progress being made in some areas, not in others (Management).
Mitigation Strategies: Key aspects of this risk will be addressed by addressing more critical risks.

7. Reduced donations due to our inability to provide required donor reporting
Impact of Risk: High. Funding impact. Impact to University reputation. Collateral loss of students due to loss of scholarships and program/facility funding.
Supporting Symptoms: Data Quality. Reporting Capabilities. Timeliness/responsiveness.
Likelihood of Occurrence: Medium. Will increase over time as we are unable to provide sufficient donor reporting.
Mitigation Strategies: Manual efforts to ensure that donor information is provided.

8. Loss of Faculty due to frustration with administrative systems/processes
Impact of Risk: Medium. Reduced quality of programs. Increased recruitment costs and challenges. Loss of associated research. Impact on student satisfaction. Impact to University reputation.
Supporting Symptoms: User/Systems Interface. Workflow issues. Data/systems integration. Data Quality. Timeliness/Currency of Information.
Likelihood of Occurrence: Low. Likely decreasing for now as people are adjusting. This is only one of multiple reasons why people may leave.
Mitigation Strategies: Key aspects of this risk will be addressed by addressing more critical risks. Business process education: offer it and ensure participation. Admin support for infrequently used processes.

9. Loss of Staff due to frustration with administrative systems/processes
Impact of Risk: Medium. Reduced staff productivity. Increased recruitment costs and challenges. Increased business exposures. Impact on student satisfaction. Collateral impact on data quality and timeliness.
Supporting Symptoms: User/Systems Interface. Workflow issues. Data/systems integration. Data Quality. Timeliness/Currency of Information.
Likelihood of Occurrence: Low. There was likely some of this during the initial implementation. Likely decreasing for now as people are adjusting. This is only one of multiple reasons why people may leave.
Mitigation Strategies: Key aspects of this risk will be addressed by addressing more critical risks. Business process education: offer it and ensure participation. Admin support for infrequently used processes.

10. Loss of Researchers due to frustration with administrative systems/processes
Impact of Risk: Medium. Reduced research productivity. Loss of research dollars. Inability to meet strategic goals (research growth). Impact on academic quality and collateral losses. Impact to University reputation.
Supporting Symptoms: User/Systems Interface. Workflow issues. Data/systems integration. Data Quality. Timeliness/Currency of Information.
Likelihood of Occurrence: Low. Likely decreasing for now as people are adjusting. This is only one of multiple reasons why people may leave.
Mitigation Strategies: Key aspects of this risk will be addressed by addressing more critical risks. Business process education: offer it and ensure participation. Admin support for infrequently used processes.

11. Lost opportunities due to poor overall administrative efficiency
Impact of Risk: Extreme. The significant drain on resources in all units and faculties to deal with operational issues is detrimental to focusing on more strategic and value-adding activities.
Supporting Symptoms: Systems Interface. Workflow issues. Poor systems integration. Data Quality. Reporting Capabilities. Timeliness/Currency of Information.
Likelihood of Occurrence: Very High. This is happening in all units and faculties today.
Mitigation Strategies: Provide interim administrative staffing options to offload low-value tasks. Focus on areas that will have a significant work-reducing impact in critical areas.

12. Units and faculties create duplicate information systems due to integration issues
Impact of Risk: High. Increased costs, one-time and ongoing. Reduced productivity. Impact to University reputation. Collateral impacts to reporting capabilities.
Supporting Symptoms: Data Quality. Timeliness/Currency of information. Reporting capabilities. Workflow issues. Data/systems Integration. User/Systems Interface.
Likelihood of Occurrence: Very High. This is already happening, with the expectation of much more as issues remain unaddressed and units/faculties push to meet strategic goals.
Mitigation Strategies: Effective governance. Increase analytical and architectural capabilities.

13. System misuse and fraud due to ineffective system transactional authorization controls
Impact of Risk: High. Lost funds and over-expenditure. Impact to University reputation. Compliance with laws and with conditions of funding agencies and donors. FOIP issues.
Supporting Symptoms: Access Controls. Reporting capabilities. Data Quality.
Likelihood of Occurrence: High. There have already been a couple of incidents resulting in terminations. Unsure how many instances may be occurring, but the potential is there to be abused.
Mitigation Strategies: Need to establish metric capability. Access and authorization process and systems improvement. Improved policies and communication.

14. Inability to support growth in demand for new and existing IT services (infrastructure focus)
Impact of Risk: High. Inability to meet strategic goals and associated funding implications:
- Student growth
- Research growth
- Student experience
- Improved quality of teaching and learning
- Capital implementation program
Impact to University reputation.
Supporting Symptoms: Lack of power and associated environmental systems available to the data centre. Limited infrastructure capacity. Lack of currency in applications and infrastructure limits the ability to respond to new requests. Limited metrics exist to support ongoing continuous improvement/resource optimization.
Likelihood of Occurrence: Extreme. Power and many infrastructure elements are currently at or very close to capacity. Limited funding is available for infrastructure investments. Capacity growth for existing services could use up all available capacity.
Mitigation Strategies: Limited near-term mitigations are available without funding.
- Need to investigate an alternative sourcing strategy to off-load near-term power demand and/or rationalize servers where possible to reduce existing loads.
- Little opportunity exists to address processing capacity issues without turning other services off or down.
Longer term:
- Power expansion project has been approved for summer 08.
- Need to have plans, with supporting funding, in place to expand capacity in line with demand. A Capacity and Availability Plan would help to address this.

15. Inability to restore University systems in the event of a major IT disaster
Impact of Risk: Extreme. Potential loss of revenue, penalties, loss of customer satisfaction, etc., depending on the scope, timing and length of the associated outage. Student and employee retention. Impact to University reputation.
Supporting Symptoms: Limited power capacity. Systems/infrastructure stability and support issues. Level of data/systems integration, e.g. HR with Parking, Cont. Ed, Campus Rec., etc. Insufficient dollars are available to keep infrastructure at peak maintenance.
Likelihood of Occurrence: Low. U of C is not significantly vulnerable to most disaster scenarios, but the likelihood of some types of disasters (e.g. pandemic, power outage, terrorist/activist event) is increasing. Infrastructure is not designed for high resilience, and documentation for key systems is insufficient. Multiple instances of poor documentation and single (or limited) points of staff dependency still exist.
Mitigation Strategies: Continue with work on IT Disaster Recovery Plans in conjunction with the Enterprise Risk Management initiatives. Service Availability and Recovery Plans support that initiative. Hardening of infrastructure and creation of redundancies help to improve the situation. Implementing on-call policies will help ensure that people will be responsive in case of an actual disaster.

16. Inability to retain/attract necessary skill sets (staff capacity/capability)
Impact of Risk: High. Impacts ability to support technology and systems in support of the functional needs of the University. Impacts ability to address the other risks. Significantly compromises both the ability and the latency to respond to the evolving information technology needs of the University.
Supporting Symptoms: Workload issues. Funding issues. Limited staff capacity and capability to assess, design, build and support the services and supporting infrastructure. Single points of staff dependency. Inability to deliver on significant initiatives due to skills limitations in key areas. Staff retention. Stress. Staff in wrong roles. Unfilled roles. Project latency.
Likelihood of Occurrence: Extreme. There is a lack of sufficient resourcing in key skill areas. Increasing staff departures. Unable to attract key roles.
Mitigation Strategies: Compensation review. Can reallocate staff resources to a limited degree to focus on key priorities. Need to attract, contract or grow the required human resource capacity/capability:
- Hire consultants where needed
- Provide mentoring

17. Unwanted media attention as a result of a security breach: student, financial, medical or personal data compromise (e.g. lost/stolen laptop, website defacement, critical business systems becoming unavailable or untrustworthy)
Impact of Risk: High. Impact to University reputation. Potential loss of revenue, penalties, loss of customer satisfaction, etc., depending on the scope, timing and severity of the incident. Potential inability to meet strategic goals. Potential Executive Action. Compliance with laws and with conditions of funding agencies and donors. FOIP issues.
Supporting Symptoms: Weak access controls. Security controls not properly implemented. No security awareness training for faculty or staff. Security metrics not clearly defined. Security incident identification and response procedures not clearly defined. Confidentiality, Integrity and Availability at risk.
Likelihood of Occurrence: High. 18 incidents of "computer equipment theft since 2005". Laptop theft is generally on the rise (CHR example). The 2007 CSI/FBI computer crime survey estimates the cost of confidential data compromise at $6,073,150 (494 institutions, 11% educational).
Mitigation Strategies: Implement and maintain administrative, technical and physical safeguards: Identity Management; encryption technology; vulnerability assessments; security and privacy training; IDS/penetration testing.
Implicit Risk – Lack of single (or manageable) accountability to ensure that these risks are addressed collectively with an enterprise focus to provide effective mitigation.