Questioning the need for separate IT management frameworks

Nicolas Racz (1), Edgar Weippl (1), Andreas Seufert (2)

(1) Institut für Softwaretechnik und Interaktive Systeme, TU Wien, Favoritenstr. 9-11/188, 1040 Wien, Austria
(2) Institut für Business Intelligence, Steinbeis Hochschule Berlin
{racz, eweippl}@ifs.tuwien.ac.at; [email protected]

Abstract: The growing importance of enterprise risk management and the resulting integration efforts put the need for separate IT risk management frameworks in question. In this research we analyse common and distinct elements of the COSO enterprise risk management and ISACA Risk IT frameworks. The analysis affirms the hypothesis that separate IT risk management frameworks are redundant.

1 Motivation

The alignment of IT with business objectives is an important part of contemporary IT management. Ever since the creation of the terms “enterprise risk management” (ERM) and “governance, risk, and compliance” (GRC) the search for integration possibilities within these disciplines has been ongoing. However, as of today different frameworks are used for the management of business risks and IT risks. The emergence of horizontal integration (across disciplines and across departments) and vertical integration (across the organisational hierarchy and across process levels) has helped to realise that formerly separate approaches are often redundant [Mi07], which provokes the authors to establish the hypothesis that a separate management of IT risks might not be justified.

2 Status quo in research and practice

A quick scan of the ACM, SpringerLink and EmeraldInsight databases shows that in research as of today enterprise risk management and IT risk management (IT-RM) have hardly ever crossed paths. Foley uses ERM processes to manage security risks [Fo09]. In their high-level process model for IT GRC management, Racz et al. [RWS10] use COSO ERM [CO04] as risk management standard, assuming that the selection of a framework that does not focus on IT would facilitate integration with non-IT GRC in future research.

In practice enterprise risk management and IT risk management are also treated as separate topics. With ISO 31000:2009 [ISO09] (superseding AS/NZS 4360:2004 [AS04]) and ISO/IEC 27005:2008 [ISO08] the International Organization for Standardization treats ERM and information security risk management (including IT-RM) in two distinct standards. ISO 31000 does not even reference ISO/IEC 27005. The alignment of IT with business in practice is mainly done through the IT governance and management frameworks COBIT (Control Objectives for Information and related Technology [ITG07]) and ITIL (IT Infrastructure Library [OGC07]). These frameworks suggest enabling alignment through deriving IT goals from business goals.

We can conclude that while the connection of IT risks with business objectives is enforced at present, the merger of IT-RM with ERM on a process level is hardly looked at. The frame of reference for research of integrated GRC [Ra10] recommends identifying integration possibilities on the strategic, process, organisational and technology level. Strategically, through the alignment of IT goals with business goals, the integration is already ongoing. We suggest taking the next step and reviewing potential synergies of ERM and IT-RM on the process level. Following the claim of ERM to cover all risks of an enterprise, IT-RM should either be completely covered by ERM and therefore be redundant, or it might enhance the broader ERM through detailed consideration of IT specifics in the risk management process.

3 Methodology

As a first step in evaluating our hypothesis we decided to carry out an exemplary comparison of an ERM framework with an IT-RM framework. Of course a comparison of two frameworks is not representative, but we selected widely-used frameworks (see below) that therefore suffice to provide a first indication about the hypothesis' validity. The results should then be discussed with other experts at the Informatik 2010 GRC workshop before taking further action. The methodology applied consists of four steps. First, we selected a framework for ERM and one for IT-RM. Second, the frameworks' commonalities were identified. Third, we analysed the references of the ERM framework to IT risk and vice versa. Finally we discussed and summed up the results.

In the selection process for an ERM framework we considered ISO 31000:2009 and COSO ERM, two well-known standards for ERM. Their process models are very similar. On a high level they only differ in their wording. “Establishing the context” in the ISO standard corresponds to the “internal environment” of COSO ERM, “risk evaluation” and “risk treatment” equal “risk response” and “control activities”, etc. Eventually we opted for COSO ERM, as it is the successor of the widely implemented COSO framework for internal control [CO92], a de-facto standard explicitly acknowledged in the US Public Company Accounting Oversight Board Auditing Standard No. 5 for financial reporting [PCA07]. The standard is referenced in the Sarbanes-Oxley Act of 2002, which of all regulations passed in the new millennium probably has the strongest impact on risk management and internal control systems.

For IT risk management we chose the ISACA Risk IT Framework because it complements COBIT, which is arguably the most appropriate control and governance framework used by many organisations world-wide to ensure alignment of IT and business goals [RYC04]. The framework's importance is expected to grow since the new COBIT version 5, which is currently in development, plans to consolidate and integrate the Risk IT framework [ISA10]. ISO/IEC 27005:2008 was also considered. As it includes all aspects of information security (including non-IT aspects), its scope surpasses the ISACA framework, which is limited to information technology. In our opinion Risk IT is more detailed, and it draws out the specifics of IT-RM more clearly.

The identification of the frameworks' commonalities in the second phase of our research was done through a mapping of the described processes of ISACA Risk IT to those of COSO ERM. The documentation of COSO ERM proved to be a hurdle. On the highest level the framework consists of seven processes and the “internal environment” component. Unfortunately the processes are not broken down. Instead COSO just names the basic sub-components, such as “risk tolerance” or “inherent and residual risk”. In order to map the processes of ISACA Risk IT, we had to go through the complete description of the COSO components to find if the same processes were included.

The qualitative analysis of references from ERM to IT-RM and vice versa in the third research step was followed by a descriptive discussion and summary of the insights gained in the research process.

4 Results and discussion

4.1 Mapping of ISACA Risk IT to COSO ERM

Our comparison of risk management frameworks is based on the assumption that “risk” in ERM has the same characteristics as “risk” in IT-RM. In COSO ERM, risk is “the possibility that an event will occur and adversely affect the achievement of objectives; events with a potentially positive impact may offset negative impacts or they may represent opportunities” [CO04]. Throughout the framework “risk” then also refers to upside risk (opportunities). According to ISACA Risk-IT, IT risk is “a component of the overall risk universe of the enterprise [...]. IT risk is business risk [...]. It consists of IT-related events and conditions that could potentially impact the business” [ISA09]. The two frameworks consequently share a common understanding of the term “risk”.

ISACA Risk-IT consists of the three processes risk governance, risk evaluation, and risk response on level one, with three sub-processes each on level two. Level three comprises 43 processes. COSO ERM on the other hand describes 8 high-level processes with 41 sub-components. While the ERM framework is more profound on the internal environment component and on risk aggregation, Risk IT is more specific when it comes to IT-specific and communication processes. Still, all but seven of the IT-RM processes can easily be mapped to COSO components (see appendix A).

Two of the exceptions deal with ERM integration: “RG2.2: Co-ordinate IT risk strategy and business risk strategy”, and “RG2.3: Adapt IT risk practices to enterprise risk practices”. They treat the alignment of IT and business risks on a strategic and on a process level; we will analyse them later on in the section about ERM references in the IT-RM framework. Three other processes that could not be mapped belong to the process group “RG3: Make risk-aware business decisions”: “RG3.1: Gain management buy-in for the IT risk analysis approach”, “RG3.2: Approve IT risk analysis”, and “RG3.5: Prioritise IT risk response activities”. Management buy-in for risk analysis approaches and their approval is not explicitly mentioned in COSO ERM, but it could seamlessly be integrated with the “internal environment” component. Prioritisation of response activities is probably so self-evident that COSO ERM does not highlight it; in COSO the prioritisation could be part of risk response. Furthermore the processes “RE2.4: Perform a peer review of IT risk analysis” and “RE3.3: Understand IT capabilities” do not exist in COSO ERM. Peer reviews are a control mechanism that can be seamlessly included in the ERM process. Understanding IT capabilities is an extremely general “process” that is a prerequisite for any kind of IT activity, therefore suitable to be added to the “internal environment” component of COSO ERM.

As we can see, drawing from the standards IT risks may be treated like any other risk, as the IT-RM framework is completely absorbed in COSO ERM, apart from the ERM integration specifics (RG2.2, RG2.3) analysed below. The ISACA framework does not explain why an IT-specific risk management framework in the hierarchical relationship to ERM would be necessary. It even disposes of the distinction by stating that “IT risk is business risk”, consisting of “IT-related events that could potentially impact the business” [ISA09]. Thus the need for separate IT risk frameworks is questionable. It seems to be owed more to the complexity of IT, to habits and to the separation of IT and business responsibilities in modern organisations than to a real business reason.

4.2 References of COSO ERM to ISACA Risk IT and vice versa

In fact the Risk IT Framework (RG1.1) recommends taking a top-down, end-to-end look at business services and processes and identifying the major points of IT support. However it does little to support this advice. The relation to ERM is explicitly treated in the framework. “Integrate with ERM” as a sub-process of “risk governance” states as goal to integrate the IT risk strategy and operations with the business strategic risk decisions that have been made at the enterprise level. Five key activities shall help achieve this goal. Three of them are governance processes indispensable for any risk domain: establishing and maintaining accountability for IT-RM (RG2.1), providing adequate resources for IT-RM (RG2.4) and providing independent assurance over IT-RM (RG2.5). RG2.1 involves business with IT risk through risk ownership and the ability to address IT risk issues. RG2.4 weighs investing resources for IT risks with investments in competing business risk issues, thus surpassing the IT risk domain and respecting all risk domains of ERM. RG2.5 actually is not ERM-specific at all.

Consequently we are left with the two other processes allegedly dealing with ERM integration that could not be mapped to COSO ERM before: “co-ordinate IT risk strategy and business risk strategy” (RG2.2) and “adapt IT risk practices to enterprise risk practices” (RG2.3). RG2.2 requires to “integrate any IT specifics into one enterprise approach” and to define the IT department's role in operational risk management. Existing ERM principles and views of risk should be used wherever possible. How this integration works is not explained. RG2.3 demands that the business context for IT, and ERM expectations, activities and methods relevant to IT-RM be understood. IT-RM should be enhanced with useful ERM activities, ERM expectations should be met, and methods of other functions should be identified. The gaps between IT risk and ERM shall be closed – but the framework owes a clear explanation of how this could be done.

The COSO ERM framework on the other hand gives even less advice on IT-RM. It is only high-level guidance as far as IT is concerned, but specifics of IT risk management may still be considered on lower process levels [Mo07]. It mentions the importance of information systems controls due to the “widespread reliance on information systems” [CO04]. General controls shall ensure the continued, proper operation of information systems, while application controls ensure completeness, accuracy and validity of information. General controls are further subdivided into controls for information technology management, information technology infrastructure, security management and software acquisition, development and maintenance. Apart from these control-related hints there is no detailed reference in COSO ERM to information technology. IT risks are not even mentioned. Thus the COSO ERM document remains on a very high level, not helping practitioners deal with IT risks in the ERM context.

4.3 Discussion

Drawing on the results we see the hypothesis that a separate framework for IT-RM might not be necessary preliminarily affirmed. ISACA implies a hierarchical structure between ERM and IT-RM, but our research rather suggests that the IT-RM framework might inhibit the integration with ERM through introduction of a redundant framework into the process. Certainly the comparison of two frameworks is not sufficient to prove the hypothesis, but it is a hint that further efforts to confirm the assertion are worthwhile. Future research would have to provide real case study examples to prove the point.

In practice today IT-RM is started within the IT organisation and it is aligned with business mainly through business objectives. ERM is a top-down approach, and IT-RM is top-down within IT, but bottom-up on the enterprise level, as IT risks are analysed and subsequently linked to business objectives and quantifications from operational risk management. For example an IT risk manager might look at a database and identify the data therein, then find out which applications it is used in, next look at which business processes they support and, eventually, what the (financial) impact on these processes would be if the data lost its integrity, validity, privacy or availability [RS09]. Historically the coexistence of ERM and IT-RM can be explained because enterprise-wide approaches to risk have only emerged over the last decade (COSO ERM as the first ERM framework was only published in 2004). IT-RM meanwhile has been around for much longer due to ever-present IT security and operational issues.

We argue that the more reasonable way to manage risks would be to follow a business process top-down to all its enabling resources, be they human or natural resources, technology or information. Starting at the process level, business would have to consult IT as part of the ERM exercise to deliver the IT resources linked to a specific process on the application, data and infrastructure level. Then the events and risks (e.g. data loss due to a virus) could be analysed hand-in-hand by business and IT. The main advantage of this end-to-end approach is that only relevant, value-creating business processes would be considered, and that they could be prioritised early on.

5 Conclusion and future research

The analysis of the COSO ERM and ISACA Risk IT frameworks has shown that the need for a separate IT-RM framework indeed is questionable. The majority of IT-RM processes match the ERM components; the few remaining processes can be integrated with ERM. We recommend future research to evaluate the possibility of creating an integrated approach to IT risks within enterprise risk management that makes the application of separate IT-RM frameworks redundant.

Bibliography

[AS04] AS/NZS 4360:2004. Risk management. AS/NZS, 2004.
[CO92] COSO: Internal control – integrated framework. 1992. www.coso.org
[CO04] COSO: Enterprise risk management framework. 2004. www.coso.org
[Fo09] Foley, S.: Security Risk Management using Internal Controls. WISG, 2009.
[ISA09] ISACA: The Risk IT Framework. ISACA, Rolling Meadows, 2009.
[ISA10] ISACA: COBIT 5 Design Paper Exposure Draft. 2010. www.isaca.org
[ISO08] ISO/IEC 27005:2008. Information technology – Security techniques – Information security risk management. ISO/IEC, 2008.
[ISO09] ISO 31000:2009. Risk management – principles and guidelines. ISO, 2009.
[ITG07] IT Governance Institute: COBIT 4.1. ISACA, Rolling Meadows, 2007.
[Mi07] Mitchell, S.L.: GRC360: A framework to help organisations drive principled performance. In: Int. Journal of Disclosure and Governance, 4:4, 2007; pp. 279-296.
[Mo07] Moeller, R.R.: COSO Enterprise Risk Management. Wiley, New Jersey, 2007.
[OGC07] Office of Government Commerce: ITIL v3, 2007. http://www.itil-officialsite.com
[PCA07] Public Company Accounting Oversight Board: Auditing Standard No. 5. http://www.pcaobus.org/Rules/Rules_of_the_Board/Auditing_Standard_5.pdf
[Ra10] Racz, N.; Weippl, E.; Seufert, A.: A frame of reference for research of integrated governance, risk & compliance (GRC). In (De Decker, B.; Schaumüller-Bichl, I., Eds.): Communications and Multimedia Security. Springer, Berlin, 2010; pp. 106-117.
[RS09] Rath, M.; Sponholz, R.: IT-Compliance: Erfolgreiches Management regulatorischer Anforderungen. ESV Erich Schmidt Verlag, Berlin, 2009.
[RWS10] Racz, N.; Weippl, E.; Seufert, A.: A Process Model for Integrated IT Governance, Risk & Compliance Management. Databases and Information Systems VI. Selected Papers from the Ninth International Baltic Conference, DB&IS 2010.
[RYC04] Ridley, G.; Young, J.; Carroll, P.: COBIT and its utilization. A framework from the literature. 37th Hawaii International Conference on System Sciences Proceedings, 2004.

Appendix A

Mapping of ISACA Risk IT processes to COSO ERM components. “Risk communication” and “Risk culture” in the RITF are not part of the process model, but they are separately described in the framework document and have therefore been added. The wording of two mapped components might be very different, especially since the COSO components have very general names and sometimes include a variety of processes in their description. Each of the three authors first did the mapping on his own using the COSO ERM and ISACA Risk-IT process descriptions. Results were then merged and discrepancies were discussed until a joint decision could be taken.

| COSO ERM Framework | ISACA Risk IT Framework |
|---|---|
| 01 Internal environment | |
| 01.01 Risk management philosophy | |
| 01.02 Risk appetite | |
| 01.03 Risk culture | RG1.5 Promote IT risk-aware culture; Risk Culture |
| 01.04 Board of directors | |
| 01.05 Integrity and ethical values | |
| 01.06 Commitment to competence | |
| 01.07 Management philosophy and operating style | |
| 01.08 Organisational structure | |
| 01.09 Assignment of authority and responsibility | RG2.1 Establish and maintain accountability for IT risk management; RG2.4 Provide adequate resources for IT risk management |
| 01.10 Human resource policies and practices | |
| 01.11 Differences in environment | |
| 02 Objective setting | RE2.1 Define IT risk analysis scope |
| 02.01 Strategic objectives | |
| 02.02 Related objectives | RG2.4 Provide adequate resources for IT risk management |
| 02.03 Selected objectives | |
| 02.04 Risk appetite | RG3.3 Embed IT risk considerations in strategic business decision making |
| 02.05 Risk tolerance | RG1.2 Propose IT risk tolerance thresholds; RG1.3 Approve IT risk tolerance |
| 03 Event identification | |
| 03.01 Events | RE3.4 Update IT risk scenario components |
| 03.02 Factors influencing strategy and objectives | RE3.5 Maintain the IT risk register and IT risk map |
| 03.03 Methodology and techniques | RE3.6 Develop IT risk indicators |
| 03.04 Event interdependencies | RE1.3 Collect data on risk events |
| 03.05 Event categories | RE1.4 Identify risk factors |
| 03.06 Risks and opportunities | RR1.4 Identify IT-related opportunities |
| 04 Risk assessment | RG1.1 Perform enterprise IT risk assessment |
| 04.01 Inherent and residual risk | RG3.4 Accept IT risk (= accept residual risk) |
| 04.02 Likelihood and impact | RE2.2 Estimate IT risk; RE3.1 Map IT resources to business processes; RE3.2 Determine business criticality of IT resources |
| 04.03 Qualitative and quantitative methodologies and techniques | RE1.1 Establish and maintain a model for data collection; RE1.2 Collect data on the operating environment |
| 04.04 Correlation | |
| 05 Risk response | |
| 05.01 Identify risk responses | RE2.3 Identify risk response options |
| 05.02 Evaluate possible risk responses | RR1.3 Interpret independent IT assessment findings |
| 05.03 Select response | RR3.1 Maintain incident response plans; RR3.3 Initiate incident response |
| 05.04 Portfolio view | |
| 06 Control activities | |
| 06.01 Integration with risk response | RR2.1 Inventory controls |
| 06.02 Types of control activities | RR2.3 Respond to discovered risk exposure and opportunity |
| 06.03 General controls | RR2.4 Implement controls |
| 06.04 Application controls | |
| 06.05 Entity-specific | RR3.2 Monitor IT risk; RR2.2 Monitor operational alignment with risk tolerance thresholds |
| 08 Monitoring | |
| 08.01 Ongoing | |
| 08.02 Separate evaluations | RG2.5 Provide independent assurance over IT risk management |
| 08.03 Reporting deficiencies | |
| 07 Information and communication | |
| 07.01 Information | |
| 07.02 Strategic and integrated systems | |
| 07.03 Communication | RR2.5 Report IT risk action plan progress; RR3.4 Communicate lessons learned from risk events; RR1.1 Communicate IT risk analysis results; RR1.2 Report IT risk management activities and state of compliance; RG1.6 Encourage effective communication of IT risk; RG1.4 Align IT risk policy; Risk Communication |
