
CLASS MATERIALS

Build an Organization-Driven IT Risk Management Program

In association with the CSAC Institute (www.csacinstitute.org)
Info-Tech Research Group

Today's Strategy for Risk Management

LEARN
• The right questions to ask of your peers to identify the critical importance of organizational risk management.
• The knowledge required to build a formal risk management process, best practices for mitigating the risks identified, and examples of internal controls to establish in order to achieve compliance with mitigation plans.

DO
• Develop the core risk management processes and skills necessary to be an effective risk leader through a series of activities and discussions.
• Discuss and uncover the current state of risk management in government agencies with fellow county peers, along with examples of risk management practices and strategies for overcoming roadblocks.

GET
• IT risk management tools, templates, frameworks, and process documents.
• IT Risk Management Participant Workbook.

Seize the potential of risk management to better align IT with organizational goals

[Figure: CIOs say "IT creates value for the organization"; CEOs say "IT keeps the lights on".]

63% of CIOs and CEOs disagree about the objectives of IT.¹

IT risk management is an opportunity to enhance IT's profile in the eyes of the CEO, and to align IT with the organization's strategic direction. Risk is money, and minimizing risk is money saved. Use your risk management program to illustrate how IT creates value for the business. Proactive risk management that translates IT risk into business language shows that IT decision making is focused on how IT can add to, and avoid detracting from, business value.

1: Info-Tech Research Group, 2015.
Poor IT risk management is expensive

IT RISK IS HEADLINE NEWS
• "Equifax data breach to cost insurers $125M"
• "Hackers steal Zomato data on 17 million users"
(Outlets shown: The Guardian, Yahoo Finance, The Wall Street Journal, CNN Money, The Australian, Computer Business Review.)

Discussion Debrief: The risk mindset requires an awareness of the organization's attitude toward risk

Risk tolerant: Risk-tolerant organizations embrace the potential of accelerating growth and the attainment of business objectives by taking calculated risks.

Risk averse: Risk-averse organizations prefer consistent, gradual growth and goal attainment by embracing a more cautious stance towards risk.

Risk conscious: Risk-conscious organizations place a high priority on being aware of all risks impacting business objectives.

Unaware: Organizations that are largely unaware of the impact of risk generally believe there are few major risks impacting business objectives.
What do different risk management cultures look like?

Determine how your organization fits the criteria listed below. Descriptions and examples do not have to match your organization perfectly.

Risk Tolerant
• You have no compliance requirements.
• You have no sensitive data.
• Customers do not expect you to have strong security controls.
• Revenue generation and innovative products take priority, and risk is acceptable.
• The organization does not have remote locations.
• It is likely that your organization does not operate within the following industries:
  o Finance
  o Health care
  o Telecom
  o Government
  o Research
  o Education

Moderate
• You have some compliance requirements, e.g.:
  o HIPAA
  o PIPEDA
• You have sensitive data, and are required to retain records.
• Customers expect strong security controls.
• Information security is visible to senior leadership.
• The organization has some remote locations.
• Your organization most likely operates within the following industries:
  o Government
  o Research
  o Education

Risk Averse
• You have multiple, strict compliance and/or regulatory requirements.
• You house sensitive data, such as medical records.
• Customers expect your organization to maintain strong and current security controls.
• Information security is highly visible to senior management and public investors.
• The organization has multiple remote locations.
• Your organization operates within the following industries:
  o Finance
  o Healthcare
  o Telecom

This is rooted in best practice; benefit from industry-leading best practices

The Government of the United Kingdom's M_o_R, the NIST framework, and the Risk IT framework provided the best practices for IT risk governance, identification, and assessment that were adapted to create Info-Tech's IT Risk Management Framework.

Info-Tech's IT risk management framework walks you through each step to achieve risk readiness

[Figure: IT Risk Management Framework, centred on Business Objectives: Risk Governance, Risk Identification, Risk Assessment, Risk Response, Risk Monitoring, Risk Communication.]

66% of organizations lack a formal risk management program¹

If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.

Ad hoc approaches to managing risk fail because…

1. Ad hoc risk management is often reactionary.
• Without formalized procedures for managing IT risk, risk events are often "managed" after they have occurred.
• IT departments that spend most of their time putting out fires receive the lowest ratings for satisfaction and perceived value from business stakeholders.

2. Ad hoc risk management is often focused only on IT security.
• Organizations must respond to the entire spectrum of IT risk.
• A client who recently completed Info-Tech's methodology for risk identification and assessment found that only 15 of the 135 IT risks identified were related to security and compliance.

3. Ad hoc risk management lacks alignment with business objectives.
• Many IT risk assessments fail to communicate IT risks in a way that compels the business to take action.
• 63% of CEOs indicate they want IT to provide better risk metrics (CIO-CEO Alignment survey data, Info-Tech Research Group).

The results:
• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.

"Most IT departments aren't thinking about formal risk management, and if they are, it's back-of-the-napkin planning."
Ken Piddington, CIO & Executive Advisor, MRE Consulting

1: ESI International.

PHASE 1: Review IT Risk Fundamentals and Governance

Build a Business-Driven IT Risk Management Program

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.

Create an IT risk governance framework that integrates with the business

Why ad hoc risk management fails:
• Key stakeholders are left out, or are consulted only once risks have already occurred.
• Failure to employ consistent risk identification methodologies results in omitted and unknown risks.
• Risk assessments do not reflect organizational priorities and may not align with thresholds for acceptable risk.
• Risk assessment occurs sporadically, or only after a major risk event has already occurred.

Key Considerations:
[Figure: Risk Governance: Identify Potential Challenges; Manage Stakeholders & Assign Accountability; Measure the Success of the Program.]

In this section:
1. Identify potential organizational challenges and discuss.
2. Set clear risk management accountabilities and responsibilities for IT and business stakeholders.

Key metrics to consider:
• Number of risk management processes done ad hoc.
• Frequency with which IT risk appears as an agenda item at IT steering committee meetings.
• Percentage of IT employees whose performance evaluations reflect risk management objectives.
• Percentage of IT risk council members who are trained in risk management activities.
• Number of open positions on the IT risk council.
• Cost of risk management program operations per year.

Info-Tech Insight: IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.