Enterprise IT Governance and

Risk Mgmt with COBIT Part VI-b

COBIT 5 for Risk
Dr. Yue Jeff Zhang
California State University, Northridge
1

Outline of the Course

1. IT governance overview
2. Introduction to COBIT 4.1
3. COBIT 4.1 framework
& Val IT and RiskIT

4. COBIT 5
5. Process Assessment Model
6. COBIT 5 for Risk
2

What is risk management?

The
identification,
assessment, and
prioritization
of risks (as the effect of uncertainty on objectives,
whether positive or negative) followed by
coordinated and economical application of resources
to
minimize,
monitor, and
control
the probability and/or impact of unfortunate events
or to maximize the realization of opportunities.
Wikipedia

Who is a risk manager?

We all manage risk
Life and business are complex; but Risk management should be simple

Use risk management approaches to Make business simpler

Use the right tool for the job

Manage and Capitalize on Business Risk

Enterprises achieve return by
taking risks.
Some try to eliminate the very
risks that drive profit.
Guidance was needed on how to manage
risk effectively.

Risk management tenet

Managing risk to business performance
Against specific objectives

ENABLES businesses to achieve the obj

Changing situations may bring gain or loss
Risk management ENABLES businesses to stay
on right track, to seize opportunities

Risk management should improve agility,

making it safer to move in a changing
environment
Human immunity analogy
7

Two views of business-related IT risk

IT is a tool that can be used to enable
the business
To seek better outcomes by reducing risk
to the business
Through improving consistency,
complying w controls, and reducing errors

IT is a tool that can break, or used

inefficiently, or cause harm if
misused/exploited maliciously
8

IT-related Risk in the Risk Hierarchy

Covers IT-related Risk Management

IT-related business risks cover all IT-related risks,
including:
Late project delivery
Not achieving
enough value
from IT
Compliance
Misalignment
Obsolete or
inflexible
IT architecture
IT service delivery
problems

10

Comparison of RiskIT and COBIT 5 for Risk

RiskIT was organized around domains and
processes, just as COBIT 4.1
COBIT 5 for Risk is organized around the 5
principles and seven enablers, just as COBIT
5
For every enabler, COBIT 5 for Risk then
approaches from
Stakeholders (who participate/be impacted)
Goals
Life cycle
Good practices this is the part that is the
action/solution part
11

Comparison (cont)
The second uniqueness of COBIT 5 for
Risk is that it organizes the analyses and
practices from two perspectives:
Risk function
Risk management

Risk Function can be understood as

the principles, polices, processes, org
structure, [do they sound familiar? Yes,
theyre the 7 enablers!] that are in place to
strengthen the org so it is better able to
face and handle risks.
The preparedness of an org against risks

12

Comparison (cont)
While Risk Management can be understood
as
the principles, polices, processes, org structure,
[again, the 7 enablers!] that are being
employed to curb and fight and redirect the
risks inMed
the caseMilitary
of their happeningRemarks
Perspective
analogy

analogy

Risk
function

Prevention Readiness and

deterrence

Long-term improvement of orgs

overall fitness against risks

Risk mgmt

Treatment

Direct handling of risks: analyses/

evaluation, response, recovery

Battle plan;
tactics

13

COBIT 5 FOR RISK

1. UNDERSTAND THE DRIVERS,
BENEFITS AND
TARGET AUDIENCES
FROM A RISK PERSPECTIVE

14

Drivers for Risk

To provide:
Stakeholders with substantiated
and consistent opinions over the
current state of risk throughout
the enterprise
Guidance on how to manage
risk to levels within the
enterprises risk appetite
Guidance on how to set up the
appropriate risk culture for the
enterprise
Quantitative risk assessments
enabling stakeholders to
consider the cost of mitigation
and the required resources
against the loss exposure
2013 ISACA.

The COBIT 5 for Risk

professional guide provides:
Guidance on how to use the
COBIT 5 framework to
establish the risk governance
and management function(s)
for the enterprise
Guidance and a structured
approach on how to use the
COBIT 5 principles to
govern and manage IT risk
Understanding of the
alignment of COBIT 5 for
Risk with other relevant
standards

All rights reserved.

15

Benefits of the Guidance

+ / - effect on the achievement

of business objectives

End-to-end guidance on how to manage risk

A common and sustainable approach for assessment and
response
A more accurate view of significant current and near-future
risk throughout the enterpriseand the impact of this risk on
the enterprise
Understanding how effective IT risk management optimises
value by enabling process effectiveness and efficiency
Opportunities for integration of IT risk management with the
overall risk and compliance structures w/in the ERM
Promotion of risk responsibility and its acceptance
Within
throughout the enterprise
2013 ISACA.

All rights reserved.

16

Target Audiences
Risk professionals across the enterprise:
Assistance with managing IT risk and incorporating IT risk
into ERM
Enterprise Risk Management
Boards and executive management:
Understanding of their responsibilities and roles with regard
to IT risk management
The implications of risk in IT to enterprise strategic
objectives
How to better optimise IT use for successful strategy
execution
IT and business management:
Understanding of how to identify and manage IT risk and
how to communicate IT risk to business decision makers
2013 ISACA.

All rights reserved.

17

Overall Logic of COBIT 5 for Risk

18

Overall Logic of COBIT 5 for Risk (cont)

19

Overall Logic of COBIT 5 for Risk (cont)

20

Clarification of Risk in COBIT 5 for Risk

When risk is referenced in COBIT 5 for Risk,
it is the current risk.
Figure 7 shows how inherent, current and residual
risk interrelate.

21

COBIT 5 FOR RISK

2. UNDERSTAND
THE COMPONENTS OF
RISK ACTIVITIES.

22

Key Risk IT Content: The What

Risk management essentials
In Risk Governance: Risk appetite and tolerance,
responsibilities and accountability for IT risk
management, awareness and communication, and
risk culture
In Risk Evaluation: Describing business impact
and risk scenarios
In Risk Response: Key risk indicators (KRI) and
risk response definition and prioritisation
Process model sections that contain:
Descriptions

Input-output tables

RACI (Responsible, Accountable, Consulted, Informed)

table

Goals and Metrics Table

Maturity model is provided for each domain

23

Risk IT framework
Domain

Time

Manner

Governance

Before

Always

Evaluation

During

Periodical

Response

After

In incident

Roughly, not
exactly; to help w
understanding and
memory

24

Risk Governance Domain

Risk Governance Essentials:
Responsibility and accountability for risk
Risk appetite and tolerance
Awareness and communication
Risk culture

25

Risk Evaluation Domain

Risk Evaluation Essentials:
Risk scenarios
Business impact descriptions

26

Risk Response Domain

Risk Response Essentials:
Key risk indicators (KRIs)
Risk response definition and
prioritisation

27

Risk Perspectives

Risk Function Perspective

COBIT 5 for Risk provides guidance
and describes how each enabler
contributes to the overall governance
and management of the risk function.
For example:
Which Processes are required to define
and sustain the risk function, govern
and manage risk
What Information flows are required
to govern and manage riske.g., risk
universe, risk profile
The Organisational Structures that are
required to govern and manage risk
effectivelye.g., enterprise risk
committee, risk function
What People and Skills should be put
in place to establish and operate an
effective risk function
2013 ISACA.

All rights reserved.

29

Risk Function Perspective

COBIT 5 for Risk defines
seven risk principles to:
Provide a systematic,
timely and structured
approach to risk
management
Contribute to
consistent, comparable
and reliable results
The risk principles
formalise and standardise
policy implementation
both the core IT risk policy
and supporting policies
e.g., information security
policy, business continuity
policy.
These policies provide more
detailed guidance on how to
put principles into practice
and how they will influence
decision making within an
enterprise.

2013 ISACA.

All rights reserved.

30

Risk Function Perspective (cont)

COBIT 5 for Risk defines seven risk principles to:
Provide a systematic, timely and structured
approach to risk management
Contribute to consistent, comparable and
reliable results
The risk principles formalise and standardise
policy implementationboth the core IT risk
policy and supporting policiese.g., information
security policy, business continuity policy.
These policies provide more detailed guidance on
how to put principles into practice and how they
will influence decision making within an
enterprise.
2013 ISACA.

All rights reserved.

31

Risk Function Perspective

COBIT 5 for
Risk identifies
all COBIT 5
processes that
are required to
support the risk
function:
Key
supporting
processes
dark pink
Other
supporting
processes
light pink
Core risk
processes,
shown in light
blue are also
highlighted
these processes
support the risk
management
perspective:
EDM03
Ensure risk
optimisatio
n.
APO12
Manage
risk.
.

All rights reserved.

32

Risk Function Perspective

COBIT 5 for Risk identifies all COBIT 5 processes that are required
to support the risk function:
Key supporting processes dark pink
Other supporting processes light pink
Core risk processes, shown in light blue are also highlightedthese
processes support the risk management perspective:
EDM03 Ensure risk optimisation.
APO12 Manage risk.

33

Risk Management Perspective

COBIT 5 for Risk provides specific guidance related to all enablers for the effective
management of risk:
The core Risk Management process(es) used to implement effective and efficient risk
management for the enterprise to support stakeholder value
Risk Scenarios, i.e., the key information item needed to identify, analyse and respond to
risk; risk scenarios are the concrete, tangible and assessable representation of risk
How COBIT 5 enablers can be used to respond to unacceptable risk scenarios
2013 ISACA.

All rights reserved.

34

Risk Perspectives

2013 ISACA.

All rights reserved.

35

Risk Perspectives (cont)

36

COBIT 5 FOR RISK

3. UNDERSTAND HOW TO USE RISK
SCENARIOS FOR GEIT.

37

Risk Scenarios
Definition
A risk scenario is a description of a possible event
that, when occurring, will have an uncertain impact
on the achievement of the enterprises objectives.
The impact can be positive or negative.

2013 ISACA.

All rights reserved.

38

Risk Scenarios
Risk scenarios are
a key element of
the COBIT 5 risk
management
process APO12;
two approaches are
defined:
Top-down
approachUse
the overall
enterprise
objectives and
consider the
most relevant
and probable
IT risk
scenarios
impacting these
Bottom-up
approachUse
a list of generic
scenarios to
define a set of
more relevant
and customised
scenarios,
applied to the
individual
enterprise

39

Risk Scenarios (cont)

Risk scenarios are a key element of the
COBIT 5 risk management process APO12;
two approaches are defined:
Top-down approachUse the overall
enterprise objectives and consider the most
relevant and probable IT risk scenarios
impacting these
Bottom-up approachUse a list of
generic scenarios to define a SUBset of
more relevant and customised scenarios,
applied to the individual enterprise
2013 ISACA.

All rights reserved.

40

Risk Scenarios
Top-down and Bottom-up Both approaches are
complementary and should be used simultaneously.
Risk scenarios must be relevant and linked to real
business risk.
Specific risk items for each enterprise and critical
business requirements need to be considered in the
enterprise risk scenarios.
COBIT 5 for Risk provides a comprehensive set of
generic risk scenarios. These should be used as a
reference to reduce the chance of overlooking
major/common risk scenarios.
2013 ISACA.

All rights reserved.

41

Risk Scenarios

When a risk scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (Threat type +
Event). The frequency of the threat event is influenced by a vulnerability. The vulnerability is usually a state; it can be
increased/ decreased by vulnerability events, e.g., controls strength or by the threat strength.

42

Developing risk scenarios work flow

1. Use the list of example generic risk scenarios
(Fig 38, P67~; partial reprint in S#46) to
define a manageable set of tailored risk
scenarios for the enterprise;
2. Perform a validation against the business obj
of the entity;
3. Refine the selected scenarios base on the
validation;
4. Reduce the number of scenarios to a
manageable set (usually at least a few
dozen);
5. Keep all the scenarios in a list so they can be
re-evaluated.

43

Developing risk scenarios work flow (cont)

6. Once the set of risk scenarios is defined, it
can be used for risk analysis, where
frequency and impact of the scenarios are
assessed.
7. The enterprise can also consider
evaluating scenarios that have a chance of
occurring the stress testing.
. In 1 above, risk factors are those
conditions that influence the frequency
and/or the business impact of risk scenarios.
Fig 35, P. 61

44

Risk Scenarios

When a risk scenario materialises, a loss event

occurs.
The loss event has been triggered by a threat event (Threat
type + Event).
The frequency of the threat event is influenced by a vulnerability.

The vulnerability is usually a state;

it can be increased/ decreased by vulnerability events, e.g.,
controls strength or by the threat strength.

45

Risk Scenarios
COBIT 5 for Risk provides:
111 risk scenario examples * Across 20 scenario categories

46

Risk Response
Planned actions to bring risk in line with the risk
appetite for the enterprise:
A response needs to be defined such that as much
future residual risk as possible (current risk with
the risk response defined and implemented) falls
within accepted limits.
When risk analysis has shown that risk is not
aligned with the defined risk appetite & tolerance
levels, a response is required.

2013 ISACA.

All rights reserved.

47

Risk Capacity
Risk AppetiteThe broad-based amount of risk in
different aspects that an enterprise is willing to
accept in pursuit of its mission
Risk ToleranceThe acceptable level of variation
that management is willing to allow for any
particular risk as it pursues objectives
Risk CapacityThe cumulative loss an enterprise
can tolerate without risking its continued existence.
As such, it differs from risk appetite, which is more
on how much risk is desirable.
2013 ISACA.

All rights reserved.

48

Risk appetite
The amount of risk, on a broad level, an
entity is willing to accept in pursuit of its
mission.
When considering the risk appetite levels for
the enterprise, two major factors are important:
1. The enterprises objective capacity to absorb
loss, e.g., financial loss, reputation damage
2. The (management) culture or predisposition
towards risk takingcautious or aggressive.
What is the amount of loss the enterprise
wants to accept to pursue a return?
49

Risk appetite
Risk appetite
can be
defined in
practice in
terms of
combinations
of frequency
and
magnitude of
a risk.
Risk appetite
can and will
be
different
amongst
enterprises

50

Risk tolerance
Risk tolerance is the tolerable deviation from the level
set around the risk appetite, which (the deviation) the
mgmt. is willing to allow as it pursues the objectives.
For example, project overruns of 10 percent of budget or 20
percent of time are tolerated.

Risk appetite and risk tolerance go hand in hand.

Risk tolerance is defined at the enterprise level and is
reflected in policies set by the executives;
At tactical levels of the enterprise, exceptions can be
tolerated (or different thresholds defined) as long as
at the enterprise level the overall exposure does not
exceed the set risk appetite.
Cases and consequences of zero tolerance
51

Risk Capacity

Left diagramA relatively sustainable situation

Risk appetite is lower than risk capacity
Actual risk exceeds risk appetite in a number of situations, but always remains
below the risk capacity
Right diagramAn unsustainable situation
Risk appetite is defined at a level beyond risk capacity; this means that
management is prepared to accept risk well over its capacity to absorb loss
As a result, actual risk routinely exceeds risk capacity even when staying
almost always below the risk appetite level. This usually represents
unsustainable
situations
2013
ISACA.
All rights reserved.
52

Risk Response (cont)

This response can be any of the four possible
responses:
avoid,
mitigate,
share/transfer,
accept.

Risk response evaluation is not a one-time

effortit is part of the risk management
process cycle.
2013 ISACA.

All rights reserved.

53

Risk Mitigation
COBIT 5 for Risk provides a number of examples on how
the COBIT 5 enablers can be used to respond to risk
scenarios.
Risk mitigation is equivalent to implementing a number of
IT controls.
In COBIT 5 terms, IT controls can be any enabler, e.g.,
putting in place an organisational structure, putting in place
certain governance or management practices or activities.
For each of the 20 risk scenario categories, potential
mitigating actions relating to all seven COBIT 5 enablers
are provided, with a reference, title and description for each
enabler that can help to mitigate the risk.
2013 ISACA.

All rights reserved.

54

 2013 ISACA.

All rights reserved.

55

 2013 ISACA.

All rights reserved.

56

Risk response workflow

57

Risk response workflow (cont)

Two dimensions for prioritization: current

risk level, and benefit/cost ratio

58

Risk Culture

59

IMPORTANT REPRINTS FROM

COBIT 5 FOR RISK
I have selectively reprint some forty pages
from COBIT 5 for Risk. This section will briefly
introduce the contents of those pages. The
selected contents are very practical and can
be and should be used in risk analysis.

2013 ISACA.

All rights reserved.

60

Brief description of selected key contents

P12, Fig 3 COBIT 5 for Risk overview

P20, Fig 9 Two perspectives on risk
P31, Fig 16 Risk policy examples
P35, Fig 18/19 supporting processes for risk
function
P42, Fig 26 Behaviors for risk gov and
mgmt.
P48, Fig 28 Info items supporting risk gov &
mgmt.
P52, Fig 30 risk-mgmt.-related services
P56, Fig 32 risk mgmt. skill sets
61

Brief description of selected contents (cont)

PP 59-63, Risk scenarios
PP 195-204, Core COBIT 5 risk mgmt. processes
PP 206-209, 222-223, 235-236: Using COBIT 5
enablers to manage IT risk scenarios (selected)
PP 243-244: Comprehensive risk scenario
template
[Many of the materials in the above will be used
for your team project as well as individual project]
62

COBIT 5 FOR RISK

4. UNDERSTAND
HOW COBIT 5 FOR RISK RELATES TO AND
ALIGNS WITH OTHER STANDARDS

For
information
only; not
required
2013 ISACA.

All rights reserved.

63

Alignment
COBIT 5 for Riskmuch like COBIT 5 itselfis an umbrella approach for
the provisioning of risk management activities.
COBIT 5 for Risk is positioned in context with the following risk-related
standards:
ISO 31000:2009 Risk Management
ISO 27005:2011 Information security risk management
COSO Enterprise Risk Management
ISO 31000:2009 Risk Management
COBIT 5 for Risk addresses all ISO 31000 principles, through the:
COBIT 5 for Risk principles and enablers themselves
Enabler models
In addition, the framework and process model aspects are covered in greater
detail by the COBIT 5 for Risk process model.
All elements are included in COBIT 5 for Risk and are often expanded on or
elaborated in greater detail, specifically for IT risk management.
2013 ISACA.

All rights reserved.

64

Alignment
ISO 27005:2011 Information security risk management
COBIT 5 for Risk addresses all of the components described within ISO
27005. Some of the elements are structured or named differently.
COBIT 5 for Risk takes a broader view on IT risk management compared
with ISO 27005 which is focused on the management of security related risk.
There is a stronger emphasis in COBIT 5 for Risk on processes and practices
to ensure the alignment with business objectives, the acceptance throughout
the organisation and the completeness of the scope, amongst other factors.
COSO Enterprise Risk Management
COBIT 5 for Risk addresses all of the components defined in COSO ERM.
Although COBIT 5 for Risk focuses less on control, it provides linkages to
enablersmanagement practices in the COBIT 5 framework.
The essentials with regards to both control and general risk management
as defined in COSO ERM are present in COBIT 5 for Risk, either through the:
Principles themselves and the frameworks conceptual design
Process model and additional guidance provided in the framework
2013 ISACA.

All rights reserved.

65