Applying Risk-based Techniques and Tools to...

Post on 28-Dec-2019


Technology Risk Management

Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments

by Phil Leifermann, MBA, CIA, CCSA, CFSA, CGAP, CRMA, CISA, CFE, Managing Director, Insight Consulting

Technology Risk Management

Insight Consulting 2

Technology Risk Management (cont.)

Insight Consulting 3

§ Stakeholder needs

§ Enterprise wide

§ Single integrated framework

§ Holistic approach

§ Governance vs. management

Insight Consulting 4

Strategy

Execution

Insight Consulting 5

Strategy

Execution

Policy

Procedures

Systems

People

Insight Consulting 6

Strategy

Execution

Policy

Procedures

Systems

People

Risk

Insight Consulting 7

Strategy

Execution

Policy

Procedures

Systems

People

Risk

Control

Insight Consulting 8

Strategy

Execution

Policy

Procedures

Systems

People

Assurance

Insight Consulting 9

What is assurance?

• Certainty

• Confidence

• Freedom from doubt

• Guarantee

• Warranty

Insight Consulting 10

Strategy

Insight Consulting 11

Strategy

Infrastructure, Data, People, Applications, Facilities

Insight Consulting 12

Strategy

Information

Infrastructure, Data, People, Applications, Facilities

Insight Consulting 13

Strategy

Information

Infrastructure, Data, People, Facilities, Applications

Risks

Insight Consulting 14

Strategy

Information

Infrastructure, Data, People, Facilities, Applications

Risks

Controls

Insight Consulting 15

Challenges:

§ How do we plan audits of technology?

§ How do we conduct audits of technology?

Insight Consulting 16

Challenges:

§ How do we plan audits of technology?

§ How do we conduct audits of technology?

Insight Consulting 17

A B C

H I J

D E F G

Insight Consulting 18

§ Define audit universe

§ Conduct risk assessment

§ Select audits

§ Determine strategy for audits

Insight Consulting 19

Define Audit Universe

• Identify all auditable entities

• This becomes the audit universe, i.e. all entities which might be audited

Insight Consulting 20

A B C

H I J

D E F G

Define Audit Universe (cont.)

Auditable Entities

Insight Consulting 21

A B C

H I J

D E F G

Define Audit Universe (cont.)

Auditable Entities

Audit Universe

Insight Consulting 22

Risk Assessment

• Determine risk factors

• Determine weightings

• Assign scores

• Calculate risk scores

• Assign risk levels

Insight Consulting 23

Risk Assessment (cont.)

Risk Factors

• Determine risk factors:

✓ Factor A: Financial Risk

✓ Factor B: Operational Risk

✓ Factor C: Reputational Risk

Insight Consulting 24

Risk Assessment (cont.)

Weightings

• For each risk factor, determine weighting:

✓ Financial Risk: 50%

✓ Operational Risk: 25%

✓ Reputational Risk: 25%

Insight Consulting 25

Risk Assessment (cont.)

Scores

• For each risk factor, assign scores:

✓ Financial Risk: 8/10

✓ Operational Risk: 10/10

✓ Reputational Risk: 5/10

Insight Consulting 26

Risk Assessment (cont.)

Risk Levels

• Multiply weightings and scores

• Calculate totals

• Add totals

• Calculate grand total

Insight Consulting 27

Risk Assessment (cont.)

Risk Factors        Weightings   Scores   Totals
Financial Risk      0.5          8        4
Operational Risk    0.25         10       2.5
Reputational Risk   0.25         3        0.75
Grand Total                               7.25

Insight Consulting 28

Risk Assessment (cont.)

Risk Levels

• Convert grand total to risk level:

✓ High risk: 6.5 – 10

✓ Medium risk: 3.5 – 6.5

✓ Low risk: 1 – 3.5

Insight Consulting 29

Risk Assessment (cont.)

Risk Factors        Weightings   Scores   Totals
Financial Risk      0.5          8        4
Operational Risk    0.25         10       2.5
Reputational Risk   0.25         3        0.75
Grand Total                               7.25

Risk Levels: High | Medium | Low  (a grand total of 7.25 falls in the High band)

Insight Consulting 30

A B C

H I J

D E F G

Risk Assessment (cont.)

Audit Universe

Insight Consulting 31

Risk Assessment (cont.)

[Figure: the audit universe entities A to J sorted into High Risk, Medium Risk and Low Risk columns]
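The weighted scoring procedure of slides 22 to 31, worked through in Python as an added example (it is not code from the presentation or from Insight Consulting). The factors, weightings, bands and entity A's scores are the slides' own; entities B and C and the rule for values sitting exactly on a band boundary are constructed assumptions.

```python
"""Weighted risk scoring of an audit universe (slides 22 to 31).
Added illustration; not code from the presentation."""

# Risk factors and weightings from slide 24; they must sum to 100%.
WEIGHTINGS = {"Financial Risk": 0.50, "Operational Risk": 0.25, "Reputational Risk": 0.25}


def risk_total(scores: dict, weightings: dict = WEIGHTINGS) -> float:
    """Multiply each factor's score (out of 10) by its weighting and add the totals."""
    if abs(sum(weightings.values()) - 1.0) > 1e-9:
        raise ValueError("weightings must sum to 100%")
    missing = set(weightings) - set(scores)
    if missing:
        raise ValueError(f"no score for {sorted(missing)}")
    for factor in weightings:
        if not 1 <= scores[factor] <= 10:
            raise ValueError(f"{factor}: score must be between 1 and 10")
    return round(sum(weightings[f] * scores[f] for f in weightings), 4)


def risk_level(total: float) -> str:
    """Map a grand total to the bands on slide 28 (High 6.5-10, Medium 3.5-6.5, Low 1-3.5).
    The bands share boundaries; a value exactly on one goes to the higher band (assumption)."""
    if not 1.0 <= total <= 10.0:
        raise ValueError("grand total must lie between 1 and 10")
    if total >= 6.5:
        return "High"
    if total >= 3.5:
        return "Medium"
    return "Low"


def rank_universe(universe: dict) -> dict:
    """Sort auditable entities into High/Medium/Low, highest grand total first in each."""
    ranked = {"High": [], "Medium": [], "Low": []}
    for entity, scores in universe.items():
        total = risk_total(scores)
        ranked[risk_level(total)].append((entity, total))
    for entities in ranked.values():
        entities.sort(key=lambda pair: -pair[1])
    return ranked


# Constructed audit universe; entity A carries the scores from slide 27.
UNIVERSE = {
    "A": {"Financial Risk": 8, "Operational Risk": 10, "Reputational Risk": 3},
    "B": {"Financial Risk": 4, "Operational Risk": 6, "Reputational Risk": 5},
    "C": {"Financial Risk": 2, "Operational Risk": 3, "Reputational Risk": 1},
}
```

Calling `rank_universe(UNIVERSE)` reproduces the slide's 7.25 for entity A and places it in the High band, ahead of the constructed entities B (Medium) and C (Low).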

Insight Consulting 32

Challenges:

§ How do we plan audits of technology?

§ How do we conduct audits of technology?

Insight Consulting 33

§ For each auditable entity, identify risks that might affect this auditable entity

§ Assess these risks

§ Measure level of inherent risk

Stage: Risk Identification

Insight Consulting 34

§ Impact rating (scale of 1 – 5)

§ Probability rating (scale of 1 – 5)

§ Risk = impact x probability

- e.g. 4 x 3 = 12

Insight Consulting 35

[Diagram: level of inherent risk compared with the risk appetite; outcome: Reject]

Insight Consulting 36

§ For these risks, assess controls that prevent, detect, correct and escalate these risks

§ Measure level of controlled risk

Stages: Risk Identification, Risk Assessment

Insight Consulting 37

[Diagram: level of inherent risk and level of controlled risk compared with the risk appetite; outcome: Reject]

Insight Consulting 38

§ If level of controlled risk exceeds “risk appetite”, design action plans to further reduce level of risk

§ Measure level of residual risk

Stages: Risk Identification, Risk Assessment, Risk Mitigation

Insight Consulting 39

[Diagram: level of inherent risk, level of controlled risk and level of residual risk compared with the risk appetite; outcome: Accept]
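The identification, assessment and mitigation stages of slides 33 to 39 carried through for one auditable entity, as an added Python example (not the presentation's own code). The 1 to 5 scales and the impact x probability formula are from slide 34; the risk names, ratings and the appetite of 6 are constructed, and the rule that a risk already within appetite after existing controls needs no action plan is an assumption.

```python
"""Inherent, controlled and residual risk for one auditable entity (slides 33 to 39).
Added illustration; not code from the presentation."""
from dataclasses import dataclass
from typing import Optional, Tuple

Rating = Tuple[int, int]  # (impact, probability), each rated 1 to 5


def risk_score(impact: int, probability: int) -> int:
    """Risk = impact x probability, e.g. 4 x 3 = 12 (range 1 to 25)."""
    if not (1 <= impact <= 5 and 1 <= probability <= 5):
        raise ValueError("impact and probability must be rated 1 to 5")
    return impact * probability


@dataclass
class Risk:
    name: str
    inherent: Rating                   # before considering any controls
    controlled: Rating                 # after the controls that prevent, detect, correct, escalate
    residual: Optional[Rating] = None  # after further action plans, if any were designed


def assess(risk: Risk, appetite: int) -> dict:
    """Measure each level in turn and compare the last one reached with the appetite."""
    inherent = risk_score(*risk.inherent)
    controlled = risk_score(*risk.controlled)
    if controlled > inherent:
        raise ValueError(f"{risk.name}: controls cannot raise risk above its inherent level")
    result = {"inherent": inherent, "controlled": controlled, "residual": None}
    if controlled <= appetite:
        result["decision"] = "Accept"  # within appetite once existing controls are assessed
        return result
    if risk.residual is None:
        result["decision"] = "Design action plan"  # slide 38: controlled risk exceeds appetite
        return result
    residual = risk_score(*risk.residual)
    if residual > controlled:
        raise ValueError(f"{risk.name}: an action plan cannot raise risk above its controlled level")
    result["residual"] = residual
    result["decision"] = "Accept" if residual <= appetite else "Reject: further action needed"
    return result


# Constructed sample risks; assess each against an appetite of 6 on the 1 to 25 scale.
SAMPLE = [
    Risk("Unpatched servers", inherent=(4, 3), controlled=(4, 2), residual=(2, 2)),
    Risk("Shared admin accounts", inherent=(5, 4), controlled=(4, 3)),
]
```

`assess(SAMPLE[0], 6)` walks the slide's 4 x 3 = 12 inherent risk down to a residual of 4 and accepts it; `assess(SAMPLE[1], 6)` stops at a controlled risk of 12 and asks for an action plan.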

Insight Consulting 40

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5)]

Insight Consulting 41

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5); region labelled "Manage"]

Insight Consulting 42

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5); region labelled "Contingency Plan"]

Insight Consulting 43

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5); region labelled "Housekeeping"]

Insight Consulting 44

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5); region labelled "Monitor"]

Insight Consulting 45

[Figure: 5 x 5 risk matrix, Probability (1 to 5) against Impact (1 to 5); entity A plotted at its Inherent Risk and again at its Residual Risk, with Controls shown moving it between the two]

Insight Consulting 46

[Figure: 5 x 5 matrix, Residual Risk (1 to 5) against Inherent Risk (1 to 5)]

Insight Consulting 47

[Figure: 5 x 5 matrix, Residual Risk (1 to 5) against Inherent Risk (1 to 5); region labelled "Increase Resources"]

Insight Consulting 48

[Figure: 5 x 5 matrix, Residual Risk (1 to 5) against Inherent Risk (1 to 5); region labelled "Assess Controls"]

Insight Consulting 49

[Figure: 5 x 5 matrix, Residual Risk (1 to 5) against Inherent Risk (1 to 5); region labelled "Not Applicable"]

Insight Consulting 50

[Figure: 5 x 5 matrix, Residual Risk (1 to 5) against Inherent Risk (1 to 5); region labelled "Decrease Resources"]

Insight Consulting 51

[Diagram: Management, Risk Management and Internal Audit; Management labelled 1st Line of Defence]

Insight Consulting 52

[Diagram: Management, Risk Management and Internal Audit; Management labelled 1st Line of Defence, Risk Management labelled 2nd Line of Defence]

Insight Consulting 53

[Diagram: Management, Risk Management and Internal Audit labelled as the 1st, 2nd and 3rd Lines of Defence]

Insight Consulting 54

[Diagram: Management, Risk Management and Internal Audit]

§ Management (with assistance from risk management) are responsible for designing, implementing and maintaining controls

Control

Insight Consulting 55

[Diagram: Management, Risk Management and Internal Audit]

§ Internal audit (with assistance from risk management) are responsible for ensuring controls are effectively and efficiently designed, implemented and maintained

Control Assurance

Insight Consulting 56

[Diagram: Management, Risk Management and Internal Audit; roles labelled Operate, Support, Validate]

Insight Consulting 57

Further Information

Insight Consulting 58

§ Phil Leifermann

§ President Director, Insight Consulting

§ Phone: +62 21 250-6696

§ Fax: +62 21 250-6697

§ Email: phil.leifermann@insight.co.id
