ISACA has designed and created The Risk IT Framework Excerpt (the 'Work') (aracer.mobi). The Risk IT Framework fills the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks. The Risk IT Practitioner Guide. ISACA®. With more than 86, constituents in more than countries, ISACA (aracer.mobi) is a leading global.

Author:PAULINA GORDAN
Language:English, Spanish, Portuguese
Country:Slovakia
Genre:Academic & Education
Pages:452
Published (Last):14.12.2015
ISBN:890-4-52615-202-8
Distribution:Free* [*Registration needed]
Uploaded by: MARCELLA



The Risk IT Framework PDF

Assessing & Managing IT Risks: Using ISACA's CobiT & Risk IT Frameworks. 2nd InfoCom Security Conference. Anestis Demopoulos, Vice. PDF | The concept of governance has an already old contour: the system by which risk management and IT Governance remain within the framework of old . COBIT 5: ISACA's new framework for IT Governance, Risk, Security and Auditing. An overview. M. Garsoux. COBIT 5 Licensed Training Provider.


But rules-based risk management will not diminish either the likelihood or the impact of a disaster such as Deepwater Horizon, just as it did not prevent the failure of many financial institutions during the — credit crisis. In this article, Robert S. Kaplan and Anette Mikes present a categorization of risk that allows executives to understand the qualitative distinctions between the types of risks that organizations face.

Preventable risks, arising from within the organization, are controllable and ought to be eliminated or avoided. Strategy risks are those a company voluntarily assumes in order to generate superior returns from its strategy. External risks arise from events outside the company and are beyond its influence or control.

Sources of these risks include natural and political disasters and major macroeconomic shifts. Companies should tailor their risk management processes to these different risk categories. A rules-based approach is effective for managing preventable risks, whereas strategy risks require a fundamentally different approach based on open and explicit risk discussions.

To anticipate and mitigate the impact of major external risks, companies can call on tools such as war-gaming and scenario analysis. Among the new rules he instituted were the requirements that all employees use lids on coffee cups while walking and refrain from texting while driving. Despite all the rhetoric and money invested in it, risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. In this article, we present a new categorization of risk that allows executives to tell which risks can be managed through a rules-based model and which require alternative approaches.

We examine the individual and organizational challenges inherent in generating open, constructive discussions about managing the risks related to strategic choices and argue that companies need to anchor these discussions in their strategy formulation and implementation processes. We conclude by looking at how organizations can identify and prepare for nonpreventable risks that arise externally to their strategy and operations.

Managing Risk: Rules or Dialogue?

The first step in creating an effective risk-management system is to understand the qualitative distinctions among the types of risks that organizations face.

Our field research shows that risks fall into one of three categories.

Category I: Preventable risks.

These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly.

But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on.

Identifying and Managing Preventable Risks

Companies cannot anticipate every circumstance or conflict of interest that an employee might encounter.

Mission statements should be communicated to and understood by all employees.

The Values

Companies should articulate the values that guide employee behavior toward principal stakeholders, including customers, suppliers, fellow employees, communities, and shareholders.

The Boundaries

A strong corporate culture clarifies what is not allowed. An explicit definition of boundaries is an effective way to control actions. Consider that nine of the Ten Commandments and nine of the first 10 amendments to the U.S. Constitution (commonly known as the Bill of Rights) are written in negative terms. Companies need corporate codes of business conduct that prescribe behaviors relating to conflicts of interest, antitrust issues, trade secrets and confidential information, bribery, discrimination, and harassment. To counter the day-to-day pressures of organizational life, top managers must serve as role models and demonstrate that they mean what they say. Companies must institute strong internal control systems, such as the segregation of duties and an active whistle-blowing program, to reduce not only misbehavior but also temptation.

Category II: Strategy risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities.

Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains.

BP accepted the high risks of drilling several miles below the surface of the Gulf of Mexico because of the high value of the oil and gas it hoped to extract. Strategy risks cannot be managed through a rules-based control model. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks.

Some risks arise from events outside the company and are beyond its influence or control. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Companies should tailor their risk-management processes to these different categories. While a compliance-based approach is effective for managing preventable risks, it is wholly inadequate for strategy risks or external risks, which require a fundamentally different approach based on open and explicit risk discussions.

Why Risk Is Hard to Talk About

Multiple studies have found that people overestimate their ability to influence events that, in fact, are heavily determined by chance. We tend to be overconfident about the accuracy of our forecasts and risk assessments and far too narrow in our assessment of the range of outcomes that may occur. We also anchor our estimates to readily available evidence despite the known danger of making linear extrapolations from recent history to a highly uncertain and variable future.

We often compound this problem with a confirmation bias, which drives us to favor information that supports our positions (typically successes) and suppress information that contradicts them (typically failures). When events depart from our expectations, we tend to escalate commitment, irrationally directing even more resources to our failed course of action—throwing good money after bad.

Organizational biases also inhibit our ability to discuss risk and failure. In particular, teams facing uncertain conditions often engage in groupthink: Once a course of action has gathered support within a group, those not yet on board tend to suppress their objections—however valid—and fall in line. Groupthink is especially likely if the team is led by an overbearing or overconfident manager who wants to minimize conflict, delay, and challenges to his or her authority.

Managing Risks: A New Framework

Collectively, these individual and organizational biases explain why so many companies overlook or misread ambiguous threats. Rather than mitigating risk, firms actually incubate risk through the normalization of deviance, as they learn to tolerate apparently minor failures and defects and treat early warning signals as false alarms rather than alerts to imminent danger.

Effective risk-management processes must counteract those biases. National Aeronautics and Space Administration. The rocket scientists on JPL project teams are top graduates from elite universities, many of whom have never experienced failure at school or work.

In fact, they usually have the opposite effect, encouraging a checklist mentality that inhibits challenge and discussion. Managing strategy risks and external risks requires very different approaches. We start by examining how to identify and mitigate strategy risks. Which model is appropriate for a given firm depends largely on the context in which an organization operates.

Each approach requires quite different structures and roles for a risk-management function, but all three encourage employees to challenge existing assumptions and debate risk information.

Independent experts.

Some organizations—particularly those like JPL that push the envelope of technological innovation—face high intrinsic risk as they pursue long, complex, and expensive product-development projects.

But since much of the risk arises from coping with known laws of nature, the risk changes slowly over time. For these organizations, risk management can be handled at the project level. The experts ensure that evaluations of risk take place periodically throughout the product-development cycle. Because the risks are relatively unchanging, the review board needs to meet only once or twice a year, with the project leader and the head of the review board meeting quarterly.

The meetings, both constructive and confrontational, are not intended to inhibit the project team from pursuing highly ambitious missions and designs. But they force engineers to think in advance about how they will describe and defend their design decisions and whether they have sufficiently considered likely failures and defects.

At JPL, the risk review board not only promotes vigorous debate about project risks but also has authority over budgets. The board establishes cost and time reserves to be set aside for each project component according to its degree of innovativeness.

The reserves ensure that when problems inevitably arise, the project team has access to the money and time needed to resolve them without jeopardizing the launch date. JPL takes the estimates seriously; projects have been deferred or canceled if funds were insufficient to cover recommended reserves.

Risk management is painful—not a natural act for humans to perform.

Many organizations, such as traditional energy and water utilities, operate in stable technological and market environments, with relatively predictable customer demand.

In these situations risks stem largely from seemingly unrelated operational choices across a complex organization that accumulate gradually and can remain hidden for a long time. Since no single staff group has the knowledge to perform operational-level risk management across diverse functions, firms may deploy a relatively small central risk-management group that collects information from operating managers.

We observed this model in action at Hydro One, the Canadian electricity company. Employees use an anonymous voting technology to rate each risk, on a scale of 1 to 5, in terms of its impact, the likelihood of occurrence, and the strength of existing controls.

The rankings are discussed in the workshops, and employees are empowered to voice and debate their risk perceptions. Hydro One strengthens accountability by linking capital allocation and budgeting decisions to identified risks. The corporate-level capital-planning process allocates hundreds of millions of dollars, principally to projects that reduce risk effectively and efficiently.

At the annual capital allocation meeting, line managers have to defend their proposals in front of their peers and top executives.

Managers want their projects to attract funding in the risk-based capital planning process, so they learn to overcome their bias to hide or minimize the risks in their areas of accountability. The financial services industry poses a unique challenge because of the volatile dynamics of asset markets and the potential impact of decisions made by decentralized traders and investment managers.