Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments

Technology Risk Management: Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments, by Phil Leifermann, MBA, CIA, CCSA, CFSA, CGAP, CRMA, CISA, CFE, Managing Director, Insight Consulting

Transcript of Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments

Page 1: Technology Risk Management

Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments

by Phil Leifermann, MBA, CIA, CCSA, CFSA, CGAP, CRMA, CISA, CFE
Managing Director, Insight Consulting

Page 2: Technology Risk Management

Insight Consulting

Page 3: Technology Risk Management (cont.)

§ Stakeholder needs
§ Enterprise wide
§ Single integrated framework
§ Holistic approach
§ Governance vs. management

Page 4: Technology Risk Management (cont.)

[Diagram labels: Strategy, Execution]

Page 5: Technology Risk Management (cont.)

[Diagram labels: Strategy, Execution, Policy, Procedures, Systems, People]

Page 6: Technology Risk Management (cont.)

[Diagram labels: Strategy, Execution, Policy, Procedures, Systems, People, Risk]

Page 7: Technology Risk Management (cont.)

[Diagram labels: Strategy, Execution, Policy, Procedures, Systems, People, Risk, Control]

Page 8: Technology Risk Management (cont.)

[Diagram labels: Strategy, Execution, Policy, Procedures, Systems, People, Assurance]

Page 9: Technology Risk Management (cont.)

What is assurance?

• Certainty
• Confidence
• Freedom from doubt
• Guarantee
• Warranty

Page 10: Technology Risk Management (cont.)

[Diagram label: Strategy]

Page 11: Technology Risk Management (cont.)

[Diagram labels: Strategy; Infrastructure, Data, People, Applications, Facilities]

Page 12: Technology Risk Management (cont.)

[Diagram labels: Strategy; Information; Infrastructure, Data, People, Applications, Facilities]

Page 13: Technology Risk Management (cont.)

[Diagram labels: Strategy; Information; Infrastructure, Data, People, Facilities, Applications; Risks]

Page 14: Technology Risk Management (cont.)

[Diagram labels: Strategy; Information; Infrastructure, Data, People, Facilities, Applications; Risks; Controls]

Page 15: Technology Risk Management (cont.)

Challenges:

§ How do we plan audits of technology?
§ How do we conduct audits of technology?

Page 16: Technology Risk Management (cont.)

Challenges:

§ How do we plan audits of technology?
§ How do we conduct audits of technology?

Page 17: Technology Risk Management (cont.)

[Diagram: entities A, B, C, D, E, F, G, H, I, J]

Page 18: Technology Risk Management (cont.)

§ Define audit universe
§ Conduct risk assessment
§ Select audits
§ Determine strategy for audits

Page 19: Technology Risk Management (cont.)

Define Audit Universe

• Identify all auditable entities
• This becomes the audit universe, i.e. all entities which might be audited

Page 20: Technology Risk Management (cont.)

Define Audit Universe (cont.)

[Diagram: Auditable Entities A, B, C, D, E, F, G, H, I, J]

Page 21: Technology Risk Management (cont.)

Define Audit Universe (cont.)

[Diagram: Auditable Entities A, B, C, D, E, F, G, H, I, J grouped into the Audit Universe]

Page 22: Technology Risk Management (cont.)

Risk Assessment

• Determine risk factors
• Determine weightings
• Assign scores
• Calculate risk scores
• Assign risk levels

Page 23: Technology Risk Management (cont.)

Risk Assessment (cont.)

Risk Factors

• Determine risk factors:
- Factor A : Financial Risk
- Factor B : Operational Risk
- Factor C : Reputational Risk

Page 24: Technology Risk Management (cont.)

Risk Assessment (cont.)

Weightings

• For each risk factor, determine weighting:
- Financial Risk : 50%
- Operational Risk : 25%
- Reputational Risk : 25%

Page 25: Technology Risk Management (cont.)

Risk Assessment (cont.)

Scores

• For each risk factor, assign scores:
- Financial Risk : 8/10
- Operational Risk : 10/10
- Reputational Risk : 5/10

Page 26: Technology Risk Management (cont.)

Risk Assessment (cont.)

Risk Levels

• Multiply weightings and scores
• Calculate totals
• Add totals
• Calculate grand total

Page 27: Technology Risk Management (cont.)

Risk Assessment (cont.)

Risk Factors         Weightings   Scores   Totals
Financial Risk       0.5          8        4
Operational Risk     0.25         10       2.5
Reputational Risk    0.25         3        0.75
Grand Total                                7.25

Page 28: Technology Risk Management (cont.)

Risk Assessment (cont.)

Risk Levels

• Convert grand total to risk level:
- High risk : 6.5 – 10
- Medium risk : 3.5 – 6.5
- Low risk : 1 – 3.5

Page 29: Technology Risk Management (cont.)

Risk Assessment (cont.)

Risk Factors         Weightings   Scores   Totals
Financial Risk       0.5          8        4
Operational Risk     0.25         10       2.5
Reputational Risk    0.25         3        0.75
Grand Total                                7.25

[Diagram: grand total placed on the Risk Levels scale High / Medium / Low]

Page 30: Technology Risk Management (cont.)

Risk Assessment (cont.)

[Diagram: Audit Universe of entities A, B, C, D, E, F, G, H, I, J]

Page 31: Technology Risk Management (cont.)

Risk Assessment (cont.)

[Diagram: the audit universe sorted into High Risk, Medium Risk and Low Risk columns; entities listed as A, J, D, G, B, H, F, C, I, E]
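The audit-planning steps on pages 22 to 31 (factors, weightings, scores, totals, grand total, risk level, then sorting the audit universe into High / Medium / Low) can be carried out for a whole audit universe at once. The Python below is an added example, not code from the deck or from Insight Consulting; the weightings and risk-level bands are the ones on the slides, the ten entity score sets are constructed (entity A repeats the deck's 8 / 10 / 3 example), and the treatment of the shared band boundaries 6.5 and 3.5 is an assumption.

```python
"""Risk-based audit planning: weight each auditable entity's factor scores,
add the totals to a grand total, convert it to a risk level, and sort the
audit universe into High / Medium / Low. Added example; entity scores below
are constructed, not taken from the deck."""

# Weightings and bands as shown on the slides.
WEIGHTINGS = {"Financial": 0.5, "Operational": 0.25, "Reputational": 0.25}
# (level, lower bound). 6.5 and 3.5 appear in two bands on the slides;
# assumption here: a value exactly on a boundary goes to the higher band.
RISK_BANDS = [("High", 6.5), ("Medium", 3.5), ("Low", 1.0)]
SCORE_MIN, SCORE_MAX = 1, 10   # scores are given as n/10 on the slides


def grand_total(scores, weightings=WEIGHTINGS):
    """Multiply each factor's score by its weighting and add the totals."""
    if set(scores) != set(weightings):
        raise ValueError("scores and weightings must cover the same factors")
    if abs(sum(weightings.values()) - 1.0) > 1e-9:
        raise ValueError("weightings must add up to 100%")
    for factor, score in scores.items():
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{factor} score {score} is outside {SCORE_MIN}-{SCORE_MAX}")
    return round(sum(weightings[f] * scores[f] for f in weightings), 4)


def risk_level(total):
    """Convert a grand total to the risk-level band it falls in."""
    for level, lower in RISK_BANDS:
        if total >= lower:
            return level
    raise ValueError(f"grand total {total} is below the lowest band")


def rank_audit_universe(universe):
    """Return (entity, grand total, level) for every entity, highest risk first."""
    ranked = []
    for entity, scores in universe.items():
        total = grand_total(scores)
        ranked.append((entity, total, risk_level(total)))
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


def entities_by_level(universe):
    """Group the ranked universe into the High / Medium / Low columns of the slide."""
    groups = {level: [] for level, _ in RISK_BANDS}
    for entity, _, level in rank_audit_universe(universe):
        groups[level].append(entity)
    return groups


# Constructed audit universe. Entity A repeats the deck's worked example
# (8, 10, 3 -> 7.25); the other scores are made up so that the grouping
# matches the High / Medium / Low columns shown on page 31.
SAMPLE_UNIVERSE = {
    "A": {"Financial": 8, "Operational": 10, "Reputational": 3},
    "B": {"Financial": 5, "Operational": 6, "Reputational": 4},
    "C": {"Financial": 2, "Operational": 3, "Reputational": 1},
    "D": {"Financial": 9, "Operational": 7, "Reputational": 8},
    "E": {"Financial": 1, "Operational": 2, "Reputational": 2},
    "F": {"Financial": 4, "Operational": 5, "Reputational": 5},
    "G": {"Financial": 7, "Operational": 6, "Reputational": 9},
    "H": {"Financial": 3, "Operational": 8, "Reputational": 6},
    "I": {"Financial": 2, "Operational": 2, "Reputational": 4},
    "J": {"Financial": 10, "Operational": 9, "Reputational": 9},
}

if __name__ == "__main__":
    for entity, total, level in rank_audit_universe(SAMPLE_UNIVERSE):
        print(f"{entity}  {total:5.2f}  {level}")
    print(entities_by_level(SAMPLE_UNIVERSE))
```

The weighting-sum and score-range checks are there because a weighting table that does not add to 100%, or a score typed as 80 instead of 8, silently distorts the ranking that decides which entities get audited.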

Page 32: Technology Risk Management (cont.)

Challenges:

§ How do we plan audits of technology?
§ How do we conduct audits of technology?

Page 33: Technology Risk Management (cont.)

§ For each auditable entity, identify risks that might affect this auditable entity
§ Assess these risks
§ Measure level of inherent risk

[Stage: Risk Identification]

Page 34: Technology Risk Management (cont.)

§ Impact rating (i.e. 1 - 5)
§ Probability rating (i.e. 1 - 5)
§ Risk = impact x probability
- e.g. 4 x 3 = 12

Page 35: Technology Risk Management (cont.)

[Diagram: Level of Inherent Risk compared with Risk Appetite: Reject]

Page 36: Technology Risk Management (cont.)

§ For these risks, assess controls that prevent, detect, correct and escalate these risks
§ Measure level of controlled risk

[Stages: Risk Identification, Risk Assessment]

Page 37: Technology Risk Management (cont.)

[Diagram: Level of Inherent Risk and Level of Controlled Risk compared with Risk Appetite: Reject]

Page 38: Technology Risk Management (cont.)

§ If level of controlled risk exceeds “risk appetite”, design action plans to further reduce level of risk
§ Measure level of residual risk

[Stages: Risk Identification, Risk Assessment, Risk Mitigation]

Page 39: Technology Risk Management (cont.)

[Diagram: Level of Inherent Risk, Level of Controlled Risk and Level of Residual Risk compared with Risk Appetite: Accept]
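Pages 33 to 39 describe one pass through risk identification, risk assessment and risk mitigation for a single auditable entity: inherent risk is impact × probability, existing controls bring it down to controlled risk, and action plans are designed only when controlled risk still exceeds the risk appetite. The Python below is an added example, not the deck's method: the slides do not say how much a control or action plan lowers a rating, so the per-measure "reduction" fields, the sample risk, its controls and the appetite value are all constructed assumptions.

```python
"""Inherent -> controlled -> residual risk for one auditable entity, measured
against a risk appetite, following the stages on the slides. Added example;
how much a control or action plan lowers the impact or probability rating is
an assumption of this example, not something the deck defines."""
from dataclasses import dataclass, field

RATING_MIN, RATING_MAX = 1, 5   # impact and probability ratings on the slides


@dataclass
class Measure:
    """A control (prevent / detect / correct / escalate) or an action plan."""
    name: str
    kind: str                         # "prevent", "detect", "correct" or "escalate"
    impact_reduction: int = 0         # assumption: rating points taken off impact
    probability_reduction: int = 0    # assumption: rating points taken off probability


@dataclass
class Risk:
    description: str
    impact: int
    probability: int
    controls: list = field(default_factory=list)       # existing controls (assessment stage)
    action_plans: list = field(default_factory=list)   # further measures (mitigation stage)


def risk_score(impact, probability):
    """Risk = impact x probability, both rated 1-5 (deck example: 4 x 3 = 12)."""
    for name, value in (("impact", impact), ("probability", probability)):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{name} rating {value} is outside {RATING_MIN}-{RATING_MAX}")
    return impact * probability


def apply_measures(risk, measures):
    """Ratings after the given measures; a rating never drops below 1."""
    impact = risk.impact - sum(m.impact_reduction for m in measures)
    probability = risk.probability - sum(m.probability_reduction for m in measures)
    return max(RATING_MIN, impact), max(RATING_MIN, probability)


def inherent_risk(risk):
    return risk_score(risk.impact, risk.probability)


def controlled_risk(risk):
    return risk_score(*apply_measures(risk, risk.controls))


def residual_risk(risk):
    return risk_score(*apply_measures(risk, risk.controls + risk.action_plans))


def assess(risk, appetite):
    """Walk the three stages and compare each level with the risk appetite.
    Action plans are only needed when the controlled risk exceeds the appetite."""
    inherent, controlled = inherent_risk(risk), controlled_risk(risk)
    if controlled <= appetite:
        return {"inherent": inherent, "controlled": controlled, "residual": controlled,
                "action_plans_needed": False, "decision": "accept"}
    residual = residual_risk(risk)
    return {"inherent": inherent, "controlled": controlled, "residual": residual,
            "action_plans_needed": True,
            "decision": "accept" if residual <= appetite else "reject"}


# Constructed sample: the deck's 4 x 3 = 12 inherent risk with made-up measures.
SAMPLE_RISK = Risk(
    description="Unauthorised change to a production application",
    impact=4, probability=3,
    controls=[
        Measure("Change approval workflow", "prevent", probability_reduction=1),
        Measure("Daily change-log review", "detect", impact_reduction=1),
    ],
    action_plans=[
        Measure("Tested backup and restore procedure", "correct", impact_reduction=1),
    ],
)
RISK_APPETITE = 4   # constructed appetite on the same 1-25 scale

if __name__ == "__main__":
    print(assess(SAMPLE_RISK, RISK_APPETITE))
```

With the constructed values the inherent risk of 12 falls to a controlled risk of 6, which still exceeds the appetite of 4, so the action plan is applied and the residual risk of 4 is accepted; raising the appetite to 6 makes the action plan unnecessary, and lowering it to 3 leaves the risk rejected and sends the assessor back to design further action plans.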

Page 40: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact (1-5) against Probability (1-5)]

Page 41: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact against Probability, with a region labelled Manage]

Page 42: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact against Probability, with a region labelled Contingency Plan]

Page 43: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact against Probability, with a region labelled Housekeeping]

Page 44: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact against Probability, with a region labelled Monitor]

Page 45: Technology Risk Management (cont.)

[Diagram: 5 x 5 risk matrix, Impact against Probability; entity A moves from its Inherent Risk position to its Residual Risk position through Controls]

Page 46: Technology Risk Management (cont.)

[Diagram: 5 x 5 grid, Inherent Risk (1-5) against Residual Risk (1-5)]

Page 47: Technology Risk Management (cont.)

[Diagram: Inherent Risk against Residual Risk, with a region labelled Increase Resources]

Page 48: Technology Risk Management (cont.)

[Diagram: Inherent Risk against Residual Risk, with a region labelled Assess Controls]

Page 49: Technology Risk Management (cont.)

[Diagram: Inherent Risk against Residual Risk, with a region labelled Not Applicable]

Page 50: Technology Risk Management (cont.)

[Diagram: Inherent Risk against Residual Risk, with a region labelled Decrease Resources]

Page 51: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit; 1st Line of Defence]

Page 52: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit; 1st Line of Defence, 2nd Line of Defence]

Page 53: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit; 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence]

Page 54: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit]

§ Management (with assistance from risk management) are responsible for designing, implementing and maintaining controls

[Label: Control]

Page 55: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit]

§ Internal audit (with assistance from risk management) are responsible for ensuring controls are effectively and efficiently designed, implemented and maintained

[Label: Control Assurance]

Page 56: Technology Risk Management (cont.)

[Diagram: Management, Risk Management, Internal Audit, labelled in turn Operate, Support, Validate]

Page 57: Technology Risk Management (cont.)

Page 58: Further Information

§ Phil Leifermann
§ President Director, Insight Consulting
§ Phone: +62 21 250-6696
§ Fax: +62 21 250-6697
§ Email: [email protected]