Session 1 2 3

IT risk management is important for companies to manage risks better than competitors, which provides a competitive advantage. It allows companies to manage risks proactively and minimize negative impacts. The document discusses why IT risk management is important, how to identify and assess risks, and the risk management process of risk identification, assessment, response development, and execution/control. Key aspects include writing risk statements, using a risk breakdown structure to identify risks, and assessing risks based on likelihood and impact.

Uploaded by rajesh shekar

Sessions 1, 2 & 3

Why is IT Risk Management important to companies?
Why is IT risk management important to you?

Why is it important for companies

Why is it important for you
 Cost per Click paid by advertisers for certain search terms on Google (chart)
 Risk Management Employee Salary
 Median Annual Salary: $127,990 ($61.53/hour)
 Top 10% Annual Salary: More than $208,000 ($100.00/hour)
 Bottom 10% Annual Salary: Less than $67,620 ($32.50/hour)
Source: U.S. Bureau of Labor Statistics, 2019
IT Risk Management – Good or Bad?
 The ability to manage risks better than the competition is an important advantage
 Top management rewards those who manage risks well
 Sometimes a risk may become an opportunity
Risks
Risk (ISO Definition)
"Effect of uncertainty on objectives" – the effect can be positive or negative

Describing Risks
 What could happen?
 Why could it happen?
 Why do we care?
How to write a risk statement?
"Customer data leakage, corruption or unavailability caused by defective system changes resulting in financial fraud losses of UK £1 million"

A well written risk statement contains three main components:
 Cause: the negative conditions that currently exist relative to the risk
 Identification of the root cause(s) of the risk
 This provides justification that a risk exists
 Probability of Occurrence: the likelihood of the occurrence of the risk
 Within a future time frame
 Or tied to a future event
 Consequence: the effect(s), negative impact(s) on the program(s) in case the risk occurs
 The consequence should be expressed in terms of at least one of cost, schedule, scope and performance
 A consequence could also produce opportunities that surface while correcting the problems

In the example above, the cause is "defective system changes", the risk event is "customer data leakage, corruption or unavailability", and the consequence is "financial fraud losses of UK £1 million". The probability of occurrence is not stated; a time frame or probability would have to be added for the statement to be complete.
"Risk" and "Uncertainty"
"Uncertainty is a deficiency of information related to an event, its consequences or its likelihood" (ISO 31000)
Risk Management Process
"An ounce of prevention is worth a pound of cure" – Benjamin Franklin
This is the sentiment behind risk management.
Risk Management Process
Risk Management: a proactive attempt to recognize and manage internal events and external threats that affect the likelihood of a project's success.
 What can go wrong (risk event)
 How to minimize the risk event's impact (consequences)
 What can be done before an event occurs (anticipation)
 What to do when an event occurs (contingency plans)
Risk Management Process
Step 1: Risk Identification – analyze the project to identify sources of risk (known risks, plus new risks fed back from the later steps)
Step 2: Risk Assessment – assess each risk in terms of severity of impact, likelihood of occurring and controllability
Step 3: Risk Response Development – develop a strategy to reduce possible damage and develop contingency plans; the output is the Risk Management Plan
Step 4: Risk Response Control – implement the risk strategy, monitor and adjust the plan for new risks, and apply change management
New risks discovered in steps 2, 3 or 4 feed back into step 1.
ISO Standard for Risk Management – the process
1. Context establishment
2. Risk identification
3. Risk analysis
4. Risk evaluation
5. Risk treatment
Communication (and consultation) and Monitoring and Review run alongside every step.
Managing Risk
 Step 1: Risk Identification
 Generate a list of possible risks through brainstorming, problem identification and risk profiling
 Macro risks first, then specific events
 Step 2: Risk Assessment
 Scenario analysis for event probability and impact
 Risk assessment matrix
 Failure Mode and Effects Analysis (FMEA)
 Probability analysis
 Decision trees, NPV, PERT
 Semiquantitative scenario analysis
Managing Risk
 Step 3: Risk Response Development
 Mitigating Risk
 Reducing the likelihood an adverse event will occur.
 Reducing impact of adverse event.
 Avoiding Risk
 Changing the project plan to eliminate the risk or condition.
 Transferring Risk
 Paying a premium to pass the risk to another party.
 Requiring Build-Own-Operate-Transfer (BOOT) provisions.
 Retaining Risk
 Make a conscious decision to accept the risk.
Managing Risk
 Step 4: Risk Response Execution and Control
 Risk Control
 Execution of the risk response strategy.
 Monitoring of triggering events.
 Initiating contingency plans.
 Watching for new risks
 Establishing a Change Management System
 Monitoring, tracking and reporting risk.
 Fostering an open organization environment.
 Repeating risk identification/assessment exercises
 Assigning and documenting responsibility for managing risk
Risk Identification
 The Risk Breakdown Structure (RBS) – for Projects
Project
 Technical: Requirements; Technology; Complexity and interfaces; Performance and reliability; Quality
 External: Subcontractors and suppliers; Regulatory; Market; Customer; Weather
 Organizational: Project dependencies; Resources; Funding; Prioritization
 Project Management: Estimation; Planning; Controlling; Communication
Risk Identification Methods
 Evidence-based methods, for example checklists and historical data reviews
 Systematic team approaches (a team of experts systematically identifies risks by means of a structured set of prompts or questions – interviews, brainstorming, Delphi method)
 Scenario analysis (root-cause analysis, cause-consequence analysis)
 Statistical methods (Monte Carlo analysis)
Risk Assessment – Impacts/Consequences
 Operational: Loss of information; Loss of premises and equipment; Order backlogs; Productivity losses; Reduced competitive capability; Inability to progress new developments; Inability to meet service contracts; Inability to progress new business; Impaired management control
 Wellbeing of people: Safety, health risks and injuries; Industrial action; Stress and trauma; Low morale of staff
 Reputational: Stock market confidence; Competitors taking advantage; Customer perception; Industry and institutional image; Damage to third party relations; Loss of customers to competitors
 Legal and Regulatory: Confidential information made public; Warnings or penalties from sector regulator; Fines for late submission of company accounts; Fine for late payment of taxes; Breach of contract damages; Fraud and other criminal acts
 Financial: Loss of current and future business; Increased cost of borrowing; Cancellation of contracts; Contractual penalties; Loss of cash flow; Replacement and redevelopment costs; Loss of share price; Increased insurance premiums; Loss of tangible assets
Risk Assessment
Risk Assessment Form (each score on a 1 to 5 scale; for Detection Difficulty, 5 means hardest to detect before it bites)

Risk Event               Likelihood  Impact  Detection Difficulty  When
Interface Problems       4           4       4                     Conversion
System Freezing          2           5       5                     Start-up
User backlash            4           3       3                     Post installation
Hardware malfunctioning  1           5       5                     Installation

Risk Assessment Matrix: each risk event is plotted by likelihood against impact.

Failure Mode and Effects Analysis (FMEA)
Impact x Probability x Detection = Risk Value
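The form and the FMEA rule above are easier to trust once you see both ways of ranking applied to the same four events, because they do not agree. The block below is an added example, not code from the original slides: the events and their 1–5 scores are the ones in the form, the Risk Value = Impact x Probability x Detection rule and the likelihood/impact matrix are the slides' methods, and the matrix zone thresholds (red at 15 or more, amber at 8 or more) are an assumption for illustration only.

```python
"""FMEA-style prioritisation of the risk assessment form above.

Added example, not code from the original slides. The four risk events
and their 1-5 scores are the ones in the form; the rule
Risk Value = Impact x Probability x Detection and the likelihood/impact
matrix are the slides' methods. The matrix zone thresholds (red >= 15,
amber >= 8) are an assumption for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    detection: int    # 1 (easy to detect in time) .. 5 (very hard to detect)
    when: str         # project phase in which the event can occur

    def __post_init__(self) -> None:
        # Reject scores outside the form's 1-5 scale before they distort the ranking.
        for field in ("likelihood", "impact", "detection"):
            value = getattr(self, field)
            if not 1 <= value <= 5:
                raise ValueError(f"{field} must be in 1..5, got {value}")

    @property
    def risk_value(self) -> int:
        """FMEA risk value: Impact x Probability x Detection (range 1..125)."""
        return self.impact * self.likelihood * self.detection

    @property
    def matrix_score(self) -> int:
        """Risk assessment matrix score: likelihood x impact only (range 1..25)."""
        return self.likelihood * self.impact


def matrix_zone(score: int, red: int = 15, amber: int = 8) -> str:
    """Map a likelihood x impact score to a matrix zone (thresholds are assumed)."""
    if score >= red:
        return "red"
    if score >= amber:
        return "amber"
    return "green"


# The risk assessment form from the slides.
RISK_FORM = [
    RiskEvent("Interface problems", likelihood=4, impact=4, detection=4, when="Conversion"),
    RiskEvent("System freezing", likelihood=2, impact=5, detection=5, when="Start-up"),
    RiskEvent("User backlash", likelihood=4, impact=3, detection=3, when="Post installation"),
    RiskEvent("Hardware malfunctioning", likelihood=1, impact=5, detection=5, when="Installation"),
]


def prioritise(events):
    """Highest FMEA risk value first; ties broken by impact, then by name for determinism."""
    return sorted(events, key=lambda e: (-e.risk_value, -e.impact, e.name))


def assessment_table(events):
    """Rows of (name, risk_value, matrix_score, zone, when) in priority order."""
    return [
        (e.name, e.risk_value, e.matrix_score, matrix_zone(e.matrix_score), e.when)
        for e in prioritise(events)
    ]


if __name__ == "__main__":
    for name, rv, ms, zone, when in assessment_table(RISK_FORM):
        print(f"{name:<24} FMEA={rv:>3}  matrix={ms:>2} ({zone:<5})  when={when}")
```

Run it and two things stand out. FMEA ranks System freezing (50) above User backlash (36) even though the matrix puts backlash in a higher cell (12 versus 10): the detection score is what moves it, which is exactly the information the matrix throws away. Hardware malfunctioning has the maximum impact but lands last because it is rated unlikely; a team that never wants a severe-impact event to drop to the bottom of the list should add an impact floor or review the likelihood score rather than trust the product alone.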
Risk Management Plan – Example
Columns: Risk ID | Risk Desc | Likelihood | Impact | RM Strategy | RM Action | Responsibility | When Ready | Verification

What if the risk event occurs despite the mitigation action being taken? Use the Contingency Plan, also called Plan B.
Contingency Planning
 Contingency Plan
 An alternative plan that will be used if a possible foreseen risk event
actually occurs
 A plan of actions that will reduce or mitigate the negative impact
(consequences) of a risk event.
 Risks of not having a Contingency Plan
 Having no plan may slow managerial response
 Decisions made under pressure can be potentially dangerous and
costly
Mitigation Plan Vs Contingency Plan
 Mitigation Plan
 Will leave for airport early from institute, to avoid being held up in
traffic caused by road work at Padubidri
 Contingency Plan
 If still caught in traffic despite leaving early, will take train from
nearby station and travel with essential baggage, take auto from
railway station in Mangalore to airport
Contingency Plan – Example
 Plan A
 Have an additional server ready to take up extra load when needed
 But what if the workload is higher than even the enhanced capacity?
 Contingency Plan
 Allow only high-priority customers' work to happen first. Others will be considered only when free capacity is available.
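The server example is a capacity contingency, and the distinction between Plan A (add capacity) and Plan B (degrade gracefully by priority) is clearer when both are written as admission rules. The block below is an added example, not code from the original slides: the capacity figures, the "high"/"normal" priority labels and the request stream in simulate() are constructed for illustration.

```python
"""Priority-based admission control as a worked contingency plan.

Added example, not code from the original slides. Plan A on the slide is
extra capacity (an additional server brought in when needed); the
contingency is that, once demand exceeds even the enhanced capacity,
high-priority customers' work is admitted first and everyone else waits
for free capacity. The capacity figures, the "high"/"normal" priority
labels and the request stream in simulate() are constructed.
"""
from collections import deque


class AdmissionController:
    def __init__(self, base_capacity: int, standby_capacity: int) -> None:
        self.base_capacity = base_capacity
        self.standby_capacity = standby_capacity
        self.standby_online = False               # Plan A: additional server in use?
        self.in_flight: set[str] = set()          # requests currently being served
        self.waiting = {"high": deque(), "normal": deque()}
        self.contingency_deferrals = 0            # how often Plan B had to defer work

    @property
    def capacity(self) -> int:
        return self.base_capacity + (self.standby_capacity if self.standby_online else 0)

    def submit(self, request_id: str, priority: str = "normal") -> str:
        """Admit a request now or defer it; returns 'admitted' or 'deferred'."""
        if priority not in self.waiting:
            raise ValueError(f"unknown priority {priority!r}")
        # Plan A: bring the standby server online as soon as base capacity is exhausted.
        if len(self.in_flight) >= self.base_capacity and not self.standby_online:
            self.standby_online = True
        if len(self.in_flight) < self.capacity:
            self.in_flight.add(request_id)
            return "admitted"
        # Contingency plan: workload exceeds even the enhanced capacity.
        # Queue the request; high-priority work is dispatched before any other.
        self.contingency_deferrals += 1
        self.waiting[priority].append(request_id)
        return "deferred"

    def complete(self, request_id: str) -> list[str]:
        """Free a slot and return the deferred requests admitted as a result."""
        self.in_flight.remove(request_id)
        return self._dispatch()

    def _dispatch(self) -> list[str]:
        admitted = []
        while len(self.in_flight) < self.capacity:
            # High-priority customers first; others only when capacity is free.
            if self.waiting["high"]:
                rid = self.waiting["high"].popleft()
            elif self.waiting["normal"]:
                rid = self.waiting["normal"].popleft()
            else:
                break
            self.in_flight.add(rid)
            admitted.append(rid)
        return admitted


def simulate():
    """Run a constructed request stream through the controller; returns (controller, log)."""
    ctl = AdmissionController(base_capacity=2, standby_capacity=1)
    log = []
    # Constructed stream: four normal requests, then one high-priority, then another normal.
    for rid, prio in [("n1", "normal"), ("n2", "normal"), ("n3", "normal"),
                      ("n4", "normal"), ("h1", "high"), ("n5", "normal")]:
        log.append((rid, ctl.submit(rid, prio)))
    # Two early requests finish: h1 jumps ahead of n4, and n4 runs before n5.
    log.append(("complete n1", ctl.complete("n1")))
    log.append(("complete n2", ctl.complete("n2")))
    return ctl, log


if __name__ == "__main__":
    controller, events = simulate()
    for entry in events:
        print(entry)
    print("standby online:", controller.standby_online,
          "| still waiting:", list(controller.waiting["normal"]))
```

In the simulated run the third request triggers Plan A (the standby server comes online and the request is admitted), the fourth exceeds the enhanced capacity and is deferred, and when a slot frees the high-priority request h1 is served before the earlier-arrived n4. The counter of contingency deferrals is the kind of trigger signal the "monitoring of triggering events" step asks for: if it climbs, Plan B is in effect and someone should know.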
ISO 31000 – ISO standard for Risk Management
 A set of Risk Management Terms and their definitions
 A set of Principles for guiding and informing effective risk management
for an Enterprise
 An outline and process for creating a Risk Management framework
 An outline and Process for creating a risk management process
The 11 Risk Management Principles (ISO 31000:2009)
1. Risk management establishes and sustains value.
2. Risk management is an integral part of all organizational processes.
3. Risk management is part of decision making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates continual improvement of the organization.
Risk Management Process – 3 broad areas
1. Risk Architecture – roles, responsibilities: "Who"
2. Risk Strategy – risk appetite, philosophy: "What"
3. Risk Procedure – rules and procedures, tools and methodologies: "How"
ISO 31000 – What does it NOT cover?
 Detailed instruction on how to manage the risk
 A complete risk management framework
 A complete risk management process
 Templates
 Guidance on how to identify risks
 Advice on how to manage risks for a specific domain
The Basics…..
 What is IT risk ?
 What is “IT risk Management” ?
 Is IT Risk within the IT department/Function ?
 Types of IT risks
 Artefacts of IT risk Management
 Connection with Enterprise Risk Management
 Some unspoken issues in IT risk management
 Complementary topics – BCP/DRP, Incident management
IT Risk - Defined
“The business risk associated with the use, ownership, operation,
involvement, influence and adoption of IT, including its partners and service
providers”
IT Risk Management
“The process of applying Risk Management processes and procedures to
manage risks that arise while applying IT for business.”
Areas from which IT Risk arises and their impacts
 Areas: Hardware; Software; Communication; Security; Data; People; Projects; Process; Interfaces; Third Party; Outsourced services; Partners
 Impacts: Financial; HSSE; Regulatory; Product Liability; Stock Market; Fraud; Customer Service; Reputation; Credibility; Contractual; Competitive
Typical IT setup in a large organization (diagram)
Labels recoverable from the diagram: On-premise ERP; BI/Analytics; Finance Consolidation; Legacy systems; MES; Websites; E-mail/workflow; Mobile; Cloud Apps; Function-specific applications; Development/Testing; New Tech Trials; Product Lifecycle Mgmt; Customers; Suppliers; User Communication Devices; Data centre; DR System; Backup; DRP; Instances; with Compliance, Regulatory, Security, Confidentiality and Performance drawn as cross-cutting concerns.
Consider the infrastructure of an organisation and the implementation of a new IT system
 The choice of hardware and software is a strategic decision
 It has a great impact; inappropriate selection will undermine the planned benefits
 Execution of the project within time and budget for the agreed scope also carries risks
 Once the systems are installed, running the systems as intended involves operational risks
Which business is free of Risk?
 Which function is free of risk ?
 Which process is free of risk ?
 Which time of the year is free of risk ?
 Which part of the world is free of risk ?
Why should I be concerned about IT Risk?
 …I am not in IT
 …I am in Senior Management
 …I am in a start-up
 …I am in a Govt Organisation
 … I am in non-Profit
 ….I am in Education Sector
 …I am a Field Executive
 …I am too junior in the Organisation
Risk Categories
 Strategic – Corporation
 Strategic – CIO
 Operational – IT
 Operational – Other Functions
 Operational – External
IT Risk – Organizational Context
Changes galore:
 Projects
 OS and SW changes
 Processes
 Regulations
 Competitive pressures
 Technology
 Hardware upgrades
 Hackers/espionage
 People changes
 Dissatisfied employees
 M&A
 Corporate and BU strategy
 Hidden problems
Pressures on IT:
 More services
 Lower costs
 Faster service
 Simplify
 Extend reach of IT
 New devices/systems
 Employee aspirations
 Expectations of all stakeholders
 More options for functions other than in-house IT
 New partners
 Many projects
 New customers of IT
Enterprise Risk Management
Definition (COSO):
"… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

What can stop us from achieving our strategic objectives and meeting stakeholder requirements?
Enterprise Risk Management
How IT Risk Management links to ERM
Example: Risk Model
 Environmental Risks: Capital Availability; Regulatory, Political & Legal; Financial Markets & Shareholder Relations
 Process Risks: Operations Risk; Empowerment Risk; Integrity Risk; Financial Risk; Information Processing/Technology Risk
 Information for Decision Making: Operational Risk; Financial Risk; Strategic Risk
The importance of IT risks in the overall ERM model has increased rapidly.
Some artefacts in IT Risk Management
 Asset register
 Change management request
 Issues register
 Risk register
 Enterprise Architecture
 RACI charts
 BCP / DRP document
 Access Control List
 Checklists
 Process flow charts
 Data dictionary / cross-references
 Risk reporting
 Incident management document
One pager on Risk
Risk – Business view vs IT view
Business View:
 Impact on reputation / brand value
 Impact on customer life / business
 Legal liabilities / regulations
 Impact on financial bottom line
 Competitive position
 Cannot play too safe
IT View:
 Control on IT
 Own reputation
 IT costs / uptime
 Prefer safer options
Risk – Corporate view vs Business view
Corporate View:
 External obligations
 M&A requirements
 Standardise, simplify
 Procurement leverage
 Re-organisation / consolidation
 Cross-business synergies
 Ease of management / control
Business View:
 Competitive differentiation
 Flexibility and speed
 Experiment, innovation
 Revenue over costs
 No functional bureaucracy
To ponder………
Are business leaders comfortable talking about IT risk?
Do we need a common language to talk about risks, so that people at all levels and in all functions can understand and contribute to the risk management process?
4A Framework
 Agility – ability to change quickly as the situation demands
 Accuracy – correct, timely and complete information
 Access – authorised persons have access to authorised information
 Availability – systems run, and recover quickly from interruptions
4A Framework – Availability
Executive Level Questions
 Which of our processes are most dependent on IT?
 What are the consequences of the systems not being available?
Operational Level Questions
 What is the cost of a particular system being down for an hour? Or for minutes?
 What are our procedures for recovering from disruption?
4A Framework – Access
Executive Level Questions
 Which information will cause the most damage if an unauthorised person accesses it?
 What categories of information are most important for our success?
Operational Level Questions
 How do we control, protect and monitor access to this information?
 How can we ensure that the right people can access this information when needed?
4A Framework – Accuracy
Executive Level Questions
 Which processes have the highest consequence for inaccuracy?
 Which are the areas where having better quality information is very beneficial?
Operational Level Questions
 How can we improve the way we gather and manage the information?
 How can we create valuable new sets of information?
4A Framework – Agility
Executive Level Questions
 How does IT currently deliver on new projects? How should it deliver these in future?
 What are the strategic changes in the business that need IT alignment?
 What is the opportunity cost of IT not being able to support the business in one area?
Operational Level Questions
 How can managers in IT and business units improve project definition and delivery?
 What processes, skills and supporting systems are needed to help those changes?
 How should the IT foundation change to improve agility?
Using the 4A Framework
 Frame the questions and measure KPIs from the business standpoint
 Examples: at top management level; at operational level
 Applying the 4A framework for decision making: budget allocation; prioritization of work; involvement of the right people
IT Risk Management – 3 Core principles
Some Pointers
 IT risk is far wider than just cybersecurity
 Career options in IT advisory are also wider than cybersecurity
 If you are very focused on cybersecurity as your preferred career choice, you MAY want to use this book: "CISA: Certified Information Security Professional – Official Study Guide" (the title as given mixes two credentials: CISA is ISACA's Certified Information Systems Auditor, while "Certified Information Systems Security Professional" is (ISC)²'s CISSP; check which study guide you actually need)
 Also read, as a prelude, the book IT Security by the Indian Institute of Banking
Before we close……..
IT risk management has been around for decades.

Incidents of "IT failure" still happen all the time. Why?
