Technology Risk Management
Applying Risk-based Techniques and Tools to Provide Higher Level of Assurance Over IT Environments
by Phil Leifermann, MBA, CIA, CCSA, CFSA, CGAP, CRMA, CISA, CFE, Managing Director, Insight Consulting
Insight Consulting
§ Stakeholder needs
§ Enterprise wide
§ Single integrated framework
§ Holistic approach
§ Governance vs. management
[Diagram, built up over several slides: Strategy and Execution at the top, with Policy, Procedures, Systems and People beneath them; Risk, Control and Assurance are layered over the whole]
What is assurance?
• Certainty
• Confidence
• Freedom from doubt
• Guarantee
• Warranty
[Diagram, built up over several slides: Strategy at the top, Information beneath it, supported by Infrastructure, Data, People, Applications and Facilities; Risks are then mapped against these components, and Controls against the Risks]
Challenges:
§ How do we plan audits of technology?
§ How do we conduct audits of technology?
[Diagram: ten technology entities, labelled A to J]
§ Define audit universe
§ Conduct risk assessment
§ Select audits
§ Determine strategy for audits
Define Audit Universe
• Identify all auditable entities
• These become the audit universe, i.e. all entities which might be audited
[Diagram, built up over two slides: the entities A to J are identified as Auditable Entities; together they form the Audit Universe]
Risk Assessment
• Determine risk factors
• Determine weightings
• Assign scores
• Calculate risk scores
• Assign risk levels
Risk Assessment (cont.)
Risk Factors
• Determine risk factors:
✓ Factor A: Financial Risk
✓ Factor B: Operational Risk
✓ Factor C: Reputational Risk
Risk Assessment (cont.)
Weightings
• For each risk factor, determine weighting (weightings sum to 100%):
✓ Financial Risk: 50%
✓ Operational Risk: 25%
✓ Reputational Risk: 25%
Risk Assessment (cont.)
Scores
• For each risk factor, assign a score out of 10 (these are the scores carried into the worked calculation that follows):
✓ Financial Risk: 8/10
✓ Operational Risk: 10/10
✓ Reputational Risk: 3/10
Risk Assessment (cont.)
Risk Levels
• Multiply each weighting by its score
• This gives a total per risk factor
• Add the totals
• The sum is the grand total
Risk Assessment (cont.)
Risk Factors          Weightings   Scores   Totals
• Financial Risk          0.5         8       4
• Operational Risk        0.25       10       2.5
• Reputational Risk       0.25        3       0.75
Grand Total                                   7.25
Risk Assessment (cont.)
Risk Levels
• Convert grand total to risk level:
✓ High risk: 6.5 – 10
✓ Medium risk: 3.5 – 6.5
✓ Low risk: 1 – 3.5
Risk Assessment (cont.)
Risk Factors          Weightings   Scores   Totals
• Financial Risk          0.5         8       4
• Operational Risk        0.25       10       2.5
• Reputational Risk       0.25        3       0.75
Grand Total                                   7.25
Risk Level: High (7.25 falls in the 6.5 – 10 band)
[Diagram, built up over two slides: the Audit Universe A to J, then the same entities sorted into High Risk, Medium Risk and Low Risk columns after the risk assessment]
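The audit-planning calculation above (weighted factor scores, grand total, risk band, then sorting the audit universe into High/Medium/Low and picking the audits) is small enough to get wrong in a spreadsheet: weightings that no longer sum to 100% after someone edits a cell, or an entity scored on a factor that is not in the model. The following is an added example, not part of the deck; the factors, weightings and bands are the deck's, while the sample universe of entities A to D is constructed and the handling of a total that sits exactly on a band boundary (assigned to the higher band) is an assumption the deck does not state.

```python
"""Weighted risk scoring of an audit universe (added example; the entity
scores below are constructed, only entity A uses the deck's worked numbers)."""

# Risk factors and weightings exactly as in the deck
WEIGHTS = {"Financial Risk": 0.50, "Operational Risk": 0.25, "Reputational Risk": 0.25}

# Scores are out of 10; the deck's lowest band starts at 1, so 1 is taken as
# the minimum score (assumption)
SCORE_MIN, SCORE_MAX = 1, 10

# Risk level bands from the deck (grand total -> level). A total exactly on a
# boundary (3.5 or 6.5) goes to the higher band: assumption, the deck is silent.
RISK_BANDS = (("High", 6.5, 10.0), ("Medium", 3.5, 6.5), ("Low", 1.0, 3.5))


def weighted_risk_score(scores, weights=WEIGHTS):
    """Multiply each factor's weighting by its score and add the totals.

    Returns (per-factor totals, grand total). Rejects weightings that do not
    sum to 1 and score sets that do not match the factors, the two ways this
    spreadsheet-style calculation silently goes wrong."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weightings must sum to 1.0")
    if set(scores) != set(weights):
        raise ValueError(f"scores must cover exactly the factors {sorted(weights)}")
    for factor, score in scores.items():
        if not SCORE_MIN <= score <= SCORE_MAX:
            raise ValueError(f"{factor}: score {score} outside {SCORE_MIN}-{SCORE_MAX}")
    totals = {factor: weights[factor] * scores[factor] for factor in weights}
    return totals, round(sum(totals.values()), 4)


def risk_level(grand_total):
    """Convert a grand total into High, Medium or Low using the deck's bands."""
    for level, low, high in RISK_BANDS:
        if low <= grand_total <= high:
            return level
    raise ValueError(f"grand total {grand_total} outside 1-10")


def rank_audit_universe(universe):
    """Score every auditable entity and group them by risk level, highest
    total first within each group. `universe` maps entity -> factor scores."""
    ranked = {level: [] for level, _, _ in RISK_BANDS}
    for entity, scores in universe.items():
        _, total = weighted_risk_score(scores)
        ranked[risk_level(total)].append((entity, total))
    for entries in ranked.values():
        entries.sort(key=lambda entry: (-entry[1], entry[0]))
    return ranked


def select_audits(ranked, capacity):
    """Pick the `capacity` highest-scoring entities for the audit plan,
    working down from High through Medium to Low."""
    ordered = [entity for level, _, _ in RISK_BANDS for entity, _ in ranked[level]]
    return ordered[:capacity]


# Constructed sample universe; entity A carries the deck's worked scores (8, 10, 3)
SAMPLE_UNIVERSE = {
    "A": {"Financial Risk": 8, "Operational Risk": 10, "Reputational Risk": 3},
    "B": {"Financial Risk": 4, "Operational Risk": 6, "Reputational Risk": 5},
    "C": {"Financial Risk": 2, "Operational Risk": 3, "Reputational Risk": 1},
    "D": {"Financial Risk": 9, "Operational Risk": 4, "Reputational Risk": 8},
}

if __name__ == "__main__":
    ranked = rank_audit_universe(SAMPLE_UNIVERSE)
    for level, entries in ranked.items():
        print(level, entries)
    print("audit plan (capacity 2):", select_audits(ranked, 2))
```

The weighting-sum and factor-set checks are the part worth keeping even if the rest is replaced by a spreadsheet: a model whose weightings drift away from 100% still produces plausible-looking grand totals, and nothing in the band lookup will flag it.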
Challenges:
§ How do we plan audits of technology?
§ How do we conduct audits of technology?
Risk Identification
§ For each auditable entity, identify risks that might affect this auditable entity
§ Assess these risks
§ Measure level of inherent risk
§ Impact rating (e.g. 1 – 5)
§ Probability rating (e.g. 1 – 5)
§ Risk = impact × probability
- e.g. 4 × 3 = 12
[Diagram: the level of inherent risk plotted against the risk appetite; it sits above the appetite and is marked Reject]
Risk Assessment
§ For these risks, assess the controls that prevent, detect, correct and escalate them
§ Measure level of controlled risk
[Diagram: the level of controlled risk is lower than the level of inherent risk but still above the risk appetite, so it is marked Reject]
Risk Mitigation
§ If the level of controlled risk exceeds the "risk appetite", design action plans to further reduce the level of risk
§ Measure level of residual risk
[Diagram: the level of residual risk, below the levels of controlled and inherent risk, now sits within the risk appetite and is marked Accept]
[Diagram, built up over several slides: a 5 × 5 heat map of Impact (1 – 5) against Probability (1 – 5), with regions labelled Manage, Contingency Plan, Housekeeping and Monitor; on the final slide risk A is plotted at its Inherent Risk position and again at its Residual Risk position, the move between the two being the effect of Controls]
[Diagram, built up over several slides: a 5 × 5 matrix of Inherent Risk against Residual Risk, with quadrants labelled Increase Resources, Assess Controls, Not Applicable and Decrease Resources]
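The conduct-of-audit material above is a procedure: rate impact and probability, multiply, compare the inherent, controlled and residual levels with the risk appetite, then read the two matrices. The following is an added example, not the deck's own material, that carries that procedure through for one constructed risk. Two things are assumptions rather than facts from the deck, because the figures do not survive extraction: which corner of the Impact/Probability heat map carries which label (the conventional layout is used), and how the Inherent/Residual matrix quadrants are read (high inherent risk still high after controls calls for more resources; high inherent risk brought low is leaning on controls that should be assessed; low inherent risk staying low can release resources; residual above inherent cannot occur). A rating of 4 or 5 on the 1 – 5 scale is treated as "high", also an assumption.

```python
"""Impact x probability rating, comparison with risk appetite, and the two
5 x 5 matrices from the deck (added example; sample risk is constructed)."""

RATING_MIN, RATING_MAX = 1, 5   # the deck rates impact and probability 1 - 5
HIGH = 4                        # assumption: a rating of 4 or 5 counts as "high"


def _check_rating(name, value):
    if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
        raise ValueError(f"{name} must be an integer {RATING_MIN}-{RATING_MAX}, got {value!r}")


def risk_score(impact, probability):
    """Risk = impact x probability, giving 1 - 25 (the deck's 4 x 3 = 12)."""
    _check_rating("impact", impact)
    _check_rating("probability", probability)
    return impact * probability


def heat_map_region(impact, probability):
    """Region of the Impact/Probability heat map.

    The deck labels four regions (Manage, Contingency Plan, Housekeeping,
    Monitor); the corner-to-label assignment here is the conventional one and
    is an assumption."""
    _check_rating("impact", impact)
    _check_rating("probability", probability)
    high_impact, high_prob = impact >= HIGH, probability >= HIGH
    if high_impact and high_prob:
        return "Manage"
    if high_impact:
        return "Contingency Plan"
    if high_prob:
        return "Housekeeping"
    return "Monitor"


def assess_against_appetite(inherent, controlled, residual, appetite):
    """Walk the three stages (inherent -> controlled -> residual) and accept or
    reject each against the risk appetite, given as a score threshold.

    Each stage is an (impact, probability) pair. Controls cannot add risk, so a
    stage scoring higher than the one before it is reported as a data error
    rather than silently accepted."""
    stages = [("inherent", inherent), ("controlled", controlled), ("residual", residual)]
    result, previous = [], None
    for name, (impact, probability) in stages:
        score = risk_score(impact, probability)
        if previous is not None and score > previous:
            raise ValueError(f"{name} risk ({score}) exceeds the previous stage ({previous})")
        result.append((name, score, "Accept" if score <= appetite else "Reject"))
        previous = score
    return result


def needs_action_plan(assessment):
    """The deck's rule: an action plan is needed when the controlled level of
    risk still exceeds the risk appetite."""
    decisions = {name: decision for name, _, decision in assessment}
    return decisions["controlled"] == "Reject"


def resource_allocation(inherent_rating, residual_rating):
    """Quadrant of the Inherent Risk vs Residual Risk matrix (both rated 1 - 5).

    Reading of the deck's figure (assumption): residual above inherent is Not
    Applicable; high/high -> Increase Resources; high inherent brought low ->
    Assess Controls; low/low -> Decrease Resources."""
    _check_rating("inherent", inherent_rating)
    _check_rating("residual", residual_rating)
    if residual_rating > inherent_rating:
        return "Not Applicable"
    high_inherent, high_residual = inherent_rating >= HIGH, residual_rating >= HIGH
    if high_inherent and high_residual:
        return "Increase Resources"
    if high_inherent:
        return "Assess Controls"
    return "Decrease Resources"


# Constructed sample: one risk rated at each of the three stages, appetite of 6
SAMPLE_RISK = {"inherent": (4, 4), "controlled": (4, 2), "residual": (2, 2)}
SAMPLE_APPETITE = 6

if __name__ == "__main__":
    assessment = assess_against_appetite(SAMPLE_RISK["inherent"], SAMPLE_RISK["controlled"],
                                         SAMPLE_RISK["residual"], SAMPLE_APPETITE)
    for name, score, decision in assessment:
        print(f"{name:10} score={score:2}  {decision}")
    print("action plan needed:", needs_action_plan(assessment))
    print("heat map region (inherent):", heat_map_region(*SAMPLE_RISK["inherent"]))
    print("resource allocation:", resource_allocation(4, 2))
```

The stage-ordering check is the practical safeguard: in a risk register it is easy for a "residual" rating to be entered higher than the inherent one after a re-rating, and the matrix's Not Applicable quadrant exists precisely because that combination is meaningless.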
[Diagram, built up over several slides: the three lines of defence, with Management as the 1st Line of Defence, Risk Management as the 2nd Line of Defence and Internal Audit as the 3rd Line of Defence]
Control
§ Management (with assistance from risk management) is responsible for designing, implementing and maintaining controls
Control Assurance
§ Internal audit (with assistance from risk management) is responsible for ensuring controls are effectively and efficiently designed, implemented and maintained
[Diagram: Management operates the controls, Risk Management supports, Internal Audit validates]
Further Information
§ Phil Leifermann
§ President Director, Insight Consulting
§ Phone: +62 21 250-6696
§ Fax: +62 21 250-6697
§ Email: phil.leifermann@insight.co.id