September 2013. Vicky Ames, IT Risk Manager, IT Risk Management Program

Risk Management Training 2013


Page 1: Risk Management Training 2013

September 2013

Vicky Ames, IT Risk Manager

IT Risk Management Program

Page 2: Risk Management Training 2013

Purpose

The purpose of this training is to provide an introduction to:

Risk Management terminology

Risk Management concepts

IT Risk Management program

“Risk comes from not knowing what you are doing.” – Warren Buffett


Page 3: Risk Management Training 2013

Objectives

At the end of this training you will:

Have a basic understanding of Risk Management terminology

Have a basic understanding of our IT Risk Management program

Understand your role and responsibilities within our IT Risk Management program


Page 4: Risk Management Training 2013

Agenda

Introduction to risk management terminology

Introduction to our IT Risk Management process

Questions


Page 5: Risk Management Training 2013

Risk Management Terminology

“Progress always involves risk; you can't steal second base and keep your foot on first.”

– Frederick Wilcox

Page 6: Risk Management Training 2013

What is Risk?


Page 7: Risk Management Training 2013

Risk Management Terminology

Risk is: A future event that will affect business objectives

Risk vs. Issue

A risk is something that might happen. It has a probability (or likelihood) of happening and if it does there will be a certain impact (may be positive or negative).

An issue is something that has happened (or is happening right now). It does not have a probability but it will have an impact.


Page 8: Risk Management Training 2013

Risk Management Terminology

Impact is: The effect of an event on the organization

Likelihood is: The chance of something happening


Page 9: Risk Management Training 2013

Risk Management Terminology

Risk Analysis is: Evaluation of the likelihood and impact a risk would have on business objectives


Page 10: Risk Management Training 2013

Exercise – Risk Analysis


What is the Risk?

What could be done to increase or decrease likelihood?

What could be done to increase or decrease impact?

Page 11: Risk Management Training 2013

Risk Management Terminology

Gross Risk is:The initial assessment of the impact and likelihood of a risk prior to considering any existing controls.

Net Risk is:The assessment of the impact and likelihood of a risk that considers existing controls.

Target Risk is:The acceptable levels of impact and likelihood for a risk.


Page 12: Risk Management Training 2013

Risk Management Terminology

Possible Risk Responses are:

Avoid – Management decision not to be involved in, or to withdraw from, an activity based on the level of risk

Accept – Management decision that the controls currently in place are sufficient and the current level of residual risk is acceptable

Exploit – Management decision to take actions to ensure an identified opportunity is realized

Mitigate – Management decision to take actions to lessen the likelihood and/or impact of a risk

Transfer – Management decision to share the burden of loss or benefit of gain for a risk with another party.

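The following is an added worked example, not part of the training deck: a small Python model of a Risk Register entry that carries the Gross, Net and Target ratings from the terminology slides, picks the initial Risk Response that the Analyze step calls for, and performs the Respond-step check that a proposed action plan would bring the Net rating to the Target rating. The 1-to-5 rating scale, the likelihood × impact score, the modelling of a control as a fixed reduction of likelihood or impact, the rule that a planned response is only Accept/Mitigate/Exploit by default (Avoid and Transfer being management decisions the scores alone cannot make), and the sample risk R-001 are all assumptions made here; the deck does not specify a scoring method.

```python
"""Risk register scoring: Gross -> Net -> Target (added example, not the deck's own method).

Assumed conventions (not stated on the slides):
  * likelihood and impact are each rated on a 1..5 scale,
  * a rating's score is likelihood * impact,
  * an existing or planned control reduces likelihood and/or impact by a fixed number of points.
"""
from dataclasses import dataclass, field
from typing import List

SCALE = range(1, 6)  # assumed 1..5 rating scale


@dataclass(frozen=True)
class Rating:
    """A likelihood/impact pair as used for Gross, Net and Target risk."""
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    """A control, described only by how many rating points it removes (assumption)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


def apply_controls(gross: Rating, controls: List[Control]) -> Rating:
    """Net rating = gross rating minus the reductions of the given controls, floored at 1."""
    likelihood = max(1, gross.likelihood - sum(c.likelihood_reduction for c in controls))
    impact = max(1, gross.impact - sum(c.impact_reduction for c in controls))
    return Rating(likelihood, impact)


@dataclass
class RiskRegisterEntry:
    risk_id: str
    description: str
    process_owner: str            # the IT process most impacted (Analyze step)
    gross: Rating                 # before considering any existing controls
    target: Rating                # acceptable level, agreed during analysis
    controls: List[Control] = field(default_factory=list)
    opportunity: bool = False     # True when the "risk" is a positive event

    @property
    def net(self) -> Rating:
        """Net Risk: the gross rating after existing controls."""
        return apply_controls(self.gross, self.controls)

    def gap(self) -> int:
        """Score points by which Net Risk still exceeds Target Risk (0 when at target)."""
        return max(0, self.net.score - self.target.score)

    def initial_response(self) -> str:
        """Initial Risk Response selected at analysis time.

        Only Accept, Mitigate and Exploit can be derived from the ratings; Avoid and
        Transfer are management decisions and are not chosen automatically here.
        Note that per the deck only the ITLT may actually accept a risk.
        """
        if self.opportunity:
            return "Exploit"
        if self.gap() == 0:
            return "Accept"
        return "Mitigate"

    def plan_reaches_target(self, planned: List[Control]) -> bool:
        """Respond-step review: would existing plus planned controls bring Net to Target?"""
        projected = apply_controls(self.gross, self.controls + planned)
        return projected.score <= self.target.score


def example_entry() -> RiskRegisterEntry:
    """A constructed sample register entry (values invented for illustration)."""
    return RiskRegisterEntry(
        risk_id="R-001",
        description="Critical servers fall behind on vendor security patches",
        process_owner="DSS05 Manage Security Services",
        gross=Rating(likelihood=4, impact=5),      # gross score 20
        target=Rating(likelihood=2, impact=3),     # target score 6
        controls=[Control("Nightly offline backups", impact_reduction=2)],
    )


if __name__ == "__main__":
    entry = example_entry()
    print(entry.risk_id, "gross", entry.gross.score, "net", entry.net.score,
          "target", entry.target.score, "response", entry.initial_response())
    plan = [Control("Monthly patch cycle with exception tracking", likelihood_reduction=2)]
    print("plan reaches target:", entry.plan_reaches_target(plan))
```

In the sample, the existing backup control lowers impact but not likelihood, so the net score (12) still exceeds the target (6) and the initial response is Mitigate; the Respond-step check then shows that adding a planned patch-cycle control would bring the projected net rating to the target, which is exactly the question the Process Owner and Risk Manager are asked to answer when they review the Action Plan.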

Page 13: Risk Management Training 2013

Risk Management Terminology

Risk Management is: Coordinated activities to identify, assess and respond to risks

Page 14: Risk Management Training 2013

IT Risk Management Process

“One cannot refuse to eat just because there is a chance of being choked.” 

– Chinese Proverb

Page 15: Risk Management Training 2013

IT Risk Management Lifecycle


Page 16: Risk Management Training 2013

IT Risk Management - Roles

IT Risk Manager

– Manages the Risk Management Program

– Coordinates with other roles to ensure risk management activities occur

– Responsible for conducting risk analysis, maintaining the risk register, providing quarterly reports to management

– Interfaces with Enterprise Risk Management team

IT Process Owner

– Responsible for managing risks that impact their processes

– Responsible and accountable for bringing risks that impact their processes to agreed upon target levels

– Provides data to Risk Manager for review

– Assigns Risk POCs and Analysts

– Supports risk management activities

Page 17: Risk Management Training 2013

IT Risk Management - Roles

ITLT

– Supports Risk Management activities

– May be consulted during risk analysis

– Only role authorized to accept risk

Risk Point of Contact

– Primary individual assigned by the Process Owner to participate in Risk Management activities for a particular risk

Analyst

– Any other individual assigned to participate in risk management activities by the Process Owner

Page 18: Risk Management Training 2013

IT Risk Management - Identify

Collect data

– Risk Manager will meet with targeted groups to review trends and identify potential risks

• Problem Management

• Internal and External Audits and Assessments

– Risk Manager will review incidents and issues and will gather data to identify potential risks

• Incident Management

• Change Management

Rationalize data

– Identify potential risks

Page 19: Risk Management Training 2013

IT Risk Management - Analyze

Identify Process Owner

– Risk Manager will identify the IT process most impacted by the stated risk

Conduct Risk Analysis

– Risk Manager will then meet with the Process Owner and others as necessary to perform risk analysis

– Gross Risk

– Net Risk

– Target Risk

– Select initial Risk Response

Update Risk Register

– Risk Manager will update the Risk Register

Page 20: Risk Management Training 2013

IT Risk Management - Respond

Process Owner Develops Risk Action Portfolio

– Plan will identify activities and resources needed to bring Net Risk rating to Target Risk rating

• May require resources from multiple teams

– Process Owner reviews risk assessment and action plan with IT Leadership Team Process Sponsor

– Risk Manager will provide support as needed

– Process Owner completes Risk Action Portfolio document

Process Owner and Risk Manager review Action Plan

– Ensure plan properly executes Risk Response strategy

– Ensure plan will bring Net Risk rating to stated Target Risk rating

Process Owner, Risk POC and Analysts implement Risk Action Plan

Page 21: Risk Management Training 2013

IT Risk Management - Monitor

Risk Manager will meet quarterly with Process Owner

– Review progress of Risk Action Plan

– Review changes to likelihood and impact ratings

– Discuss issues and potential solutions

– Address any concerns

Risk Manager provides Quarterly report to the ITLT

– Reports on top risks and Risk Action Plan status

Page 22: Risk Management Training 2013

Objectives

At the end of this training you will:

Have a basic understanding of Risk Management terminology

Have a basic understanding of the IT Risk Management program

Understand your role and responsibilities within our IT Risk Management program


Page 23: Risk Management Training 2013

Questions

“You'll always miss 100% of the shots you don't take.” 

– Wayne Gretzky

Page 24: Risk Management Training 2013

Appendices

“There are those who are so scrupulously afraid of doing wrong that they seldom venture to do anything.” 

– Luc de Clapiers, Marquis de Vauvenargues

Page 25: Risk Management Training 2013

Appendix A – Risk Management Process Documents

APO12-SOP001 Managing Risk

APO12-SOP001-STD001 Standards for Managing Risk

APO12-SOP001-WI001 Risk Management Data Collection

APO12-SOP001-WI002 Risk Analysis and Assessment

APO12-SOP001-WI003 Maintain Risk Register

APO12-SOP001-WI004 Risk Articulation

APO12-SOP001-WI005 Responding to Risk

APO12-FRM001 Risk Acceptance Form

APO12-SOP001-TMP001 Risk Analysis and Assessment Template

APO12-SOP001-TMP002 Risk Register Template

APO12-SOP001-TMP003 ISLT Quarterly Risk Report Template

APO12-SPO001-TMP004 Risk Management Action Portfolio Template


Available in the GSF Library

Page 26: Risk Management Training 2013

Appendix B – Risk Management Process Links

IT Risk Management Sharepoint Site: https://sharepointportal/Departments/InformationTechnology/InfoSecurity/riskmanagement/default.aspx

– Shared Documents section houses IT Risk Register and other Risk Management documents

GSF Library: https://sharepointportal/Departments/InformationTechnology/GSF-Library/SharedDocuments/Forms/AllItems.aspx

Page 27: Risk Management Training 2013

Appendix C – IT Process Landscape with

Process | Process Owner | ITLT Sponsor

Evaluate, Direct and Monitor (EDM)

EDM01 Ensure Governance Framework Setting and Maintenance | Person 1 | Person 2
EDM02 Ensure Benefits Delivery | Person 3 | Person 4
EDM03 Ensure Risk Optimization | Person 5 | Person 2
EDM04 Ensure Resource Optimization | Person 3 | Person 4
EDM05 Ensure Stakeholder Transparency | Person 4 | Person 6

Align, Plan & Organize (APO)

APO01 Manage the IT Management Framework | Person 4 | Person 6
APO02 Manage Strategy | Person 4 | Person 6
APO03 Manage Enterprise Architecture | Person 7 | Person 8
APO04 Manage Innovation | Person 9 | Person 10
APO05 Manage Portfolio | Person 3 | Person 4
APO06 Manage Budget and Costs | Person 12 | Person 4
APO07 Manage Human Resources | Person 13 | Person 6
APO08 Manage Relationships | Person 3 | Person 4
APO09 Manage Service Agreements | Person 15 | Person 16
APO10 Manage Suppliers | Person 4 | Person 6
APO11 Manage Quality | Person 14 | Person 4
APO12 Manage Risk | Person 3 | Person 4
APO13 Manage Security | Person 3 | Person 4

Build, Acquire & Implement (BAI)

BAI01 Manage Programs and Projects | Person 17 | Person 18
BAI02 Manage Requirements Definition | Person 19 | Person 20
BAI03 Manage Solutions Identification and Build | Person 21 | Person 22
BAI04 Manage Availability and Capacity | Person 23 | Person 24
BAI05 Manage Organizational Change Enablement | Person 25 | Person 4
BAI06 Manage Changes | Person 26 | Person 27
BAI07 Manage Change Acceptance and Transitioning | Person 23 | Person 24
BAI08 Manage Knowledge | Person 13 | Person 14
BAI09 Manage Assets | Person 7 | Person 4
BAI10 Manage Configuration | Person 26 | Person 27

Deliver, Service & Support (DSS)

DSS01 Manage Operations | Person 28 | Person 22
DSS02 Manage Service Requests and Incidents | Person 26 | Person 27
DSS03 Manage Problems | Person 26 | Person 27
DSS04 Manage Continuity | Person 3 | Person 4
DSS05 Manage Security Services | Person 26 | Person 27
DSS06 Manage Business Process Controls | Person 3 | Person 4

Monitor, Evaluate, & Assess (MEA)

MEA01 Monitor, Evaluate, and Assess Performance and Conformance | Trish Palini | Pete Buckwalter
MEA02 Monitor, Evaluate, and Assess the System of Internal Control | Pete Buckwalter | Pete Buckwalter
MEA03 Monitor, Evaluate, and Assess Compliance with External Requirements | Bill Goebel | Pete Buckwalter