Risk Scenarios
Using COBIT® 5 for Risk
About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology.
ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of
Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association
has more than 200 chapters worldwide.
Disclaimer
ISACA has designed and created Risk Scenarios Using COBIT® 5 for Risk (“the Work”) primarily as an educational resource
for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive
of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should
apply their own professional judgment to the specific circumstances presented by the particular systems or information
technology environment.
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
2
Personal Copy of: Mr. Yonscun Yonscun
Acknowledgments
ISACA wishes to recognize:
Lead Developer
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Fischer IT GRC Beratung & Schulung, Switzerland
Development Team
Evelyn Anton, CISA, CISM, CGEIT, CRISC, UTE, Uruguay
Robert E Stroud, CGEIT, CRISC, CA, USA
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants GRC Ltd., United Kingdom
Elza Adams, CISA, CISSP, PMP, HP, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Eduardo Ritegno, CISA, CRISC, QAR (IIA), Banco de la Nacion Argentina, Argentina
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil
Expert Reviewers
Mohamed Tawfik Abul Farag, KPMG, Egypt
Mark Adler, CISA, CISM, CGEIT, CRISC, CCSA, CFE, CFSA, CIA, CISSP, CRMA, CRP, Wal-Mart Stores, Inc., USA
Gerardo H. Arancibia Vidal, CISM, CRISC, Ernst & Young, Chile
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Vilius Benetis, CISA, CRISC, PhD, NRD CS, Lithuania
Jean-Louis Bleicher, CRISC, France
Graham Carter, CISA, CGEIT, ABB Limited, Switzerland
Richard Cartwright, CGEIT, ISP/ITCP, ITIL, PMP, MZP Solutions, Canada
Katalina Coronel Hoyos, CISA, SASCURE Cia. Ltda., Ecuador
Gabriel Croci, CISA, CRISC, SOMOS Consultancy Services, Uruguay
Diego Patricio del Hoyo, CISM, CRISC, CISSP, Westpac Banking Corporation, Australia
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 5 Accredited Trainer, PMP,
Venlee IT Consultancy LLP, India
Joseph Fodor, CISA, CPA, Ernst & Young, LLP, USA
Giovanni Guzman De Leon, CISM, ITIL, CFC, ISO 9001, PhD Candidate, Independent Consultant, Guatemala
Jason Hageman, CISA, ITIL V3, MGM Resorts International, USA
Tomas Hellum, LinkGRC, Denmark
Sharon Jones, CISA, MGM Resorts International, USA
Masatoshi Kajimoto, CISA, CRISC, Independent Consultant, Japan
Satish Kini, CRISC, CISSP, COBIT 5 Certified Assessor, Firstbest Consultants Pvt Ltd., India
Vaman Amarjeet Gokuldas Kini, CISA, CISM, CEH, CISSP, LPT, 27KLA, The World Bank Group, India
Shruti Shrikant Kulkarni, CISA, CRISC, CISSP, CPISI, CCSK, ITIL V3 Expert, Infosys Technologies Limited, India
John W. Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/U, IBM Global Business Services, USA
Michel Lambert, CISA, CISM, CGEIT, CRISC, Ministere de l’Agriculture, des Pecheries et de l’Alimentation du
Quebec, Canada
Romualdas Lecickis, CISA, CISM, CGEIT, CRISC, NRD CS, Lithuania
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA
Sebastian Marondo, CISA, CISM, NRD-EA, National Audit Office - Tanzania, Tanzania
John Simiyu Masika, CISA, CISM, Kenya Airways Ltd., Kenya
Radmila Mihajlovic, CISA, Consultant, Canada
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, GovernaTI, Colombia
Oscar Moreno Mulas, CISA, OKY Consulting/Zelaya Rivas Asociados, El Salvador
Raphael Otieno Onyango, CISA, BCOM, CPA (K), Ecumenical Church Loan Fund – Kenya, Kenya
Abdul Rafeq, Wincer Infotech Limited, India
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India
Franco Rigante, CISA, CRISC, PMP, Grant Thornton Argentina, Argentina
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Paras K. Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
David Sheidlower, CISM, Health Quest, USA
Emil David Skrdla, CISA, CISM, CGEIT, CRISC, ITIL V3, PCI ISA, PCIP, The University of Oklahoma, USA
Gustavo A. Solís, Grupo Cynthus, S.A. de C.V., Mexico
Mark Stacey, CISA, FCA, BG Group, USA
Donald T. Steane, CIA, CMA, CPA, CRMA, DTS Consulting Services, Canada
Dirk Steuperaert, CISA, CGEIT, CRISC, ITIL, IT In Balance BVBA, Belgium
Louis C. Tinto, CISA, CRISC, CFE, CIA, Omnicom Media Group, USA
Alok Tuteja, CGEIT, CRISC, CIA, CISSP, Mazrui Holdings LLC, UAE
Orlando Tuzzolo, CISM, CGEIT, CRISC, World Pass IT Solutions, Brazil
Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany
Table of Contents
List of Figures............................................................................................................................................................................7
Chapter 1. Introduction............................................................................................................................................................9
Background.............................................................................................................................................................................9
Purpose of This Publication..................................................................................................................................................10
Who Should Use This Guide?..............................................................................................................................................10
Scope and Approach.............................................................................................................................................................11
Prerequisite Knowledge........................................................................................................................................................11
Risk Scenarios Using COBIT® 5 for Risk
Appendix 2. Glossary............................................................................................................................................................277
List of Figures
Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits.....................................................................10
Chapter 1
Introduction
Background
Risk scenario analysis is an important component of enterprise risk management (ERM) (figure 1). This technique is
a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA has
issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping their
enterprises manage their risk portfolios.
Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios
that can be used for risk analysis and assessment. It provides readers with potential scenarios to consider in their own
organizations, and these scenarios are meant to be tailored: scenarios will need to be added, removed and amended to produce
a focused set of relevant scenarios that fit the organization’s specific risk, risk appetite and business needs.
Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is
the process used to identify and evaluate risk, its potential effects and the probability of a particular event. Risk
assessment is slightly broader and includes the preliminary and ancillary activities of risk analysis, i.e., the identification
of detailed risk scenarios and the definition of responses such as mitigation plans and the description of existing controls.
Risk analysis and assessment are a core approach to bringing realism, insight, organizational engagement, improved analysis and
structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk, and are one of
the key information items needed to identify, analyze and respond to risk (COBIT 5 Process APO12).
The main purpose of Risk Scenarios Using COBIT 5 for Risk is to give guidance on the development of IT-related risk
scenarios. These scenarios are based on the determination of the value of an asset or a business process. The potential threats
and vulnerabilities that can lead to a loss event should be considered as well as the potential benefits to more effective and
efficient achievement of business objectives and protection or increase of business value. The secondary purpose of this
publication is to provide guidance on how to respond to risk that exceeds the enterprise’s tolerance level. Special guidance is
given on how the COBIT 5 enablers can help in risk management activities.
The adoption of risk scenario analysis can help satisfy requirements from multiple stakeholders. Figure 2 describes the
potential stakeholder benefits that risk scenario analysis can provide.
Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits (role/function: benefits of adopting Risk Scenarios Using COBIT 5 for Risk)
• Board and executive management: Better understanding of the implications of IT risk to enterprise strategic objectives and how to better use IT for successful strategy execution
• Chief risk officer (CRO) and corporate risk managers for enterprise risk management (ERM): Assistance with managing IT risk, in line with generally accepted ERM principles, and incorporating IT risk into enterprise risk
• Operational risk managers: Linking their ERM framework to COBIT 5 for Risk; identification of operational losses or development of key risk indicators (KRIs)
• IT management: Better understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers
• IT service managers: Enhancement of their view of operational risk
• IT security: Positioning of security risk among other categories of IT risk
• Information security/chief information security officer (CISO): Positioning IT risk within the enterprise information risk management structure
• Chief financial officer (CFO): Gaining a better view of IT risk and its financial implications
• Business: Better understanding and management of IT risk in line with business objectives
• Internal auditors: Better analysis of risk in support of audit plans and reports
• Compliance: Advise the risk function with regards to compliance requirements and their potential impact on the enterprise
• General counsel: Advise the risk function on regulation-related risk and potential impact or legal implications on the enterprise
• Regulators: Support assessment of regulated enterprises’ IT risk management approach and the impact of risk on regulatory requirements
• External auditors: Additional guidance on exposure levels when establishing an opinion over the quality of internal control
• Insurers: Help establish adequate IT insurance coverage and obtain agreement on exposure levels
• IT contractors and subcontractors: Better alignment of utility and warranty of IT services provided; understanding of responsibilities arising from risk assessment
Prerequisite Knowledge
Risk Scenarios Using COBIT 5 for Risk builds on COBIT 5 for Risk. The key concepts about the use of scenarios from
COBIT 5 for Risk are repeated in this guide, making it a fairly stand-alone guide, in essence not requiring any prerequisite
knowledge. However, an understanding of COBIT 5 for Risk will accelerate the comprehension of the contents of this
guide. In addition, some risk-relevant items that are described in detail in COBIT 5 for Risk are not repeated in Risk
Scenarios Using COBIT 5 for Risk and may require the use of other guides in the COBIT 5 product family.
For risk mitigation, Risk Scenarios Using COBIT 5 for Risk refers mainly to the COBIT 5 enablers and also to the process
reference model and COBIT 5 processes described therein. If readers wish to know more about COBIT 5 enablers, e.g.,
to implement or improve some of them as part of a risk response (mitigation), they are referred to the following COBIT 5
product family guides: the COBIT 5 framework, COBIT 5: Enabling Processes and COBIT 5: Enabling Information.
Chapter 2
High-level Description of Risk Management Concepts¹
Risk is generally defined as the combination of the probability of an event and its consequence (ISO Guide 73).
Consequences are that enterprise objectives are not met. COBIT 5 for Risk defines IT risk as business risk, specifically,
the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an
enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both
uncertain frequency and impact and creates challenges in meeting strategic goals and objectives.
Figure 4 shows that for all categories of downside IT risk (‘Fail to Gain’ and ‘Lose’ business value) there is an equivalent
upside (‘Gain’ and ‘Preserve’ business value).
Figure 4 (recovered from the extracted figure text): business value, with the downside outcome (‘Fail to Gain’, ‘Lose’) on one side and the equivalent upside (‘Gain’, ‘Preserve’) on the other, illustrated for three categories:
• IT Benefit/Value Enablement: technology enabler for new business initiatives; technology enabler for efficient operations
• IT Programme and Project Delivery: project quality; project relevance; project overrun
• IT Operations and Service Delivery: IT service interruptions; security problems; compliance issues
It is important to keep this upside/downside duality of risk in mind (see figure 5) during all risk-related decisions.
¹ Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.
COBIT 5 for Risk explains the following two perspectives on how to use COBIT 5 in a risk context (figure 6):
• Risk function perspective—Describes what is needed in an enterprise to build and sustain efficient and effective core
risk governance and management activities.
• Risk management perspective—Describes how the core risk management process of identifying, analysing, responding
to and reporting on risk can be assisted by the COBIT 5 enablers.
Figure 7 shows the scope of COBIT 5 for Risk and the relationship between risk scenarios and the risk management
perspective. Risk scenarios support this perspective by providing a link between the identified risk and the COBIT 5
enablers that can be used to mitigate it.
Chapter 3
Risk Scenarios Explained²
A key information item used in the COBIT 5 core risk management process APO12 is the risk scenario (figure 8).
The core risk management process requires risk needs to be identified, analysed and acted on. Well-developed risk
scenarios support these activities and make them realistic and relevant to the enterprise.
Figure 8 also shows that risk scenarios can be derived via two different mechanisms:
• A top-down approach, where one starts from the overall enterprise objectives and performs an analysis of the most
relevant and probable IT risk scenarios impacting the enterprise objectives. If the impact criteria used during risk
analysis are well aligned with the real value drivers of the enterprise, relevant risk scenarios will be developed.
• A bottom-up approach, where a list of generic scenarios is used to define a set of more relevant and customised
scenarios, applied to the individual enterprise situation.
The approaches are complementary and should be used simultaneously. Risk scenarios must be relevant and linked to real
business risk; on the other hand, using a set of example generic risk scenarios can help identify risk, reduce the chance
of overlooking major/common risk scenarios and provide a comprehensive reference for IT risk. However, the specific risk
items and critical business requirements of each enterprise need to be considered in the enterprise risk scenarios.
Note: Do not over-rely on the list of example generic risk scenarios. The list, although quite comprehensive, broad and
covering most potential risk items, needs to be adapted to the enterprise’s specific situation. It is not intended that, going
forward, all IT risk management will use the same set of pre-defined IT risk scenarios. Rather, it is encouraged that this list
be used as a basis for the development of specific, relevant scenarios.
² Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.
Once the set of risk scenarios is defined, it can be used for risk analysis, where frequency and impact of the scenario are
assessed. Important components of this assessment are the risk factors.
The enterprise can also consider evaluating scenarios that have a chance of occurring simultaneously. This is frequently
referred to as ‘stress’ testing and actually entails combining multiple scenarios and understanding what the extra impact
would be of them occurring together.
Risk Factors
Risk factors are those conditions that influence the frequency and/or business impact of risk scenarios. They can be of
different natures and can be classified into two major categories:
• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an
enterprise has over them:
– Internal contextual factors—To a large extent, are under the control of the enterprise, although they may not always be
easy to change
– External contextual factors—To a large extent, are outside the control of the enterprise
• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities. They can be
distinguished in line with the COBIT 5 framework:
– IT risk management capabilities—Indicate to what extent the enterprise is mature in performing the risk management
processes
– IT-related capabilities—Indicate the capability of the IT-related COBIT 5 enablers
The importance of risk factors lies in the influence they have on risk. They are heavy influencers on the frequency and
impact of IT scenarios and should be taken into account during every risk analysis.
Risk factors can also be interpreted as causal factors of the scenario that is materialising, or as vulnerabilities or
weaknesses. These are terms often used in other risk management frameworks.
Scenario analysis should not only be based on past experience and known current events, but should also look forward
to possible future circumstances. Future risk could be related to emerging technologies, new regulations, demographic
changes and new business initiatives.
Risk factors change over time; therefore, scenarios will also change. This change requires an enterprise to perform
continuous risk assessments and risk monitoring. Risk assessment that is based on the scenarios should be performed at
least on an annual basis, and when an important change in internal or external risk factors occurs.
Figure 9 depicts risk factors, which are discussed in more detail in the following paragraphs.
Figure 9 (external context portion, recovered from the extracted figure): risk factors
• Market and economic factors
• Rate of change in the market/product life cycle
• Industry and competition
• Geopolitical situation
• Regulatory environment
• Technology status and evolution
• Threat landscape
External Context
Contextual IT risk factors, i.e., those circumstances that can increase the frequency or impact of an event and which are not
always directly controllable by the enterprise, include:
• Market/economic factors—The industry sector in which the enterprise operates, e.g., operating in the financial sector
imposes different IT requirements and IT capabilities than operating in a manufacturing environment. Other economic
factors can be included as well, e.g., nationalisation, mergers and acquisitions, consolidations.
• Rate of change in the market in which the enterprise operates—Are business models changing fundamentally? Is the
product or service at the end of an important life cycle moment?
• Competitive environment—Market, industry or region in which the enterprise operates
• Geopolitical situation—Is the geographic location subject to frequent natural disasters? Does the local political and
overall economic context represent an additional risk?
• Regulatory environment—Is the enterprise subject to new or more strict IT-related regulations or regulations
impacting IT? Are there any other compliance requirements beyond regulation, e.g., industry-specific, contractual?
• Technology status and evolution—Is the enterprise using state-of-the-art technology and, more important, how fast
are relevant technologies evolving?
• Threat landscape—How are relevant threats evolving in terms of frequency of occurrence and level of capability?
Risk factors in the external context are outside of an enterprise’s control. Therefore, the enterprise is limited in the direct
actions that it can take to manage such risk. However, the enterprise can deal with the risk by developing strategies
to prevent exposures, avoid risk and respond to an incident efficiently and effectively when the risk materialises, e.g.,
building dikes to prevent flooding, moving to an area not subject to flooding, and procuring insurance can all be used to
contend with natural disasters such as floods.
Internal Context
Internal risk factors include:
• Enterprise goals and objectives—What are the needs of the stakeholders and how could these be impacted by risk?
• Strategic importance of IT in the enterprise—Is IT a strategic differentiator, a functional enabler or a supporting function?
• Complexity of IT—Is IT highly complex (e.g., complex architecture, recent mergers) or is IT simple, standardised
and streamlined?
• Complexity of the enterprise (including geographic spread and value chain coverage, e.g., in a manufacturing
environment)—Does the enterprise manufacture and distribute parts, and/or is it also doing assembly activities?
• Degree of change—What degree of change is the enterprise experiencing?
• Change management capability—To what extent is the enterprise capable of organisational change?
• The risk management philosophy—What is the risk philosophy of the enterprise (risk averse or risk taking) and, linked
with that, the values of the enterprise?
• Operating model—The degree to which the enterprise operates independently or is connected to its clients/suppliers, the
degree of centralisation/decentralisation
• Strategic priorities—What are the strategic priorities of the enterprise?
• Culture of the enterprise—Does the existing culture of the enterprise require changing to be able to effectively embrace
risk management?
• Financial capacity—The capacity of the enterprise to provide financial support to enhance and maintain the IT
environment while optimising risk
When considering the internal risk factors during the development and/or refinement of the scenarios the following
considerations should be taken into account (figure 10):
Because an enterprise’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with the
law. Management values must balance the concerns of the enterprise, employees, suppliers, customers, competitors and
the public. Managers of well-run enterprises increasingly have accepted the view that good ethics pay off, and that ethical
behavior is good for the business.
An enterprise that operates with a high degree of ethics may have a lower incidence of risk related to fraud or
misappropriation. Integrity and ethical values are essential elements of an enterprise’s internal environment and affect the
design, administration and monitoring of other enterprise risk management (ERM) components.
Role of Enterprise Management in Determining Enterprise Culture: Top management—starting with the chief executive
officer (CEO)—plays a key role in determining the corporate culture or, as some say, the “Tone at the Top.” As the dominant
personality in an enterprise, the CEO often sets the ethical tone. Certain organizational factors also can influence the
likelihood of fraudulent and creative accounting. Those same factors are likely to influence ethical behavior. Individuals may
engage in dishonest, illegal or unethical acts simply because the enterprise gives them strong incentives or temptations to do
so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment.
Management Determination of Competency Levels: Competence reflects the knowledge and skills needed to perform assigned
tasks. Management decides how much to invest in making sure that tasks are executed properly using skilled resources,
equipment and defined processes. This requires weighing the enterprise’s strategy and objectives against plans for their
implementation and achievement. A trade-off often exists between competence and cost. The risk of failure is higher with
untrained staff, poorly maintained or old equipment, or undefined procedures.
Board of Directors Role in the Internal Environment: An enterprise’s board of directors is a critical part of the internal
environment and significantly influences its elements. The board’s role in risk governance through independent oversight of
management, scrutiny of activities, and appropriateness of the enterprise’s risk appetite and strategy all play a role. An active
and involved board of directors should possess an appropriate degree of management, financial, technical and other expertise,
coupled with the mind-set necessary to perform its oversight responsibilities. This is critical to an effective ERM environment
as the board must be prepared to question and scrutinize management’s activities, present alternative views, and act in the
face of wrongdoing.
Impact of Enterprise Organizational Structure: An enterprise’s organizational structure provides the framework to plan,
execute, control and monitor its activities. Whatever the structure, an enterprise should be organized to enable effective ERM
and to carry out its activities to achieve its objectives.
This factor is correlated with the capability of the enterprise to recognise and detect risk and adverse events; therefore, it
should not be neglected.
Risk management capability is a very significant element in the frequency and impact of risk events in an enterprise
because it is responsible for management’s risk decisions (or lack thereof), as well as for the presence, absence and/or
effectiveness of controls that exist within an enterprise.
IT-Related Capability
IT-related capabilities are associated with the capability level of IT processes and all other enablers. The generic enabler
model in COBIT 5 contains an enabler performance model supporting capability assessments. A high maturity with regard
to the different enablers is equivalent to high IT-related capabilities, which can have a positive influence on:
• Reducing the frequency of events, e.g., having good software development processes in place to deliver high-quality
and stable software, or having good security measures in place to reduce the number of security-related incidents
• Reducing the business impact when events happen, e.g., having a good business continuity plan (BCP)/disaster
recovery plan (DRP) in place when disaster strikes
Assets can be critical or not, e.g., a client-facing web site of a major bank compared to the web site of the local garage
or the intranet of the software development group. Critical resources will probably attract a greater number of attacks or
greater attention on failure; therefore, the frequency of related scenarios will probably be higher. It takes skill, experience
and thorough understanding of dependencies to understand the difference between a critical asset and a non-critical asset.
• Time—Dimension, where the following could be described, if relevant to the scenario:
– The duration of the event, e.g., extended outage of a service or data centre
– The timing (Does the event occur at a critical moment?)
– Detection (Is detection immediate or not?)
– Time lag between the event and consequence (Is there an immediate consequence, e.g., network failure, immediate
downtime, or a delayed consequence, e.g., wrong IT architecture with accumulated high costs over a time span of
several years?)
It is important to stay aware of the differences between loss events, threat events and vulnerability events. When a risk
scenario materialises, a loss event occurs. The loss event has been triggered by a threat event (threat type plus event in
figure 11). The frequency of the threat event leading to a loss event is influenced by the risk factors or vulnerability.
Vulnerability is usually a state and can be increased/decreased by vulnerability events, e.g., the weakening of controls or
by the threat strength. One should not mix these three types of events into one big ‘risk list’.
Figure 11 (risk scenario components):
• Threat type: Malicious; Accidental; Error; Failure; Nature; External requirement
• Event: Disclosure; Interruption; Modification; Theft; Destruction; Ineffective design; Ineffective execution; Rules and regulations; Inappropriate use
• Actor: Internal (staff, contractor); External (competitor, outsider, business partner, regulator, market)
• Asset/Resource: People and skills; Organisational structures; Process; Infrastructure (facilities); IT infrastructure; Information; Applications
• Time: Duration; Timing occurrence (critical or non-critical); Detection; Time lag
Chapter 4 Generic Risk Scenarios and chapter 7 Detailed Example Risk Scenarios contain IT risk scenarios that are built
in line with the model described in the previous paragraphs. The sets of scenarios contain examples of negative outcomes,
but also examples where a risk, when managed well, can lead to a positive outcome.
Building a complete set of scenarios means—in theory—that each possible value of every component should be
combined. Each combination should then be assessed for relevance and realism and, if found to be relevant, entered into
the risk register. In practice, this is not possible; very quickly, an unfeasible number of different risk scenarios can be
generated. The number of scenarios to be developed and analysed should be kept to a relatively small number in order to
remain manageable.
Chapter 3
Risk Scenarios Explained
Figure 12 shows some of the main areas of focus/issues to address when using the risk scenario technique.
• For example, it is essential that the risk function develop a review schedule and the CIO works with the business lines to review and update scenarios for relevance and importance. Frequency of this exercise depends on the overall risk profile of the enterprise and should be done at least on an annual basis, or when important changes occur.
• Use generic risk scenarios as a starting point and build more detail where and when required. One technique of keeping the number of scenarios manageable is to propagate a standard set of generic scenarios through the enterprise and develop more detailed and relevant scenarios when required and warranted by the risk profile only at lower (entity) levels. The assumptions made when grouping or generalising should be well understood by all and adequately documented because they may hide certain scenarios or be confusing when looking at risk response. For example, if ‘insider threat’ is not well defined within a scenario, it may not be clear whether this threat includes privileged and non-privileged insiders. The differences between these aspects of a scenario can be critical when one is trying to understand the frequency and impact of events, as well as mitigation opportunities.
• Number of scenarios should be representative and reflect business reality and complexity. Risk management helps to deal with the enormous complexity of today’s IT environments by prioritising potential action according to its value in reducing risk. Risk management is about reducing complexity, not generating it; hence, another plea for working with a manageable number of risk scenarios. However, the retained number of scenarios still needs to accurately reflect business reality and complexity.
• Risk taxonomy should reflect business reality and complexity. There should be a sufficient number of risk scenario scales reflecting the complexity of the enterprise and the extent of exposures to which the enterprise is subject. Potential scales might be a ‘low, medium, high’ ranking or a numeric scale that scores risk importance from 0 to 5. Scales should be aligned throughout the enterprise to ensure consistent scoring.
• Use generic risk scenario structure to simplify risk reporting. Similarly, for risk reporting purposes, entities should not report on all specific and detailed scenarios, but could do so by using the generic risk structure. For example, an entity may have taken generic scenario 15 (project quality), translated it into five scenarios for its major projects, subsequently conducted a risk analysis for each of the scenarios, then aggregated or summarised the results and reported back using the generic scenario header ‘project quality’.
• Ensure adequate people and skills requirements for developing relevant risk scenarios. Developing a manageable and relevant set of risk scenarios requires:
– Expertise and experience, to not overlook relevant scenarios and not be drawn into highly unrealistic³ or irrelevant scenarios. While the avoidance of scenarios that are unrealistic or irrelevant is important in properly utilising limited resources, some attention should be paid to situations that are highly infrequent and unpredictable, but which could have a cataclysmic impact on the enterprise.
– A thorough understanding of the environment. This includes the IT environment (e.g., infrastructure, applications, dependencies between applications, infrastructure components), the overall business environment, and an understanding of how and which IT environments support the business environment to understand the business impact.
– The intervention and common views of all parties involved—senior management, which has the decision power; business management, which has the best view on business impact; IT, which has the understanding of what can go wrong with IT; and risk management, which can moderate and structure the debate amongst the other parties.
– The process of developing scenarios usually benefits from a brainstorming/workshop approach, where a high-level assessment is usually required to reduce the number of scenarios to a manageable, but relevant and representative, number.
• Use the risk scenario building process to obtain buy-in. Scenario analysis is not just an analytical exercise involving ‘risk analysts’. A significant additional benefit of scenario analysis is achieving organisational buy-in from enterprise entities and business lines, risk management, IT, finance, compliance and other parties. Gaining this buy-in is the reason why scenario analysis should be a carefully facilitated process.
• Involve first line of defence in the scenario building process. In addition to co-ordinating with management, it is recommended that selected members of the staff who are familiar with the detailed operations be included in discussions, where appropriate. Staff whose daily work is in the detailed operations are often more familiar with vulnerabilities in technology and processes that can be exploited.
• Do not focus only on rare and extreme scenarios. When developing scenarios, one should not focus only on worst-case events because they rarely materialise, whereas less-severe incidents happen more often.
• Generating scenarios and creatively thinking of what can go wrong will automatically raise and, hopefully, cause response to, the question of detectability. Detectability of scenarios includes two steps: visibility and recognition. The enterprise must be in a position that it can observe anything going wrong, and it needs the capability to recognise an observed event as something wrong.
Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 37
³ Unrealistic signifies not fixed in time or static. What used to be unthinkable, mainly because it never happened or because it happened too long ago, becomes realistic as soon as it occurs again. A striking example is the 11 September 2001 terrorist attacks in the US. It is human nature for things that have not yet happened, even when they are theoretically possible, to be estimated as not possible or extremely unlikely. Only when they occur will they be taken seriously in risk assessments. This may be regarded as lack of foresight or lack of due care, but it is actually the essence of risk management—trying to shape and contain the future based on past experience and future predictions.
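As an added illustration that is not part of the ISACA guide, the following Python models the scenario components of figure 11, counts the exhaustive combinations the text calls unfeasible, and rolls detailed scenarios up to a generic header for reporting as figure 12 describes. The scenario texts, scores, the frequency-times-impact rating and the plausibility rule are constructed assumptions, not the guide's.

```python
"""Added example, not from the ISACA guide: models the risk scenario components of
figure 11, counts the exhaustive combinations the guide calls unfeasible, and rolls
detailed scenarios up to their generic header for reporting as in figure 12.
Scenario texts, scores, the rating convention and the plausibility rule are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import product

# Component values as listed in figure 11 of the guide.
THREAT_TYPES = ["Malicious", "Accidental", "Error", "Failure", "Nature",
                "External requirement"]
EVENTS = ["Disclosure", "Interruption", "Modification", "Theft", "Destruction",
          "Ineffective design", "Ineffective execution", "Rules and regulations",
          "Inappropriate use"]
ACTORS = ["Internal", "External"]
ASSETS = ["People and skills", "Organisational structures", "Process",
          "Infrastructure (facilities)", "IT infrastructure", "Information",
          "Applications"]
# Time dimension, each attribute reduced to two values for the count (assumption).
TIME = {"duration": ("short", "extended"), "timing": ("critical", "non-critical"),
        "detection": ("immediate", "delayed"), "time lag": ("immediate", "delayed")}
SCALE = range(0, 6)  # the numeric 0-5 importance scale mentioned in figure 12

def exhaustive_scenario_count() -> int:
    """Raw combinations if every value of every component were combined."""
    n = len(THREAT_TYPES) * len(EVENTS) * len(ACTORS) * len(ASSETS)
    for values in TIME.values():
        n *= len(values)
    return n

def plausible(threat_type: str, event: str) -> bool:
    """Constructed relevance rule (an assumption, not from the guide): an act of
    nature can only interrupt or destroy, so other event types are dropped."""
    if threat_type == "Nature":
        return event in {"Interruption", "Destruction"}
    return True

def candidate_scenarios() -> list:
    """Threat/event/actor/asset combinations that survive the relevance rule;
    the time dimension is left to the detailed scenario description."""
    return [(t, e, a, s) for t, e, a, s in product(THREAT_TYPES, EVENTS, ACTORS, ASSETS)
            if plausible(t, e)]

@dataclass(frozen=True)
class RiskScenario:
    generic_ref: str    # generic scenario this detailed one was derived from
    generic_title: str
    description: str
    threat_type: str
    event: str
    actor: str
    asset: str
    frequency: int      # 0-5 on the enterprise-wide aligned scale
    impact: int         # 0-5 on the same scale

    def __post_init__(self) -> None:
        # Scales must be aligned throughout the enterprise; reject other scores.
        if self.frequency not in SCALE or self.impact not in SCALE:
            raise ValueError("frequency and impact must use the 0-5 scale")
        if not plausible(self.threat_type, self.event):
            raise ValueError("implausible threat type / event combination")

def aggregate_for_reporting(scenarios) -> dict:
    """Roll detailed scenarios up to their generic header, as an entity reporting
    'project quality' after analysing one scenario per major project would.
    Rating = frequency x impact is a constructed convention, not the guide's."""
    groups = defaultdict(list)
    for s in scenarios:
        groups[(s.generic_ref, s.generic_title)].append(s)
    report = {}
    for (ref, title), items in groups.items():
        worst = max(items, key=lambda s: s.frequency * s.impact)
        report[ref] = {"title": title, "count": len(items),
                       "max_rating": worst.frequency * worst.impact,
                       "worst_case": worst.description}
    return report

# Constructed sample register: five project scenarios derived from the generic
# 'project quality' scenario (numbered 15 in the guide's example) plus one other.
SAMPLE_REGISTER = [
    RiskScenario("15", "Project quality", f"Project {name}: deliverable fails acceptance",
                 "Error", "Ineffective execution", "Internal", "Applications", freq, imp)
    for name, freq, imp in [("CRM", 3, 2), ("ERP", 2, 5), ("Payroll", 1, 4),
                            ("Portal", 4, 1), ("Data warehouse", 2, 2)]
] + [
    RiskScenario("06", "Information (data breach)", "Customer records leaked via a logical attack",
                 "Malicious", "Disclosure", "External", "Information", 2, 5),
]

if __name__ == "__main__":
    print("exhaustive combinations:", exhaustive_scenario_count())
    print("after relevance rule (time dimension excluded):", len(candidate_scenarios()))
    for ref, row in aggregate_for_reporting(SAMPLE_REGISTER).items():
        print(ref, row)
```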
Chapter 4
Generic Risk Scenarios⁴
An IT risk scenario is a description of an IT-related event that can lead to a loss event that has a business impact, when
and if it should occur. The generic scenarios serve, after customization, as input to risk analysis activities, where the
ultimate business impact (among others) needs to be established. This chapter contains a set of generic IT risk scenarios
(figure 14), built in line with the model described in the previous sections of this guide. The set of generic scenarios
contains both negative and positive example scenarios.
A word of warning: The table with generic scenarios does not replace the creative and reflective phase that every
scenario-creating exercise should contain. In other words, it is not recommended that an enterprise blindly use this list
and assume that no other risk scenarios are possible, or assume that every scenario contained in the list is applicable to the
enterprise. Intelligence and experience are needed to derive a relevant and customized list of scenarios starting from this
generic list.
A ‘P’ indicates a primary (higher degree) fit and an ‘S’ represents a secondary (lower degree) fit. Blank cells indicate that
the risk category is not relevant for the risk scenario at hand.
• Example scenarios—For each scenario category, one or several small examples are given of scenarios with a negative
outcome, indicating whether it is more of a value destruction or a failure to gain, and/or positive outcome, indicating
value gain. In total, 111 risk scenario examples are included with possible negative and/or positive outcomes.
Figure 14 (generic IT risk scenarios). Fit columns, in source order: IT Benefit/Value Enablement, IT Programme and Project Delivery, IT Operations and Service Delivery (P = primary fit, S = secondary fit, blank = not relevant). Rows showing fewer than three letters have blank cells whose position is not shown here.
Ref. | Risk scenario category | Fit | Negative example scenario | Positive example scenario
0101 | Portfolio establishment and maintenance | P P S | Wrong programmes are selected for implementation and are misaligned with corporate strategy and priorities. | Programmes lead to successful new business initiatives selected for execution.
0102 | | P P S | There is duplication between initiatives. | Aligned initiatives have streamlined interfaces.
0103 | | P P S | A new important programme creates long-term incompatibility with the enterprise architecture. | New programmes are assessed for compatibility with existing architecture.
0104 | | P P S | Competing resources are allocated and managed inefficiently and are misaligned to business priorities. |
0201 | Programme/projects life cycle management (programme/projects initiation, economics, delivery, quality and termination) | P P S | Failing (due to cost, delays, scope creep, changed business priorities) projects are not terminated. | Failing or irrelevant projects are stopped on a timely basis.
0202 | | S P S | There is an IT project budget overrun. | The IT project is completed within agreed-on budgets.
0203 | | S P | There is occasional late IT project delivery by an internal development department. | Project delivery is on time.
0204 | | P P S | Routinely, there are important delays in IT project delivery. | The project critical path is managed accordingly and delivery is on time.
0205 | | P P S | There are excessive delays in outsourced IT development projects. | Communication with third parties ensures the timely delivery within agreed-on scope and quality.
0206 | | P P | Programmes/projects fail due to not obtaining the active involvement throughout the programme/project life cycle of all stakeholders (including sponsor). | Change management is conducted appropriately throughout the life cycle of the programme/project to inform stakeholders on progress and train future users.
0301 | IT investment decision making | P S | Business managers or representatives are not involved in important IT investment decision making (e.g., new applications, prioritisation, new technology opportunities). | There is co-ordinated decision making over IT investments between business and IT.
0302 | | P S | The wrong software, in terms of cost, performance, features, compatibility, etc., is selected for implementation. | Upfront analysis is performed and a business case is prepared to ensure the adequate selection of software.
0303 | | P P | The wrong infrastructure, in terms of cost, performance, features, compatibility, etc., is selected for implementation. | Upfront analysis is performed and a business case is prepared to ensure the adequate selection of infrastructure.
0304 | | P P | Redundant software is purchased. |
0401 | IT expertise and skills | P P P | There is a lack of or mismatched IT-related skills within IT, e.g., due to new technologies. | Attracting the appropriate staff increases the service delivery of the IT department.
0402 | | P P P | There is a lack of business understanding by IT staff affecting the service delivery/projects quality. | Correct staff and skill mix supports project delivery and value delivery.
0403 | | P P P | There are insufficient skills to cover the business requirements. | Correct skill mix and training ensures that there is a thorough understanding of the business by staff and allows full coverage of business requirements.
0404 | | S P P | There is an inability to recruit IT staff. | The correct amount of IT staff, with appropriate skills and competencies, is attracted to support the business objectives.
0405 | | S P P | There is a lack of due diligence in the recruitment process. | Candidates are screened to ensure that appropriate skills, competencies and attitude are present.
0406 | | S P P | There is a lack of training leading to IT staff leaving. | IT staff members are able to determine their own training plan based on their aspirations and domains of interest, in collaboration with their superiors.
0407 | | S P P | There is insufficient return on investment regarding training due to early leaving of trained IT staff (e.g., MBA). | Career development is made formal and individual paths are determined to ensure IT staff is motivated to stay for a considerable amount of time.
0408 | | S P P | There is an overreliance on key IT staff. | Job rotation ensures that nobody alone possesses the entire knowledge of the execution of a certain activity.
0409 | | S P P | There is an inability to update the IT skills to the proper level through training. | Training, attending seminars and reading thought leadership ensures that IT staff is up to date with the latest developments in its area of speciality.
0501 | Staff operations (human error and malicious intent) | S S P | Access rights from prior roles are abused. | HR and IT administration co-ordinate on a frequent basis to ensure timely removal of access rights, avoiding the possibility of abuse.
0502 | | S P | IT equipment is accidentally damaged by staff. |
0503 | | S P | There are errors by IT staff (during backup, during upgrades of systems, during maintenance of systems, etc.). | The four-eyes principle is applied, decreasing the possibility of errors before moving to production.
0504 | | S P | Information is input incorrectly by IT staff or system users. | The four-eyes principle is applied, decreasing the possibility of incorrect information input.
0505 | | S P | The data centre is destroyed (sabotage, etc.) by staff. | Data centre is appropriately secured, only allowing access to authorised IT staff.
0506 | | S P | There is a theft of a device with sensitive data by staff. | Office premises are secured and monitored for irregular activity.
0507 | | S P | There is a theft of a key infrastructure component by staff. | Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
0508 | | P S P | Hardware components were configured erroneously. | An enterprisewide configuration management system is set up, ensuring aligned configuration across the enterprise.
0509 | | P S P | Critical servers in the computer room were damaged (e.g., accident, etc.). | Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
0510 | | P S P | Hardware was tampered with intentionally (security devices, etc.). | Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
0601 | Information (data breach: damage, leakage and access) | S P | Hardware components are damaged, leading to (partial) destruction of data by internal staff. | Backup procedures, aligned to the business criticality of the data, are established, ensuring key business data is always retained at a second location.
0602 | | S S P | The database is corrupted, leading to inaccessible data. |
0603 | | S S P | Portable media containing sensitive data (CD, USB drives, portable disks, etc.) is lost/disclosed. | Portable media are appropriately secured and encrypted to ensure protection of data.
0604 | | S S P | Sensitive data is lost/disclosed through logical attacks. | Sensitive data residing in the enterprise premises are protected appropriately behind firewalls and through continuous network monitoring.
0605 | | S S P | Backup media is lost or backups are not checked for effectiveness. |
0606 | | P S P | Sensitive information is accidentally disclosed due to failure to follow information handling guidelines. | Employees are encouraged continuously to be ambassadors of the enterprise culture, ethics and good behaviours, including practices around information handling.
0607 | | P S P | Data (accounting, security-related data, sales figures, etc.) are modified intentionally. | The four-eyes principle is applied for specific data inputs/modifications to create a peer review and decrease the stimulus for intentional modification.
0608 | | P S P | Sensitive information is disclosed through email or social media. | Employees are encouraged continuously to be ambassadors of the enterprise culture, ethics and good behaviours, including practices involving distribution of information through email and social media.
0609 | | P S P | Sensitive information is discovered due to inefficient retaining/archiving/disposing of information. | The data retention policy is updated regularly and strict compliancy is endorsed for all employees.
0610 | | P S P | IP is lost and/or competitive information is leaked due to key team members leaving the enterprise. | IP clauses are incorporated in every contract, allowing the enterprise to fully reap the benefits of all IP created in the enterprise.
0611 | | P S P | The enterprise has an overflow of data and cannot deduct the business relevant information from the data (e.g., big data problem). | The enterprise has an effective process in place to process the data it has into business relevant information and use that information to create business value.
0701 | Architecture (architectural vision and design) | P P P | The enterprise architecture is complex and inflexible, obstructing further evolution and expansion leading to missed business opportunities. | Modern and flexible architecture supports business agility/innovation.
0702 | | P S P | The enterprise architecture is not fit for purpose and not supporting the business priorities. |
0703 | | P S S | There is a failure to adopt and exploit new infrastructure in a timely manner. |
0704 | | P S S | There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner. |
0801 | Infrastructure (hardware, operating system and controlling technology) (selection/implementation, operations and decommissioning) | P S P | New (innovative) infrastructure is installed and as a result systems become unstable leading to operational incidents, e.g., Bring your own device (BYOD) programme. | Appropriate testing is conducted before setting infrastructure into the production environment to ensure the availability and proper functioning of the entire system.
0802 | | P S P | The systems cannot handle transaction volumes when user volumes increase. |
0803 | | P S P | The systems cannot handle system load when new applications or initiatives are deployed. |
0804 | | P S P | Intermittently, there are failures of utilities (telecom, electricity). | Second line utilities are foreseen and stand by 24/7 to support the continuous execution of business critical transactions.
0805 | | P S P | The IT in use is obsolete and cannot satisfy new business requirements (networking, security, database, storage, etc.). | IT is an innovator, ensuring a two-way interaction between business and IT.
0806 | | P | Hardware fails due to overheating. |
0901 | Software | P S | There is an inability to use the software to realise desired outcomes (e.g., failure to make required business model or organisational changes). | The software in use stimulates the generation of new ideas.
0902 | | P S | Immature software (early adopters, bugs, etc.) is implemented. |
0903 | | P S | The wrong software (cost, performance, features, compatibility, etc.) is selected for implementation. | Upfront analysis is performed and a business case is prepared to ensure the adequate selection of software.
0904 | | P S | There are operational glitches when new software is made operational. | User adapted training and user acceptance testing is performed before the go-live decision to ensure the smooth transition to new software and that generation of business value continues.
0905 | | P S | Users cannot use and exploit new application software. | (Shared with 0904.)
0906 | | P S | Intentional modification of software leading to wrong data or fraudulent actions. | The four-eyes principle is applied for specific data inputs/modifications to create a peer review and decrease the stimulus for fraudulent actions or simply unexpected results.
0907 | | P S | Unintentional modification of software leads to unexpected results. | (Shared with 0906.)
0908 | | P S | Unintentional configuration and change management errors occur. | Enterprisewide configuration management decreases resolution time for incident and problem management.
0909 | | P S | Regular software malfunctioning of critical application software occurs. | Appropriate testing is conducted before the go-live decision to ensure the availability and proper functioning of the software.
0910 | | P S | Intermittent software problems with important system software occur. |
0911 | | P S | Application software is obsolete (e.g., old technology, poorly documented, expensive to maintain, difficult to extend, not integrated in current architecture). | IT is an innovator, ensuring a two-way interaction between business and IT.
0912 | | P S | There is an inability to revert back to former versions in case of operational issues with the new version. | Backup and restore points are established in accordance with business criticality of software to ensure roll-back procedures.
1001 | Business ownership of IT | P P S | Business does not assume accountability over those IT areas it should, e.g., functional requirements, development priorities, assessing opportunities through new technologies. | Business assumes appropriate accountability over IT and co-determines the strategy of IT, especially application portfolio.
1002 | | P S S | There is extensive dependency and use of end-user computing and ad hoc solutions for important information needs, leading to security deficiencies, inaccurate data or increasing costs/inefficient use of resources. |
1003 | | P S S | Cost and ineffectiveness is related to IT related purchases outside of the procurement process. | A business case is always prepared to ensure optimal cost and effective purchasing of software.
1004 | | P | Inadequate requirements lead to ineffective service level agreements (SLAs). |
1101 | Supplier (selection/performance, contractual compliance, termination of service and transfer) | S P | There is a lack of supplier due diligence regarding financial viability, delivery capability and sustainability of supplier’s service. | Third party acts as strategic partner.
1102 | | S P | Unreasonable terms of business are accepted from IT suppliers. |
1103 | | S P | Support and services delivered by vendors are inadequate and not in line with the SLA. | Appropriate key performance indicators (KPIs), linked to rewards and penalties, ensure adequate service delivery and support.
1104 | | S P | Outsourcer performance is inadequate in a large-scale long-term outsourcing arrangement. | (Shared with 1103.)
1105 | | S P | There is non-compliance with software licence agreements (use and/or distribution of unlicenced software, etc.). | Contractual arrangements are agreed on concerning the use of third-party software and proprietary software.
1106 | | S P | There is an inability to transfer to alternative suppliers due to overreliance on current supplier. | A phase-out and knowledge transfer clause is added to the contract with the supplier, requiring them to do a handover with new suppliers. A mix of internal and external employees is set up for each process, avoiding full knowledge of the process only residing with external employees.
1107 | | S P | Cloud services are purchased by the business without the consultation/involvement of IT, resulting in inability to integrate the service with in-house services. |
1201 | Regulatory compliance | P S S | There is non-compliance with regulations, e.g., privacy, accounting, manufacturing. | Full compliance with regulations is exploited towards clients to generate extra business value.
1202 | | P S S | Unawareness of potential regulatory changes has an impact on the operational IT environment. | The enterprise sets up a legal and compliance department to follow up on regulatory changes and to ensure the continuation of business value generation.
1203 | | P S S | The regulator prevents cross-border dataflow due to insufficient controls. |
1301 | Geopolitical | P | There is no access due to disruptive incident in other premises. | Clear compliance with national policies and support of local initiatives ensures support by local government and generation of business value.
1302 | | P | Government interference and national policies limit service capability. | (Shared with 1301.)
1303 | | P | Targeted action against the enterprise results in destruction of infrastructure. |
1401 | Infrastructure theft or destruction | S S P | There is a theft of a device with sensitive data. | Key infrastructure components are monitored 24/7 for performance, availability, etc. Alarm bells are raised in case of irregularities and acted on immediately.
1402 | | S S P | There is a theft of a substantial number of development servers. | (Shared with 1401.)
1403 | | S S P | Destruction of the data centre (sabotage, etc.) occurs. | Data centre is appropriately secured, only allowing access to authorised IT staff.
1404 | | S S P | There is accidental destruction of individual devices. |
1501 | Malware | S P | There is an intrusion of malware on critical operational servers. | IT infrastructure will be appropriately protected behind firewalls and through continuous monitoring of the network to ensure the execution of day-to-day activities.
1502 | | S P | Regularly, there is infection of laptops with malware. | (Shared with 1501.)
1503 | | S P | A disgruntled employee implements a time bomb that leads to data loss. |
1504 | | S P | Company data are stolen through unauthorised access gained by a phishing attack. |
1601 | Logical attacks | S P | Unauthorised users try to break into systems. |
1602 | | S P | There is a service interruption due to denial-of-service attack. |
1603 | | S P | The web site is defaced. |
1604 | | S P | Industrial espionage takes place. |
1605 | | S P | There is a virus attack. |
1606 | | S P | Hacktivism takes place. |
1701 | Industrial action | S S P | Facilities and building are not accessible because of a labour union strike. | A business continuity plan foresees action to be taken to always ensure the execution of business critical tasks in case the building is not accessible anymore.
1702 | | S S P | Key staff is not available through industrial action (e.g., transportation strike). | A flexible work policy, allowing employees to work from another location other than the office building, stimulates freedom and creates a positive work atmosphere.
1703 | | S S P | A third party is not able to provide services because of a strike. |
1704 | | S S P | There is no access to capital caused by a strike of the banking industry. |
1801 | Environmental | S S P | The equipment used is not environmentally friendly (e.g., power consumption, packaging). | Being awarded for environmental friendliness creates positive media attention, attracts new customers and employees, and ensures value creation.
1901 | Acts of nature | S S P | There is an earthquake. |
1902 | | S S P | There is a tsunami. |
1903 | | S S P | There are major storms and tropical cyclones. |
1904 | | S S P | There is a major wildfire. |
1905 | | S S P | There is flooding. |
1906 | | S S P | The water table is rising. |
2001 | Innovation | P S S | New and important technology trends are not identified. | Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are timely assessed for business impact and adopted if required.
2002 | | P S | There is a failure to adopt and exploit new software (functionality, optimisation, etc.) in a timely manner. | Innovation and trend watch are endorsed and encouraged, ensuring new technology (trends) are timely assessed for business impact and adopted if required.
2003 | | P S | New and important software trends are not identified (consumerisation of IT). |
Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 38
⁴ Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.
Chapter 5, Using COBIT 5 Enablers to Mitigate IT Risk Scenarios, provides a set of examples that show how COBIT 5
enablers can be used to respond to the risk scenarios described in figure 14. Other IT management frameworks, such as
Information Technology Infrastructure Library (ITIL), and International Organization for Standardization (ISO)
and International Electrotechnical Commission (IEC) 27001/2, can also be used for that purpose, but no detailed
links/mappings are included.
Chapter 5
Using COBIT 5 Enablers to Mitigate IT Risk Scenarios⁵
During the risk response process, risk mitigation is one of the options that can be used to respond to risk. IT-related risk
mitigation is equivalent to implementing a number of IT controls. In COBIT 5 terms, IT controls can be any enabler,
e.g., principles, policies and frameworks; processes; organisational structures; culture, ethics and behaviour; information;
services, infrastructure and applications; or people, skills and competencies.
This chapter provides examples that show how COBIT 5 enablers can be used to respond to risk scenarios. For each of
the risk scenario categories identified in chapter 4, potential mitigating actions relating to all seven COBIT 5 enablers are
provided, with a reference, title and description for each enabler.
When using the examples in this chapter, the reader should keep in mind that:
• The examples do not replace the risk analysis exercise. The risk scenario categories presented here are generic and, in
themselves, can cover many derived and varying scenarios. Every enterprise first needs to customize and define its own
set of risk scenarios.
• The examples need to be customized to include every risk and all surrounding risk factors that should be considered
before risk mitigation measures are defined.
• The suggested IT controls/enablers are not absolute. They need to be weighed in terms of cost and benefit, i.e.,
how effective they will be in addressing risk and the cost to implement them. The effect of the mitigating action on
potential impact and frequency of the risk should be estimated and depends on the maturity of the IT control/enabler
implementation, the context of the enterprise, etc. When effect on impact and frequency is estimated to be “high,” the
action can be considered “essential” for the enterprise.
• The suggested list of IT controls/enablers may not be complete for a particular situation, so the user should be prepared
to carefully analyze whether any controls need to be added or removed based on each situation. For some scenarios,
additional and more detailed guidance may be required. Examples are information security risk items and controls such
as vulnerability management or application security scanning.
Note: The tables linking each risk scenario category to a set of mitigating enablers stay at a very generic level, thus
providing a starting point for preparing mitigation plans. Each enterprise will need to tailor the set of enablers required to
analyze and mitigate each specific risk scenario in scope.
5 Content in this chapter is based on the following publication: ISACA, COBIT® 5 for Risk, USA, 2013.
Risk Scenarios Using COBIT® 5 for Risk
Chapter 6
Expressing and Describing Risk
Preparation of a Risk Scenario Analysis
Risk scenarios can be used to describe risk and document the risk factors needed to estimate frequency and impact. Appendix 1
contains a generic template that has been developed to facilitate the documentation of information useful for treatment of the
risk scenario under analysis. Chapter 7 provides practical and detailed examples of risk scenarios, which are based on this
template. In total, there are 60 detailed risk scenario examples derived from the 20 risk scenario categories.
6 Content in this chapter is based on the following publications: ISACA, COBIT® 5 (the framework), USA, 2012; ISACA, COBIT® 5 for Risk, USA, 2013; ISACA, The Risk IT Practitioner Guide, USA, 2009.
– Asset/Resource
An asset is something of either tangible or intangible value that is worth protecting, including people, systems,
infrastructure, finances and reputation. A resource is anything that helps to achieve a goal. An asset/resource can be:
. Process
. People and skills
. Organizational structure
. Physical infrastructure (facilities, equipment, etc.)
. IT infrastructure, including computing hardware, networks, middleware
. Information
. Applications
Assets and resources can be identical. For example, IT hardware is an important resource because IT applications use it,
and it is an asset because it has a value to the enterprise.
– Time issues
. Timing of occurrence (critical, noncritical—Does the event occur at a critical moment?)
. Duration (short, moderate, extended—The duration of the event, e.g., extended outage of a service or data center)
. Detection (slow, moderate, instant)
. Time lag (immediate, delayed—Lag between the event and the consequence. Is there an immediate consequence,
e.g., network failure, immediate downtime, or delayed consequence, or an incorrect IT architecture with
accumulated high costs, over a time span of several years?)
• Risk Type
A description of the type of risk to which scenarios that are derived from the generic scenario fit, using the three risk
types explained previously.
A “P” indicates a primary (higher degree) fit, and an “S” a secondary (lower degree) fit. Blank cells indicate that the risk
category is not relevant for the risk scenario at hand.
– IT Benefit/Value Enablement
Associated with opportunities, or missed opportunities, to use technology to improve efficiency or effectiveness of
business processes, or as an enabler for new business initiatives:
. Technology enabler for new business initiatives
. Technology enabler for efficient operations
– IT Programme and Project Delivery
Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and
programs as part of investment portfolios:
. Project quality
. Project relevance
. Project overrun
– IT Operations and Service Delivery:
Associated with all aspects of the business as usual performance of IT systems and services, which can bring
destruction or reduction of value to the enterprise:
. IT service interruptions
. Security problems
. Compliance issues
• Risk Response
Description of how the enterprise will respond to the risk. The purpose of defining a risk response is to bring risk in line
with the defined risk appetite and tolerance for the enterprise. Risk response can be:
– Risk avoidance
– Risk acceptance
– Risk sharing/transfer
– Risk mitigation
• Risk Mitigation Using COBIT 5 Enablers
Description of how the enterprise will work to avoid the risk from materializing. For risk mitigation possibilities, see the
COBIT 5 enablers in chapter 5. Provide the following information:
– Reference, title and description of one or more relevant enablers that can help to mitigate the risk
– The estimated effect that implementing this enabler will have on the frequency and impact of the risk. Possible values
are low, medium or high.
– Based on the two parameters of frequency and impact, indicate whether or not this enabler is essential (a key
management practice to mitigate the risk). An enabler is considered essential if it has a high effect on reducing either
impact or frequency of the scenario.
• Key Risk Indicators
Identification of a number of metrics to detect and monitor the risk scenario and the risk response
Chapter 7 provides 60 detailed examples of risk scenario analysis, which are based on the template in appendix 1.
Important: The detailed scenario examples do not replace the creative and reflective phase that every scenario-creating
exercise should contain. In other words, an enterprise should not blindly use the example scenarios and assume that
no other risk scenarios are possible or assume that every scenario contained in the list is applicable to the enterprise.
Intelligence and experience are needed to derive a relevant and customised list of scenarios, starting from the generic list.
Several methods for risk analysis exist, ranging from high-level and mostly qualitative to very detailed and/or
quantitative, with hybrid methods in between. Both forms may be needed at different stages of the risk management
process. For example, qualitative analysis tends to be better at the initial risk assessment stage to establish priorities, and
quantitative analysis can then provide the required rigour and accuracy for the selected high-risk areas.
The enterprise’s culture, resources, skills and knowledge of IT risk management, environment, risk appetite, and its
existing approach to ERM will determine which methodology should be used.
Analysis based on subjective opinions or estimated data may be insufficient. There is still the question of uncertainty.
How certain can one be about the results of risk assessment? Some advanced methods exist to increase reliability of risk
assessments, but these require deep statistical skills. They include:
• Probabilistic risk assessment—Using a mathematical model to construct the qualitative risk assessment approach
while using the quantitative risk assessment techniques and principles. In a simple way, the statistical models are used
and missing data to populate these models are collected using qualitative risk assessment methods (interviews, Delphi
method, etc.).
• Monte Carlo simulation—A powerful method for combining qualitative and quantitative approaches, which is based
on the normal deterministic simulation model described previously, but iteratively evaluates the model using sets of
random numbers as inputs. While deterministic models will provide the expected value, Monte Carlo simulation will
give the value as a probability distribution based on the quality of the information provided.
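To make the contrast between a deterministic expected value and a Monte Carlo loss distribution concrete, the following Python example is added here; it is not from the ISACA publication. It models one risk scenario with an assumed Poisson distribution for the annual event count and an assumed lognormal distribution for the loss per event. The parameter values (five events per year, a median loss of 10,000, a log-standard-deviation of 0.8) are constructed for illustration, and the function and parameter names are this example's own.

```python
"""Deterministic annual loss expectancy versus a Monte Carlo loss distribution
for a single risk scenario (added illustration, not ISACA material)."""
import math
import random
from typing import Dict, List


def poisson_sample(rng: random.Random, lam: float) -> int:
    """Draw an event count from Poisson(lam) using Knuth's multiplication
    method, which is adequate for the small annual frequencies typical of
    risk scenarios (it becomes slow for lam in the hundreds)."""
    if lam <= 0:
        return 0
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def deterministic_ale(frequency: float, median_loss: float, sigma: float) -> float:
    """Single-point estimate: annual loss expectancy = expected events per year
    times expected loss per event. For a lognormal loss with the given median
    and log-standard-deviation sigma, the mean is median * exp(sigma^2 / 2)."""
    return frequency * median_loss * math.exp(sigma ** 2 / 2)


def simulate_annual_loss(frequency: float, median_loss: float, sigma: float,
                         iterations: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Monte Carlo: evaluate the same loss model many times with random inputs
    and summarise the resulting distribution of annual loss."""
    rng = random.Random(seed)      # fixed seed so the run is reproducible
    mu = math.log(median_loss)     # lognormal location parameter for the chosen median
    losses: List[float] = []
    for _ in range(iterations):
        events = poisson_sample(rng, frequency)
        year_loss = sum(rng.lognormvariate(mu, sigma) for _ in range(events))
        losses.append(year_loss)
    losses.sort()

    def percentile(p: float) -> float:
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(0.50),
        "p90": percentile(0.90),
        "p95": percentile(0.95),
        "p99": percentile(0.99),
        "max": losses[-1],
    }


if __name__ == "__main__":
    # Constructed scenario parameters (illustrative, not from the publication).
    freq, median, sigma = 5.0, 10_000.0, 0.8
    print(f"Deterministic ALE: {deterministic_ale(freq, median, sigma):,.0f}")
    for key, value in simulate_annual_loss(freq, median, sigma).items():
        print(f"{key:>5}: {value:,.0f}")
```

The deterministic figure is the single number a risk register would carry; the simulated percentiles show what the paragraph means by "the value as a probability distribution": the median year costs less than the expected value, while the 95th and 99th percentiles expose the tail that a point estimate hides.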
There are many sources of data that can be leveraged to support risk analysis. Some of these sources can exist already
in the enterprise; for example, business process improvement (BPI), project management office (PMO), enterprise
architecture (EA), quality control (QC) and other organisations that collect similar data to support their functions.
The following section of this chapter describes some suggested techniques that are mostly qualitative techniques and
will be most commonly used. Despite their inherently lower precision, they can provide very insightful and relevant data
because they provide a model by which all risk can be measured and described using the same language and reference
base, eliminating the most notorious cases of subjectivity and ambiguity. For example:
• If a time frame is not specified in a scenario, then a conclusion that the likelihood of an event is ‘high’ may be
interpreted differently by different people. One person might assume that it is highly likely to occur this year, while
another person might assume that it means it is highly likely to happen eventually.
• If scales are not defined for loss magnitude, then one person’s subjective interpretation of ‘severe loss’ can be
significantly different from someone else’s interpretation.
The link between IT risk scenarios and ultimate business impact needs to be established to understand the effects of
adverse events. Several techniques and options exist that can help the enterprise to describe IT risk in business terms,
and there is no right or wrong option. One has to choose the option that fits best with the enterprise and complement this
scheme with a range of scales to quantify the risk during risk analysis.
IT-related risk can be translated/expressed into business relevant terms, but a prescription for any single method does not
exist. Some available methods are discussed in the following sections.
The following considerations need to be made, irrespective of the choice of impact description method:
• Define impact scales that are linked to the chosen impact description method so that they are clear and unambiguous
for everyone and truly represent business objectives.
• Ensure that the chosen method and scales allow for the risk appetite to be easily defined, e.g., the acceptable and
unacceptable risk, in the same terms, across the enterprise.
• Ensure that IT-related scenarios are clearly mapped to the business impact descriptions. This means that dependencies
between events (e.g., hardware failure) and ultimate business impact and consequence (e.g., customers cannot place
orders, resulting in customer dissatisfaction) need to be mapped and included in every risk analysis.
The business impact of any IT-related event lies in the consequence of not achieving the information criteria. By describing
impact in these terms, this remains a sort of intermediate technique, not fully describing the business impact, e.g., impact
on customers or in financial terms.
COBIT 5 defines 17 generic enterprise goals. Figure 15 includes the following information:
• The BSC dimension under which the enterprise goal fits
• The enterprise goal description
• The relationship to the three main governance objectives—benefits realisation, risk optimisation and resource
optimisation. (‘P’ stands for primary relationship and greater impact on achievement and ‘S’ for secondary relationship
and less impact on achievement).
For practical purposes, one can imagine that for each enterprise goal, a translation is possible to express the
non-achievement of the goal in terms of its impact on the overall business.
This set of criteria can be used selectively, and the user should be aware that there are still cause-effect relationships
included in this table (e.g., customer [dis]satisfaction can impact competitive advantage and/or market share). Usually a
subset of these criteria is used to express risk in business terms.
7 Westerman, G.; Hunter, R.; IT Risk—Turning Business Threats Into Competitive Advantage, Harvard Business School Press, USA, 2007
COSO ERM
The Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management (COSO ERM)—
Integrated Framework lists the following criteria to express business impact:8
• Strategic—High-level goals, aligned with and supporting the enterprise mission. Strategic objectives reflect
management’s choice as to how the enterprise will seek to create value for its stakeholders.
• Operations—These pertain to the effectiveness and efficiency of the enterprise’s operations, including performance
and profitability goals and safeguarding resources against loss.
• Reporting—These pertain to the reliability of reporting. They include internal and external reporting and may involve
financial and non-financial information.
• Compliance—These pertain to adherence to relevant laws and regulations.
The following example demonstrates how COBIT 5 Enterprise goals can be used to achieve the link between the ‘atomic’
IT scenario and enterprise goals, i.e., how this scenario can jeopardise one or several enterprise goals:
• Impact is expressed in business-relevant terms, using the words of the ‘enterprise goals’ as used in COBIT 5. For
example, the enterprise, running an online travel business, has as its major enterprise goals: ‘Customer-oriented
service culture’ and ‘Business service continuity and availability’.
• The COBIT 5 framework cascades the enterprise goals to IT-related goals (how the goals of the IT department support
the achievement of the enterprise goals), and this link can also be read in the other direction: Not achieving an
IT-related goal might have a negative impact on the achievement of an enterprise goal. In the example, the ‘Business
service continuity and availability’ enterprise goal implies that IT pays importance to some specific IT-related goals,
e.g., alignment of IT and business strategy, managed IT-related business risk, delivery of IT services in line with
business requirements, adequate use of applications, information and technology solutions.
• This cascade is continued down to the IT process level and IT management practice level, using the same principle
that not achieving a ‘lower-level’ goal will jeopardise the achievement of the ‘higher-level’ goal. The IT goals set in
the example would require a number of IT processes to be excellent, including COBIT 5 processes APO09 Manage
Service Agreements, APO11 Manage Quality, BAI02 Manage Requirements Definition, BAI04 Manage Availability
and Capacity and some others. This would require the activities (as described in the process model for each COBIT5
IT process) to be executed well.
• When analysing IT-related risk scenarios, each scenario can be linked to one or more IT processes, e.g., if the process
does not perform, the frequency and/or impact of the scenario will increase (refer also to Capability Risk Factors in part
Risk Factor section page). Applying this cascade backwards, it is possible to trace all potential impact paths that an event
can have on business goals, and use this information in risk analyses. In the example, this means that any disruption of
the mentioned IT processes, e.g., lack of project management (BAI01), inadequate software testing (BAI06), bad
third-party relationship management or service level management (APO09 and APO10), can have a negative impact
on the achievement of the stated service-oriented enterprise goals. However, when these processes are really mature and
being performed, this means that the enterprise is in good shape to achieve the stated enterprise goals.
8 Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO); COSO Enterprise Risk Management Framework, USA, 2004, www.coso.org
9 Jones, Jack A.; An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight LLC, 2005
Expressing Frequency
Some risk management methods use the terms ‘likelihood’ or ‘frequency’. In Risk Scenarios Using COBIT 5 for Risk, the
term ‘probability’ is preferred, indicating a quantitative measure such as a percentage, frequency of occurrence, or other
numerical metric.
Figure 16 proposes a scheme that can be used for expressing the probability of risk scenarios occurring. The example
uses a 0 to 5 scale, with a probability threshold associated with each scale value. In the example, a logarithmic scale has
been used for probability although, in many cases, this is not mandatory; linear scales can be used as well. Alternatively,
an index scale can be used. Probability is then translated into a number from 0 to 100, e.g., based on a logarithmic scale or
any other sort of scale. The choice for either method depends on how the results of the risk analysis will be presented,
e.g., in a risk matrix. In figure 16, a risk scenario that is estimated to occur five times in a year gets the score of 3.
Some enterprises prefer a three-level scale instead of a five-level scale. The advantage of such a scale is that analyses will
go faster and might look a bit easier; however, there is a loss of precision, and using a three-level scale has a tendency to
create a lot of ‘middle’ values because of people being averse to creating extreme cases, leading to even more inaccuracies.
Some enterprises assign labels, e.g., ‘very frequent’, ‘frequent’, ‘infrequent’, ‘rare’, to the scales mentioned in figure 16.
The use of only these labels as means of expressing frequency is not advisable because they can mean different things for
different risk scenarios and consequently can generate confusion. For example, an attempt for network intrusion through
the firewall might happen hundreds of times per day, which may be considered ‘average’; an ‘average’ frequency of a hardware
failure (e.g., disk crash) might be once every two or three years. So the word ‘average’ means different frequencies for two
different scenarios and, hence, is not well suited as an objective and unambiguous indicator of frequency.
This risk response evaluation is not a one-time effort; rather, it is part of the risk management process cycle. When risk
analysis of all identified risk scenarios, after weighing risk vs. potential return has shown that risk is not aligned with the
defined risk appetite and tolerance levels, a response is required. This response can be any of the four possible responses
explained in the following sub-sections.
Risk Avoidance
Avoidance means exiting the activities or conditions that give rise to risk. Risk avoidance applies when no other risk
response is adequate. This is the case when:
• There is no other cost-effective response that can succeed in reducing the frequency and impact below the defined
thresholds for risk appetite.
• The risk cannot be shared or transferred.
• The exposure level is deemed unacceptable by management.
Some IT-related examples of risk avoidance may include:
• Relocating a data centre away from a region with significant natural hazards
• Declining to engage in a very large project when the business case shows a notable risk of failure
• Declining to engage in a project that would build on obsolete and convoluted systems because there is no acceptable
degree of confidence that the project will deliver anything workable
• Deciding not to use a certain technology or software package because it would prevent future expansion
Figure (risk response flow; labels only): Risk Scenarios; Risk Exceeding Risk Appetite; Risk Response Options; Risk Response Parameters; Risk Responses.
Risk Acceptance
Acceptance means that exposure to loss is recognised but no action is taken relative to a particular risk, and loss is accepted
when/if it occurs. This is different from being ignorant of risk; accepting risk assumes that the risk is known, i.e., an informed
decision has been made by management to accept it as such (e.g., when cost of remediation outweighs the risk).
If an enterprise adopts a risk acceptance stance, it should carefully consider who can accept the risk—even more so with
IT risk. IT risk should be accepted only by business management (and business process owners), in collaboration with and
supported by IT, and acceptance should be communicated (i.e., documented) to senior management and the board (Refer
to EDM3.02 detailed activities 5.3 and 5.4).
Self-insurance is another form of risk acceptance, although this manages only magnitude of the loss and has no
impact on frequency.
Risk Sharing/Transfer
Sharing means reducing risk frequency or impact by transferring or otherwise sharing a portion of the risk. Common
techniques include insurance and outsourcing. Examples include taking out insurance coverage for IT-related incidents,
outsourcing part of the IT activities, or sharing IT project risk with the provider through fixed-price arrangements or
shared-investment arrangements. In both a physical and legal sense these techniques do not relieve an enterprise of the
risk ownership, but can involve the skills of another party in managing the risk and reduce the financial consequence
if an adverse event occurs. Also from a reputation point of view, risk transfer or sharing does not transfer ownership or
accountability over risk.
Risk Mitigation
Risk mitigation means that mitigating action is taken to reduce the frequency and/or impact of a risk. The most common
ways of mitigating risk include:
• Strengthening overall IT risk management practices, i.e., implement sufficiently mature IT risk management processes
as defined by the COBIT 5 framework
• Introducing a number of control measures intended to reduce either frequency of an adverse event happening and/or
the business impact of an event, should it happen. Controls are, in the context of risk management, employed to
mitigate a risk, e.g., the policies, procedures and practices, structures, information flows, etc. The COBIT 5 set of
interconnected enablers provides a comprehensive set of controls that can be implemented. It is possible to identify,
for any given risk scenario that would exceed risk appetite, a set of COBIT 5 enablers (processes, organisational
structures, behaviours, etc.) that can mitigate the risk scenario. For a comprehensive list of controls (expressed as
COBIT 5 enablers) that can mitigate risk (list of example generic risk scenarios as defined in chapter 4) refer
to chapter 5.
• Mitigation of risk is possible by other means or methods, e.g., there are well known IT management frameworks
and standards able to assist.
Chapter 7
Risk Scenario Analysis Examples
This chapter contains 60 detailed risk scenario analysis examples that have been prepared using the generic risk scenario
categories and possible outcomes described in figure 14 in chapter 4. The template described in chapter 6 has been used
to conduct the analysis of each risk scenario, and the list of COBIT 5 enablers described in chapter 5 have been used to
complete the risk mitigation section.
* Please note that there is not one example for every risk scenario reference within a risk scenario category; therefore, the
numbers are not sequential.
Risk Scenario—The examples used in this section are comprehensive versions of the generic positive or negative risk
scenarios described in figure 14. These examples have been prepared with more details to add context to the scenario and
help risk professionals explain risk in business terms.
Risk Scenario Components—This section provides examples of the information needed to calculate impact and
frequency and prepare possible risk responses (for detailed descriptions of the different sections in the risk scenario
analysis refer to chapter 6).
• Threat Type
• Actor
• Event
• Asset/Resource (Cause)
• Asset/Resource (Effect)
• Time issues
Risk Type—This describes the relationship between the risk scenario and the three different types of risk described in
COBIT 5 for Risk and chapter 2 of this publication (figure 4).
Possible Risk Responses—These are examples of risk responses that can be used to address the risk scenario.
Risk Mitigation Using COBIT 5 Enablers—This section offers a list of enablers that can be used to mitigate risk
impact or frequency.
Key Risk indicators—This section offers a list of KRIs that have been defined for the IT Goals that can be impacted by
the risk scenario and KRIs defined for the Process enabler included in the risk mitigation section. (The complete list of
KRIs for IT Goals can be found in the COBIT 5 framework, and the complete list of KRIs for the Process enabler can be
found in COBIT 5: Enabling Processes.)
12 Risk scenario reference is used in the examples provided in this publication, but it is not included in the template. If necessary, the person preparing the risk scenario analysis can include this section to specify risk scenario category and reference.
Risk Scenario Title Selected programs are not optimizing business benefits
Risk Scenario Category 01 Portfolio establishment and maintenance
Risk Scenario Reference 0101
Risk Scenario
The individual accountable for the selection of programs (chief executive officer [CEO]) made a questionable decision when selecting programs to fund.
The decision was driven by unclear and biased information that was provided by one of the key stakeholders and the internal and external auditors who
put a focus on fostering security controls and formalizing processes rather than supporting business growth.
Risk Scenario Components
Threat Type
The nature of the event is a failure in the decision-making process to take into account all stakeholder requirements and the ineffective prioritization of
these requirements.
Actor
The actor who generates the threat that exploits a vulnerability is internal—the CEO.
Event
The event is the ineffective execution of the program selection process.
Asset/Resource (Cause)
The resource that leads to the business impact is the program selection process.
Asset/Resource (Effect)
The resources that are affected are various business processes.
Time
The duration of the event is extended lack of supporting business growth. The timing of occurrence is noncritical. The event cannot immediately be
detected, and, therefore, detection is slow. The consequence is delayed because the selected programs will be implemented over a longer time span.
Risk Type
IT Benefit/Value Enablement P The allocation of priorities leads to the assignment of resources to strengthen the security of
existing systems, and key resources are not available for developing new services supporting
business growth. Consequently, new business initiatives are not initiated.
IT Programme and Project Delivery P Ongoing projects need to be rescheduled due to the lack of resources.
IT Operations and Service Delivery S Security problems of (unimportant) services are being addressed.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The CEO is aware of the misalignment and accepts the impacts.
• Risk Sharing/Transfer: The enterprise requests third-party service providers to reevaluate contracts and adjust timelines and resources without
additional cost.
• Risk Mitigation: Reprioritization of ongoing projects to optimize business benefit
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM01.01 | Evaluate the governance system. | Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements and make a judgment on the current and future design of governance of enterprise IT. | Medium | Medium | NO
EDM01.02 | Direct the governance system. | Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for adequate decision making. | Medium | Medium | NO
EDM01.03 | Monitor the governance system. | Monitor the effectiveness and performance of the enterprise’s governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT. | Medium | Medium | NO
APO05.01 | Establish the target investment mix. | Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy, and financial measures such as cost and expected return on investment (ROI) over the full economic life cycle, degree of risk, and type or benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. | Medium | Medium | NO
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | High | High | YES
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Medium | NO
APO05.05 | Maintain portfolios. | Maintain portfolios of investment programs and projects, IT services and IT assets. | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | Medium | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Board of directors | Require approval when programs surpass a certain value threshold and risk level. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. | Low | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief financial officer (CFO) | Help with alignment of strategy and priorities, overall view on programs | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program selection includes data-driven decisions | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Stakeholder engagement | The full range of success factors will be taken into account when selecting programs. | High | Medium | YES
Focus on enterprise objectives | Ensure alignment with corporate strategy and priorities. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program business case | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Defined investment mix | Improves the visibility of the relative value of programs (compared to each other) | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
APO05.04 | Monitor, optimize and report on investment portfolio performance. | On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle. | Medium | Low | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project monitoring includes data-driven activities | Decisions should be objective, nonbiased and based on supported information. | Low | Low | NO
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Low | Medium | NO
The risk is the possibility of not obtaining the certification, which has a negative impact on the enterprise’s image and ability to meet compliance
requirements. In addition, initial and ongoing costs for the ISMS and the time for successful delivery of the project results are unclear.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programme and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for the monitoring and the control of
projects, the Steering (Programmes/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programme and projects.
Asset/Resource (Cause)
The resources that lead to the business impacts are the process BAI01 Manage programme and projects and people and skills because the project
manager focuses on project content rather than on managing the project.
Asset/Resource (Effect)
The resource/asset that is affected is the process DSS05 Manage security services and the information because the security of information is
in danger.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical. The
event is detected only after the project has been running for some time; therefore, detection is slow. The consequence is delayed because the project
runs over planned implementation and budget.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to achieve the planned enterprise benefits such as improved operation of the enterprise and transparency in planning.
IT Programme and Project Delivery | P | Stranded costs for project delivery with no beneficial outcome
IT Operations and Service Delivery | N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accepting that the enterprise continues without business operation improvement is a possible response. However, the
enterprise has to consider that accepting this also means accepting the risk of reputational damage.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Stop the project (earlier) and apply an agile/staged approach to delivery of processes and systems.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | Measuring visibility and true status for decision makers should be based on common language and methodology: • Awareness regarding failing projects (in terms of cost, delays, scope creep, changed business priorities, etc.) and create information flows to induce corrective action. • To prevent failure, scope changes to existing projects need to be managed strictly. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Medium | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Medium | High | YES
BAI01.11 | Monitor and control projects. | Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Take corrective action, if required | Medium | High | YES
Program/project sponsor | Overall accountable for budget tracking and value demonstration | Medium | Medium | NO
Program/project manager | Overall responsible for budget tracking and value demonstration | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Admitting to bad news is supported by senior management | Enables earlier decision making and minimizes impact | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program benefit realization plan | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | This input will provide the necessary data to track the progress and estimate potential overrun. | High | Medium | YES
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Medium | Medium | NO
An external provider was hired to support the change of customer processes and the underlying technology, which was new for the enterprise. The
enterprise staff was not convinced of the new system’s adequacy, particularly because the legacy system provided specific functionalities to the business
users that were not considered in the initial program planning and had to be developed in parallel.
The IT assets delivered by the program need to be corrected/amended to meet full functionality. Functional specifications were created, but developers
deviated from those specifications without appropriate approval or feedback. The additional work and inefficiencies in service development caused
delays in the deliveries, excess costs on IT and on the provider’s services, and lower service quality to the customers, e.g., from incomplete
information for customer service and support staff. The delay of 200 percent and the excess of 100 percent of the project costs summarize the
performance of the program delivery.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI01 Manage programme and projects.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the function that is accountable for monitoring and control of projects, the
Steering (Programs/Projects) Committee or, specifically, the customer chief executive officer (CEO) and the chief information officer (CIO) in charge of
the project.
Event
The event is an ineffective design and/or ineffective execution of the process BAI01 Manage programme and projects.
Asset/Resource (Cause)
The resources that lead to the business impact are the processes BAI01 Manage programme and projects and BAI07 Manage change acceptance and
transitioning by poor testing of deliverables. Another resource is people and skills, because the project manager focuses on project content rather than
on managing the project. Another resource is IT infrastructure because the acquisition of IT assets did not work properly.
Asset/Resource (Effect)
The resources that are affected are business processes such as customer-facing connection and billing.
Time
The duration of the event is extended because a long period of time passes before the project is on target. The timing of occurrence is noncritical.
The event is detected only after the project has been running for some time. Therefore, detection is moderate. The consequence is delayed because the
project runs over planned implementation and budget.
Risk Type
IT Benefit/Value Enablement | P | Planned improvement on efficiency was not achieved and was delayed.
IT Benefit/Value Enablement | P | Other initiatives had to be postponed because of the delays, and the corresponding information systems could not be planned accordingly.
Programme and Project Delivery | P | Delayed delivery of project results
Programme and Project Delivery | P | Overrun of budget
Programme and Project Delivery | P | Incomplete functionality of the applications delivered and undetected errors in the systems due to weak testing
IT Operations and Service Delivery | S | Incomplete/inaccurate information that is provided to customer service, support and customers
IT Operations and Service Delivery | P | Delays on the service provision to the end customers (e.g., connecting new customers) due to incomplete/inaccurate information
IT Operations and Service Delivery | P | Information security problems that are caused by giving access to critical customer (individuals and enterprises) information due to inadequate security in application development
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept that the enterprise continues without business operation improvement and budget overrun.
• Risk Sharing/Transfer: Share responsibility for the project failure with the provider who prepared the estimate, and request a refund for some
of the cost of the project.
• Risk Mitigation: Use a proper project management office (PMO) and adequate processes to manage the program. Improve testing/quality assurance
(QA) and application security in early phases of the program. Apply stringent functional and security requirement identification and testing of the
quality delivered.
Program budget and benefits register | Measuring visibility and true status for decision makers should be based on common language and methodology. | High | Medium | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Portfolio management tools | Increase transparency on budgetary status | High | Low | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Performance to budget control skills | The correct analytical skills will allow estimating the consequences of failing projects such as potential budget overruns. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (08) Percentage of business process owners satisfied with supporting IT products and services
• (08) Level of business user understanding of how technology solutions support their processes
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Disregarding this fact, a client with an internal development department and staff, but without the necessary maturity in its processes for the software
development life cycle (SDLC) and its Quality Assurance (QA) department, decides to build its own solution. The client does not consider the advantage of
purchasing this software over developing the solution internally and is without a real understanding of business and compliance requirements.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI03 Manage solutions identification and build, but also could be classified as accidental/error
because an external solution was not considered.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the Steering (Programme/Projects) Committee and the chief information
officer (CIO).
Event
The event can be classified as ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information and applications because the internally developed solution does not fit the
business and compliance requirements due to a lack of understanding.
Time
The timing of occurrence is critical because competitors already use solutions that fulfil the compliance requirements. The duration of the event is
extended because the internally developed solution must be amended to fit business and compliance requirements. The detection is slow because the
internally developed solution is misaligned with business and compliance requirements, which is not detected before final acceptance tests or before
the implementation is in production. The consequences are delayed because the internally developed solution must be improved or the external solution
must be implemented.
Risk Type
IT Benefit/Value Enablement | P | Missed opportunity to use a state-of-the-art solution to improve efficiency and effectiveness
IT Programme and Project Delivery | S | Lack of understanding of business and compliance requirements
IT Operations and Service Delivery | P | Inadequately tested systems because of insufficient maturity in QA
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts that the costs derived from internal development are going to be higher due to the time needed to
understand and develop the SDLC and QA processes and governance framework. The company also accepts the risk that its competitors may gain a
competitive advantage by the early adoption of a package solution while the company designs and builds its own solution. The company also accepts
the risk of penalties imposed by its regulators for non-compliance.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Develop and maintain a standard approach for program and project management and for solution identification and build
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | Low | High | YES
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | High | High | YES
APO06.04 | Model and allocate costs. | Establish and use an IT costing model based on the service definition, ensuring that allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources, including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities. | Low | Low | NO
APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. | Low | High | NO
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Decision making process is data-driven | Decisions should be objective, nonbiased and based on supported information. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business cases | Clarify the purpose, cost and return on investment (ROI) of IT initiatives. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business case analysis | Clarify the purpose, cost and ROI of IT initiatives. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Level of stakeholder satisfaction with scope of the planned portfolio of programmes and services
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (06) Percentage of investment business cases with clearly defined and approved expected IT-related costs and benefits
• (06) Percentage of IT services with clearly defined and approved operational costs and expected benefits
• (06) Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (09) Average time to turn strategic IT objectives into an agreed-on and approved initiative
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
Key Risk Indicators (KRIs) Related to Process Goals
• (APO03) Number of exceptions to architecture standards and baselines applied for and granted
• (APO03) Level of architecture customer feedback
• (APO03) Project benefits realised that can be traced back to architecture involvement (e.g., cost reduction through re-use)
• (APO03) Percentage of projects using enterprise architecture services
• (APO03) Number of identified gaps in models across enterprise, information, data, application and technology architecture domains
• (APO03) Level of architecture customer feedback regarding quality of information provided
• (APO03) Percentage of projects that utilise the framework and methodology to re-use defined components
• (APO03) Number of people trained in the architecture methodology and tool set
• (APO05) Degree to which enterprise management is satisfied with IT’s contribution to the enterprise strategy
• (APO05) Ratio between funds allocated and funds used
• (APO05) Ratio between funds available and funds allocated
• (APO05) Percentage of business units involved in the evaluation and prioritisation process
• (APO05) Level of satisfaction with the portfolio monitoring reports
• (APO05) Percentage of investments where realised benefits have been measured and compared to the business case
• (APO06) Number of budget changes due to omissions and errors
• (APO06) Number of deviations between expected and actual budget categories
Risk Scenarios Using COBIT® 5 for Risk
Chapter 7
Risk Scenario Analysis Examples
The components of the branches’ IT infrastructures are diverse, and many providers are needed to build the complete architecture. After the request for
proposal (RFP) is drafted, the company does not take into account the different lead times each provider needs to deliver the required hardware. When
the procurement process starts, the company discovers that one specific component cannot be supplied, which holds up the entire infrastructure
implementation.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the management processes BAI03 Manage solutions identification and build, BAI02 Manage requirements
definition and APO03 Manage enterprise architecture, and of the governance process EDM02 Ensure benefits delivery.
Actor
The actors that generate the threat that exploits a vulnerability are internal: the Steering (Program/Projects) Committee, together with the chief
information officer (CIO) and the head architect.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes EDM02 Ensure benefits delivery, BAI03 Manage
solutions identification and build, BAI02 Manage requirements definition and APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process BAI03 Manage solutions identification and build.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications because the company cannot update its
branches’ mission-critical systems, and people and enterprise because they must work with the out-of-date applications.
Time
Because the company needs the new systems for its branches to create higher revenues, the timing of occurrence is critical. The duration of the event
is extended because the infrastructure implementation is hindered. The detection is moderate because the event is detected during the procurement
process. The consequences are delayed because the company has to continue its business while using the incorrect IT architecture, with accumulated
high costs, over a time span of several years.
Risk Type
• IT Benefit/Value Enablement (P): Missed opportunity to create more revenue with the new systems for the branches
• IT Programme and Project Delivery (P): Identified solutions do not match the requirements.
• IT Operations and Service Delivery (P): Inflexible architecture with accumulated high costs
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts and tolerates the inflexible architecture, does not achieve higher revenues and loses
business competitiveness.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise considers alternative providers for the required piece of hardware. Additional contracts will be considered, and
the time lost and the opportunity cost will be accepted. The programme of work is reprioritised so that prerequisites are completed before dependent
work starts. The governance framework for the infrastructure upgrade process must be followed, and department managers must be trained.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM02.01 | Evaluate value optimization. | Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation. | Low | High | YES
EDM02.02 | Direct value optimization. | Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle. | Low | High | YES
BAI01.01 | Maintain a standard approach for program and project management. | Maintain a standard approach for program and project management that enables governance and management review and decision making and delivery management activities focused on achieving value and goals (requirements, risk, costs, schedule, quality) for the business in a consistent manner. | Low | High | YES
BAI01.08 | Plan projects. | Establish and maintain a formal, approved integrated project plan (covering business and IT resources) to guide project execution and control throughout the life of the project. The scope of projects should be clearly defined and tied to building or enhancing business capability. | Low | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | Low | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Accountable for proper investment decision making | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Decision making process is data driven | Decisions should be objective, nonbiased and based on supported information. | Low | Low | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
This particular purchase represented a lack of conformance with organizational processes and policies. The system was not considered in the enterprise
architecture (EA) and, therefore, lacked interoperability with other systems and software, and its functionality overlapped with other business functions.
The software was purchased by a key business user, and, because the procurement process was immature, the software was not included in the
enterprise strategy for business continuity and disaster recovery planning.
The new purchase required additional training for the department, further investment and integration with existing systems.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation, APO05 Manage portfolio, APO06 Manage budget and cost and
BAI10 Manage configuration.
Actor
The actors that generate the threat that exploits a vulnerability are internal: the Steering (Program/Projects) Committee and the key
business user who purchased the software.
Event
The event can be classified as ineffective design and/or ineffective execution of the processes APO04 Manage innovation, APO05 Manage portfolio,
APO06 Manage budget and cost and BAI10 Manage configuration.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are mainly the processes APO04 Manage innovation and BAI10 Manage configuration.
Asset/Resource (Effect)
The affected resources/assets are business processes, information, infrastructure and applications because the new software lacks interoperability
with other systems, and people and enterprise because they must use workarounds.
Time
The timing of occurrence is noncritical. The duration is extended because of the cost of this inappropriate purchase and the extra effort the company
had to spend to guarantee interoperability with existing systems. Detection is slow because the redundancy was not spotted before the system was
ready to use. The time lag is immediate because of the immature procurement process.
Risk Type
• IT Benefit/Value Enablement (P): Immature procurement process
• IT Programme and Project Delivery: N/A
• IT Operations and Service Delivery (S): Lack of interoperability with other systems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Train all department heads on a centralized software catalogue for the enterprise. The governance framework for the software
procurement process must be matured and followed. Department managers will be trained. All software purchases have to be added to the business
continuity plan (BCP) and disaster recovery plan (DRP).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Program/project management policy | The policy should define who needs to be involved in investment decisions and what the chain of approval is. | High | Medium | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.05 | Define the strategic plan and road map. | Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map. | Low | High | YES
APO05.03 | Evaluate and select programs to fund. | Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. | Low | High | YES
APO06.05 | Manage costs. | Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. | Low | High | YES
APO08.04 | Coordinate and communicate. | Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business. | Low | High | YES
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Accountable for proper investment decision making | High | Medium | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business cases | Clarify the purpose, cost and return on investment (ROI) of IT initiatives. | Medium | Low | NO
Prioritization and ranking of IT initiatives | Overview of IT initiatives to facilitate selection | Medium | Low | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business case analysis | Clarify the purpose, cost and ROI of IT initiatives. | Medium | Low | NO
Currently, the enterprise expects that 35 percent of its specialized professionals will retire within the next five years. The minimum standard of
knowledge required of new hires is the baseline from which next-level internal training starts. Because of the complexity of the systems in production,
it has historically taken new staff three years of training to gain the expertise needed to run daily operations.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process APO07 Manage human resources, especially the management practices of maintaining adequate and
appropriate staffing and maintaining the skills and competencies of personnel.
Actor
The actor that generates the threat that exploits a vulnerability is internal: the HR function.
Event
The event is an ineffective design of the process APO07 Manage human resources.
Asset/Resource (Cause)
The resource that leads to the business impact is the process APO07 Manage human resources.
Asset/Resource (Effect)
The resources that are affected are the IT processes in the technical area because of a lack of competent staff, and the IT architecture (information and
applications) because it cannot be maintained and improved adequately due to the lack of expertise and skills.
Time
The duration of the event is moderate because the policy can easily be changed. The timing of occurrence is noncritical. The lack of skills and expertise
will be detected within a moderate time. The consequences can easily be delayed because the right staff has to be recruited, and recruitment can take
quite a long time.
Risk Type
• IT Benefit/Value Enablement (P): Lack of skills and expertise for using technology for new business initiatives
• IT Programme and Project Delivery (P): Lack of skills and expertise may lead to poor project quality.
• IT Operations and Service Delivery (P): The technical environment cannot be adequately maintained.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The enterprise accepts the risk that it may be unable to recruit the right skills and experience, which will limit the enterprise’s
ability to design, build and deliver IT solutions to help deliver business goals. In addition, the enterprise may have to pay a premium for potential
recruits with the required skills and experience.
• Risk Sharing/Transfer: HR and IT are to share their responsibilities for the risk that the enterprise is taking by being unable to hire the right personnel.
• Risk Mitigation: IT can outsource and use contractors to cover critical skills shortages.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR policy | Describes how requirements are developed for selecting and evaluating IT profiles throughout their entire career | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | Low | Low | NO
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders and users throughout the enterprise. | Medium | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Medium | Medium | NO
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes. | High | Low | YES
APO07.06 | Manage contract staff. | Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the enterprise’s policies and meet agreed-on contractual requirements. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | High | High | YES
Head of HR | Responsible for establishing expectations about staff | High | High | YES
Specific IT management functions | Responsible for identifying specific requirements | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Skills and competencies matrix | Describes the existing skills and competencies within the IT organization and allows for gap analysis. | High | Low | YES
Competency and career/skills development plans | Describe the required growth of specific IT profiles. | High | Medium | YES
Generic job function descriptions | Describe skills/experience and knowledge requirements for generic profiles within the IT organization | High | High | YES
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Medium | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (13) Cost of application maintenance vs. overall IT cost
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Percentage of staff satisfied with their IT-related roles
• (16) Number of learning/training hours per staff member
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO07) Percentage of staff turnover
• (APO07) Average duration of vacancies
• (APO07) Percentage of IT posts vacant
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | High | High | YES
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | High | High | YES
APO03.01 | Develop the enterprise architecture vision. | The architecture vision provides a high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | Low | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | High | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Medium | Medium | NO
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
APO07.05 | Plan and track the usage of IT and business human resources. | Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and business and IT recruitment processes. | Low | Low | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations about staff | High | Low | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Low | NO
APO06.02 | Prioritize resource allocation. | Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. | Medium | Low | NO
APO07.01 | Maintain adequate and appropriate staffing. | Evaluate staffing requirements on a regular basis or upon major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. | High | Medium | YES
APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | High | Medium | YES
APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | High | High | YES
Head of HR | Responsible for establishing expectations about staff | High | High | YES
Specific IT management functions | Responsible for identifying specific requirements | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Medium | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Low | High | YES
DSS04.05 | Review, maintain and improve the continuity plan. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Low | Medium | NO
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief information officer (CIO) | Responsible for gap analysis regarding IT skills and competencies | Low | Medium | NO
Specific IT management functions | Responsible for identifying specific requirements | Low | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business analysis | Matching the business needs to the required IT skills | Low | Medium | NO
05 Staff Operations
0501 Inappropriate access rights
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.01 | Perform operational procedures. | Maintain and perform operational procedures and operational tasks reliably and consistently. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against pre-determined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | High | High | YES
DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for technical protection of assets and information | High | High | YES
Head of IT operations | Responsible for managing the operational environment | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leading by example | Everybody is responsible for the protection of information within the enterprise. | Medium | Medium | NO
Culture of preventing errors and accidents | People respect the importance of policies and procedures. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples
Risk Scenarios Using COBIT® 5 for Risk
06 Information
0602 Uncontrolled shutdown
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.04 | Exercise, test and review the business continuity plan (BCP). | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Low | High | YES
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Low | Medium | NO
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Responsible for implementing proper controls and measures to protect data and hardware | High | Medium | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup reports | Describes the status of backups | | |
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup systems | Ensure proper recovery in case of loss, modification or corruption of data. | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Technical skills | Implement proper controls and measures to protect data and hardware (e.g., data backup, storage) | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.04 | Manage user identity and logical access. | Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes. | High | Low | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | Medium | Low | NO
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | Medium | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Low | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option with regards to daily operations. | Medium | Low | NO
Need to access only | Limit the access of staff without affecting performance. | High | Low | YES
Everybody is responsible for the protection of information within the enterprise. | Lead by example. | Low | Low | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise | Medium | Low | NO
Nondisclosure agreements | Contractually protect intellectual property (IP) by deterring staff from disclosing information to malicious parties. | Medium | Medium | NO
Access and event logs | Detection of wrongful activity | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control | To prevent unauthorized physical access | High | Low | YES
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce the least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• (02) Coverage of compliance assessments
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Time to grant, change and remove access privileges, compared to agreed-on service levels
• (10) Frequency of security assessment against latest standards and guidelines
Key Risk Indicators (KRIs) Related to Process Goals
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Average time between change and update of accounts
• (DSS05) Number of accounts (vs. number of unauthorised users/staff)
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
• (DSS06) Percentage of business process roles with assigned access rights and levels of authority
• (DSS06) Percentage of business process roles with clear separation of duties
• (DSS06) Number of incidents and audit findings due to access or separation of duties violations
• (DSS06) Percentage of completeness of traceable transaction log
• (DSS06) Number of incidents where transaction history cannot be recovered
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.06 | Define information (data) and system ownership. | Position the IT capability in the overall organizational structure to reflect an enterprise model relevant to the importance of IT within the enterprise, specifically its criticality to enterprise strategy and the level of operational dependence on IT. The reporting line of the Chief information officer (CIO) should be commensurate with the importance of IT within the enterprise. | Low | High | YES
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | High | High | YES
DSS06.01 | Align control activities embedded in business processes with enterprise objectives. | Continually assess and monitor the execution of the business process activities and related controls, based on enterprise risk, to ensure that the processing controls are aligned with business needs. | Medium | Low | NO
DSS06.02 | Control the processing of information. | Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use). | High | High | YES
DSS06.04 | Manage errors and exceptions. | Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process. | Low | Medium | NO
DSS06.05 | Ensure traceability of information events and accountabilities. | Ensure that business information can be traced to the originating business event and to the parties accountable. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives. | Low | Low | NO
DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Provide guidance on proper controls and measures to protect data and hardware. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | Always select the safest option to perform daily operations. | High | High | YES
Lead by example | Everybody is responsible for the protection of information within the enterprise. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data loss prevention campaigns | Increase awareness within the enterprise. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Data protection infrastructure and applications | Encryption, passwords, email monitoring, etc., to enforce the least privilege principle | Medium | Medium | NO
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (15) Number of incidents related to non-compliance to policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (DSS05) Number of vulnerabilities discovered
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
07 Architecture
0701 Inability to implement mobile banking
Competitors, however, currently provide a mobile solution to their customers and the bank’s customers are moving to those other banks.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process APO03 Manage enterprise architecture.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the director for retail banking and the CIO.
Event
The event is an ineffective design and/or ineffective execution of the process APO03 Manage enterprise architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the lack of an effective process APO03 Manage enterprise architecture and the IT infrastructure
because the host system is inflexible and unable to meet the customer expectations.
Asset/Resource (Effect)
The resource that is affected is the business process retail banking because it is not available for mobile devices.
Time
The duration of the event is extended because the software application for retail banking on mobile devices cannot be delivered. The timing of the
occurrence is critical because the competitors already provide mobile solutions to their customers. The event is detected during the study and before
the project was started and, therefore, is moderate. The consequence is delayed and ongoing because the project cannot be executed.
Risk Type
IT Benefit/Value Enablement | P | Customer expectations for efficient processes using mobile devices cannot be met. Unsatisfied customers are leaving the bank.
IT Programme and Project Delivery | P | New solutions cannot be developed without significantly changing the software and hardware environment, resulting in a lack of agility.
IT Operations and Service Delivery | N/A |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: The board is accepting the inability to apply upcoming technology options. The board also accepts that the enterprise will lose
business competitiveness because competitors are currently providing a similar service to their customers and therefore may lose market share.
• Risk Sharing/Transfer: The chief executive officer (CEO) can outsource the mobile banking infrastructure and transfer the risk through the
outsourcing contract.
• Risk Mitigation: Apply architecture management and scenarios to amend the capabilities of the host and/or to replace the host system.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Exceptions procedure | In specific cases, exceptions to the existing architectural rules can be allowed. Specific cases and the procedure to follow for approval should be described. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect agreed-on standards | The enterprise should stimulate the use of agreed-on standards. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modelling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
APO03.03 | Select opportunities and solutions. | Rationalize the gaps between baseline and target architectures, taking both business and technical perspectives, and logically group them into project work packages. Integrate the project with any related IT-enabled investment programs to ensure that the architectural initiatives are aligned with and enable these initiatives as part of overall enterprise change. Make this a collaborative effort with key enterprise stakeholders from business and IT to assess the enterprise’s transformation readiness, and identify opportunities, solutions and all implementation constraints. | Low | High | YES
APO03.04 | Define architecture implementation. | Create a viable implementation and migration plan in alignment with the program and project portfolios. Ensure that the plan is closely coordinated to ensure that value is delivered and the required resources are available to complete the necessary work. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | Low | Low | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture modelling software | Modeling application will optimize the architecture development and minimize the effort of analyzing impact to architecture in case of exceptions or changes. | Medium | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
BAI10.02 | Establish and maintain a configuration repository and baseline. | Establish and maintain a configuration management repository and create controlled configuration baselines. | Low | High | YES
BAI10.03 | Maintain and control configuration items. | Maintain an up-to-date repository of configuration items by populating with changes. | Medium | Medium | NO
BAI10.05 | Verify and review integrity of the configuration repository. | Periodically review the configuration repository and verify completeness and correctness against the desired target. | Low | Low | NO
DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Low | YES
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture board | Ensure compliance with the target architecture and allow exceptions when needed. | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect policies and standards | The enterprise should stimulate the use of agreed-on standards. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | Medium | Medium | NO
08 Infrastructure
0802 System not scalable to meet business growth
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO02.02 | Assess the current environment, capabilities and performance. | Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Accountable for the proper management and maintenance of the IT infrastructure | Low | Low | NO
Head of architecture | Design architecture in an optimal way. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture model | Target architecture model | High | High | YES
Configuration status reports | Track changes to configuration. | Medium | Medium | NO
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Configuration management database (CMDB) | Assists in identifying areas for improvement | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (07) Percentage of the users satisfied with the quality of IT service delivery
• (11) Frequency of capability maturity and cost optimisation assessments
• (11) Trend of assessment results
• (11) Satisfaction levels of business and IT executives with IT-related costs and capabilities
• (14) Number of business process incidents caused by non-availability of information
Key Risk Indicators (KRIs) Related to Process Goals
• (BAI04) Number of unplanned capacity, performance or availability upgrades
• (BAI04) Number of transaction peaks where target performance is exceeded
• (BAI04) Number of availability incidents
• (BAI04) Number of events where capacity has exceeded planned limits
• (BAI04) Number and percentage of unresolved availability, performance and capacity issues
Chapter 7
Risk Scenario Analysis Examples
During a maintenance shift, local subway train system employees were repairing the rails and accidentally cut off the optical fiber, which caused an
interruption in the service that was offered by the provider. This situation was detected immediately by the enterprise’s remote monitoring system and
alerts were given to the communications provider, which missed its service level agreements (SLAs) and took more than three days to find the spot
where the fiber was cut off.
During that time, the data center operated in yellow alert mode with reduced service and no ability to balance transactions or maintain data replication
between the two existing network attached storage (NAS). Because of the loss of communication, the enterprise invoked data backup procedures on
portable storage media and established four synchronized points per day, which incurred additional service costs.
Risk Scenario Components
Threat Type
The nature of the event is an accidental failure of the IT infrastructure. Secondarily, it is also a failure of the procurement process.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the Steering (Program/Projects)
Committee. The external actors are the train system employees.
Event
The event is primarily a destruction of the IT infrastructure (network), which caused the interruption of the IT services. The event is also ineffective
design and/or ineffective execution of the process BAI01 Manage programmes and projects, specifically, the management practices Maintain a
standard approach for programme and project management and Manage project resources and work packages; and ineffective design
and/or ineffective execution of the process BAI03 Manage solutions identification and build, specifically, the management practice Procure
solution components.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes BAI01 Manage programmes and projects and BAI03 Manage solutions
identification and build and the people from the train system.
Asset/Resource (Effect)
The assets/resources that are affected by the event are the physical and IT structure that was destroyed and the information and applications that
are interrupted.
Time
The duration of the event is extended, because the provider missed its SLAs and took more than three days to find the spot where the fiber was cut off.
The time of occurrence is critical because the company currently has no redundant communication lines. The event was detected immediately by the
company’s remote monitoring system and alerts were given to the communications service provider. The time lag between event and consequences is
also immediate because at the moment that the fiber was cut, there was no network access.
Risk Type (P = primary, S = secondary)
IT Benefit/Value Enablement (P): Because the IT infrastructure cannot be used for innovation, there are missed opportunities to use technology to improve efficiency and/or effectiveness.
IT Programme and Project Delivery (S): Because the IT infrastructure cannot be used to support programs and projects, there is no contribution of IT to new or improved business solutions for quite a while.
IT Operations and Service Delivery (P): The operational stability, availability and protection are affected, which can lead to destruction or reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Ensure that the programs and projects are correctly defined, with specific requirements, including all environmental concerns.
Some users, due to their job description, need access to both networks. This access is realized with two network interface cards in the end-user
computer. However, these computers are not adequately patched and are vulnerable to malicious code.
A malware infection of one of those computers resulted in the infection of multiple computers in the operations network and, because the two networks
were not adequately segregated, in the office network as well.
Risk Scenario Components
Threat Type
The nature of the event lies in the inappropriate design of the network architecture caused by error.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actors are the chief information officer (CIO),
the information security officer, the network manager and the operations network manager. The external actors are the developers of malicious code.
Event
The event is an interruption caused by unavailable systems, together with the ineffective design of the network architecture.
Asset/Resource (Cause)
The resources that lead to the business impact are the process DSS05 Manage security services, with ineffective patch management and inadequate
security incident procedures, and the IT infrastructure, with unpatched systems, inadequate segregation of networks and monitoring capabilities (e.g.,
intrusion prevention system [IPS]).
Asset/Resource (Effect)
The resources affected are business processes, which cannot be operated because no IT services are available; the unavailable IT infrastructure; the
accessibility of information; and the accessibility of applications.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the network infrastructure. The timing of
occurrence is critical because business processes are regularly unavailable, which results in missed business. Detection is moderate because security
events are not detected immediately. The consequence is immediate because, for the moment, there is no business.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery: N/A
IT Operations and Service Delivery (P): IT service interruptions
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Outsourcing of patch management services
• Risk Mitigation: Separate the networks with proper mechanisms and apply an IPS. Define and apply a patch management process for both networks.
Monitor network security.
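The mitigation above (separate the networks, and a patch process that covers both of them) first needs a list of the hosts that currently bridge the two networks and are behind on patches: those are the machines the malware used as a pivot. The following Python script is an added example and is not part of the ISACA text; the CMDB export format, the zone names, the host names and the 30-day patch threshold are assumptions made for the illustration.

```python
"""
Added example (not from the ISACA text): find workstations that bridge the
operations and office networks through two NICs, and flag those whose patch
state makes them a likely malware pivot. The CMDB export layout, zone names,
host names and the 30-day patch threshold are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample CMDB export: one row per network interface.
INVENTORY_CSV = """\
host,interface,ip,zone,last_patched,missing_critical
ws-ops-01,eth0,10.10.1.21,operations,2014-01-05,3
ws-ops-01,eth1,192.168.5.21,office,2014-01-05,3
ws-ops-02,eth0,10.10.1.22,operations,2014-03-28,0
ws-eng-07,eth0,10.10.1.40,operations,2014-03-20,0
ws-eng-07,eth1,192.168.5.40,office,2014-03-20,0
ws-off-15,eth0,192.168.5.115,office,2013-11-30,6
"""

PATCH_MAX_AGE_DAYS = 30          # assumed policy threshold
AS_OF = date(2014, 4, 1)         # assumed report date for the sample data


def load_inventory(text):
    """Group interface rows by host; returns {host: [row, ...]}."""
    hosts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        row["missing_critical"] = int(row["missing_critical"])
        row["last_patched"] = date.fromisoformat(row["last_patched"])
        hosts[row["host"]].append(row)
    return hosts


def bridging_hosts(hosts):
    """Hosts with interfaces in more than one zone. Each one is a path between
    the zones that bypasses whatever separates the two networks."""
    return {h: sorted({r["zone"] for r in rows})
            for h, rows in hosts.items()
            if len({r["zone"] for r in rows}) > 1}


def unpatched(hosts, today=AS_OF):
    """Hosts outside the patch policy: stale patch baseline or missing critical fixes."""
    out = {}
    for h, rows in hosts.items():
        r = rows[0]                      # patch state is per host, same on every row
        age = (today - r["last_patched"]).days
        if age > PATCH_MAX_AGE_DAYS or r["missing_critical"] > 0:
            out[h] = {"patch_age_days": age, "missing_critical": r["missing_critical"]}
    return out


def pivot_candidates(text, today=AS_OF):
    """Dual-homed AND unpatched: the combination described in the scenario."""
    hosts = load_inventory(text)
    bridges = bridging_hosts(hosts)
    weak = unpatched(hosts, today)
    return {h: {"zones": bridges[h], **weak[h]} for h in bridges if h in weak}


if __name__ == "__main__":
    for host, info in pivot_candidates(INVENTORY_CSV).items():
        print(host, info)
```

On the sample data only ws-ops-01 is both dual-homed and outside the patch policy; ws-eng-07 bridges the networks but is current, and ws-off-15 is unpatched but sits in one zone only. The bridging list is the input for the segregation work, the unpatched list for the patch process, and the intersection is the immediate incident-response priority.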
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | Low | Medium | NO
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Low | High | YES
DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Medium | Medium | NO
Risk Scenario Title Data center infrastructure not adapted to growing needs
Risk Scenario Category 08 Infrastructure
Risk Scenario Reference 0806
Risk Scenario
A data center is hosting operational, development and testing equipment. As the business demand grew, additional IT infrastructure was installed in the
data center, but the data center infrastructure (e.g., the air-conditioning cooling capability) was not adapted to the growing needs.
In peak times, the development and test systems had to be shut down due to overheating of the server room. Due to overheating, some servers had a
hardware failure, some shut down independently and some air conditioning systems broke and had to be replaced.
A proper plan to maintain the physical infrastructure was not in place, and corrective action was taken in an ad hoc manner, rather than being based on a
sound business continuity plan (BCP).
Risk Scenario Components
Threat Type
The nature of the event lies in the inappropriate design of the data center, caused by accident/error.
Actor
The actor that generates the threat that exploits a vulnerability is internal: the head of operations.
Event
The event is an interruption, caused by a significant drop in system availability, together with the ineffective design of the data center.
Asset/Resource (Cause)
The resources that lead to the business impact are the process BAI09 Manage assets, e.g., ineffective management of infrastructure, the process
BAI04 Manage availability and capacity and the physical infrastructure, due to the inadequate data center infrastructure.
Asset/Resource (Effect)
The resources affected are processes such as development and testing, which cannot be executed; the IT infrastructure because hardware is broken
due to overheating or being shut down; the physical infrastructure because of broken air-conditioning equipment; information because it is not
available; and applications because testing and development environments are not available.
Time
The duration of the event is extended because a long period of time is required to upgrade or replace the infrastructure. Business is missed because
systems are regularly unavailable; therefore, the timing of occurrence is critical. Because hardware failure and system unavailability are immediate,
detection is instant. Because a long period of time is required to upgrade or replace the infrastructure, the consequences are delayed.
Risk Type
IT Benefit/Value Enablement: N/A
IT Programme and Project Delivery (P): Delays in projects because development and test environments were not available
IT Operations and Service Delivery (P): IT service interruptions
Possible Risk Responses
• Risk Avoidance: Shut down some servers.
• Risk Acceptance: The board accepts the risk that there may be service disruptions.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Upgrade the infrastructure equipment to meet the technology needs. Replace servers with newer technologies and a lower footprint.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | Medium | Medium | NO
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO03.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | High | High | YES
APO03.02 | Develop the enterprise architecture vision. | The architecture vision provides a first-cut, high-level description of the baseline and target architectures, covering the business, information, data, applications and technology domains. The architecture vision provides the sponsor with a key tool to sell the benefits of the proposed capability to stakeholders within the enterprise. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. | High | High | YES
BAI04.01 | Assess current availability, performance and capacity and create a baseline. | Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements (SLAs). Create availability, performance and capacity baselines for future comparison. | Low | High | YES
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Low | Low | NO
BAI04.03 | Plan for new or changed service requirements. | Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements. | Low | Medium | NO
BAI04.04 | Monitor and review availability and capacity. | Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up. | High | Medium | YES
BAI04.05 | Investigate and address availability, performance and capacity issues. | Address deviations by investigating and resolving identified availability, performance and capacity issues. | High | High | YES
BAI09.01 | Identify and record current assets. | Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management. | High | High | YES
BAI09.02 | Manage critical assets. | Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs. | High | High | YES
BAI09.03 | Manage the asset life cycle. | Manage assets from procurement to disposal to ensure that assets are used as effectively and efficiently as possible and are accounted for and physically protected. | Low | Medium | NO
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
09 Software
0908 High number of emergency changes
An analysis of changes showed that 40 percent of all changes were emergency changes that were deployed without being properly tested. These
changes caused 80 percent of the incidents recorded.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers, the IT operations function and the business owners.
Event
The event is unauthorized and untested modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective process BAI06 Manage changes, a lack of people and skills to perform quality
assurance, and a lack of people and skills among the business staff who should be involved in development and testing. The applications themselves
are a further cause: a lack of quality causes errors that require quick fixes, and/or a lack of functionality requires amendments.
Asset/Resource (Effect)
The resources and assets affected are business processes because erroneous applications cause IT service interruptions, which cause process
interruptions. Information is also affected because it can be unduly changed or is inconsistent due to untested and erroneous applications. The lack
of change records and/or audit trails makes the effect on information even worse. Applications are affected because they are changed without being
duly tested.
Time
The duration of the event is extended because a long period of time is required to change the related processes and because the event is also a cultural
issue. The timing of occurrence can be critical because systems and applications are not available for doing business. The detection is moderate
because the malfunctions caused by emergency changes are usually detected shortly after implementation. Because systems and applications can be
interrupted at the moment an emergency change is put into production, the time lag between event and consequence is immediate.
Risk Type
IT Benefit/Value Enablement (S): Updated solutions are available on short notice.
IT Programme and Project Delivery (S): Quick delivery of solutions; (S) development resources can barely be planned, which leads to delays in projects.
IT Operations and Service Delivery (P): Quality issues and service interruptions due to untested applications; (S) compliance and security issues due to unapproved changes.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Only the business owners experiencing quality and/or availability issues can approve emergency changes.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Require, for emergency changes, a thorough test and documentation after deployment to the live environment to make emergency changes more
complex than regular changes. Require a formal test and approval by the business after deployment to the live environment to ensure that the
emergency change addressed the issue and the change was needed on short notice.
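The two percentages the scenario quotes are KRIs that can be computed from the change and incident records, and the mitigation (a documented post-deployment test and a business approval for every emergency change) can be checked from the same records. The Python below is an added example and is not from the ISACA text; the record layout, the field names and the constructed changes and incidents are assumptions, chosen so that the figures reproduce the 40 percent and 80 percent in the scenario.

```python
"""
Added example (not from the ISACA text): compute the share of changes that
were emergencies and the share of incidents traced to them, and list the
emergency changes that lack the post-deployment test and business approval
the mitigation requires. Record layout and field names are assumptions.
"""
from collections import Counter

# Constructed sample records: one month of changes and the incidents raised.
CHANGES = [
    {"id": "CHG-101", "type": "standard",  "tested": True,  "approved_by": "business"},
    {"id": "CHG-102", "type": "emergency", "tested": False, "approved_by": None},
    {"id": "CHG-103", "type": "emergency", "tested": True,  "approved_by": "business"},
    {"id": "CHG-104", "type": "standard",  "tested": True,  "approved_by": "business"},
    {"id": "CHG-105", "type": "emergency", "tested": True,  "approved_by": "developer"},
    {"id": "CHG-106", "type": "standard",  "tested": True,  "approved_by": "business"},
    {"id": "CHG-107", "type": "emergency", "tested": False, "approved_by": None},
    {"id": "CHG-108", "type": "standard",  "tested": True,  "approved_by": "business"},
    {"id": "CHG-109", "type": "standard",  "tested": True,  "approved_by": "business"},
    {"id": "CHG-110", "type": "standard",  "tested": True,  "approved_by": "business"},
]
INCIDENTS = [
    {"id": "INC-1", "caused_by": "CHG-102"},
    {"id": "INC-2", "caused_by": "CHG-102"},
    {"id": "INC-3", "caused_by": "CHG-107"},
    {"id": "INC-4", "caused_by": "CHG-105"},
    {"id": "INC-5", "caused_by": None},      # not change-related
]


def emergency_share(changes):
    """Fraction of all changes deployed as emergencies (a BAI06 KRI)."""
    n = sum(1 for c in changes if c["type"] == "emergency")
    return n / len(changes)


def incident_share_from_emergencies(changes, incidents):
    """Fraction of incidents whose recorded root cause is an emergency change."""
    emerg = {c["id"] for c in changes if c["type"] == "emergency"}
    hits = sum(1 for i in incidents if i["caused_by"] in emerg)
    return hits / len(incidents)


def emergency_changes_missing_controls(changes):
    """Emergency changes with no documented post-deployment test or no
    business (as opposed to developer) approval; each is a control failure."""
    bad = {}
    for c in changes:
        if c["type"] != "emergency":
            continue
        gaps = []
        if not c["tested"]:
            gaps.append("no post-deployment test")
        if c["approved_by"] != "business":
            gaps.append("no business approval")
        if gaps:
            bad[c["id"]] = gaps
    return bad


def incidents_per_change(changes, incidents):
    """Incidents per change, by change type: the quality gap stated directly."""
    by_id = {c["id"]: c["type"] for c in changes}
    counts = Counter(by_id[i["caused_by"]] for i in incidents if i["caused_by"] in by_id)
    totals = Counter(c["type"] for c in changes)
    return {t: counts[t] / totals[t] for t in totals}


if __name__ == "__main__":
    print(f"emergency changes: {emergency_share(CHANGES):.0%}")
    print(f"incidents from emergency changes: "
          f"{incident_share_from_emergencies(CHANGES, INCIDENTS):.0%}")
    print(emergency_changes_missing_controls(CHANGES))
    print(incidents_per_change(CHANGES, INCIDENTS))
```

On the sample data three of the four emergency changes fail the post-deployment control (one of them only because a developer, not the business, approved it), and every emergency change produced at least one incident while no standard change did. The two ratios are the figures to trend month over month; the control-gap list is what the business owners who approve emergency changes should see.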
The developers, who are confident in their work, agreed to apply changes to the system without proper end-user testing and, often, without informing
the end users of a new functionality. This practice results in added capabilities that are not used and late detection of errors in the changes and leads to
incorrect information, service disruption and incidents that result in business losses.
Risk Scenario Components
Threat Type
The nature of the event is failure of the process BAI06 Manage changes.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the IT developers.
Event
The event is unauthorized modification of applications.
Asset/Resource (Cause)
The resources that lead to the business impact are the ineffective processes BAI06 Manage changes, BAI07 Manage change acceptance and
transitioning, and DSS06 Manage business process controls, together with people and skills: the developers who apply changes without
authorization, the lack of sufficient staff to perform development QA, and the lack of business users involved in development and testing.
Asset/Resource (Effect)
The resources affected are business processes, disrupted by new, unplanned and untested alterations of functionality; applications, whose
functionality is changed without adequate testing and acceptance; and information, which is unduly changed by malfunctioning applications.
Time
The duration of the event is extended because a long period of time is needed to change the related processes. The timing of occurrence is
noncritical. The detection is slow because malfunctions cannot always be detected immediately. Because a long period of time is needed to change the
related process and update the infrastructure, the consequences are delayed.
Risk Type
IT Benefit/Value Enablement (P): The added functionality is not used by the business functions.
IT Programme and Project Delivery (S): Usage of development resources is not aligned with business priorities and resources can barely be planned.
IT Operations and Service Delivery (P): IT service interruptions due to malfunctioning applications; (S) compliance issue due to untested and unapproved changes; (S) compliance issue and security problems of developers having access to the live environment.
Possible Risk Responses
• Risk Avoidance: Remove access rights to the live environment for developers.
• Risk Acceptance: Board approval of the risk. The chief information officer (CIO) or the developers should not be able to accept the significant exposure
of developers having access to the live environment and the lack of a change process.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Define and apply a sound change management and approval process. Update access control for developers to the live environment.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Change management policy | Define the rules and guidelines to change infrastructure components in a controlled and safe way. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI06.01 | Evaluate, prioritize and authorize change requests. | Evaluate all requests for change to determine the impact on business processes and IT services, and to assess whether change will adversely affect the operational environment and introduce unacceptable risk. Ensure that changes are logged, categorized, assessed, authorized, prioritized, planned and scheduled. | High | Low | YES
BAI06.03 | Track and report change status. | Maintain a tracking and reporting system to document rejected changes, communicate the status of approved and in-process changes, and complete changes. Make certain that approved changes are implemented as planned. | Low | Medium | NO
BAI06.04 | Close and document the changes. | Whenever changes are implemented, update accordingly the solution and user documentation and the procedures affected by the change. | Low | Low | NO
BAI07.01 | Establish an implementation plan. | Establish an implementation plan that covers system and data conversion, acceptance testing criteria, communication, training, release preparation, promotion to production, early production support, a fallback/backout plan, and a postimplementation review. Obtain approval from relevant parties. | High | High | YES
BAI07.03 | Plan acceptance tests. | Establish a test plan based on enterprisewide standards that define roles, responsibilities, and entry and exit criteria. Ensure that the plan is approved by relevant parties. | High | High | YES
BAI07.04 | Establish a test environment. | Define and establish a secure test environment representative of the planned business process and IT operations environment, performance and capacity, security, internal controls, operational practices, data quality and privacy requirements, and workloads. | High | High | YES
BAI07.05 | Perform acceptance tests. | Test changes independently in accordance with the defined test plan prior to migration to the live operational environment. | High | High | YES
BAI07.06 | Promote to production and manage releases. | Promote the accepted solution to the business and operations. Where appropriate, run the solution as a pilot implementation or in parallel with the old solution for a defined period and compare behavior and results. If significant problems occur, revert back to the original environment based on the fallback/backout plan. Manage releases of solution components. | Medium | High | YES
DSS06.03 | Manage roles, responsibilities, access privileges and levels of authority. | Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO11.05 | Integrate quality management into solutions for development and service delivery. | Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings. | High | High | YES
BAI01.09 | Manage program and project quality. | Prepare and execute a quality management plan, processes and practices, aligned with the quality management system (QMS) that describes the program and project quality approach and how it will be implemented. The plan should be formally reviewed and agreed on by all parties concerned and then incorporated into the integrated program and project plans. | Low | Medium | NO
BAI03.01 | Design high-level solutions. | Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version. | High | High | YES
BAI03.02 | Design detailed solution components. | Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operational level agreements (OLAs). | High | High | YES
BAI03.03 | Develop solution components. | Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed. | High | High | YES
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | High | High | YES
BAI03.05 | Build solutions. | Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions. | High | High | YES
BAI03.06 | Perform quality assurance (QA). | Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures. | High | High | YES
10 Business Ownership of IT
1001 Business failing to be accountable
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Medium | Medium | NO
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Medium | Medium | NO
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | High | High | YES
Organisational Structures Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
Finance Provide a common methodology used by business and IT to assess High High YES
opportunities in terms of value for the enterprise.
Strategy (IT executive) Key structure that should take accountability over IT and business High High YES
committee cooperation
Board of directors Accountable for the governance framework setting and maintenance Medium Medium NO
Culture, Ethics and Behaviour Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
Business and IT work The business takes into account the difficulties that IT faces, IT learns the High High YES
together as partners. business issues.
Information Enabler
IT strategy Align IT plans with business objectives and this will lead to a more efficient High High YES
accountability of the business over IT.
Authority levels Clarify the decision-making responsibilities. High High YES
Service level agreements Describe the service level/objectives established to meet business High High YES
(SLAs) expectations.
Services, Infrastructure and Applications Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
N/A N/A
People, Skills and Competencies Enabler
Effect Effect
on on Essential
Reference Contribution to Response Frequency Impact Control
Relationship management IT should have the proper skills to build relations with relevant business Medium Medium NO
skills stakeholders.
IT-related skills/affinity Business representatives should be trained/selected based on a minimal Medium Medium NO
required affinity with IT.
The cross-border data, security, privacy and potential compliance issues are:
• Personally identifiable information (PII) and various global data privacy laws
• Sensitive personal information (SPI)
• Cloud provider policies and procedures
• Data leakage
A process for reviewing the third-party compliance requirements is non-existent, and the decision was imposed on IT.
When the service is in place, the company detects data leakage in critical information and unknown areas of data.
Due to this severe issue, business reputation is severely damaged, which could potentially drive the company out of business through the loss of future
service contracts.
Risk Scenario Components
Threat Type
The nature of the event is a failure (ignorance) of the governance process EDM01 Ensure governance framework setting and maintenance. The
consequence was non-compliance with rules and regulations.
Actor
The actors that generate the threat that exploits a vulnerability are internal—the business executives that decided to outsource without involving IT.
Event
The event is an ineffective execution of the governance process EDM01 Ensure governance framework setting and maintenance and an ineffective
design of the management process MEA03 Monitor, evaluate and assess compliance with external requirements, which lead to a breach of rules and
regulations. The event can also be classified as disclosure because data leakage in critical information was detected.
Asset/Resource (Cause)
The resources/assets that lead to the business impact are the processes EDM01 Ensure governance framework setting and maintenance and
MEA03 Monitor, evaluate and assess compliance with external requirements and the people and skills, with business executives ignoring the
governance process.
Asset/Resource (Effect)
The resource/asset that was mainly affected is critical information due to data leakage. But also the entire enterprise (organizational structures and
people) is affected because its reputation is severely damaged, which can drive the company out of business.
Time
The duration of the events is extended because a long period of time is required to correct the situation, if ever. Because the company can be driven
out of business, the timing of occurrence is critical. The event was detected as soon as IT was involved and the noncompliance was recognized,
therefore, detection can be classified as moderate. The time lag between event and consequence is delayed because it can potentially drive the
company out of business.
Risk Type
IT Benefit/Value Enablement S IT not seen as technology enabler for new business initiatives.
IT Programme and Project Delivery P No contribution of IT to new or improved business solutions
IT Operations and Service Delivery S Service interruption.
Possible Risk Responses
• Risk Avoidance: Not engaging with third parties
• Risk Acceptance: If the contract has been executed (without IT review), the company has to accept that it is not going to be able to recover assets.
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The process for selection of third parties will be reviewed to include all technical and non-technical requirements.
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives and this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Relationship management skills | IT should have the proper skills to build relations with relevant business stakeholders. | Medium | Medium | NO
IT-related skills/affinity | Business representatives should be trained/selected based on a minimal required affinity with IT. | Medium | Medium | NO
Key Risk Indicators (KRIs) Related to IT Goals
• (01) Percentage of enterprise strategic goals and requirements supported by IT strategic goals
• (01) Percentage of IT value drivers mapped to business value drivers
• (03) Percentage of executive management roles with clearly defined accountabilities for IT decisions
• (03) Number of times IT is on the board’s agenda in a proactive manner
• (03) Frequency of IT strategy (executive) committee meetings
• (03) Rate of execution of executive IT-related decisions
• (07) Percentage of business stakeholders satisfied that IT service delivery meets agreed-on service levels
• (07) Percentage of users satisfied with the quality of IT service delivery
• (12) Number of business processing incidents caused by technology integration errors
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (14) Level of business user satisfaction with quality and timeliness (or availability) of management information
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM01) Level of stakeholder satisfaction (measured through surveys)
• (APO02) Percentage of objectives in the IT strategy that support the enterprise strategy
• (APO02) Percentage of enterprise objectives addressed in the IT strategy
• (APO02) Percentage of initiatives in the IT strategy that are self-funding (financial benefits in excess of costs)
• (APO02) Trends in ROI of initiatives included in the IT strategy
• (APO02) Level of enterprise stakeholder satisfaction survey feedback on the IT strategy
• (APO02) Percentage of projects in the IT project portfolio that can be directly traced back to the IT strategy
• (APO02) Percentage of strategic enterprise objectives obtained as a result of strategic IT initiatives
• (APO02) Number of new enterprise opportunities realised as a direct result of IT developments
• (APO02) Percentage of IT initiatives/projects championed by business owners
• (APO02) Achievement of measurable IT strategy outcomes part of staff performance goals
• (APO02) Frequency of updates to the IT strategy communication plan
• (APO02) Percentage of strategic initiatives with accountability assigned
• (APO09) Number of business processes with undefined service agreements
• (APO09) Percentage of live IT services covered by service agreements
• (APO09) Percentage of customers satisfied that service delivery meets agreed-on levels
• (APO09) Number and severity of service breaches
• (APO09) Percentage of services being monitored to service levels
• (APO09) Percentage of service targets being met
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
• (BAI02) Percentage of business case objectives met by proposed solution
• (BAI02) Percentage of stakeholders not approving solution in relation to business case
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Low | High | YES
APO02.01 | Understand enterprise direction. | Consider the current enterprise environment and business processes as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition). | Low | High | YES
APO05.06 | Manage benefits achievement. | Monitor the benefits of providing and maintaining appropriate IT services and capabilities based on the agreed-on and current business case. | High | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogues. Include internal operational level agreements (OLAs). | High | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | Low | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Finance | Provide a common methodology used by business and IT to assess opportunities in terms of value for the enterprise. | High | High | YES
Strategy (IT executive) committee | Key structure that should take accountability over IT and business cooperation. | High | High | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business and IT work together as partners. | The business takes into account the difficulties that IT faces, IT learns the business issues. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Align IT plans with business objectives and this will lead to a more efficient accountability of the business over IT. | High | High | YES
Authority levels | Clarify the decision-making responsibilities. | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | High | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
11 Suppliers
1101 Outsourcing of implementation services
The requirements for this business partner are local representation and knowledge of the local regulations that apply to the specific industry. The main
issues with the decision that was made are the lack of supplier due diligence regarding delivery capability and the sustainability of the supplier’s service.
After the bank detects the inability of the business partner to comply with service level agreements (SLAs), the implementation process is interrupted
with a substantial loss of time and resources, due to excessive reliance upon the vendor and a lack of training of the bank’s own personnel.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the procurement process because too much weight was put on sustainability of the provider instead of equal
weight on sustainability and the capability to comply with SLAs.
Actor
The actors that generate the threat that exploits a vulnerability are internal (function accountable for the procurement process), and external (provider
of the implementation services).
Event
The event is interruption of the implementation process.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The resources that are affected by the interruption of the implementation are mainly the IT infrastructure and applications. The business processes
that are supported by the affected IT infrastructure and applications are secondary resources.
Time
The duration of the event is extended because there is a substantial loss in time. The timing of occurrence is critical because the bank needs this new
bundle of software for its branches. The detection is slow because it was not recognized until the implementation already started. The time lag between
event and consequence is delayed because, in the worst case, a new provider must be evaluated.
Risk Type
IT Benefit/Value Enablement S Missed opportunity to use technology to improve efficiency and effectiveness
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P Service interruption
Possible Risk Responses
• Risk Avoidance: Bank will abstain from outsourcing. Bank should train own personnel in the service application implementation to counter reliance
on the business partner.
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Bank will review its governance process and enhance requirements when building the request for information (RFI) and request for
proposal (RFP) for qualifying business partners. Bank will perform proper review and selection of third parties.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers, including the acceptance criteria for terms of business. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | High | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Low | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business process owner | Set requirements and performance indicators and ensure that proper expectations are incorporated in the contracts. | High | High | YES
Procurement department | Provide the support and approach to efficiently engage with suppliers. | High | High | YES

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures. | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation. | High | High | YES
IT strategy | Define boundaries and enterprise objectives to take into account when negotiating contracts. | High | High | YES
Supplier catalogue | A structured presentation of known suppliers, including previous performance. | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | High | YES

Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Vendor management system | Sets up a system to keep track of the evolution of exposure to risk during the entire process from selection until termination of service. | High | High | YES

People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Negotiation skills | Ensure that minimal requirements are supported. | Medium | Medium | NO
After the service is in place, the company detects that the service provider cannot meet contract service level agreements (SLAs) for the future increase
in company operations volume that is planned for the next two years. Due to this severe issue, future business growth and sustainability is in jeopardy
and threatens the planned business expansion.
The main issues that have become evident are related to security, compliance, business continuity planning and cloud supplier capacity, as follows:
• Insufficient network throughput/capacity
• Slow transaction response time
• No review of cloud provider policies and procedures
• Need to update the business continuity plan (BCP) and the disaster recovery plan (DRP) processes to include the vendor/provider BCP/DRP
Risk Scenario Components
Threat Type
The nature of the event is a failure in decision making, because the decision was made without adequate information as a result of inadequate due diligence.
Actor
The actors that generate the threat that exploits a vulnerability are internal and external. The internal actor is the function that is accountable for the
due diligence within the process APO10 Manage suppliers. The external actor is the service provider.
Event
The event is interruption of services and ineffective design of IT infrastructure.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The resources that are affected are mainly the IT infrastructure and applications. The secondary affected resources are the business processes that
are supported by the affected IT infrastructure and applications.
Time
The duration of the event is extended because the provider must upgrade its infrastructure and systems or the company has to switch to another
provider. The timing of occurrence is critical due to the severe issue that future business growth and sustainability are in jeopardy, which threatens
the planned business expansion. The detection is slow because it was not recognized until the service was in place. The time lag between event and
consequence is delayed because, in the worst case, the new provider needs to be evaluated.
Risk Type
IT Benefit/Value Enablement S Missed opportunity to use technology to improve efficiency and effectiveness—future business growth
and sustainability are in jeopardy and the planned business expansion is threatened
IT Programme and Project Delivery N/A
IT Operations and Service Delivery P Insufficient network throughput/capacity, slow transaction response time, security problems and
compliance issues.
Possible Risk Responses
• Risk Avoidance: Abstinence from outsourcing
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The process for selection of third parties will be reviewed and then the company will adjust all technical and
non-technical requirements.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers including the acceptance criteria for terms of business. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | High | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Low | High | YES

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement department | Provide the support and approach to efficiently engage with suppliers. | Medium | Medium | NO
Chief information officer (CIO) | Accountable for managing suppliers. | Medium | Medium | NO

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures. | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES
A transparent and participative culture is an important focus point. | To optimize the outcome of the vendor relationship. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation. | High | High | YES
IT strategy | Define boundaries and enterprise objectives to take into account when negotiating contracts. | Medium | Medium | NO
Supplier catalogue | A structured presentation of known suppliers, including previous performance. | High | High | YES
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | Medium | NO
Following discussions with the business, it is agreed to terminate the development of the external solution and to transition the relationship with the
cloud provider to IT.
IT is now encumbered with a service level agreement that has minimal performance metrics reporting (most of the service level agreement [SLA]
reporting is meaningless). Without integration with in-house systems (especially dashboards for ticketing events), it will be difficult to derive value for
the enterprise.
Risk Scenario Components
Threat Type
The nature of the event is a failure in decision making because the decision was made by the business without consulting IT.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the business executive that made the decision without consulting IT.
Event
The event is inappropriate use of resources and ineffective design of the SLAs.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process APO10 Manage suppliers.
Asset/Resource (Effect)
The main resources that are affected are the applications. The secondary resources that are affected are the business processes that are supported by
the affected applications.
Time
The duration of the event is extended because the IT department now has the responsibility for the relationship and must integrate the provided
services with the in-house systems. The timing of occurrence is noncritical. The detection is moderate because the relationship was detected
accidentally, following a request from the cloud provider. The time lag between event and consequence is immediate because the responsibility of the
relationship is transferred immediately to IT.
Risk Type
IT Benefit/Value Enablement S Missed opportunity to use technology to improve efficiency and effectiveness—future business growth
and sustainability in jeopardy and the planned business expansion is threatened
IT Programme and Project Delivery P Run redundant projects.
IT Operations and Service Delivery N/A
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The IT department enters into a relationship with the business to understand the business expectations and attempts to renegotiate
effective monitoring and service delivery with the cloud provider.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement policy | Provide a set approach to selecting suppliers, including the acceptance criteria for the terms of business. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO09.02 | Catalog IT-enabled services. | Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalogs. | Medium | High | YES
APO09.03 | Define and prepare service agreements. | Define and prepare service agreements (SLAs) based on the options in the service catalogs. Include internal operational level agreements (OLAs). | Medium | High | YES
APO09.04 | Monitor and report service levels. | Monitor service levels, identify trends and provide reports that management can use to make decisions and manage future requirements for performance. | Medium | High | YES
APO09.05 | Review service agreements and contracts. | Conduct periodic reviews of the service agreements and revise when needed. | Medium | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Low | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | High | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
APO10.05 | Monitor supplier performance and compliance. | Periodically review the overall performance of suppliers, compliance to contract requirements, and value, and address identified issues promptly. | Medium | Medium | NO

Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Procurement department | Provide the support and approach to efficiently engage with suppliers. | High | High | YES
Chief information officer (CIO) | Accountable for managing suppliers. | Low | Low | NO

Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Respect procurement procedures. | Additional effort is required to ensure minimal protection regarding suppliers. | High | High | YES

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Service requirements | Knowing business goals allows for a reasonable position for negotiation. | Medium | High | YES
IT strategy | Defining boundaries and enterprise objectives to take into account when negotiating contracts. | Low | Low | NO
Service level agreements (SLAs) | Describe the service level/objectives established to meet business expectations. | Medium | High | YES
12 Regulatory Compliance
1201 PCI DSS Compliance
A company makes a major change in its business strategy and introduces an e-commerce web site to sell its products. The company is taking credit
card payments through this web site, which generates a large proportion of company total sales. Senior management was either unaware or decided
to go to market before the company was fully PCI DSS compliant. The noncompliance with the PCI DSS regulation is detected by the enterprise’s
sponsoring bank, which takes action. This action results in a fine to the company and has a negative impact on the enterprise’s reputation.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the process MEA03 Monitor, evaluate and assess compliance with external requirements and, at a more detailed
level, a failure of the management practice identify external compliance requirements. The threat type can also be classified as a breach of external
requirements.
Actor
The actors that generate the threat that exploits the vulnerability are internal and external. The internal actor is the senior management that was either
unaware or decided to go to market before the company was fully PCI DSS compliant. The external actors are the enterprise’s bank and the regulators
that fine the company.
Event
The event is ineffective design and/or ineffective execution of the management practice Identify external compliance requirements, within the process
MEA03 Monitor, evaluate and assess compliance with external requirements. The event can also be classified as a breach of rules and regulations.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the process MEA03 Monitor, evaluate and assess compliance with external requirements.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes of the company’s e-commerce activities.
Time
The duration is extended because the company must implement additional security measures to be compliant, and then these security measures must
be assessed. Timing is noncritical because noncompliance will not have an immediate impact on the business. Detection is through the enterprise’s
bank and is slow because it took some time before noncompliance was discovered. The time lag between event and consequence is delayed because
the regulator will first need to assess the extent of the breach of rules and regulations and then will address the fine.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Compliance issues
Possible Risk Responses
• Risk Avoidance: The enterprise decides to have no online sales presence.
• Risk Acceptance: Senior management accepts the risk and is prepared to pay any fines and have the company’s reputation damaged.
• Risk Sharing/Transfer: The enterprise outsources the processing of the e-commerce web site.
• Risk Mitigation: Implement required data security practices to be compliant with PCI DSS.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance policy | Guide the identification of external compliance requirements. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | High | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Litigation skills | Once prosecution is initiated, the proper skills are required to minimize legal impact | Low | Medium | YES
Legal analysis skills | Understand expectations of local regulator. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | Low | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Risk-aware and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by the government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
MEA03.01 | Identify external compliance requirements. | On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements applicable to the enterprise. | High | Low | YES
MEA03.02 | Optimize response to external requirements. | Review and adjust principles, policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation of existing plans. | High | Low | YES
MEA03.03 | Confirm external compliance. | Confirm compliance with legal, regulatory and contractual requirements. | High | Low | YES
MEA03.04 | Obtain assurance of external compliance. | Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Privacy officer | Monitor impact of laws and make sure privacy directives are met. | High | High | YES
Compliance department | Provide guidance on legal, regulatory and contractual compliance. Track new and changing regulations. | High | High | YES
Legal group | Legal support during analysis and litigation | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Risk-aware and compliance-aware culture is present throughout the enterprise, including the proactive identification and escalation of risk. | All members of the enterprise are empowered to facilitate regulatory compliance. | Medium | Medium | NO
Compliance is embedded in daily operations. | All members of the enterprise are empowered to facilitate regulatory compliance. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Analysis of new legal and regulatory compliance requirements | Regulations imposed by the government need to be analyzed. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Regulatory databases | Facilitate the follow-up of compliance requirements. | High | High | YES
13 Geopolitical
1301 Fire caused by political activists
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | High | YES
EDM03.02 | Direct risk management. | Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite. | Low | Medium | NO
APO12.01 | Collect data. | Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. | Medium | High | YES
APO12.02 | Analyze risk. | Develop useful information to support risk decisions that take into account the business relevance of risk factors. | Low | High | YES
APO12.03 | Maintain a risk profile. | Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. | Low | High | YES
APO12.04 | Articulate risk. | Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. | Low | High | YES
APO12.05 | Define a risk management action portfolio. | Manage opportunities to reduce risk to an acceptable level as a portfolio. | Medium | Medium | NO
APO12.06 | Respond to risk. | Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events. | Low | High | YES
DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Low | Medium | NO
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS04.05 | Review, maintain and improve the continuity plan. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES
Culture, Ethics and Behaviour Enabler
N/A
Information Enabler
N/A
Services, Infrastructure and Applications Enabler
N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contingency planning skills | Maintain options for continuous service. | Low | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
• (14) Ratio and extent of erroneous business decisions where erroneous or unavailable information was a key factor
Key Risk Indicators (KRIs) Related to Process Goals
• (EDM03) Level of alignment between IT risk and enterprise risk
• (EDM03) Number of potential IT risks identified and managed
• (EDM03) Refreshment rate of risk factor evaluation
• (EDM03) Percentage of IT risk action plans executed on time
• (EDM03) Percentage of critical risk that has been effectively mitigated
• (EDM03) Level of unexpected enterprise impact
• (EDM03) Percentage of IT risk that exceeds enterprise risk tolerance
• (APO12) Degree of visibility and recognition in the current environment
• (APO12) Number of loss events with key characteristics captured in repositories
• (APO12) Percentage of audits, events and trends captured in repositories
• (APO12) Percentage of key business processes included in the risk profile
• (APO12) Completeness of attributes and values in the risk profile
• (APO12) Percentage of risk management proposals rejected due to lack of consideration of other related risk
• (APO12) Number of significant incidents not identified and included in the risk management portfolio
• (DSS04) Number of critical business systems not covered by the business continuity plan
• (DSS04) Number of exercises and tests that have achieved recovery objectives
• (DSS04) Percentage of agreed-on improvements to the business continuity plan that have been incorporated
• (DSS04) Percentage of issues identified that have been subsequently addressed in the business continuity plan
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | Medium | NO
APO12.01 | Collect data. | Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting. | Low | High | YES
APO12.02 | Analyze risk. | Develop useful information to support risk decisions that take into account the business relevance of risk factors. | Low | High | YES
APO12.03 | Maintain a risk profile. | Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities. | Low | High | YES
APO12.04 | Articulate risk. | Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response. | Low | High | YES
APO12.05 | Define a risk management action portfolio. | Manage opportunities to reduce risk to an acceptable level as a portfolio. | Low | High | YES
APO12.06 | Respond to risk. | Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events. | Low | High | YES
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | Medium | NO
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES
Culture, Ethics and Behaviour Enabler
N/A
Information Enabler
N/A
Services, Infrastructure and Applications Enabler
N/A
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
EDM03.01 | Evaluate risk management. | Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise. Consider whether the enterprise’s risk appetite is appropriate and that risk to enterprise value related to the use of IT is identified and managed. | Low | High | YES
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | High | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Low | Medium | NO
DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Low | High | YES
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Medium | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity and disaster recovery | Maintain options for continuous service. | Low | High | YES
Culture, Ethics and Behaviour Enabler
N/A
Information Enabler
N/A
Services, Infrastructure and Applications Enabler
N/A
New employees are often encouraged to enter facilities along with other employees who have been granted access to the facilities. A clear
differentiation does not exist between the badges assigned to visitors and employees. Regularly, the security personnel fail to escort visitors.
The company has not upgraded its security monitoring to a digital format.
After a recent physical site audit (using camera and monitor recordings), it was observed that an unknown person gained access to the building, which
resulted in industrial espionage through the theft of a device with information about the latest company product that was scheduled to be launched to
the market in the next quarter.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits a vulnerability is an external person, a thief.
Event
The event is theft and disclosure of sensitive information about the latest company product.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are an ineffective design and/or ineffective execution of the process DSS05 Manage security
services and its management practices Manage physical access to IT assets and Manage sensitive documents and output devices.
Asset/Resource (Effect)
The asset/resource that was affected is the sensitive information about the latest company product.
Time
The duration of the event is extended because the advantage over the competitors is lost. The timing of occurrence is critical because the
company’s product was about to hit the market within the next quarter. Detection is moderate because the intrusion was detected only by reviewing the
videotapes. The time lag between event and consequence is delayed because the company will increase revenue with the new product.
Risk Type
IT Benefit/Value Enablement | N/A
IT Programme and Project Delivery | N/A
IT Operations and Service Delivery | P | Physical security problems
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Physical site security policies will be enforced. Visitor badges will be changed to a flashing color and physical barriers and visitor
logs will be installed.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Physical and environmental information security policy | Restrict physical access to infrastructure in order to prevent destruction. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
DSS05.06 | Manage sensitive documents and output devices. | Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Implementation of security measures | High | High | YES
Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent unauthorized physical access | High | Medium | YES
People respect the importance of information security policies and principles. | To prevent unauthorized physical access | High | Medium | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access requests | Audit access requests and approvals. | High | Medium | YES
Access logs | Monitor access to facilities. | Medium | High | YES
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control | To prevent unauthorized logical access | High | Medium | YES
Alarm and monitoring security system | To prevent unauthorized physical access | High | High | YES
There was a break-in at the building that hosted the development team, and most of the development servers were stolen. Because the servers could
not be replaced quickly, the theft of the servers led to big delays in most of the development projects.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits the vulnerability is an external thief.
Event
The event is theft of a substantial number of development servers.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is ineffective design and/or ineffective execution of environmental controls for the physical
infrastructure, facilities and equipment.
Asset/Resource (Effect)
The asset/resource that was affected is the IT infrastructure, specifically, the development servers.
Time
The duration of the event is extended because replacement cannot be organized immediately. The timing of occurrence is critical because the company
is working on some strategically important development projects. Detection is immediate because it was detected the morning after the servers were
stolen. The time lag between event and consequence is delayed because the company must acquire, configure and implement the new servers, which
can take a long period of time.
Risk Type
IT Benefit/Value Enablement | S | Delayed projects lead to missed opportunities as an enabler for new business initiatives.
IT Programme and Project Delivery | S | Delayed project delivery
IT Operations and Service Delivery | P | Destruction of value to the enterprise
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Insurance for equipment
• Risk Mitigation: Physical site security policies will be enforced for all sites. Environmental controls will be implemented for all sites. Contract to a
disaster recovery service.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Physical and environmental information security policy | Restrict physical access to infrastructure in order to prevent destruction. | High | Low | YES
Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | High | Medium | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Low | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security manager | Responsible for implementing security measures. | High | Low | YES
Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Information security is practiced in daily operations. | To prevent unauthorized physical access | High | Low | YES
People respect the importance of information security policies and principles. | To prevent unauthorized physical access | High | Low | YES
Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | Medium | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access requests | Audit access requests and approvals. | High | Low | YES
Access logs | Monitor access to facilities. | Medium | Low | NO
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Access control | To prevent unauthorized logical access | High | Low | YES
Alarm and monitoring security system | To prevent unauthorized physical access | High | Medium | YES
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information. | Low | High | YES |
| DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | High | YES |
| DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Head of IT operations | Respond to infrastructure theft and destruction. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of infrastructure theft and destruction | Low | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| N/A | N/A | | | |

People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security skills | To implement controls to prevent or reduce the impact of infrastructure theft and destruction. | High | High | YES |
15 Malware
1502 Virus Infection
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| APO01.08 | Maintain compliance with policies and procedures. | Implement procedures to maintain compliance, performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. | Medium | Low | NO |
| APO13.02 | Define and manage an information security risk treatment plan. | Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation. | High | Medium | YES |
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES |
| DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implement security measures. | High | High | YES |
| Head of IT operations | Lead the incident response team to restore service in a timely fashion. | Low | High | |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent the unintentional installation of malware | Medium | Low | NO |
| People respect the importance of information security policies and principles. | To prevent the unintentional installation of malware | High | Low | YES |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware | Medium | High | YES |
| Awareness and training regarding malware, email and Internet usage. | To prevent the unintentional installation of malware | High | Low | YES |
Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Threat information reports | Intelligence regarding types of attacks | High | Low | NO |
| Monitoring reports | Identification of attack attempts, threat events, etc. | Low | High | YES |

Services, Infrastructure and Applications Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Security information and event management (SIEM) | Provides real-time analysis of security alerts generated by network hardware and applications. | High | High | YES |
| Anti-malware tools | Protection against viruses | High | Low | YES |
| Monitoring and alert services | Timely notification of potential threats | Medium | High | YES |

People, Skills and Competencies Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security skills | Prevent and reduce the impact of malware. | High | High | YES |
| IT technical skills | Appropriate configuration of IT infrastructure such as intrusion detection systems (IDS) to detect infections and prevent spreading. | High | Medium | YES |
Key Risk Indicators (KRIs) Related to IT Goals
• (02) Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• (02) Number of non-compliance issues relating to contractual agreements with IT service providers
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (07) Number of business disruptions due to IT service incidents
• (10) Number of security incidents causing financial loss, business disruption or public embarrassment
• (10) Number of IT services with outstanding security requirements
• (10) Frequency of security assessment against latest standards and guidelines
• (14) Number of business process incidents caused by non-availability of information
• (15) Number of incidents related to non-compliance policy
• (15) Percentage of stakeholders who understand policies
• (15) Percentage of policies supported by effective standards and working practices
• (16) Percentage of staff whose IT-related skills are sufficient for the competency required for their role
• (16) Number of learning/training hours per staff member
Key Risk Indicators (KRIs) Related to Process Goals
• (APO01) Percentage of active policies, standards and other enablers documented and up to date
• (APO01) Number of risk exposures due to inadequacies in the design of the control environment
• (APO01) Number of staff who attended training or awareness sessions
• (APO13) Number of security related incidents
• (APO13) Level of stakeholder satisfaction with the security plan throughout the enterprise
• (APO13) Number of security solutions deviating from the plan
• (APO13) Number of security incidents caused by non-adherence to the security plan
• (APO13) Number of services with confirmed alignment to the security plan
• (DSS05) Number of vulnerabilities discovered
• (DSS05) Number of firewall breaches
• (DSS05) Percentage of individuals receiving awareness training related to use of endpoint devices
• (DSS05) Number of incidents involving endpoint devices
• (DSS05) Number of unauthorised devices detected on the network or in the end-user environment
• (DSS05) Number of incidents relating to unauthorised access to information
• (DSS06) Percentage of completed inventory of critical processes and key controls
• (DSS06) Percentage of coverage of key controls with test plans
• (DSS06) Number of incidents and audit report findings indicating failure of key controls
After saving these data on his own media device, he designs a time bomb and plants it in the production systems; 90 days after he has left the company it changes the system logic that supports critical business functions, resulting in great losses to the company.
Because this employee is very close to the company’s chief information security officer (CISO), who is about to retire from the company, the CISO agrees to help this employee alter the company’s security controls.
Risk Scenario Components
Threat Type
The nature of the event is malicious.
Actor
The actor that generates the threat that exploits a vulnerability is internal—the employee who was laid off.
Event
The event is disclosure of company data and unauthorized modification of the systems logic by the time bomb.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is people (the employee who was laid off). The ineffective design and ineffective execution of
the processes DSS05 Manage security services and APO07 Manage human resources are also resources.
Asset/Resource (Effect)
The resources that are affected are the business processes that are supported by the system logic that was changed by the time bomb, and information, such as the core enterprise data that were copied and sent to competitors.
Time
The duration of the event is extended because it takes a long time to correct the affected system logic and to repair the damage to reputation and to the business caused by the disclosed core enterprise data. Timing is critical because the CISO is going to retire. Detection is slow because the time bomb is not detected before it destroys the system logic. For the same reason, the time lag between the event and the consequence is delayed.
Risk Type

| Risk Type | Applicability |
|---|---|
| IT Benefit/Value Enablement | N/A |
| IT Programme and Project Delivery | N/A |
| IT Operations and Service Delivery | ✓ Security problems |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: The enterprise needs to update the human resources (HR) policy for employee termination, especially for critical employees, defining processes that include notification of the IT department. After notification, the IT department should:
– Verify and actively monitor the employee’s activity log once the employee has been notified.
– Build special reports to management on this activity log.
– Limit the employee’s data access to critical resources.
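The three IT-side steps of the mitigation above (monitor the notified employee's activity log, report on it to management, and limit access to critical resources) can be wired together in a small review script. The following is an added example, not code from ISACA or from this publication; the log line format, the user IDs, the resource names, the notice date and the bulk-transfer threshold are all constructed for illustration.

```python
"""Review activity of employees under termination notice (added example)."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (assumptions, not from the text): resources the
# enterprise has classified as critical, and the user IDs HR has notified
# IT about under the termination procedure, mapped to the notice date.
CRITICAL_RESOURCES = {"/data/core-enterprise", "/prod/scheduler/jobs"}
NOTIFIED_USERS = {"u1042": datetime(2014, 3, 1)}

# Constructed threshold: more than 10 MiB read or copied from critical
# resources after notice is escalated to management.
BULK_BYTES = 10 * 1024 * 1024

# Constructed sample activity log, one event per line:
# "<ISO timestamp> <user> <action> <resource> <bytes>"
SAMPLE_LOG = """\
2014-02-20T11:00:00 u1042 READ /data/core-enterprise 4096
2014-03-02T09:10:00 u1042 READ /data/core-enterprise 52428800
2014-03-02T09:12:00 u1042 COPY /data/core-enterprise 52428800
2014-03-02T10:00:00 u2201 READ /data/core-enterprise 4096
2014-03-03T22:45:00 u1042 WRITE /prod/scheduler/jobs 2048
2014-03-03T08:00:00 u1042 READ /wiki/lunch-menu 512
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    resource: str
    nbytes: int


def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), parts[1],
                                parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return events


def access_allowed(user: str, resource: str, notified: dict, critical: set) -> bool:
    """Enforcement step: a notified employee loses access to critical resources.
    Everyone else keeps whatever access the normal authorization model grants."""
    return not (user in notified and resource in critical)


def review_notified_users(events: list, notified: dict, critical: set) -> dict:
    """Monitoring step: build the per-user management report.
    Only events on or after the HR notice date are counted."""
    report = {}
    for user, notice_date in notified.items():
        mine = [e for e in events if e.user == user and e.ts >= notice_date]
        crit = [e for e in mine if e.resource in critical]
        bytes_out = sum(e.nbytes for e in crit if e.action in ("READ", "COPY"))
        writes = sorted(e.resource for e in crit if e.action == "WRITE")
        report[user] = {
            "critical_accesses": len(crit),
            "bytes_out": bytes_out,
            # Writes to production logic by a departing employee are the
            # signal most relevant to the time-bomb scenario.
            "critical_writes": writes,
            "off_hours": sum(1 for e in mine if e.ts.hour < 7 or e.ts.hour >= 20),
            "escalate": bool(writes) or bytes_out > BULK_BYTES,
        }
    return report


def format_report(report: dict) -> str:
    """Reporting step: plain-text summary for management."""
    lines = []
    for user, r in sorted(report.items()):
        flag = "ESCALATE" if r["escalate"] else "ok"
        lines.append(f"{user}: {r['critical_accesses']} critical accesses, "
                     f"{r['bytes_out']} bytes out, writes={r['critical_writes']}, "
                     f"off-hours={r['off_hours']} [{flag}]")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(format_report(review_notified_users(evts, NOTIFIED_USERS, CRITICAL_RESOURCES)))
```

The report deliberately ignores activity before the notice date so that the baseline period is not mixed with the monitored period; in practice the notice date comes from the HR process the mitigation asks for, and the "critical" set comes from the enterprise's own data classification.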
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security policy | Outline information security arrangements within the enterprise. | High | High | YES |
| Malicious software prevention policy | Detail the preventive, detective and corrective measures in place across the enterprise to protect information systems and technology from malware. | High | High | YES |
| Architecture principles | Information security requirements are embedded within the enterprise architecture and translated into a formal information security architecture. | High | Low | YES |
| Business continuity and disaster recovery policy | Validate recoverability of information, services, application and infrastructure. | Low | High | YES |
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | Medium | Low | NO |
| DSS05.04 | Manage user identity and logical access. | Ensure that all users have information access rights in accordance with their business requirements and coordinate with business units that manage their own access rights within business processes. | High | Medium | YES |
| DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | Low | YES |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implement security measures. | High | High | YES |
| Head of IT operations | Lead the incident response team to restore service in a timely fashion. | Low | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent the unintended installation of malware | High | Low | YES |
| People respect the importance of information security policies and principles. | To prevent the unintended installation of malware | Medium | Medium | NO |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of the installation of malware | Low | High | YES |
| Awareness and training regarding malware, email and internet usage. | To prevent the unintended installation of malware | High | Low | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Threat information reports | Intelligence regarding types of attacks | Medium | Medium | NO |
| Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES |
1504 Phishing
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| APO01.03 | Maintain the enablers of the management system. | Maintain the enablers of the management system and control environment for enterprise IT, and ensure that they are integrated and aligned with the enterprise’s governance and management philosophy and operating style. These enablers include the clear communication of expectations/requirements. The management system should encourage cross-divisional co-operation and teamwork, promote compliance and continuous improvement, and handle process deviations (including failure). | Medium | Low | NO |
| APO01.04 | Communicate management objectives and direction. | Communicate awareness and understanding of IT objectives and direction to stakeholders throughout the enterprise. | Medium | Low | NO |
| APO01.08 | Maintain compliance with policies and procedures. | Implement procedures to maintain compliance, performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. | Medium | Low | NO |
| APO07.03 | Maintain the skills and competencies of personnel. | Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience, and verify that these competencies are being maintained, using qualification and certification programmes where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals. | Medium | Low | NO |
| APO13.02 | Define and manage an information security risk treatment plan. | Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation. | High | Medium | YES |
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | High | Low | YES |
| DSS06.06 | Secure information assets. | Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information. | High | High | YES |
16 Logical Attacks
1602 Network penetration
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES |
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES |
| DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO |
| DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | YES |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Medium | NO |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implement security measures. | High | High | YES |
| Head of IT operations | Lead the management response team to restore service in a timely fashion. | Low | High | YES |
| Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | High | YES |
| Chief security architect | Design security measures. | High | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent logical attacks | High | Medium | YES |
| People respect the importance of information security policies and principles. | To prevent logical attacks | Medium | Low | NO |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Low | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | Medium | NO |
| Threat information reports | Intelligence regarding types of attacks | High | Medium | YES |
| Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES |
The duration of the event is extended because APTs usually remain undetected for quite some time. The timing of occurrence is critical because the company has a short period of time before issuing a new pharmaceutical product based on the sensitive research results. Because it may be a long period of time before this information leakage is detected, detection is classified as slow, and, for the same reason, the time lag between event and consequence is delayed.
Risk Type

| Risk Type | Applicability |
|---|---|
| IT Benefit/Value Enablement | N/A |
| IT Programme and Project Delivery | N/A |
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS05.01 | Protect against malware. | Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and anti-malware) across the enterprise to protect information systems and technology from viruses, worms, spyware, spam, etc. | High | Medium | YES |
| DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO |
| DSS05.03 | Manage endpoint security. | Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted. | High | Low | YES |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Medium | NO |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implement security measures. | High | High | YES |
| Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | Medium | NO |
| Chief security architect | Design security measures. | High | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent logical attacks | High | Low | YES |
| People respect the importance of information security policies and principles. | To prevent logical attacks | High | Low | YES |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Low | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | High | YES |
| Threat information reports | Intelligence regarding types of attacks | High | Medium | YES |
| Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES |
1606 Hacktivism
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| DSS01.03 | Monitor IT infrastructure. | Monitor the IT infrastructure and related events. Store sufficient chronological information in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations. | Low | High | YES |
| DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES |
| DSS05.02 | Manage network and connectivity security. | Use security measures and related management procedures to protect information over all methods of connectivity. | Medium | Low | NO |
| DSS05.07 | Monitor the infrastructure for security-related events. | Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure events are integrated with general event monitoring and incident management procedures. | Low | Low | NO |

Organisational Structures Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security manager | Implement security measures. | High | High | YES |
| Head of IT operations | Lead the response team to restore service in a timely fashion. | Low | High | YES |
| Service manager | In case attacks are successful, communicate with end-user and help to manage the response. | Low | High | YES |
| Chief security architect | Design security measures. | High | High | YES |

Culture, Ethics and Behaviour Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Information security is practiced in daily operations. | To prevent logical attacks | High | Low | YES |
| People respect the importance of information security policies and principles. | To prevent logical attacks | High | Low | YES |
| Stakeholders are aware of how to identify and respond to threats to the enterprise. | To minimize impact of logical attacks | Medium | High | YES |

Information Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Service level agreements (SLAs) | Detail the action to be undertaken in case of attack. | Low | High | YES |
| Threat information reports | Intelligence regarding types of attacks | High | Medium | YES |
| Monitoring reports | Identify attack attempts, threat events, etc. | Low | High | YES |
17 Industrial Action
1701 Staff is on strike
Business users are also on strike, so the impact on service delivery is significant; all systems have stopped.
Risk Scenario Components
Threat Type
Because the strike by the members of the IT department was provoked by the labor union, the nature of the event is based on an external requirement.
Actor
The actors that generate the threat that exploits a vulnerability are internal (the IT staff who are on strike) and external (the labor union that provoked the strike).
Event
The event is an interruption of the overall IT services.
Asset/Resource (Cause)
The resource/asset that leads to the business impact is the people of the IT department, which is on strike.
Asset/Resource (Effect)
The resources affected are the business processes that are not being performed. IT processes such as development are also affected by the standstill of the IT department. Because the IT developers are not working, the applications are neither updated nor operated.
Time
Because it appears that the strike will not end soon and that development of new applications is delayed, the duration of the event is regarded as extended. As programmes and projects for urgently needed new applications are stopped and will be delayed, the timing of occurrence is critical. Detection is clearly immediate because the work stopped at the same time as the strike started. For the same reason, the time gap between the event and the consequence is immediate.
Risk Type

| Risk Type | Applicability |
|---|---|
| IT Benefit/Value Enablement | N/A |
| IT Programme and Project Delivery | ✓ No progress in projects |
| IT Operations and Service Delivery | ✓ No services are provided to internal users. |
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Acceptance of the risk by the board
• Risk Sharing/Transfer: Outsource service delivery.
• Risk Mitigation: Negotiate with staff members and/or the union to keep essential services (e.g., in a hospital or in an EPU).
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler

| Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|
| Human resources (HR) policy | Define rights and obligations of all staff, detailing acceptable and unacceptable behavior by the employees, and in so doing, manage the risk that is linked to human behavior. | High | Medium | YES |
| Vendor management policy | Define backup or emergency service delivery options. | Low | High | YES |
Process Enabler

| Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control |
|---|---|---|---|---|---|
| APO01.01 | Define the organizational structure. | Establish an internal and extended organizational structure that reflects business needs and IT priorities. Put in place the required management structures (e.g., committees) that enable management decision making to take place in the most effective and efficient manner. | Low | High | YES |
| APO07.02 | Identify key IT personnel. | Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. | Low | High | YES |
| BAI01.10 | Manage program and project risk. | Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded. | Low | Medium | NO |
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations from and for staff | High | Medium | YES
Legal group | Support initial contracting and prosecution in case of breach of contract. | Medium | Medium | NO
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | High | High | YES
Business executive | Facilitates two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
A transparent and participative culture is an important focus point. | To prevent industrial action from occurring | High | Low | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contract agreements with staff | Clear definition of responsibilities, rights and obligations for all individual staff | High | Medium | YES
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | Medium | Medium | NO
Knowledge repositories | Minimizing the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Resource gap analysis | Clear analysis of critical level of resources | Medium | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Third-party backup services | Temporary support in case of industrial action | Low | High | YES
Chapter 7
Risk Scenario Analysis Examples
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO02.02 | Assess the current environment, capabilities and performance. | Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services. | Medium | Medium | NO
APO10.01 | Identify and evaluate supplier relationships and contracts. | Identify suppliers and associated contracts and categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts. | Low | High | YES
APO10.02 | Select suppliers. | Select suppliers according to a fair and formal practice to ensure a viable fit based on specified requirements. Requirements should be optimized with input from potential suppliers and enterprise stakeholders. | Medium | High | YES
APO10.03 | Manage supplier relationships and contracts. | Formalize and manage relationships for each strategic supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. | Low | High | YES
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Legal group | Support initial contracting and prosecution in case of breach of contract. | High | High | YES
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | Medium | Medium | NO
Business executive | Facilitate two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | High | High | YES
Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | Medium | NO
Resource gap analysis | Clear analysis of critical level of resources | Low | High | YES
The company's customers and enterprise providers cannot cash checks using automated teller machines (ATMs) or perform other operations. Although the bank has electronic channels, the strike also affects the related services that require manual procedures in the background. As a result of the strike, the company's finances are being affected and no cash is flowing.
It does not look as if the strike will be resolved soon. The company needs to adjust its standard and automated procedures (e.g., credit allowance, payment period, customer limits) and, therefore, several changes to systems and information are needed on short notice. Although there is a service level agreement (SLA) with an emergency response team that is not taking part in the strike, the bank does not have the capacity to apply those changes in the time frame needed.
Risk Scenario Components
Threat Type
Because the bank is affected by the strike rather than the company, the nature of the event can be classified as an external requirement.
Actor
The actor that generates the threat that exploits a vulnerability is external: the bank or, more specifically, the bank's striking staff.
Event
The event is an interruption of external banking services.
Asset/Resource (Cause)
The resource/asset that leads to the business impact is the organizational structure because it is the external bank that cannot provide the services.
Asset/Resource (Effect)
The resources/assets affected are customer-facing and other finance processes that need to be amended. Information in applications, such as credit allowance and payment period, is also affected and needs to be changed.
Time
Because it appears that the strike will not be over soon, the duration of the event can be classified as extended. Because payments have to be made and
data such as credit allowance is urgently needed, the timing of occurrence is critical. The detection is clearly immediate because the services provided
by the bank stopped at the same time that the strike started. For the same reason, the time gap between the event and the consequence is immediate.
Risk Type
Risk Type | P (primary) / S (secondary) | Description
IT Benefit/Value Enablement | N/A | N/A
IT Programme and Project Delivery | N/A | N/A
IT Operations and Service Delivery | P | IT service interruptions due to emergency changes
IT Operations and Service Delivery | S | IT service operations affected by service providers refusing to provide the service
IT Operations and Service Delivery | S | Changes to information as controls are being loosened (e.g., staff who are allowed to change credit allowance can also change other information)
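The last secondary risk above, controls loosened for emergency changes so that staff allowed to change the credit allowance can also change other information, is a least-privilege problem at the field level. The Python below is an added example, not part of the ISACA text or of any product it references; it shows one way to keep such an emergency grant scoped: each hypothetical emergency role receives an allowlist of the record fields it may change, a ticket reference and an expiry; identity and payment-reference fields stay frozen for every role; and every decision, allowed or denied, is written to an audit log. Role names, field names, the sample customer record and the timestamps are all constructed for the example.

```python
"""Field-scoped authorization for emergency changes during a supplier outage.

Added example, not from the ISACA text. Role names, field names, the sample
customer record and the timestamps are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical emergency roles and the only customer-record fields each may change.
EMERGENCY_ALLOWLIST = {
    "credit_emergency": frozenset({"credit_allowance", "payment_period_days"}),
    "limits_emergency": frozenset({"customer_limit"}),
}

# Identity and payment-reference fields stay frozen for every emergency role.
ALWAYS_PROTECTED = frozenset({"customer_id", "account_number", "beneficiary_iban"})

# Constructed reference time for the sample; a real gate would use datetime.now(timezone.utc).
NOW = datetime(2014, 6, 2, 9, 0, tzinfo=timezone.utc)


def hours_later(hours):
    """Timestamp `hours` after NOW (helper that keeps the sample deterministic)."""
    return NOW + timedelta(hours=hours)


@dataclass(frozen=True)
class EmergencyGrant:
    user: str
    role: str
    ticket: str           # reference to the approved emergency change
    expires_at: datetime  # hard stop for the loosened control


@dataclass(frozen=True)
class ChangeRequest:
    user: str
    customer_id: str
    ticket: str
    changes: dict  # field name -> new value


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class EmergencyChangeGate:
    """Authorizes emergency changes field by field and records every decision."""

    def __init__(self, grants):
        self._grants = {g.user: g for g in grants}
        self.audit_log = []  # one entry per decision, allowed or denied

    def authorize(self, req, now):
        decision = self._decide(req, now)
        self.audit_log.append({
            "at": now.isoformat(), "user": req.user, "customer": req.customer_id,
            "ticket": req.ticket, "fields": sorted(req.changes),
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, req, now):
        grant = self._grants.get(req.user)
        if grant is None:
            return Decision(False, "no emergency grant for user")
        if now >= grant.expires_at:
            return Decision(False, "emergency grant expired")
        if req.ticket != grant.ticket:
            return Decision(False, "ticket does not match grant")
        requested = frozenset(req.changes)
        if not requested:
            return Decision(False, "empty change set")
        protected = requested & ALWAYS_PROTECTED
        if protected:  # frozen fields are refused before scope is even considered
            return Decision(False, "protected fields: " + ", ".join(sorted(protected)))
        out_of_scope = requested - EMERGENCY_ALLOWLIST.get(grant.role, frozenset())
        if out_of_scope:
            return Decision(False, "outside role scope: " + ", ".join(sorted(out_of_scope)))
        return Decision(True, "within scope of role " + grant.role)


def apply_emergency_change(record, req, gate, now):
    """Return (new record, decision); the copy is left untouched when the change is denied."""
    decision = gate.authorize(req, now)
    updated = dict(record)
    if decision.allowed:
        updated.update(req.changes)
    return updated, decision


def build_sample_gate():
    """Constructed sample: alice holds a four-hour credit-emergency grant under ticket EMG-42."""
    return EmergencyChangeGate([
        EmergencyGrant("alice", "credit_emergency", "EMG-42", hours_later(4)),
    ])


SAMPLE_RECORD = {  # constructed customer record
    "customer_id": "C-1001", "account_number": "00012345", "beneficiary_iban": "XX00BANK0001",
    "credit_allowance": 5000, "payment_period_days": 30, "customer_limit": 1000,
}

if __name__ == "__main__":
    gate = build_sample_gate()
    in_scope = ChangeRequest("alice", "C-1001", "EMG-42",
                             {"credit_allowance": 7500, "payment_period_days": 45})
    creep = ChangeRequest("alice", "C-1001", "EMG-42",
                          {"credit_allowance": 7500, "beneficiary_iban": "YY11EVIL0001"})
    for req in (in_scope, creep):
        _, decision = apply_emergency_change(SAMPLE_RECORD, req, gate, NOW)
        print(sorted(req.changes), "->", decision.allowed, decision.reason)
```

The ordering of the checks matters: the protected-field test runs before the role-scope test, so a request that mixes a legitimate credit change with a payment-reference change is refused outright rather than partially applied, and the denied request still lands in the audit log with the offending field names.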
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO10.04 | Manage supplier risk. | Identify and manage supplier risk, including the ability to continually provide secure, efficient and effective service delivery. | Low | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of HR | Responsible for establishing expectations from and towards staff. | High | Medium | YES
Legal group | Support initial contracting and prosecution in case of breach of contract. | Medium | Medium | NO
Board of directors | Accountable for the well-functioning of the enterprise; top-level organizational structure for stakeholder communication | High | High | YES
Business executive | Facilitate two-way communication. | Medium | Medium | NO
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
A transparent and participative culture is an important focus point. | To prevent industrial action from occurring | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Contract agreements with staff | Clear definition of responsibilities, rights and obligations for all individual staff | High | Medium | YES
Supplier contracts | Clear definition of responsibilities, rights and obligations for specific arrangements with vendors | Medium | Medium | NO
Knowledge repositories | Minimize the effect of partial unavailability of resources by sharing knowledge regarding processes, technology, etc. | Low | High | YES
Resource shortfall analysis | Clear analysis of the critical level of resources | Low | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Third-party backup services | Temporary support in case of industrial action | Low | High | YES
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
HR skills | Management of skills and competencies | High | Medium | YES
Negotiation skills | Facilitate the maximal two-way communication and ensure that minimal operational requirements are met. | Medium | Medium | YES
Litigation skills | Once prosecution is initiated, the proper skills are required to defend the interests of the enterprise. | Low | High | YES
246
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples
247
Personal Copy of: Mr. Yonscun Yonscun
Risk Scenarios Using COBIT® 5 for Risk
248
Personal Copy of: Mr. Yonscun Yonscun
Chapter 7
Risk Scenario Analysis Examples
18 Environmental
1801 Emergency generator fuel containment
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | Low | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Medium | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Head of IT operations | Responsible for managing the IT environment and facilities | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
A clearly defined structure for ethical responsibility and a culture that promotes specific accountability is developed and supported. | People are involved and aware of the consequences of environmental issues and are empowered to handle them according to ethical guidelines. | High | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
IT strategy | Environmental awareness should be part of the IT strategy. | Medium | Medium | NO
Asset register | To assess the environmental impact of the technology in use | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Systems development | Streamline and optimize the technology. | Low | Low | NO
19 Acts of Nature
1903 Data center design
During a severe rain and hail storm, attributed to climate change, the integrity of the existing roof was compromised, resulting in water leakage onto the critical servers. Because the hail stones were so big, the main communication lines to the backup data center were also destroyed.
This situation interrupted the service and resulted in missed service level agreements (SLAs) for critical, long-standing clients, who terminated their contracts immediately. This was a significant loss of revenue for the company offering the service.
Risk Scenario Components
Threat Type
The main threat type is a natural event.
Actor
Not every type of threat requires an actor, e.g., failures or natural causes. This event has a natural cause and there is no actor.
Event
The event is an interruption of the services caused by the destruction of the roof resulting in a water leakage and the destruction of the main
communications lines to the backup data center.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the facilities (the roof of the data center and the missing enclosure of the critical infrastructure).
Asset/Resource (Effect)
The assets/resources that are affected are different business processes (especially the ones from the clients) and the infrastructure and facilities that
were destroyed by the severe rain and hail storm.
Time
At the time of the severe rain and hail storm there was no enclosure for the critical infrastructure and no backup communication line; therefore, the timing of occurrence is critical. The duration of the event is extended because clients terminated their contracts and will not come back, and it takes quite some time to rebuild the lost reputation and attract new clients. Because the water poured into the data center and suddenly interrupted the services, the detection is immediate. The consequences are also immediate because the infrastructure can no longer be used; the clients terminated their contracts immediately and the revenue was therefore lost immediately.
Risk Type
Risk Type | P (primary) / S (secondary) | Description
IT Benefit/Value Enablement | N/A | N/A
IT Programme and Project Delivery | N/A | N/A
IT Operations and Service Delivery | P | IT service interruption and compliance issues (unfulfilled SLAs)
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Accept that the exposure remains once the facilities are repaired and the infrastructure is replaced
• Risk Sharing/Transfer: Insurance against the financial loss of the infrastructure and facilities
• Risk Mitigation: The board needs to take audit reports into consideration. Communication lines and resources need to be redundant, and secondary routes need to be put in place. A special enclosure and an enhanced roof must be built for the data center.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available. | Low | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
BAI04.02 | Assess business impact. | Identify important services to the enterprise, map services and resources to business processes, and identify business dependencies. Ensure that the impact of unavailable resources is fully understood and accepted by business owners. Ensure that, for critical business functions, the SLA availability requirements can be satisfied. | Medium | High | YES
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Low | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity manager | Responsible for BCP plans | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. | High | High | YES
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programs. | The business is committed and proactively contributes to risk mitigation. | Low | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Insurance policy | Insurance in case of acts of nature is available. | Low | Medium | NO
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Incident response actions and communications | People are aware of how to react when an incident occurs. | Low | High | YES
This resulted in severe damage to the data center. Furthermore, because critical staff had been lost, the acquired company's backup files access list had not been updated and the contract for the acquired manufacturer's backup capability had not been renewed, there was no capability to recover the IT facilities easily within the time frame required by the business. Not only is the plant impacted; the ability to manage debtors, creditors and staff has also been lost until IT facilities can be restored.
The disaster recovery plan (DRP) covers the manufacturing equipment and the systems related to their recovery, but it does not cover the IT facilities.
Risk Scenario Components
Threat Type
The main threat type is a natural event. A secondary nature of the event is failure of the process DSS04 Manage continuity, especially not updating the
backup files access list and not renewing the contract with the acquired manufacturer’s backup capability.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event has a natural cause and for this there is no actor. For
the failure of the process DSS04 Manage continuity, the actor is internal—the person accountable for the update of business continuity plan (BCP) and
the DRP capabilities.
Event
The event is destruction of facilities (the plant) and an interruption because there was no capability to easily recover in a reasonable time frame. Also,
the ability to manage creditors and staff has been lost (interruption) until operations can be restored.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the facilities in the destroyed plant and the process DSS04 Manage continuity, which was
ineffectively executed.
Asset/Resource (Effect)
The assets/resources that are affected are different business processes, and also the facilities that were destroyed.
Time
Because the heavy rain happened when the backup files access list had not yet been updated and when the contract with the acquired manufacturer’s
backup capability had not yet been renewed, the time of occurrence of the event is critical. Because there is no capability to easily recover in a
reasonable time frame, the duration of the event is extended. As the flooding (snow melting and heavy rain) suddenly destroyed the plant and
interrupted the services at the same time, the detection is immediate. The consequences are also immediate because the destroyed plant cannot be
used any longer and has to be replaced, rebuilt or repaired.
Risk Type
Risk Type | P (primary) / S (secondary) | Description
IT Benefit/Value Enablement | N/A | N/A
IT Programme and Project Delivery | N/A | N/A
IT Operations and Service Delivery | P | Destruction of facilities and service interruption
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Insurance of facilities
• Risk Mitigation: The company needs to undertake an immediate review of its BCP to incorporate all critical systems, and test the plan following a review of the recovery process and method.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available. | Low | High | YES
Business continuity and disaster recovery policy | Validate recoverability of data. | Low | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Medium | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | Medium | High | YES
DSS04.01 | Define the business continuity policy, objectives and scope. | Define business continuity policy and scope aligned with enterprise and stakeholder objectives. | Medium | High | YES
DSS04.02 | Maintain a continuity strategy. | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption. | Medium | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Medium | High | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Medium | High | YES
DSS04.05 | Review, maintain and improve the BCP. | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements. | Medium | High | YES
DSS04.06 | Conduct BCP training. | Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption. | Medium | High | YES
DSS04.07 | Manage backup arrangements. | Maintain availability of business-critical information. | Medium | High | YES
DSS04.08 | Conduct a post-resumption review. | Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption. | Medium | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity manager | Responsible for BCP | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES
From time to time, moisture has appeared in the data center, and the amount has increased over time; dehumidifiers were installed to compensate. The level of moisture kept rising, and a dehumidifier failure led to a complete failure of the data center, requiring the replacement of a large amount of equipment because of water damage.
A subsequent review identified a slowly rising water table. Although not yet critical, the enterprise's dependence on the data center means that action is required.
Risk Scenario Components
Threat Type
The main threat type is a natural event. A secondary nature of the event is failure of physical infrastructure/equipment—the dehumidifiers.
Actor
Not every type of threat requires an actor, e.g., failures of equipment or natural causes. This event has a natural cause, and the secondary type is failure
of the dehumidifiers and there is no actor.
Event
The event is an interruption caused by the complete failure of the data center: the dehumidifier failure let the moisture rise until water damage destroyed a large amount of the equipment.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the facilities/equipment—failure of the dehumidifier.
Asset/Resource (Effect)
The assets/resources that are affected are different business processes and the infrastructure itself that was destroyed and has to be replaced.
Time
At the time of the dehumidifier failure, the moisture had already been increasing for some time; therefore, the timing of occurrence of the event (failure of the dehumidifier) is critical. The subsequent review identified a slowly rising water table that, although not yet critical, requires action given the dependence on the data center, and because that action can take some time, the duration of the event is classified as extended. Because the moisture in the data center suddenly damaged some of the equipment and interrupted the services at the same time, the detection is immediate. The consequences are also immediate because the destroyed equipment can no longer be used and has to be replaced immediately.
Risk Type
Risk Type | P (primary) / S (secondary) | Description
IT Benefit/Value Enablement | N/A | N/A
IT Programme and Project Delivery | N/A | N/A
IT Operations and Service Delivery | P | IT service interruption, damage to equipment
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: Top management must determine whether the risk can be accepted or whether actions to mitigate it, including reconfiguration or replacement of the data center, are required. Accepting the risk would mean that only the failed dehumidifier is replaced and the data center is left as is.
• Risk Sharing/Transfer: Insurance for the destroyed equipment
• Risk Mitigation: The enterprise must consider the implications of the environmental change for the data center and the ability of the data center to function within the changing environmental circumstances. The enterprise will need to consider the future viability of the data center, change the infrastructure and/or rebalance the load across the enterprise.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Backup policy | Backups are available. | Low | Medium | NO
Business continuity and disaster recovery policy | Validate recoverability of data. | Low | Medium | NO
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
DSS01.04 | Manage the environment. | Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment. | Medium | High | YES
DSS01.05 | Manage facilities. | Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines. | High | High | YES
DSS04.03 | Develop and implement a business continuity response. | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information items that enable the enterprise to continue its critical activities after an incident. | Low | High | YES
DSS04.04 | Exercise, test and review the BCP. | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated. | Low | High | YES
DSS05.05 | Manage physical access to IT assets. | Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Business continuity manager | Responsible for BCP plans | Low | High | YES
Head of IT operations | Responsible for managing the IT environment and facilities | High | Medium | YES
Chief information officer (CIO) | Responsible for developing and implementing a business continuity response | Low | High | YES
Business process owners | Accountable for developing and implementing a business continuity response | Low | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Stakeholders are aware of how to identify and respond to threats. | People are involved and aware of how to react when an incident occurs. | High | High | YES
Business management engages in continuous cross-functional collaboration to allow for efficient and effective business continuity programs. | The business is committed and proactively contributes to risk mitigation. | Low | High | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Insurance policy | Insurance in case of acts of nature is available. | Low | Medium | NO
Facilities assessment reports | The enterprise is aware of the state and risk of the facilities. | High | Low | YES
Incident response actions and communications | People are aware of how to react when an incident occurs. | Low | High | YES
Chapter 7
Risk Scenario Analysis Examples
20 Innovation
2001 Systems upgrades interoperability
Due to this situation and the existing contract penalties that are defined in the service provider’s service level agreement (SLA), a high-priority
workaround project utilizing virtual machines must be put in place until the security and technology departments review the situation and take the
necessary remedial steps.
Because the additional processor and communication line requirements were not considered as part of the original design’s capacity planning
requirements for the branches, the entire upgrade is compromised.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation and BAI02 Manage requirements definition.
Actor
The actor that generates the threat that exploits the vulnerability is internal—the Steering (Programs/Projects) Committee.
Event
The event is an ineffective design and/or ineffective execution of the processes APO04 Manage innovation and BAI02 Manage requirements definition,
which leads to interruption of the project upgrading the channels business platform solution.
Asset/Resource (Cause)
The assets/resources that lead to the business impact are the processes APO04 Manage innovation and BAI02 Manage requirements definition and the
people and skills of the Steering (Programs/Projects) Committee.
Asset/Resource (Effect)
The assets/resources that are affected are mainly the business processes that are supported by the channels business platform solution.
Time
The duration of the event is extended because the entire upgrade is delayed for quite some time. The timing of the occurrence is critical because the
branches need this update to improve their sales. The event detection is slow; it was not detected that the browser versions were not compatible until
the security concerns surfaced. The time lag between the event and the consequence is delayed because the overrun in time is quite material.
Risk Type
Risk Type | Primary (P) / Secondary (S) | Description
IT Benefit/Value Enablement | P | Missed opportunity to use technology to improve efficiency
IT Programme and Project Delivery | S | Overrun of time for the project
IT Operations and Service Delivery | S | The workarounds affect operational stability.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: N/A
• Risk Mitigation: Provide infrastructure that can be an enabler for innovation, such as collaboration tools for enhancing work between geographic
locations and divisions. Analyze stakeholder (IT security) interests and requirements. Monitor individual project performance related to delivery of the
expected capabilities, schedule, benefits realization, costs, risk or other metrics to identify potential impacts on program performance. Take timely
remedial action when required. Define and implement a requirements definition and maintenance procedure and a requirements repository that are
appropriate for the size, complexity, objectives and risk of the initiative.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.01 | Create an environment conducive to innovation. | Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas. | Medium | Low | NO
APO04.02 | Maintain an understanding of the enterprise environment. | Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified. | Medium | Medium | NO
APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. | Medium | Medium | NO
APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support. | High | High | YES
BAI01.03 | Manage stakeholder engagement. | Manage stakeholder engagement to ensure an active exchange of accurate, consistent and timely information that reaches all relevant stakeholders. This includes planning, identifying and engaging stakeholders and managing their expectations. | High | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | Low | YES
BAI02.04 | Obtain approval of requirements and solutions. | Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions. | High | High | YES
Organisational Structures Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Chief executive officer (CEO) | Accountable for creating the environment conducive for innovation | Medium | Low | NO
Strategy committee | Accountable for taking forward and monitoring favorable innovation initiatives | Medium | Medium | NO
Chief information officer (CIO) | Accountable for identifying technology-based innovations and for assessing their potential | High | High | YES
Innovation group | Responsible for identifying innovation opportunities and for developing business cases for innovation initiatives | High | High | YES
Culture, Ethics and Behaviour Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Willingness to take risk | Innovation by definition is about new technologies and new ways of working, both bringing potential resistance and unsure benefits. However, not having this risk willingness attitude will exclude upfront any potential for innovation. | High | High | YES
Support of senior management for innovation initiatives | Senior management support is required to fund the innovation initiatives and to support them to overcome initial resistance. | High | High | YES
Failure is allowed attitude | Not every innovation project or initiative will be successful, and a certain amount of failure should be accepted as the price to pay for successful initiatives. | High | Medium | YES
Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Innovation plan | Innovations are clearly laid out so they can be monitored and incorporated into the enterprise’s strategic plans. | High | High | YES
Recognition program | Innovation needs to be adequately rewarded, according to a formalized plan. | Low | Low | NO
Evaluation of innovation initiatives | Formal evaluation of innovation initiatives facilitates executive decision making. | High | High | YES
Services, Infrastructure and Applications Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
N/A | N/A | | |
People, Skills and Competencies Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Leadership and communication | Clarify the rationale for the architecture and the potential consequences. | High | High | YES
Architecture skills | Develop efficient and effective architecture aligned to the business requirements. | High | High | YES
Key Risk Indicators (KRIs) Related to IT Goals
• (04) Percentage of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• (04) Number of significant IT-related incidents that were not identified in risk assessment
• (04) Percentage of enterprise risk assessments including IT-related risk
• (04) Frequency of update of risk profile
• (05) Percentage of IT-enabled investments where benefit realisation is monitored through the full economic life cycle
• (05) Percentage of IT services where expected benefits are realised
• (05) Percentage of IT-enabled investments where claimed benefits are met or exceeded
• (08) Net present value (NPV) showing business satisfaction level of the quality and usefulness of the technology solutions
• (09) Level of satisfaction of business executives with IT’s responsiveness to new requirements
• (09) Number of critical business processes supported by up-to-date infrastructure and applications
• (12) Number of business process changes that need to be delayed or reworked because of technology integration issues
• (12) Number of IT-enabled business programmes delayed or incurring additional cost due to technology integration issues
• (12) Number of applications or critical infrastructures operating in silos and not integrated
• (13) Number of programme/projects on time and within budget
• (13) Percentage of stakeholders satisfied with programme/project quality
• (13) Number of programmes needing significant rework due to quality defects
• (13) Cost of application maintenance vs. overall IT cost
• (17) Level of business executive awareness and understanding of IT innovation possibilities
• (17) Level of stakeholder satisfaction with levels of IT innovation expertise and ideas
• (17) Number of approved initiatives resulting from innovative IT ideas
Key Risk Indicators (KRIs) Related to Process Goals
• (APO04) Enterprise stakeholder perceptions and feedback on IT innovation
• (APO04) Percentage of implemented initiatives that realise the envisioned benefits
• (APO04) Percentage of implemented initiatives with a clear linkage to an enterprise objective
• (APO04) Stakeholder feedback and surveys
• (BAI01) Percentage of stakeholders effectively engaged
• (BAI01) Level of stakeholder satisfaction with involvement
• (BAI01) Percentage of stakeholders approving enterprise need, scope, planned outcome and level of project risk
• (BAI01) Percentage of activities aligned to scope and expected outcomes
• (BAI01) Frequency of project status reviews
• (BAI01) Percentage of deviations from plan addressed
• (BAI01) Percentage of stakeholder sign-offs for stage-gate reviews of active programmes
• (BAI01) Percentage of expected benefits achieved
• (BAI01) Percentage of outcomes with first-time acceptance
• (BAI01) Level of stakeholder satisfaction expressed at project closure review
• (BAI02) Percentage of requirements reworked due to misalignment with enterprise needs and expectations
• (BAI02) Level of stakeholder satisfaction with requirements
• (BAI02) Percentage of requirements satisfied by proposed solution
The company plans to acquire a solution from a relatively small software company. Plans are to replace its old self-developed solution with this new
standard software, which will become the new core insurance solution for claims administration. The implementation and customization are done together
with the software company. About halfway through the project, it is recognized that the project will not deliver the expected benefits and will not fulfil the
requirements. The project is stopped and the contract with the software company is cancelled.
Because the old legacy system still has to be replaced, there are different options for the insurance company to consider. These vary from a new
standard solution to a full in-house development. However, the stoppage leads to a delay of at least one to two years, and most of the developments to
date are lost.
Risk Scenario Components
Threat Type
The nature of the event is a failure of the processes APO04 Manage innovation and BAI03 Manage solutions identification and build.
Actor
The actor that generates the threat that exploits the vulnerability is internal—the Steering Program/Project Committee.
Event
The event is an ineffective design and/or ineffective execution of the process BAI03 Manage solutions identification and build.
Asset/Resource (Cause)
The asset/resource that leads to the business impact is the people that chose this standard solution and decided to go with the small software
company—this could be the Strategy Executive Committee or the Steering (Program/Project) Committee.
Asset/Resource (Effect)
The assets/resources that are affected are the business processes and business innovation and the people who have to work with the inflexible systems.
Time
The duration of the event is extended, as the stopped project has to be relaunched or even started again from scratch. The timing of occurrence is
critical, as other insurance companies already have new and more flexible solutions in place and are therefore more competitive. The event is detected
after a moderate time: the project was stopped when it was detected that the solution would not meet the requirements, rather than being carried out to
the end. The time lag between the event and the consequence is delayed, as the project overrun in time will be one to two years.
Risk Type
Risk Type | Primary (P) / Secondary (S) | Description
IT Benefit/Value Enablement | P | Missed opportunity to use technology to improve efficiency, effectiveness and flexibility
IT Programme and Project Delivery | P | Stranded costs for investments
IT Programme and Project Delivery | P | Significant delay in project delivery
IT Operations and Service Delivery | S | The old and inflexible systems can bring reduction of value to the enterprise.
Possible Risk Responses
• Risk Avoidance: N/A
• Risk Acceptance: N/A
• Risk Sharing/Transfer: Use a business process provider for the administration of claims.
• Risk Mitigation: Proof of concept. Clear requirements management.
Risk Mitigation Using COBIT 5 Enablers
Principles, Policies and Framework Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Architecture principles | Architecture principles define the underlying general rules and guidelines for the use and deployment of all IT resources and assets across the enterprise. | High | High | YES
Process Enabler
Reference | Title | Description | Effect on Frequency | Effect on Impact | Essential Control
APO04.02 | Maintain an understanding of the enterprise environment. | Work with stakeholders to understand their challenges. Maintain an adequate understanding of enterprise strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified. | High | High | YES
APO04.03 | Monitor and scan the technology environment. | Perform systematic monitoring and scanning of the enterprise’s external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context. | Medium | Low | NO
APO04.04 | Assess the potential of emerging technologies and innovation ideas. | Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation. | Medium | Low | NO
APO04.05 | Recommend appropriate further initiatives. | Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support. | Low | Medium | NO
APO04.06 | Monitor the implementation and use of innovation. | Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned. | Low | High | YES
BAI02.01 | Define and maintain business functional and technical requirements. | Based on the business case, identify, prioritize, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution. | High | Medium | YES
BAI02.02 | Perform a feasibility study and formulate alternative solutions. | Perform a feasibility study of potential alternative solutions, assess their viability and select the preferred option. If appropriate, implement the selected option as a pilot to determine possible improvements. | High | High | YES
BAI02.03 | Manage requirements risk. | Identify, document, prioritize and mitigate functional, technical and information processing-related risk associated with the enterprise requirements and proposed solution. | Medium | Medium | NO
BAI03.04 | Procure solution components. | Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, quality assurance (QA) requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier. | Medium | Medium | NO
Appendix 1
Risk Scenario Analysis Template
This appendix contains a comprehensive template for the treatment of a risk scenario—from conception through response
and monitoring—in support of the core risk management processes (APO12) of an enterprise.
Process Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control

Information Enabler
Reference | Contribution to Response | Effect on Frequency | Effect on Impact | Essential Control
Appendix 2
Glossary
Term | Explanation
Asset | Something of either tangible or intangible value that is worth protecting, including people, systems, infrastructure, finances and reputation
Business goal | The translation of the enterprise’s mission from a statement of intention into performance targets and results
Business impact | The net effect, positive or negative, on the achievement of business objectives
Business impact analysis (BIA) | Evaluating the criticality and sensitivity of information assets. An exercise that determines the impact of losing the support of any resource to an enterprise, establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and the supporting system.
Business objective | A further development of the business goals into tactical targets and desired results and outcomes
Enterprise risk management (ERM) | The discipline by which an enterprise in any industry assesses, controls, exploits, finances, and monitors risk from all sources for the purpose of increasing the enterprise’s short- and long-term value to its stakeholders
Event | Something that happens at a specific place and/or time
Event type | For the purpose of IT risk management [11], one of three possible sorts of events: threat event, loss event and vulnerability event
Frequency | A measure of the rate by which events occur over a certain period of time
IT risk | The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise
IT risk profile | A description of the overall (identified) IT risk to which the enterprise is exposed
IT risk register | A repository of the key attributes of potential and known IT risk issues. Attributes may include name, description, owner, expected/actual frequency, potential/actual magnitude, potential/actual business impact and disposition.
IT risk scenario | The description of an IT-related event that can lead to a business impact
IT-related incident | An IT-related event that causes an operational, developmental and/or strategic business impact
Key risk indicator (KRI) | A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk
Lag indicator | Metrics for achievement of goals: an indicator relating to the outcome or result of an enabler, i.e., this indicator is only available after the facts or events
Lead indicator | Metrics for application of good practice: an indicator relating to the functioning of an enabler, i.e., this indicator will provide an indication of the possible outcome of the enabler
Loss event | Any event during which a threat event results in loss
Magnitude | A measure of the potential severity of loss or the potential gain from realized events/scenarios
Residual risk | The remaining risk after management has implemented a risk response
Risk (business) | A probable situation with uncertain frequency and magnitude of loss (or gain)
Risk aggregation | The process of integrating risk assessments at a corporate level to obtain a complete view on the overall risk for the enterprise
Risk analysis | 1. A process by which frequency and magnitude of IT risk scenarios are estimated. 2. The initial steps of risk management: analyzing the value of assets to the business, identifying threats to those assets and evaluating how vulnerable each asset is to those threats
Risk appetite | The amount of risk, on a broad level, an entity is willing to accept in pursuit of its mission
Risk assessment | A process used to identify and evaluate risk and its potential effects
Risk culture | The set of shared values and beliefs that governs attitudes toward risk-taking, care and integrity, and determines how openly risk and losses are reported and discussed
Risk factor | A condition that can influence the frequency and/or magnitude and, ultimately, the business impact of IT-related events/scenarios
Risk indicator | A metric capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite
(IT) Risk issue | 1. An instance of an IT risk. 2. A combination of control, value and threat conditions that impose a noteworthy level of IT risk
Risk map | A (graphic) tool for ranking and displaying risk by defined ranges for frequency and magnitude
Risk response | One of risk avoidance, risk acceptance, risk sharing/transfer or risk mitigation, selected so that as much future residual risk (current risk with the risk response defined and implemented) as possible, usually depending on the budget available, falls within risk appetite limits
Risk statement | A description of the current conditions that may lead to the loss, and a description of the loss (source: Software Engineering Institute (SEI)). For a risk to be understandable, it must be expressed clearly, so the statement must include both parts.
Risk tolerance | The acceptable level of variation that management is willing to allow for any particular risk as the enterprise pursues its objectives
Threat | Anything (e.g., object, substance, human) that is capable of acting against an asset in a manner that can result in harm
Threat event | Any event during which a threat element/actor acts against an asset in a manner that has the potential to directly result in harm
Vulnerability | A weakness in the design, implementation, operation or internal control of a process that could expose the system to adverse threats from threat events
Vulnerability event | Any event during which a material increase in vulnerability results. Note that this increase in vulnerability can result from changes in control conditions or from changes in threat capability/force.

Note 11: Being able to consistently and effectively differentiate the different types of events that contribute to risk is a critical element in developing good risk-related metrics and well-informed decisions. Unless these categorical differences are recognized and applied, any resulting metrics lose meaning and, as a result, decisions based on those metrics are far more likely to be flawed.
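As an added illustration of how the glossary terms fit together in practice (risk register, risk map, risk response, residual risk, risk appetite, risk aggregation), the following Python model is example code written for this edit; it is not ISACA's or COBIT's own material. Everything beyond the glossary wording is an assumption made for illustration: the ordinal values given to the Low/Medium/High bands used in this document's enabler tables, the product scoring that ranks a risk-map cell, the convention that a response is recorded as the bands it brings frequency and magnitude down to, the appetite expressed as a maximum acceptable cell rating, and the three constructed register entries (the document does not rate its scenarios).

```python
"""Added example: a small IT risk register with a 3x3 risk map and a
residual-risk-versus-appetite check, built on the glossary's terms.
Not part of COBIT 5 for Risk; scoring rules are assumptions for illustration."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the Low/Medium/High bands from the enabler tables get ordinals 1..3.
BAND = {"Low": 1, "Medium": 2, "High": 3}

# The four risk responses named in the glossary.
RESPONSES = ("Avoidance", "Acceptance", "Sharing/Transfer", "Mitigation")


@dataclass
class RiskIssue:
    """Key attributes of an IT risk register entry (glossary: 'IT risk register')."""
    name: str
    description: str
    owner: str
    frequency: str          # expected frequency band (Low/Medium/High)
    magnitude: str          # potential magnitude band (Low/Medium/High)
    response: str = "Acceptance"
    # Assumption: a response is recorded as the bands it reduces frequency and
    # magnitude to; what is left is the residual risk (glossary: 'Residual risk').
    residual_frequency: Optional[str] = None
    residual_magnitude: Optional[str] = None

    def __post_init__(self) -> None:
        if self.response not in RESPONSES:
            raise ValueError(f"unknown risk response: {self.response}")
        # Residual defaults to current risk when no reduction is recorded.
        self.residual_frequency = self.residual_frequency or self.frequency
        self.residual_magnitude = self.residual_magnitude or self.magnitude
        for band in (self.frequency, self.magnitude,
                     self.residual_frequency, self.residual_magnitude):
            if band not in BAND:
                raise ValueError(f"unknown band: {band}")


def map_cell(frequency: str, magnitude: str) -> Tuple[int, int]:
    """Position on a 3x3 risk map (glossary: 'Risk map') as (frequency, magnitude)."""
    return BAND[frequency], BAND[magnitude]


def rating(frequency: str, magnitude: str) -> int:
    """Assumption: rank a map cell by the product of its two ordinals (1..9)."""
    f, m = map_cell(frequency, magnitude)
    return f * m


def residual_rating(issue: RiskIssue) -> int:
    """Rating of the cell the issue sits in after its response."""
    return rating(issue.residual_frequency, issue.residual_magnitude)


def exceeds_appetite(issue: RiskIssue, appetite: int) -> bool:
    """True if residual risk is still outside the appetite (glossary: 'Risk indicator').
    Avoidance drops the activity altogether, so nothing remains to compare."""
    if issue.response == "Avoidance":
        return False
    return residual_rating(issue) > appetite


def risk_map(register: List[RiskIssue], residual: bool = True) -> Dict[Tuple[int, int], List[str]]:
    """Group issue names by map cell, before (residual=False) or after the response."""
    cells: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for issue in register:
        if residual:
            cell = map_cell(issue.residual_frequency, issue.residual_magnitude)
        else:
            cell = map_cell(issue.frequency, issue.magnitude)
        cells[cell].append(issue.name)
    return dict(cells)


def aggregate(register: List[RiskIssue], appetite: int) -> dict:
    """Corporate-level view (glossary: 'Risk aggregation'): the worst residual
    cell and the issues still outside appetite, which need a stronger response."""
    outside = [i.name for i in register if exceeds_appetite(i, appetite)]
    worst = max((residual_rating(i) for i in register), default=0)
    return {"worst_residual_rating": worst, "outside_appetite": outside,
            "count": len(register)}


# Constructed sample register based on scenarios in this chapter; the bands and
# responses are chosen here for illustration, not taken from the document.
SAMPLE_REGISTER = [
    RiskIssue("2001 Systems upgrades interoperability",
              "Branch upgrade stalled on browser incompatibility; VM workaround in place",
              "CIO", frequency="Medium", magnitude="High",
              response="Mitigation", residual_frequency="Low", residual_magnitude="Medium"),
    RiskIssue("Core claims solution from small vendor stopped",
              "Project halted halfway; one to two years of delay",
              "Steering committee", frequency="Low", magnitude="High",
              response="Sharing/Transfer", residual_frequency="Low", residual_magnitude="High"),
    RiskIssue("Loss of facilities after an act of nature",
              "Facilities unavailable; BCP invoked",
              "Business continuity manager", frequency="Low", magnitude="High",
              response="Acceptance"),
]

if __name__ == "__main__":
    APPETITE = 2  # assumption: cells rated above 2 are outside appetite
    print("before response:", risk_map(SAMPLE_REGISTER, residual=False))
    print("after response: ", risk_map(SAMPLE_REGISTER))
    print(aggregate(SAMPLE_REGISTER, APPETITE))
```

The point of the model is the distinction the glossary draws: the register records current risk, the response moves the entry to a new map cell, and only the residual cell is compared with appetite. Entries that stay outside appetite after their response are the ones that need a different or stronger response, and that list is what a KRI for "risk that exceeds the defined risk appetite" would report.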
Appendix 3
Processes for Governance and Management of Enterprise IT
Figure 18—COBIT 5 Process Reference Model
[Figure not reproduced in the extracted text. Process labels recoverable from the residue: Governance: EDM01 Ensure Governance Framework Setting and Maintenance; EDM02 Ensure Benefits Delivery; EDM03 Ensure Risk Optimisation; EDM04 Ensure Resource Optimisation; EDM05 Ensure Stakeholder Transparency. Management: APO08 Manage Relationships; APO09 Manage Service Agreements; APO10 Manage Suppliers; APO11 Manage Quality; APO12 Manage Risk; APO13 Manage Security; MEA01 Monitor, Evaluate and Assess Performance and Conformance.]