
COBIT 5 & COBIT 5 for Risk – An overview
Copyright © 2012 ISACA® All rights reserved & HWgrc Ltd. 2015
Agenda

• Introduction
• Introduction to COBIT 5.0
• Introduction to COBIT 5.0 for Risk

Introduction: Mike Hughes (Mike.hughes@HWgrc.co.uk)

• ISACA involvement – past and present
  • Central UK Chapter founding Board member and Immediate Past President
  • International Membership Board
  • International Membership Growth & Retention Committee
  • International Finance Committee
  • COBIT 5.0 SME Reviewer
  • COBIT for Risk development workshop and SME reviewer
  • COBIT for Risk Scenarios Guide Task Force
• Professional Career
  • HWgrc, Principal Director (2014-…)
  • 123 Consultants, Principal Director (2008-…)
  • KPMG, Senior Manager (1988-2008)
  • Britannic Assurance, IT Auditor (1986-1988)
  • Data Sciences International, IT Operations (1979-1986)
  • CSB Data Processing, IT Operations (1978-1979)
• Qualifications
  • CISA
  • CGEIT
  • CRISC

What is IT Governance?


“IT governance is the term used to describe how those persons entrusted with governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied will have an immense impact on whether the entity will attain its vision, mission or strategic goals”
– ISACA & ITGI

“Enterprises that actively design their top-level IT governance arrangements make and implement better IT-related decisions.”
– Gartner

“Firms with focused strategies and above-average IT governance had more than 20 percent higher profits than other firms following the same strategies.”
– Peter Weill and Jeanne W. Ross, IT Governance

“Enterprises focused on converging their business and technology disciplines exhibited superior revenue growth and net margins relative to their industry groups and exhibited consistently greater rates of return than those of their competitors.”
– BTM Institute

COBIT Framework

• Many organisations practice elements of COBIT already
• COBIT provides a consistent, repeatable and comprehensive approach
• IT and business become equal shareholders because COBIT helps management to answer these key questions:
  – The strategic question
  – The value question
  – The architecture question
  – The delivery question

Some fundamental questions about the value enabled by IT: Are we doing the right things? Are we doing them the right way? Are we getting them done well? Are we getting the benefits?

The strategic question. Is the investment:
• In line with our vision?
• Consistent with our business principles?
• Contributing to our strategic objectives?
• Providing optimal value, at affordable cost, at an acceptable level of risk?

The value question. Do we have:
• A clear and shared understanding of the expected benefits?
• Clear accountability for realising the benefits?
• Relevant metrics?
• An effective benefits realisation process over the full economic life cycle of the investment?

The architecture question. Is the investment:
• In line with our architecture?
• Consistent with our architectural principles?
• Contributing to the population of our architecture?
• In line with other initiatives?

The delivery question. Do we have:
• Effective and disciplined delivery and change management processes?
• Competent and available technical and business resources to deliver:
  – The required capabilities?
  – The organisational changes required to leverage the capabilities?
The COBIT 5 Framework

• COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
• COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders.

COBIT 5 brings together the five principles that
allow the enterprise to build an effective
governance and management framework based
on a holistic set of seven enablers that optimises
information and technology investment and use
for the benefit of stakeholders.


The COBIT 5 Principles

COBIT 5 enablers

COBIT 5 Enabling Processes
• The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas – governance and management – with management further divided into domains of processes:
  • The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined.
  • The four MANAGEMENT domains are in line with the responsibility areas of plan, build, run and monitor (PBRM).
COBIT 5 Enabling Processes

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

COBIT 5 Integrated Framework
• COBIT 5 aligns with the latest versions of other relevant standards and frameworks:
  – Enterprise: COSO, COSO ERM, ISO 9000, ISO 31000
  – IT-related: ISO 38500, ITIL, ISO 27000 series, TOGAF, PMBOK, PRINCE2, CMMI, etc.
• This allows COBIT 5 to be used as the overarching governance and management framework integrator.
• COBIT 5 also integrates all major ISACA guidance: COBIT 4.1, Risk IT, Val IT, BMIS, ITAF.


In summary…

• Simply stated: COBIT 5 helps enterprises create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use.
  – COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the entire enterprise.
  – The COBIT 5 principles and enablers are generic and useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.

COBIT 5.0 for Risk – Introduction to risk management

Why is risk management important?

Managing risk is about maximising opportunities, not about introducing layers of bureaucratic control.
• You want to achieve your objectives
• You want to be in control – no surprises
• The world is also changing rapidly and expectations are increasing

Risk management in practice

Evangelists:
• Senior management should receive a new risk report every morning.
• Risks should be on the agenda for every management meeting.
• Risks can be accurately assessed to the nth level of detail through use of specialist algorithms.

Pragmatists (the real world):
• Senior management should be aware of the most significant/urgent risks.
• Risks are inherently uncertain, therefore not predictable with absolute certainty.
• Likelihood/impact, H/M/L risk assessment
• KISS (Keep It Simple, Stupid)
What is risk?

Risk can be defined as an uncertainty of outcome (whether a positive opportunity or a negative threat).

Effective risk management

Major factors for effective risk management:
• To manage risk to an acceptable level of tolerance for the organisation ... “the organisation’s risk appetite”
• To reduce risk exposure in a cost effective manner ... or risk mitigation

A final thought…

“With the benefit of hindsight it can now be seen as the wrong price, the wrong way to pay, at the wrong time and the wrong deal.”
– Sir Philip Hampton, Chairman of RBS, on the ABN Amro deal.

COBIT 5.0 for Risk

COBIT 5 Enabling Processes

Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
COBIT 5 Enabling Processes

COBIT 5 process identification and reasoning:

EDM03, Ensure Risk Optimisation
This process covers the understanding, articulation and communication of the organisation’s risk appetite and tolerance and ensures identification and management of risk to the enterprise value related to the use of IT and its impact. The goal of this process is to:
• Define and communicate risk thresholds and make sure that key IT-related risk is known;
• Effectively and efficiently manage critical IT-related enterprise risk;
• Ensure IT-related enterprise risk does not exceed risk appetite.

APO12, Manage Risk
This process covers the continuous identification, assessment and reduction of IT-related risk within levels of tolerance set by enterprise executive management. Management of IT-related enterprise risk should be integrated with overall ERM, and the costs and benefits of managing IT-related enterprise risk should be balanced. This is done by:
• Collecting appropriate data and analysing risk;
• Maintaining the risk profile of the organisation and articulating risk;
• Defining the risk management action portfolio and responding to risk.
Drivers

Situation → Leads to → Results in

Situation:
• Reluctance to say “no” to projects
• Can’t kill projects
• Projects are “sold” on an emotional basis – not selected
• No strong review process
• Overemphasis on financial ROI
• No clear strategic criteria for selection

Leads to:
• Too many projects
• Lack of strategic focus
• Quality of execution suffers
• Increased complexity
• Underestimation of risks and costs
• Projects not aligned to strategy

Results in:
• Budget overruns
• Project delays
• Business needs not met
• Benefits not received
• Sub-optimal use of resources
• Finger pointing
• Lack of confidence (in IT)

Drivers

The main drivers for risk management include:
• Providing stakeholders with substantiated and consistent opinions over the current state of risk throughout the enterprise.
• Guidance on how to manage risk to levels within the enterprise’s risk appetite.
• Guidance on how to set up the right risk culture for the enterprise.
• Wherever possible, quantitative risk assessments enabling stakeholders to consider the cost of mitigation and the required resources against the loss exposure.

Benefits

• End-to-end guidance on how to manage risk
• A common and sustainable approach for assessment and response
• A more accurate view of significant current and near-future risk throughout the enterprise – and the impact of this risk on the enterprise
• Understanding how effective IT risk management optimises value by enabling process effectiveness and efficiency
• Opportunities for integration of IT risk management with the overall risk and compliance structures within the enterprise
• Promotion of risk responsibility and its acceptance throughout the enterprise
Two risk perspectives

Alignment

• COBIT 5 for Risk – much like COBIT 5 itself – is an umbrella approach to managing risk and is positioned in context with the following risk-related standards:
  • ISO 31000:2009 – Risk Management
  • ISO 27005:2011 – Information security risk management
  • COSO Enterprise Risk Management

Risk scenarios using COBIT 5 for Risk

Risk scenarios

Definition
“A risk scenario is a description of a possible event
that, when occurring, will have an uncertain impact
on the achievement of the enterprise’s objectives. The
impact can be positive or negative”

Risk scenarios

• Top-down and bottom-up – both approaches are complementary and should be used simultaneously.
• Risk scenarios must be relevant and linked to real business risk.
• Specific risk items for each enterprise and critical business requirements need to be considered in the enterprise risk scenarios.
• COBIT 5 for Risk provides a comprehensive set of generic risk scenarios – these should be used as a reference to reduce the chance of overlooking major/common risk scenarios.

Risk response

• The purpose of a risk response is to bring risk in line with the risk appetite of the enterprise.
• A response needs to be defined such that as much future residual risk as possible (current risk with the risk response defined and implemented) falls within accepted limits.
• When risk analysis has shown that risk is not aligned with the defined risk appetite and tolerance levels, a response is required.
• This response can be any of the four possible responses:
  – Avoid, Mitigate, Share/Transfer, Accept
• Risk response evaluation is not a one-time effort – it is part of the risk management process cycle.
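To make the response check above concrete, here is an added example (not from the deck, ISACA or HWgrc): a small Python risk register using the H/M/L likelihood/impact scale mentioned earlier, which rates each scenario, applies the defined response, and flags where the residual risk is still outside an assumed appetite threshold. The ordinal scale, the scoring rule, the four scenarios and the threshold are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SCALE = {"L": 1, "M": 2, "H": 3}   # H/M/L ordinal scale (assumed for this example)
RESPONSES = ("Avoid", "Mitigate", "Share/Transfer", "Accept")


@dataclass
class Scenario:
    ref: str
    description: str
    likelihood: str            # current likelihood: "L", "M" or "H"
    impact: str                # current impact: "L", "M" or "H"
    response: str = "Accept"   # one of RESPONSES; Accept = no change to the risk
    residual_likelihood: Optional[str] = None  # expected once response is in place
    residual_impact: Optional[str] = None


def rating(likelihood: str, impact: str) -> int:
    """Ordinal rating 1..9 from the likelihood x impact grid (assumed rule)."""
    return SCALE[likelihood] * SCALE[impact]


def residual_rating(s: Scenario) -> int:
    """Rating once the response is implemented. 'Accept' leaves the risk as is;
    any other response must state its residual position or it cannot be judged."""
    if s.response not in RESPONSES:
        raise ValueError(f"{s.ref}: unknown response {s.response!r}")
    if s.response == "Accept":
        return rating(s.likelihood, s.impact)
    if s.residual_likelihood is None or s.residual_impact is None:
        raise ValueError(f"{s.ref}: {s.response} needs a residual estimate")
    return rating(s.residual_likelihood, s.residual_impact)


def evaluate(register, appetite: int) -> dict:
    """Verdict per scenario ref: 'within appetite' (residual <= appetite),
    'response required' (above appetite, no response defined) or
    'response insufficient' (response defined, residual still above)."""
    verdicts = {}
    for s in register:
        if residual_rating(s) <= appetite:
            verdicts[s.ref] = "within appetite"
        elif s.response == "Accept":
            verdicts[s.ref] = "response required"
        else:
            verdicts[s.ref] = "response insufficient"
    return verdicts


# Constructed register and threshold, invented for this example.
REGISTER = [
    Scenario("R01", "Key supplier outage", "M", "H", "Share/Transfer", "M", "M"),
    Scenario("R02", "Unpatched internet-facing system", "H", "H"),
    Scenario("R03", "Minor reporting delay", "L", "L"),
    Scenario("R04", "Overrun on core platform project", "H", "M", "Mitigate", "L", "M"),
]
APPETITE = 3   # assumed: any rating above 3 exceeds the enterprise's appetite
```

Re-running `evaluate` after each review cycle, with updated likelihood/impact estimates, is the repeated check the last bullet describes.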

Risk mitigation

• COBIT 5 for Risk provides a number of examples of how the COBIT 5 enablers can be used to respond to risk scenarios.
• Risk mitigation is equivalent to implementing a number of IT controls.
• In COBIT 5 terms, IT controls can be any enabler, e.g.,
  – putting in place an organisational structure, putting in place certain governance or management practices or activities, etc.
• For each of the 20 risk scenario categories, potential mitigating actions relating to all seven COBIT 5 enablers are provided, with a reference, title and description for each enabler that can help to mitigate the risk.
Takeaways

• When someone says “I’ve got an opportunity for you”, the first question you ask is “What is it?” before you say yes!
• Do you want a successful business?
• Do you want IT to be an enabler for business success?
• If the answer to either of these questions is yes, then:
  – Appropriate and effective IT governance and risk management are required
  – COBIT 5.0 can help
In finishing

• To learn more – www.isaca.org/COBIT5
Questions?

Mike Hughes
mike.hughes@HWgrc.co.uk
www.isaca-central.org.uk
www.isaca.org