
SESSION OBJECTIVES

1. Understand the significance of risk impacting a project
2. Know about IT frameworks for existing and project risk management (definition, usage)

IT Risk Management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions.

Type Of Risk:

Uncertainty:
- known
- known-unknown
- unknown-unknown

Impact to:
- Scope
- Quality
- Schedule
- Cost

Sources Of Risk

- External, unpredictable
- External, predictable, uncertain
- Internal, non-technical
- Technical
- Legal

Process Of RM

IT Risk Management encompasses three processes:

1. Risk Assessment
2. Risk Mitigation
3. Evaluation and Assessment

Who Are the People?

IT Risk Management is a management responsibility. The personnel who should support and participate in the risk management process are:

- Senior Management
- Chief Information Officer (CIO)
- System and Information Owners
- Business and Functional Managers
- ISSO (Information System Security Officer)
- IT Security Practitioners

Where Is RM Needed?

- Banking: credit risk, market risk, liquidity risk, operational risk
- IT: enterprise architecture, IT projects, software development
- Insurance: investment
- etc.

IT RISK MANAGEMENT PROGRAM

IT Risk Portfolio (diagram; elements as labelled on the slide):
- Risk Areas
- Threats
- Criticality
- Likelihood
- Ability to Control
- Identification & Measurement
- Mitigation
- Monitoring (Monitor)
- Risk Management

November 16, 2006

Project Risk Management

Planning:
11.1 Risk Management Planning
11.2 Risk Identification
11.3 Qualitative Risk Analysis
11.4 Quantitative Risk Analysis
11.5 Risk Response Planning

Monitoring & Controlling:
11.6 Risk Monitoring & Control

Process Flow Diagram (boxes as labelled on the slide):

- Develop project management plan
- Risk Identification
- Scope Definition
- Qualitative Risk Analysis
- Quantitative Risk Analysis
- Risk Response Planning
- Risk Monitoring & Control

IT RISK CONSIDERATION FRAMEWORK

Risk Considerations

Impact:
- Criticality to core business process
- Financial loss of revenue
- Strategic impact on future revenue streams
- Reputation
- Operational impact on delivery of business services
- Legal/regulatory/compliance financial penalties

Likelihood Of Sustained Interruption:
- Odds of the threat being realized
- Length of disruption and business criticality determine impact
- Considered when determining the risk mitigation response

Ability to Control Outcome:
- Ability to implement risk mitigation measures
- Effectiveness of risk mitigation measures
- Considered in the effectiveness of mitigation techniques

Risk Mitigation Alternatives:
- Avoid risk by not implementing the technology
- Accept risk if the cost of mitigation outweighs the benefit
- Transfer risk to a third party
- Reduce risk by implementing risk mitigation controls

IT Risk Summary

Threat | Exposure | Mitigation Status
(threat name not extracted) | Low | Complete, stable, monitoring
Data Center Power Outage | Medium | Complete, stable, monitoring
Hardware Failure | Low | Complete, stable, monitoring
Data Center Fire/Water | Medium | Complete, stable, monitoring
WW Data Network Failure | Low | Complete, stable, monitoring
WW Voice Network Failure | Medium | Actively strengthening
Natural Disaster Service Interruption | High | Actively strengthening
Criminal Activity/Theft/Vandalism | Low | Complete, stable, monitoring
Civil Unrest & Terrorism | Medium | Complete, stable, monitoring
Software errors affecting availability & integrity | Medium | Actively strengthening
Human Errors | Medium | Actively strengthening
Project Management | Medium | Complete, stable, monitoring
Business System Change Control | Medium | Complete, stable, monitoring
Obsolescence | Medium | Actively strengthening
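The risk considerations (impact, likelihood, ability to control) and the mitigation alternatives above, together with the exposure ratings in the IT Risk Summary, can be turned into a small scored risk register. The following is an added example, not code from the slides: it rates exposure with the qualitative likelihood x impact matrix of NIST SP 800-30 (2002), one of the frameworks the slides list, and then applies an illustrative decision rule for choosing among avoid, accept, transfer and reduce. The decision rule and the sample ratings are assumptions constructed for the example; they are not the ratings behind the slide's table.

```python
"""Added example (not from the slides): a scored IT risk register.

Exposure is rated with the likelihood x impact matrix of NIST SP 800-30
(2002), Table 3-6.  The mitigation-alternative rule is an illustrative
assumption that maps the slides' three considerations onto the four
alternatives the slides name.  Sample data is constructed.
"""
from dataclasses import dataclass

# NIST SP 800-30 (2002) weights: likelihood 1.0/0.5/0.1, impact 100/50/10.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a (likelihood, impact) pair onto the 800-30 risk scale:
    1-10 Low, >10-50 Medium, >50-100 High."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    threat: str
    likelihood: str                 # odds of the threat being realised
    impact: str                     # criticality to core business process
    controllable: bool              # can effective mitigation measures be implemented?
    mitigation_cost_exceeds_benefit: bool = False


def mitigation_alternative(item: RiskItem) -> str:
    """Illustrative rule (assumption, not prescribed by the slides)."""
    level = risk_level(item.likelihood, item.impact)
    if level == "Low":
        return "Accept"            # low exposure: monitor only
    if item.mitigation_cost_exceeds_benefit:
        return "Accept"            # cost of mitigation outweighs the benefit
    if item.controllable:
        return "Reduce"            # implement risk mitigation controls
    if level == "High":
        return "Avoid"             # uncontrollable and too severe to carry
    return "Transfer"              # e.g. insurance or a third-party provider


def build_register(items):
    """Return (threat, exposure level, recommended alternative) per item."""
    return [
        (it.threat, risk_level(it.likelihood, it.impact), mitigation_alternative(it))
        for it in items
    ]


# Constructed sample data; threat names follow the slide's table, the
# ratings do not.
SAMPLE = [
    RiskItem("Hardware Failure", "Medium", "Low", controllable=True),
    RiskItem("Natural Disaster Service Interruption", "Medium", "High", controllable=False),
    RiskItem("Human Errors", "High", "Medium", controllable=True),
    RiskItem("Project Management", "Medium", "Medium", controllable=True,
             mitigation_cost_exceeds_benefit=True),
    RiskItem("Obsolescence", "High", "High", controllable=True),
]

if __name__ == "__main__":
    for threat, level, alternative in build_register(SAMPLE):
        print(f"{threat:40} exposure={level:7} alternative={alternative}")
```

The matrix is what gives the register its discipline: a Medium likelihood of a High-impact event scores 50, which 800-30 still rates Medium, so the "Actively strengthening" items in the slide's table are the ones a register like this would flag for a Reduce or Transfer decision rather than plain monitoring.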

Risk Management Frameworks

- COBIT version 4.0
- NIST (National Institute of Standards and Technology) SP 800-30
- OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

Summary

1. What is meant by risk? Why is it related to uncertainty?
2. Define the sources of risk.
3. Give examples of ITRM in several fields.
4. Why is ITRM needed?
5. Which aspects have an impact on ITRM?
6. Which framework best fits the ITRM needs of a developing country?

References

Slay, G., IT Risk Management.
G. Stoneburner, A. Goguen and A. Feringa, Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, Special Publication 800-30, July 2002.
The IT Governance Institute, USA, "COBIT 4.0", 2005.
C. Alberts, A. Dorofee, Managing Information Security Risks: The OCTAVE(SM) Approach, Addison Wesley, USA, July 09, 2002.
R. Flanagan and G. Norman, Risk Management and Construction, Blackwell Science Ltd, London, 1996.
ISACA, Information Security Harmonization: Classification of Global Guidance, USA, 2005.

Syllabus:

- ITRM Framework
- Relation of ITRM to IT Governance
- RM organisation aspect
- RM information system aspect
- RM project management aspect
- Case study
