Chapter 19. © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Historically, IT risk management was a low-key activity focused on delivering projects and keeping applications up and running. Today it has become much broader and more complex, and it is recognized as an integral part of any technology-based work.

IT risks can harm constituencies both within and outside companies, damage corporate reputations, and dampen an organization's ability to compete.

Figure: Enterprise risk. External risks: third parties, hazards, legal/regulatory. Internal risks: operations, information, systems development, people, controls, processes, culture, governance.

External risks include third parties (e.g., partners, software vendors, service providers, suppliers, customers); hazards (e.g., disasters, pandemics, geopolitical upheavals); and legal and regulatory issues (e.g., failure to adhere to laws and regulations).

Internal risks include information risks (e.g., privacy, quality, accuracy, and protection); people risks (e.g., poorly designed business processes, failure to adapt business processes); cultural risks (e.g., risk aversion and lack of risk awareness); control risks (e.g., ineffective controls); and governance risks (e.g., ineffective structure and roles).

Sources of external threats include viruses, hackers, organized crime, industrial spies, and terrorists.

1. Focus on what's important: risk management (RM) is not about anticipating all risks but about reducing significant risks to a manageable level (Austin and Darby 2003). RM should not be about saying "no" to a risk but about how to say "yes", thereby building a more agile enterprise (Caldwell and Mogul 2006).

2. Expect the picture to change over time: RM actions should be continuous, iterative, and structured. Mandatory risk assessments should be performed at key stages. Ongoing review and evaluation processes need to be adapted as risks change (Coles and Moulton 2003).

3. View risk from multiple levels and perspectives: RM assessments need to include root-cause and multifaceted analyses. Organizations need to assess risk trends and develop strategies for dealing with them.

The goal of a risk management framework (RMF) is to ensure that the right risks are being addressed at the right levels. The RMF guides the development of risk policies and integrates appropriate risk standards and processes into existing practices (e.g., the SDLC).

A risk management framework has six elements: risk category, policies and standards, risk type, risk ownership, risk mitigation, and risk reporting and monitoring.

Risk category: the general area of enterprise risk involved (e.g., criminal, operations, third party).

Policies and standards: the general principles guiding risk decisions. The principles identify any standards that should apply to each risk category (e.g., international standards such as those published by SAI Global).

Risk type: each risk should be identified and labeled with a generic name and definition, ideally linked to a business impact.

Risk ownership: each type of risk should have an owner, either in IT or in the business. Owners and stakeholders should have clear responsibilities and accountabilities. Major risks can be owned by committees (e.g., an enterprise risk committee or a risk review council).

Risk mitigation: each type of risk should be associated with controls, practices, and tools for addressing it effectively. The goal of the framework is to provide means by which risks can be managed consistently, effectively, and appropriately.

Risk reporting and monitoring: risk metrics should be reported in a way the organization understands (e.g., high, medium, low). Risk monitoring is an ongoing process because the levels and types of risk change continually.

Look beyond technical risk.
Develop a common language of risk.
Simplify the presentation.
Right-size.
Standardize the technology base.
Rehearse.
Clarify roles and responsibilities.
Automate where appropriate.
Educate and communicate.

IT risk is involved in many types of business risk and therefore should be managed holistically. An integrated risk management framework helps organizations understand risk and make better decisions associated with it.