ICT Risk: Information and Communications Technology Risk Management
IT Security Return on Investment: Risk Management Approach
Mark Ames CISA, CISM, CISSP


1 IT Security Return on Investment: Risk Management Approach
Mark Ames CISA, CISM, CISSP

2 ROI and Cost Benefits Analysis
ROI(%) = (total benefit − total costs) / total costs × 100
ROI is measured over time, typically 1–5 years

3 Return or Restraint?
- ROI is a principal tool for cost-cutting
- ROI is a way of saying “NO”

4 Real Returns?
- Return on Investment (ROI) is based on static, speculative data.
- ROI provides no formal information on the value of an investment.
- ROI is used primarily for self-justification rather than business improvement.
- ROI fails to consider the time value of money (interest rates and inflation) or the investment policy of the organisation.

5 Turn 20 minutes into $1 million
- Single Sign On will save 20 minutes per day of call centre staff time.
- Increase productivity by 73.33 days per year (20 mins × 220 working days)
- $13,333 per staff member/year
- 76 staff × $13,333 = $1,013,308
ROI(%) = (total benefit − total costs) / total costs × 100
Over 5 years: ($5,066,540 − $800,000) / $800,000 = 5.33 × 100 = 533%

6 Net Present Value (NPV)
NPV compares the value of a dollar today to the value of that same dollar in the future, after taking inflation and expected return into account (together, the discount rate r). If the NPV of an investment is positive, then it has a truly positive return. If it is negative, the discounted cash flows sum to a net loss and the investment should be rejected.
NPV = Σ_{t=0}^{T} CF_t / (1 + r)^t = CF_0 + CF_1 / (1 + r)^1 + CF_2 / (1 + r)^2 + … + CF_T / (1 + r)^T
where CF_t is the net cash flow in year t (CF_0 is usually the negative initial outlay) and r is the discount rate.

7 What are we measuring?
- Predictors of loss
- Predictors of cost savings
- Predictors of revenue increase
Measurable criteria that can be used to examine the feasibility of investments. No silver bullets or magic formulas.

8 Measuring Risk
- AS/NZS 4360: Risk is the chance [likelihood] of something [threat] happening that will have an impact upon objectives.
- USA, NIST SP 800-30: Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
- ISO/IEC 17799: Risk is the combination of the probability [likelihood] of an event [threat] and its consequence [impact].
- ISO/IEC TR 13335: Risk is the potential [likelihood] that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm [impact] to the organization.
- ACSI 33 / HB 3: Mathematically, risk can be expressed as threat likelihood × consequence [impact].
Common model: Risk = Likelihood × Impact of a Threat exploiting a Vulnerability, resulting in an Impact. Risk is mitigated (reduced) by controls, which reduce vulnerabilities, block threats and minimise impact.

9 Likelihood & Consequences

Likelihood
Measure          Description                                        Frequency
Almost Certain   Is expected to occur in most conditions            1 or more times per year
Likely           The event will probably occur in most conditions   Once in 2 years
Possible         The event might occur at some time                 Once in 5 years
Unlikely         The event could happen at some time                Once in 10 years
Rare             May occur only in exceptional circumstances        Once in 100 years

Consequence
Measure          Description                                        Loss
Catastrophic     Death, social disruption, company ceases trading   More than $10 million
Major            Major problems would threaten business operations  $1 million to $10 million
Moderate         Business would be severely limited                 $100,000 to $1 million
Minor            Business operations would be disrupted             $10,000 to $100,000
Insignificant    Dealt with as a part of routine operations         Less than $10,000

10 Predictors of Loss: Inherent Risk
Risks addressed by Identity Management (SSO and Account Management):
- Exploitation of dormant accounts (lack of financial accountability): Low likelihood (Possible) × Major consequences = 20% × $1,000,000 (regulatory fines) = $200,000 annual loss expectancy
- Identity theft (fraud): High likelihood (20 times per year) × Minor consequences = 20 × $50,000 = $1,000,000 annual loss expectancy
Anticipated $1,200,000 loss per annum

11 Predictors of Loss: Residual Risk
Likely risk reduction provided by Identity Management:
- Exploitation of dormant accounts (lack of financial accountability): Lower likelihood (Unlikely) × Major consequences = 10% × $1,000,000 (regulatory fines) = $100,000 annual loss expectancy
- Identity theft (fraud): Lower likelihood (2 times per year) × Minor consequences = 2 × $50,000 = $100,000 annual loss expectancy
Anticipated $200,000 loss per annum

12 Predictors of cost savings
- Single Sign On will save 20 minutes per day of call centre staff time.
- Potential productivity increase of 33%
- Likely realised increase of 15%
- Anticipated workload increase of 10%
- Savings on hiring 4 new staff per year @ $50,000 = $200,000
Anticipated $200,000 saving per annum

13 Value of Investment: Risk Reduction
$1,200,000 (inherent) − $200,000 (residual) = $1,000,000 (annual)
Adjust for time value of risk:
- Trends in regulatory enforcement
- Trends in fraud losses
- Trends in ID theft losses
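The calculation on slides 8 to 13 (risk = likelihood × impact, annualised into a loss expectancy, then inherent minus residual), as an added example that is not part of the deck. It encodes the likelihood and consequence bands from slide 9 and the figures from slides 10 and 11; the Risk class, the function names and the rule that a frequency is classified into the most frequent band it reaches are this example's assumptions, not the presenter's.

```python
"""Annual loss expectancy (ALE) and risk reduction from the deck's bands (added example)."""
from dataclasses import dataclass
from typing import Iterable

# Likelihood bands (slide 9) as events per year, ordered most to least frequent.
LIKELIHOOD_BANDS = [
    ("Almost Certain", 1.0),   # 1 or more times per year
    ("Likely", 1 / 2),         # once in 2 years
    ("Possible", 1 / 5),       # once in 5 years (20%)
    ("Unlikely", 1 / 10),      # once in 10 years (10%)
    ("Rare", 1 / 100),         # once in 100 years
]

# Consequence bands (slide 9) as [lower, upper) dollar loss per event.
CONSEQUENCE_BANDS = [
    ("Catastrophic", 10_000_000, float("inf")),
    ("Major", 1_000_000, 10_000_000),
    ("Moderate", 100_000, 1_000_000),
    ("Minor", 10_000, 100_000),
    ("Insignificant", 0, 10_000),
]


def likelihood_band(events_per_year: float) -> str:
    """Return the most frequent slide 9 band whose rate the frequency reaches (assumed rule)."""
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    for name, rate in LIKELIHOOD_BANDS:
        if events_per_year >= rate:
            return name
    return "Rare"  # anything below once in 100 years still rates as Rare


def consequence_band(loss_per_event: float) -> str:
    """Return the slide 9 consequence band for a single-event dollar loss."""
    for name, low, high in CONSEQUENCE_BANDS:
        if low <= loss_per_event < high:
            return name
    raise ValueError("loss cannot be negative")


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float   # likelihood, as an annualised frequency
    loss_per_event: float    # impact, as a single-loss dollar figure

    def ale(self) -> float:
        """Risk = likelihood x impact (slide 8), annualised."""
        return self.events_per_year * self.loss_per_event

    def describe(self) -> str:
        return (f"{self.name}: {likelihood_band(self.events_per_year)} x "
                f"{consequence_band(self.loss_per_event)} = ${self.ale():,.0f}/yr")


def total_ale(risks: Iterable[Risk]) -> float:
    return sum(r.ale() for r in risks)


def risk_reduction(inherent: Iterable[Risk], residual: Iterable[Risk]) -> float:
    """Annual value of a control set = inherent ALE - residual ALE (slide 13)."""
    return total_ale(inherent) - total_ale(residual)


# The deck's figures from slides 10 and 11 (illustrative numbers, not measured data).
INHERENT = [
    Risk("Exploitation of dormant accounts (regulatory fines)", 0.20, 1_000_000),
    Risk("Identity theft / fraud", 20, 50_000),
]
RESIDUAL = [
    Risk("Exploitation of dormant accounts (regulatory fines)", 0.10, 1_000_000),
    Risk("Identity theft / fraud", 2, 50_000),
]

if __name__ == "__main__":
    for label, register in (("Inherent", INHERENT), ("Residual", RESIDUAL)):
        print(f"{label} risk:")
        for r in register:
            print("  " + r.describe())
        print(f"  total ALE ${total_ale(register):,.0f}")
    print(f"Annual risk reduction: ${risk_reduction(INHERENT, RESIDUAL):,.0f}")
```

Keeping likelihood as a frequency rather than a band label is what lets the "20 times per year" fraud figure and the "20%" regulatory figure share one formula; the band functions only label the result for the matrix on slide 9.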

14 Value of Investment: Cost Savings
4 new staff per year @ $50,000 = $200,000
Adjust for time value of costs:
- Trends in recruiting costs
- Trends in salaries and wages
- Trends in call centre volumes

15 Cost of Investment: Total Cost of System
$500,000 (license cost) + $800,000 (implementation cost) = $1,300,000 (initial)
$50,000 (annual renewal cost) + $30,000 (support cost, external) + $40,000 (support cost, internal) = $1,200,000 (annual operating cost)
5 year cash flow (−) = $6,500,000
Adjust for time value of money:
- Interest and inflation rates
- Trends in salaries and wages

16 Bottom Line
5 years of costs (−) = $6,500,000
5 year return (+): savings $1,200,000 + loss reduction $5,400,000 = $6,600,000
NPV of total investment: +$100,000
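The ROI formula from slide 2 and the NPV formula from slide 6, applied to a 5-year cash-flow schedule built from the deck's own line items, as an added example (not the presenter's code). The function names and the schedule are assumptions: the initial outlay is licence plus implementation (slide 15), the recurring operating cost is the three annual line items on slide 15 (renewal, external and internal support, which sum to $120,000), the recurring benefit is the loss reduction on slide 13 plus the staff savings on slide 14, and each recurs unchanged for 5 years.

```python
"""ROI and NPV helpers (added example, not from the deck)."""
from typing import Sequence


def roi_percent(total_benefit: float, total_cost: float) -> float:
    """ROI(%) = (total benefit - total cost) / total cost x 100 (slide 2)."""
    if total_cost <= 0:
        raise ValueError("total cost must be positive")
    return (total_benefit - total_cost) / total_cost * 100.0


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV = sum over t of CF_t / (1 + r)^t (slide 6).

    cash_flows[0] is the time-zero flow (normally the negative initial outlay);
    cash_flows[t] is the net flow at the end of year t. A rate of 0 reduces
    the formula to the plain undiscounted sum.
    """
    if rate <= -1.0:
        raise ValueError("rate must be greater than -100%")
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


# Assumed 5-year schedule built from the deck's line items.
INITIAL_OUTLAY = 500_000 + 800_000            # licence + implementation (slide 15)
ANNUAL_OPERATING = 50_000 + 30_000 + 40_000   # renewal + external + internal support (slide 15)
ANNUAL_BENEFIT = 1_000_000 + 200_000          # loss reduction (slide 13) + staff savings (slide 14)
YEARS = 5


def sso_cash_flows(years: int = YEARS) -> list:
    """Net cash flow per year: outlay at t=0, then benefit minus operating cost (assumed flat)."""
    return [-float(INITIAL_OUTLAY)] + [float(ANNUAL_BENEFIT - ANNUAL_OPERATING)] * years


def sso_npv(rate: float) -> float:
    """NPV of the assumed SSO schedule at a given discount rate."""
    return npv(rate, sso_cash_flows())


def sso_roi() -> float:
    """Undiscounted ROI of the same schedule, for comparison with the NPV."""
    total_cost = INITIAL_OUTLAY + ANNUAL_OPERATING * YEARS
    total_benefit = ANNUAL_BENEFIT * YEARS
    return roi_percent(total_benefit, total_cost)


if __name__ == "__main__":
    print(f"Slide 5 ROI: {roi_percent(5_066_540, 800_000):.0f}%")
    print(f"Assumed schedule ROI: {sso_roi():.0f}%")
    for r in (0.0, 0.05, 0.10):
        print(f"NPV at r={r:.0%}: ${sso_npv(r):,.0f}")
```

At r = 0 the NPV is just the undiscounted total the ROI figure is built on; raising r shrinks every later year's benefit, which is the time-value point slide 4 says plain ROI ignores.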

17 Measure what’s important
- TCO
  – Development/acquisition costs
  – Impact on infrastructure costs
  – Operating and staffing costs
- Value component
  – Revenue increase
  – Loss prevention
- Other measures
  – Market share
  – Share price
  – Governance & regulatory compliance
What are these worth?

18 Tackling Compliance
- How do we measure compliance?
- What ‘reasonable steps’ are necessary?
- Who do we have to watch out for?
  – APRA, ASIC, Commonwealth Police, Shareholders?
- A program for each Act & Regulation??
Your search for “Regulatory Compliance Management Solutions” returned 2710 results.
How about good management (governance), so we know what’s going on? (And can manage it.)

19 Frameworks Overview (diagram; only the labels survive)
Governance layers, top down: Board; Risk Management Committee and Audit Committee; Financial Risk, Operating Risk, Financial Reviews and Policy Compliance; Lines of Business (Business Units); Business Processes & Systems; ICT Infrastructure.
Planning inputs flowing down: Business Plans and Objectives, Business Requirements, Systems Requirements.
Reporting and monitoring flowing up: Financial Performance, Asset Management, Investment Performance, Control Effectiveness, Policy & Standards Compliance, Configuration Review.
Frameworks aligned to these layers: COSO, ITIL, COBIT, ISO 17799.

20 Success Factors
- Keep it real
  – Organisational and industry experience
  – Human factors
  – Not all benefits are fully realised
  – Validate, validate, validate
- Involve Financial Management
  – Up front
  – Encourage ownership
- Don’t forget non-monetary values
  – Corporate values
  – Reputation
  – Compliance
  – Market share
  – etc.

21 Avoiding ROI
- Treat the cost as infrastructure
  – Locks on doors
- Roll expenses into a bigger project
  – Customer Relationship Management
- Go for ‘soft’ benefits
  – 6 minutes to $1 million
  – Market perception
  – Reputation

22 Questions
mark.ames@ictrisk.com.au

