Scribd Logo
Upload

Welcome to Scribd!

  • Nabling Rocesses: Governance Practice Inputs Outputs EDM03.01 Evaluate Risk Management. From Description Description To

    Uploaded by

    MNTOUISE
    712 views2 pages
    This document provides guidance on evaluating, directing, and monitoring risk management as it relates to information technology. It outlines three key governance practices - EDM03.01 to evaluate risk management, EDM03.02 to direct risk management, and EDM03.03 to monitor risk management. For each practice, it lists relevant inputs and outputs, and provides example activities to implement the practice such as determining risk appetite, directing risk integration plans, and monitoring metrics against targets. The overall goal is to ensure IT risk is appropriately managed and does not exceed the organization's risk tolerance.

    Original Description:

    Cobit EDM03 Process

    Original Title

    EDM03 Full

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document provides guidance on evaluating, directing, and monitoring risk management as it relates to information technology. It outlines three key governance practices - EDM03.01 to evaluate risk management, EDM03.02 to direct risk management, and EDM03.03 to monitor risk management. For each practice, it lists relevant inputs and outputs, and provides example activities to implement the practice such as determining risk appetite, directing risk integration plans, and monitoring metrics against targets. The overall goal is to ensure IT risk is appropriately managed and does not exceed the organization's risk tolerance.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    712 views2 pages

    Nabling Rocesses: Governance Practice Inputs Outputs EDM03.01 Evaluate Risk Management. From Description Description To

    Uploaded by

    MNTOUISE
    This document provides guidance on evaluating, directing, and monitoring risk management as it relates to information technology. It outlines three key governance practices - EDM03.01 to evaluate risk management, EDM03.02 to direct risk management, and EDM03.03 to monitor risk management. For each practice, it lists relevant inputs and outputs, and provides example activities to implement the practice such as determining risk appetite, directing risk integration plans, and monitoring metrics against targets. The overall goal is to ensure IT risk is appropriately managed and does not exceed the organization's risk tolerance.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 2

    Evaluate, Direct and Monitor

    : ENABLING PROCESSES
    EDM03 Process Practices, Inputs/Outputs and Activities
    Governance Practice

    Inputs

    EDM03.01 Evaluate risk management.


    #ONTINUALLYEXAMINEANDMAKEJUDGEMENTONTHE effect of
    risk on the current and future use of IT in
    THEENTERPRISE.#ONSIDERWHETHERTHEENTERPRISE'SRISK
    appetite is appropriate and that risk to enterprise value
    related to the use of IT is identified and managed.

    From

    Outputs

    Description

    APO12.01

    Outside COBIT

    Description

    To

    Emerging risk issues


    and factors

    Risk appetite guidance

    APO12.03

    Approved risk tolerance


    levels

    APO12.03

    Enterprise risk
    management principles

    Evaluation of risk
    management activities

    APO12.01

    Activities
    1.$ETERMINETHELEVELOF)4-RELATEDRISKTHATTHEENTERPRISEISWILLINGTOTAKETOMEETITSOBJECTIVES(RISKAPPETITE).
    2.%VALUATEANDAPPROVEPROPOSED)4RISKTOLERANCETHRESHOLDSAGAINSTTHEENTERPRISE'SACCEPTABLERISKANDOPPORTUNITYLEVELS.
    3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy.
    4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made.
    5.$ETERMINETHAT)4USEISSUBJECTTOAPPROPRIATERISKASSESSMENTANDEVALUATION,ASDESCRIBEDINRELEVANTINTERNATIONALANDNATIONALSTANDARDS.
    6.%VALUATERISKMANAGEMENTACTIVITIESTOENSUREALIGNMENTWITHTHEENTERPRISE'SCAPACITYFOR)4-RELATEDLOSSANDLEADERSHIP'STOLERANCEOFIT.
    Governance Practice

    Inputs

    EDM03.02 Direct risk management.


    Direct the establishment of risk management
    practices to provide reasonable assurance that IT risk
    management practices are appropriate to ensure
    THATTHEACTUAL)4RISKDOESNOTEXCEEDTHEBOARD'S
    risk appetite.

    From

    Description

    APO12.03

    Outside COBIT

    Outputs
    Description

    To

    Aggregated risk profile,


    including status of risk
    management actions

    Risk management policies

    APO12.01

    +EYOBJECTIVESTOBE
    monitored for risk
    management

    APO12.01

    Enterprise risk
    management (ERM)
    profiles and mitigation
    plans

    Approved process
    for measuring risk
    management

    APO12.01

    Activities
    1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts.
    2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations.
    3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans.
    4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of
    management, supported by agreed-on principles of escalation (what to report, when, where and how).
    5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with
    published policies and procedures and escalated to the relevant decision makers.
    6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques
    and processes for capturing and reporting the measurement information.

    40

    Personal Copy of: Mr. Dong Hong Wang

    COBIT 5 PROCESS REFERENCE

    CHAPTER 5
    GUIDE CONTENTS
    Evaluate, Direct and Monitor

    EDM03 Process Practices, Inputs/Outputs and Activities (cont.)


    Governance Practice

    Inputs

    EDM03.03 Monitor risk management. Monitor the


    key goals and metrics of the risk management
    processes and establish how deviations or problems
    will be identified, tracked and reported for remediation.

    From

    Description

    Outputs
    Description

    To

    APO12.02

    Risk analysis results

    Remedial actions to
    address risk management
    deviations

    APO12.06

    APO12.04

    s/PPORTUNITIESFOR
    acceptance of
    greater risk
    s2ESULTSOFTHIRD-PARTY
    risk assessments
    s2ISKANALYSISANDRISK
    profile reports
    for stakeholders

    Risk management issues


    for the board

    EDM05.01

    Activities
    1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds.
    2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate
    remedial actions to address the underlying causes.
    3.%NABLEKEYSTAKEHOLDERS'REVIEWOFTHEENTERPRISE'SPROGRESSTOWARDSIDENTIFIEDGOALS.
    4. Report any risk management issues to the board or executive committee.
    EDM03 Related Guidance
    Related Standard

    Detailed Reference

    #/3//%2)3//)%#31000

    Framework for Risk Management

    )3//)%#38500
    King III

    s5.5.)4SHOULDFORMANINTEGRALPARTOFTHECOMPANY'SRISKMANAGEMENT. s5.7.
    !RISKCOMMITTEEANDAUDITCOMMITTEESHOULDASSISTTHEBOARDINCARRYINGOUTITS)4RESPONSIBILITIES.

    Personal Copy of: Mr. Dong Hong Wang

    41

    You might also like