Typical Approach For IT Risk Management Project PDF
PROJECT
----------------------------------------------------------------------------
Risk Governance (Step 1- Step 4)
Maintain a common view: Maintain a standard risk register to provide a risk
update in business terms.
Define the organization structure: Define roles and responsibilities across the
organization to review and maintain the IT risk profile.
Make risk-informed decisions: Provide an IT risk dashboard to IT management to
enable risk-informed strategic decisions.
----------------------------------------------------------------------------
Step 1
Activity: Develop an understanding of the assigned organization, such as Amazon,
Flipkart, and so on, and document it.
Deliverable (For Example)
Step 2
Activity: Identify functional areas and processes (discussed during Sessions 7-8).
Tools and Techniques: The Zachman Framework, a widely used tool, could be utilized
for this purpose. The Zachman Framework has broad applications; you might (or might
not) have used it. What I wanted was for you to be familiar with it. You will probably
study it in your Business Process Modeling classes.
Deliverables (Example): List of Processes
Step 3
Activity 1: Choose a guiding framework for risk management from the available
frameworks, such as ISO/IEC 27005:2008 (ISO/IEC), BS 7799-3:2006 (ENISA), SP 800-30
(NIST) and Risk IT (ISACA) (discussed during Sessions 4-). The purposes of this activity
are: presenting a uniform view of IT risk to stakeholders; using scenarios and
avoiding jargon, which encourages stakeholders to participate in the process; defining a
monitoring process for continuously updating changes in the risk profile; and
acceptance by risk owners.
Tools and Techniques: I gave you a tool based on two dimensions (completeness
of risk management and depth of coverage of IT).
Step 4
Activity: Identify the various tools and techniques that you are going to use.
Tools and Techniques: I discussed some of them during Sessions 9, 10, 12, 13 and 14.
These tools and techniques are used for IT applications, and similar ones apply to
other processes.
----------------------------------------------------------------------------
Risk Evaluation (Step 5)
Collect data: Prepare risk scenarios, conduct a risk-identification workshop,
establish process touch points for risk updating, and link the impact assessment
with the business impact analysis (BIA).
Analyze risk: Use a standard table for defining likelihood and impact. Use the
Delphi technique (you did brainstorming), wherever required.
Maintain risk register: Update and maintain the risk register to develop the risk
profile by aggregating departmental risk.
----------------------------------------------------------------------------
Step 5
Activity 1: Conduct a risk-identification workshop and prepare risk scenarios using
the Risk Scenario Catalog.
The Risk Scenario Catalog looks like the following (if using ISACA Risk IT):
Activity 2: Identify and assess controls from the control catalog.
The Control Catalog looks like the following (if using ISACA Risk IT):
Activity 3: Map risk scenarios to controls, define risk likelihood and impact,
and so on. Use the Delphi technique (you used brainstorming), wherever required.
Tools and Techniques: Risk-identification workshop, Risk Scenario Catalog,
Control Catalog
Activity 4: The above template is for ONE risk of a process. In real settings, you
have to generate one document for each risk of the considered process, and then you
can compile them in a matrix using Excel. Again, this has to be done for each
process. Then you can combine the processes (and the risks within them) to obtain an
enterprise-level risk register. You may get an enterprise-level risk register
something like this:
Processes
    Process 1
        Risk 1
        Risk 2
    Process 2
        Risk 1
        Risk 2
    Process 3
        Risk 1
        Risk 2
IMPORTANT 2: Please note that you used the PMO Risk Register Excel Template
because we discussed ITRM of IT per se; the PMO Risk Register is well established in
the IT field.
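As an added illustration that is not part of the course notes, the following Python sketch shows one way the per-risk documents from Activities 1-3 (scenario, mapped controls, likelihood and impact) can be compiled into a process-level matrix and then rolled up into the enterprise-level register sketched above. The 5-point likelihood and impact scales, the rating thresholds, the median-based Delphi consensus, the rule that each effective control lowers likelihood by one level, and the sample risks are all constructed assumptions, not the course's own template.

```python
from dataclasses import dataclass, field
from statistics import median

# Assumed 5-point "standard table" scales (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def delphi_level(votes, scale):
    """Collapse several expert estimates into one level by taking the median of
    their numeric values (a Delphi-style consensus; rounds .5 down). Assumption."""
    mid = int(median(sorted(scale[v] for v in votes)))
    return next(name for name, num in scale.items() if num == mid)


@dataclass
class Control:
    control_id: str
    name: str
    effective: bool  # outcome of the control assessment (Activity 2)


@dataclass
class RiskScenario:
    scenario_id: str
    process: str
    description: str
    likelihood: str  # inherent likelihood level from the scale above
    impact: str
    owner: str
    controls: list = field(default_factory=list)  # mapped controls (Activity 3)

    def inherent_score(self):
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        # Assumption: each control assessed as effective lowers likelihood by one
        # level (never below 1); impact is left unchanged.
        effective = sum(1 for c in self.controls if c.effective)
        residual_likelihood = max(1, LIKELIHOOD[self.likelihood] - effective)
        return residual_likelihood * IMPACT[self.impact]


def rating(score):
    """Map a 1..25 likelihood x impact score to a rating (thresholds constructed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_register(scenarios):
    """One row per risk of each process: the per-risk documents compiled into a matrix."""
    return [{
        "process": s.process, "risk": s.scenario_id, "description": s.description,
        "owner": s.owner, "controls": [c.control_id for c in s.controls],
        "inherent": s.inherent_score(), "residual": s.residual_score(),
        "rating": rating(s.residual_score()),
    } for s in scenarios]


def aggregate(register):
    """Roll the matrix up per process, then combine processes at enterprise level."""
    by_process = {}
    for row in register:
        p = by_process.setdefault(row["process"],
                                  {"risks": 0, "high": 0, "max_residual": 0, "top_risk": None})
        p["risks"] += 1
        p["high"] += int(row["rating"] == "High")
        if row["residual"] > p["max_residual"]:
            p["max_residual"], p["top_risk"] = row["residual"], row["risk"]
    enterprise = {
        "processes": len(by_process),
        "risks": len(register),
        "high": sum(p["high"] for p in by_process.values()),
        "top_risk": max(register, key=lambda r: r["residual"])["risk"] if register else None,
    }
    return by_process, enterprise


# Constructed sample: three processes, two risks each (all names and values invented).
SAMPLE = [
    RiskScenario("P1-R1", "Order fulfilment", "ERP outage during peak sales", "possible", "major",
                 "Ops lead", [Control("C01", "Redundant DB cluster", True),
                              Control("C02", "DR runbook tested yearly", False)]),
    RiskScenario("P1-R2", "Order fulfilment", "Wrong shipment data from integration error",
                 "likely", "minor", "Ops lead", [Control("C03", "Reconciliation report", True)]),
    RiskScenario("P2-R1", "Payments", "Card data exposure via misconfigured storage", "unlikely",
                 "severe", "CISO", [Control("C04", "Tokenisation", True),
                                    Control("C05", "Quarterly access review", True)]),
    RiskScenario("P2-R2", "Payments", "Payment gateway vendor outage", "possible", "moderate",
                 "Finance", []),
    RiskScenario("P3-R1", "HR onboarding", "Leaver accounts not disabled", "almost certain",
                 "major", "HR head", [Control("C06", "Automated deprovisioning", False)]),
    RiskScenario("P3-R2", "HR onboarding", "Payroll data entry errors", "possible", "minor",
                 "HR head", [Control("C07", "Four-eyes check", True)]),
]

if __name__ == "__main__":
    register = build_register(SAMPLE)
    for row in register:
        print(f'{row["process"]:17} {row["risk"]}  inherent={row["inherent"]:2}  '
              f'residual={row["residual"]:2}  {row["rating"]}')
    per_process, enterprise = aggregate(register)
    print(per_process)
    print(enterprise)
```

Running the script prints the process-level matrix and the enterprise roll-up; in the sample the only High residual risk is the HR onboarding scenario whose sole control was assessed as ineffective, which is exactly the kind of row a risk owner would be asked to accept or treat in Step 6.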
----------------------------------------------------------------------------
Risk Response (Step 6)
Articulate risk: Establish a process for defining the risk response and
communicating it to stakeholders.
Manage risk: Maintain a control catalog with risk mapping, and define the
review process.
React to risk events: Establish a link to incident management, change
management and operations management to review risk.
----------------------------------------------------------------------------
Step 6
Activity 1: Identify stakeholders and communicate the risk profile and the results of
the risk management process.
Activity 2: Link IT risk management with the governance process.
SUMMARY
Phases            Milestones                                      Key Deliverable
Risk Governance   Develop an understanding of, and document,      Business model canvas
                  the assigned organization
                  Identify functional areas and processes         List of process areas