Typical Approach For IT Risk Management Project PDF

A TYPICAL APPROACH FOR IT RISK MANAGEMENT PROJECT
----------------------------------------------------------------------------
Risk Governance (Step 1 - Step 4)
Maintain a common view: Maintain a standard risk register to provide a risk
update in business terms.
Define the organization structure: Define roles and responsibilities across the
organization to review and maintain the IT risk profile.
Make risk-informed decisions: Provide an IT risk dashboard to IT management to
enable risk-informed strategic decisions.
----------------------------------------------------------------------------
Step 1
Activity: Develop an understanding of, and document, the assigned organization,
such as Amazon, Flipkart, and so on.

Tools and techniques: The Business Model Canvas is a strategic management and
lean startup template for developing new business models or documenting
existing ones.

Deliverable (For Example)

Step 2
Activity: Identify functional areas and processes (discussed during sessions 7-8).

Tools and Techniques: The Zachman Framework, a widely used tool, could be utilized
for this purpose. The Zachman Framework has broad applications. You might (or might
not) have used it. What I wanted was for you to be familiar with it. You will probably
study it in your Business Process Modeling classes.

Deliverables (Example): List of Processes

Step 3
Activity 1: Choose a guiding framework for risk management out of the available
frameworks, such as ISO/IEC 27005:2008 (ISO/IEC), BS 7799-3:2006 (ENISA), SP 800-30
(NIST), Risk IT (ISACA) - (discussed during Sessions 4-). The purposes of this activity
are: presenting a uniform view of IT risk to stakeholders; using scenarios and
avoiding jargon so that stakeholders are encouraged to participate in the process;
defining a monitoring process for continuous updating of changes in the risk profile;
and acceptance by risk owners.

Tools and Techniques: I gave you a tool based on two dimensions (completeness
of risk management and depth of coverage of IT).

Deliverable (suppose you chose ISACA Risk IT, now COBIT 5)

Step 4
Activity: Identify the various tools and techniques that you are going to use.

Tools and Techniques: I discussed some of them during Sessions 9, 10, 12, 13, 14.
These tools and techniques are used in IT applications, and similar ones will apply
to other processes.

Deliverables: List of tools and techniques, such as Group Discussion, Brainstorming,
Workshop, Monte Carlo, and so on.

----------------------------------------------------------------------------
Risk Evaluation (Step 5)
Collect data: Prepare risk scenarios, conduct a risk identification workshop,
establish process touch points for risk updating and link the impact assessment
with the business impact analysis (BIA).
Analyze risk: Use a standard table for defining likelihood and impact. Use the
Delphi technique (you did brainstorming), wherever required.
Maintain risk register: Update and maintain the risk register to develop the risk
profile by aggregating departmental risk.

----------------------------------------------------------------------------
Step 5
Activity 1: Conduct a risk-identification workshop and prepare risk scenarios using
the Risk Scenario Catalog.

The Risk Scenario Catalog looks like the one below (if using ISACA Risk IT).

Activity 2: Identify and assess controls from the Control Catalog.

The Control Catalog looks like the one below (if using ISACA Risk IT).

Activity 3: Map risk scenarios to controls, define risk likelihood and impact,
and so on. Use the Delphi technique (you used brainstorming), wherever required.

Tools and Techniques: Risk-identification workshop, Risk Scenario Catalog,
Control Catalog

Deliverables (Example if you are using ISACA Risk IT)

Activity 4: The above template is for ONE risk of a process. In real settings, you
have to generate one document for each risk of the considered process. You can then
compile them in a matrix using Excel. Again, this has to be done for each process.
Finally, you can combine the processes (and the risks within them) to obtain an
enterprise-level risk register. You may get an enterprise-level risk register
something like this:

Processes
  Process 1
    Risk 1
    Risk 2
  Process 2
    Risk 1
    Risk 2
  Process 3
    Risk 1
    Risk 2
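As an added illustration (not part of the handout, and not an ISACA artifact), the following Python sketch shows the mechanics behind Step 5: a standard likelihood/impact table, one register entry per risk per process with its mapped controls, and the compilation of the per-process registers into an enterprise-level register and risk profile. The 5x5 scales, the rating thresholds, the process names, risk ids, controls and scores are all constructed assumptions, not values taken from any catalog or template.

```python
"""Process-level risk registers combined into an enterprise-level register.

Everything below (scales, thresholds, processes, risk ids, controls) is a
constructed example for illustration; substitute the organization's own
standard table and catalog entries.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed "standard table": likelihood and impact each rated on a 1..5 scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating_band(score: int) -> str:
    """Map a likelihood x impact score (1..25) to a band. Thresholds are assumed."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class RiskEntry:
    """One row of a process risk register (one document per risk in the handout)."""
    process: str
    risk_id: str
    scenario: str                      # taken from the risk scenario catalog
    likelihood: str                    # key of LIKELIHOOD
    impact: str                        # key of IMPACT
    controls: List[str] = field(default_factory=list)  # mapped from the control catalog
    owner: str = "unassigned"          # risk owner who accepts the rating

    def __post_init__(self) -> None:
        # Reject ratings outside the standard table instead of scoring them wrongly.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: likelihood/impact not in standard table")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        return rating_band(self.score)


def build_enterprise_register(process_registers: Dict[str, List[RiskEntry]]) -> List[RiskEntry]:
    """Combine the per-process registers into one list, highest score first."""
    enterprise: List[RiskEntry] = []
    for process, entries in process_registers.items():
        for entry in entries:
            if entry.process != process:
                raise ValueError(f"{entry.risk_id} filed under the wrong process")
            enterprise.append(entry)
    enterprise.sort(key=lambda e: (-e.score, e.process, e.risk_id))
    return enterprise


def risk_profile(register: List[RiskEntry]) -> Dict[str, Dict[str, int]]:
    """Risk profile: count of risks per band, per process and for the enterprise."""
    profile: Dict[str, Dict[str, int]] = defaultdict(lambda: {"High": 0, "Medium": 0, "Low": 0})
    for entry in register:
        profile[entry.process][entry.rating] += 1
        profile["Enterprise"][entry.rating] += 1
    return dict(profile)


def uncontrolled_risks(register: List[RiskEntry]) -> List[str]:
    """Risks with no control mapped: the gap the catalog mapping should surface."""
    return [e.risk_id for e in register if not e.controls]


# Constructed sample mirroring the "Process N / Risk N" sketch above.
SAMPLE: Dict[str, List[RiskEntry]] = {
    "Order Fulfilment": [
        RiskEntry("Order Fulfilment", "OF-R1", "Order system outage during peak sales",
                  "possible", "major", ["DR plan", "Capacity monitoring"]),
        RiskEntry("Order Fulfilment", "OF-R2", "Inaccurate inventory data feeds",
                  "likely", "moderate", ["Daily reconciliation job"]),
    ],
    "Customer Support": [
        RiskEntry("Customer Support", "CS-R1", "Customer records exposed by misconfigured access rights",
                  "possible", "severe", []),
        RiskEntry("Customer Support", "CS-R2", "Helpdesk tool vendor ceases support",
                  "rare", "minor", ["Vendor exit plan"]),
    ],
}


if __name__ == "__main__":
    register = build_enterprise_register(SAMPLE)
    print(f"{'Process':18} {'Risk':7} {'L':2} {'I':2} {'Score':5} Rating  Controls")
    for e in register:
        print(f"{e.process:18} {e.risk_id:7} {LIKELIHOOD[e.likelihood]:2} {IMPACT[e.impact]:2} "
              f"{e.score:5} {e.rating:7} {', '.join(e.controls) or '(none)'}")
    print("Profile:", risk_profile(register))
    print("Uncontrolled:", uncontrolled_risks(register))
```

Sorting by score gives the order in which the enterprise view should present risks to management, and the per-process counts are the "departmental risk" aggregation the handout refers to; the unmapped-control check is the kind of consistency test worth running before the register is handed to risk owners for acceptance.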

IMPORTANT 2: please note that you used the PMO Risk Register Excel Template
because we discussed ITRM of IT per se. The PMO Risk Register is established in the
IT field.

----------------------------------------------------------------------------
Risk Response (Step 6)
Articulate risk: Establish a process for defining the risk response and
communicating it to stakeholders.
Manage risk: Maintain a control catalog with risk mapping, and define the
review process.
React to risk events: Establish a link to incident management, change
management and operations management to review risk.
----------------------------------------------------------------------------

Step 6
Activity 1: Identify stakeholders and communicate the risk profile and the results
of the risk management process.

Tools and techniques: Communication Plan from the ISACA Risk IT framework

Deliverables (Example if you are using ISACA Risk IT)

Activity 2: Link IT risk management with governance process

Tools and techniques: KRI templates from ISACA Risk IT framework

Deliverables: Definitions of Key Performance Indicators (KPIs), Key Risk Indicators
(KRIs) and establishment of a monitoring process

SUMMARY

Phases | Milestones | Key Deliverable
----------------------------------------------------------------------------
Risk Governance | Develop an understanding of and document the assigned organization | Business model canvas
Risk Governance | Identify functional areas and processes | List of process areas
Risk Governance | Define the risk management framework by considering available global standards | IT risk framework, risk evaluation criteria, risk response policy
Risk Governance | Implement the framework uniformly across the IT organization | Identification of stakeholders and risk champions in each process area
----------------------------------------------------------------------------
Risk Evaluation | Conduct risk identification workshops to confirm existing risk and identify new risk | Risk register for each process area
Risk Evaluation | Use the framework to assess identified risk and develop risk response options | Updated risk register
Risk Evaluation | Build a risk register and link it with the control catalog | Updated risk register
Risk Evaluation | Develop a process for risk aggregation and developing the risk profile at enterprise level | Enterprise-level risk register
----------------------------------------------------------------------------
Risk Response | Identify stakeholders and communicate the risk profile and results of the risk management process | Communication plan
Risk Response | Link IT risk management with the governance process | Definitions of key performance indicators (KPIs), key risk indicators (KRIs) and establishment of a monitoring process
----------------------------------------------------------------------------
