This document discusses evaluating, directing, and monitoring risk management processes. It contains three governance practices - EDM03.01 evaluates risk management by examining risk factors and ensuring risk appetite is appropriate. EDM03.02 directs the establishment of risk management practices to ensure actual IT risk does not exceed the board's risk appetite. EDM03.03 monitors key goals and metrics of risk processes and establishes how deviations will be reported and remediated.
This document discusses evaluating, directing, and monitoring risk management processes. It contains three governance practices - EDM03.01 evaluates risk management by examining risk factors and ensuring risk appetite is appropriate. EDM03.02 directs the establishment of risk management practices to ensure actual IT risk does not exceed the board's risk appetite. EDM03.03 monitors key goals and metrics of risk processes and establishes how deviations will be reported and remediated.
This document discusses evaluating, directing, and monitoring risk management processes. It contains three governance practices - EDM03.01 evaluates risk management by examining risk factors and ensuring risk appetite is appropriate. EDM03.02 directs the establishment of risk management practices to ensure actual IT risk does not exceed the board's risk appetite. EDM03.03 monitors key goals and metrics of risk processes and establishes how deviations will be reported and remediated.
EDM03 Process Practices, Inputs/Outputs and Activities
Governance Practice Inputs Outputs EDM03.01 Evaluate risk management. From Description Description To #ONTINUALLYEXAMINEANDMAKEJUDGEMENTONTHE effect of APO12.01 Emerging risk issues Risk appetite guidance APO12.03 risk on the current and future use of IT in and factors THEENTERPRISE.#ONSIDERWHETHERTHEENTERPRISE'SRISK Approved risk tolerance APO12.03 appetite is appropriate and that risk to enterprise value levels related to the use of IT is identified and managed. Outside COBIT Enterprise risk Evaluation of risk APO12.01 management principles management activities Activities 1.$ETERMINETHELEVELOF)4-RELATEDRISKTHATTHEENTERPRISEISWILLINGTOTAKETOMEETITSOBJECTIVES(RISKAPPETITE). 2.%VALUATEANDAPPROVEPROPOSED)4RISKTOLERANCETHRESHOLDSAGAINSTTHEENTERPRISE'SACCEPTABLERISKANDOPPORTUNITYLEVELS. 3. Determine the extent of alignment of the IT risk strategy to enterprise risk strategy. 4. Proactively evaluate IT risk factors in advance of pending strategic enterprise decisions and ensure that risk-aware enterprise decisions are made. 5.$ETERMINETHAT)4USEISSUBJECTTOAPPROPRIATERISKASSESSMENTANDEVALUATION,ASDESCRIBEDINRELEVANTINTERNATIONALANDNATIONALSTANDARDS. 6.%VALUATERISKMANAGEMENTACTIVITIESTOENSUREALIGNMENTWITHTHEENTERPRISE'SCAPACITYFOR)4-RELATEDLOSSANDLEADERSHIP'STOLERANCEOFIT. Governance Practice Inputs Outputs EDM03.02 Direct risk management. From Description Description To Direct the establishment of risk management APO12.03 Aggregated risk profile, Risk management policies APO12.01 practices to provide reasonable assurance that IT risk including status of risk management practices are appropriate to ensure +EYOBJECTIVESTOBE APO12.01 management actions THATTHEACTUAL)4RISKDOESNOTEXCEEDTHEBOARD'S monitored for risk risk appetite. management Outside COBIT Enterprise risk Approved process APO12.01 management (ERM) for measuring risk profiles and mitigation management plans Activities 1. Promote an IT risk-aware culture and empower the enterprise to proactively identify IT risk, opportunity and potential business impacts. 2. Direct the integration of the IT risk strategy and operations with the enterprise strategic risk decisions and operations. 3. Direct the development of risk communication plans (covering all levels of the enterprise) as well as risk action plans. 4. Direct implementation of the appropriate mechanisms to respond quickly to changing risk and report immediately to appropriate levels of management, supported by agreed-on principles of escalation (what to report, when, where and how). 5. Direct that risk, opportunities, issues and concerns may be identified and reported by anyone at any time. Risk should be managed in accordance with published policies and procedures and escalated to the relevant decision makers. 6. Identify key goals and metrics of risk governance and management processes to be monitored, and approve the approaches, methods, techniques and processes for capturing and reporting the measurement information.
40 Personal Copy of: Mr. Dong Hong Wang
CHAPTER 5 COBIT 5 PROCESS REFERENCE GUIDE CONTENTS
Evaluate, Direct and Monitor
EDM03 Process Practices, Inputs/Outputs and Activities (cont.) Governance Practice Inputs Outputs EDM03.03 Monitor risk management. Monitor the From Description Description To key goals and metrics of the risk management APO12.02 Risk analysis results Remedial actions to APO12.06 processes and establish how deviations or problems address risk management will be identified, tracked and reported for remediation. deviations APO12.04 s/PPORTUNITIESFOR Risk management issues EDM05.01 acceptance of for the board greater risk s2ESULTSOFTHIRD-PARTY risk assessments s2ISKANALYSISANDRISK profile reports for stakeholders Activities 1. Monitor the extent to which the risk profile is managed within the risk appetite thresholds. 2. Monitor key goals and metrics of risk governance and management processes against targets, analyse the cause of any deviations, and initiate remedial actions to address the underlying causes. 3.%NABLEKEYSTAKEHOLDERS'REVIEWOFTHEENTERPRISE'SPROGRESSTOWARDSIDENTIFIEDGOALS. 4. Report any risk management issues to the board or executive committee.
EDM03 Related Guidance
Related Standard Detailed Reference #/3//%2- )3//)%#31000 Framework for Risk Management )3//)%#38500 King III s5.5.)4SHOULDFORMANINTEGRALPARTOFTHECOMPANY'SRISKMANAGEMENT. s5.7. !RISKCOMMITTEEANDAUDITCOMMITTEESHOULDASSISTTHEBOARDINCARRYINGOUTITS)4RESPONSIBILITIES.