12 - Risk Reporting Template

Risk Reporting Template

1 © 2020 ISACA All rights reserved.


Reporting Template

• The quarterly risk dashboard view is organized first by the high-level risk types (Table A from the
  scenario template) and then by the top risk scenarios.

• The risk posture is evaluated based on incident trends, tolerance thresholds, concentrations of issues
  and key risk indicators (KRIs).

• Each generation of the report includes a commentary highlighting significant achievements or
  setbacks during the current quarter and a forecast for expected changes in the upcoming quarter.

• This template is designed to cover IT risk broadly and is not intended as a cybersecurity deep dive.

• Depending on the enterprise, it may be appropriate to add a page to the beginning covering changes
  to the regulatory environment and/or the threat landscape.

• This template includes some pages that may be too detailed for senior leadership but can be helpful
  as supporting materials.



Guiding Principles

[Figure: maturity path Crawl → Walk → Run → Fly]
  Crawl: Incidents and Risk Areas
  Walk:  Tolerance, Issues and Metrics
  Run:   Top Risk and Actions
  Fly:   Aggregated Risk

• Start simple. It is never too early to measure and quantify risk. Even the GEN1 report measures
  impact on several dimensions.

• Each generation of the report template builds on the last. Move from basic measurements and
  lagging indicators to granular scenarios to anticipate changes in risk exposure.

• Risk reporting needs to go beyond assessment by showing accountability and reporting on actions.



Generation 1 Report



Incident Analysis

Impact          MAR       FEB       Q1         Q4          Commentary
Incidents       13        22        57         58
Clients         9,103     4,892     14,127     17,248
Cost            $9,428    $1,376    $40,364    $202,349
Lost Revenue    $0        $0        $0.5M      $1.2M



Risk Dashboard: Incidents by Risk and Root Cause

Risk area (owner)                    Overview
Service Quality (COO)                ✓ Added external monitoring tools and synthetic user accounts to
                                       proactively identify issues.
                                     ✗ The rollout of Project Sierra has made the production environment
                                       unstable.

Data and System Protection (CISO)    ✓ MFA is now required for all high-value client accounts.
                                     ✓ Hired a new director to focus on identity theft and fraud.
                                     ✗ Account brute-force attempts are increasing each quarter.

Product Delivery (CTO)               ✓ Approved headcount to hire head of new project management office.
                                     ✗ Insufficient capacity planning is leading to project delays.



Generation 2 Report



Risk Dashboard (as of Q1)

Impact          Q1          Q4
Incidents       57          58
Clients         14,127      17,248
Cost            $40,364     $202,349
Lost Revenue    $0.5M       $1.2M

Service Quality (Owner: COO)
  Tolerance status and trend: A
  Metrics: Response time: 18 min; Uptime: 99.999%; Repeat incidents: 2
  ✓ System changes in wrong environment continue to be top root cause for outages.
  ✗ BCM tabletop identified some office resiliency gaps.

Data and System Protection (Owner: CISO)
  Tolerance status and trend: R
  Metrics: Aged vulnerability: 0; Persistent admin: 28%; Phish clicks: 8.4%
  ✓ Completed updates to privacy language in contracts with strategic vendors.
  ✗ Progress has stalled to remove persistent local administrator privileges.

Product Delivery (Owner: CTO)
  Tolerance status and trend: G
  Metrics: Agile workstreams: 30%; End-of-life systems: 16%; Open headcount: 3
  ✓ Potential M&A targets are being evaluated.
  ✗ Project Pluto delayed due to insufficient capacity planning.

Legend
  Tolerance status: G = within thresholds; A = breach of lower threshold; R = breach of upper threshold
  Trend (arrow): risk exposure increasing / no change / risk exposure decreasing
Issue Concentrations by Risk

Risk Category                        Issues
Service Quality                      12
Data and System Protection           10
Product Delivery                     3
Total YTD New Issues Identified      25

Action Plans by Status               Total    H     M     L
Under Analysis                       5        2     1     2
Mitigation In Progress               6        1     3     2
Accepted/Closed                      14       9     5     0
Total                                25       12    9     4

Commentary



Issues Identified by Assessment

Assessments                          Q1    Q2    Q3    Q4    Total
SOC2 Audit                           -     -     0     -     0
Customer Onsite Security Audit       2     -     -     -     2
BCM Tabletop                         -     7     -     -     7
Regulatory Exams                     3     -     3     -     6
Compliance Testing                   0     1     1     4     6
Annual Cyber Risk Assessment         4     -     -     -     4
Total YTD New Issues Identified      9     8     4     4     25

Commentary



Action Plan Status

Action: Apply 4-eyes checks to all customer email touchpoints
  Risk Category: Data & System Protection   Owner: COO   Status: On Track   Target: Q1 'YY
  Comments: Dedicated QA resources hired for Customer Service team. Managers are testing a sampling
  each day.

Action: Address key CCPA gaps
  Risk Category: Data & System Protection   Owner: General Counsel   Status: Closed   Target: -
  Comments: Project completed and effectiveness tracked through KRI dashboard.

Action: Implement a new identity service
  Risk Category: Data & System Protection   Owner: CTO   Status: Not Started   Target: Q4 'YY
  Comments: New identity service will be included in new strategic platform rollout later this year.
  Exposure will still exist for legacy product lines this year.



Generation 3 Report



Relative Impact by Risk Scenario

[Figure: scatter plot, x-axis "Value (revenue loss)" from Minor to Major, y-axis "Cost" from Minor to
Major. Scenarios plotted: Operational Error, Website Outages, PII Theft, Billing Miscalculations,
Account Takeover, IT Change Errors, Loss of Key Partner, Capacity Planning, PII Sent in Error,
Criminal Fraud, Communications Quality, Market Downturn, Key Person, Sales Associate Losses,
Talent Retention, Third-Party Dependency, Business Ethics]

• Program should prioritize the top 6 risk scenarios (upper right quadrant).

• Impact assumptions need to be validated.

• This view represents a greatly simplified view of the risk exposure.

• Relative risk impact may vary based on specific event frequency and magnitude.

• Each risk type may have a substantial number of root causes.



Risk Dashboard (as of Q1, with Q2 forecast)

Service Quality (COO)

Website outages
  As of Q1:
    ✓ Added external monitoring tools and synthetic user accounts to proactively identify issues.
    ✗ The rollout of Project Sierra has made the production environment unstable.
  Q2 Forecast:
    • Launch of new CRM for customer service might result in an initial incident uptick but then
      improve operations in the long term.
    • Completion of the cloud migration will increase DR capability.

Changes made to wrong IT environment
  As of Q1:
    ✓ Enrollment of systems into break-glass service is on track, with Tier 1 systems all enrolled.
    ✓ Additional banners added to CRM system to identify the environment.
  Q2 Forecast:
    • Enrollment into break-glass system will be completed.
    • Busy release schedule may stress existing controls.

Data & System Protection (CISO)

Personal information sent to wrong recipient
  As of Q1:
    ✓ Dedicated QA resources hired for customer service team.
    ✗ The four-eyes check has not yet been added to all customer touchpoints.
  Q2 Forecast:
    • Until it is tuned, the new alerting system will briefly increase the number of potential
      incidents to investigate.

Product Delivery (CTO)

Insufficient capacity planning for new products
  As of Q1:
    ✓ Potential M&A targets being evaluated.
    ✗ Project Pluto delayed due to insufficient capacity planning.
  Q2 Forecast:
    • Platform strategy presentation is scheduled for next client advisory board meeting.
    • Pipeline for new services will increase.

Legend
  Tolerance status: within thresholds (G); breach of lower threshold (A); breach of upper threshold (R)
  Trend (arrow): risk exposure increasing / no change / risk exposure decreasing
Metrics by Risk Scenario

Template columns: Risk; Tolerance; Available Metrics; Three-Month Average; Month on Month; Incidents;
Overview; Action. (Three-Month Average and Month on Month are trend arrows, not shown below.)

Risk                                               Tolerance   Available metrics   Incidents
Website outages                                    R           48%                 SEV1: 0, SEV2: 0
Changes made to wrong IT environment               A           54%                 SEV1: 0, SEV2: 1
Personal information sent to wrong recipient       A           2%                  SEV1: 0, SEV2: 1
Malicious PII disclosure                           A           72%                 SEV1: 0, SEV2: 2
Client account takeover                            G           85%                 SEV1: 0, SEV2: 0
Insufficient capacity planning for new products    -           0%                  SEV1: 0, SEV2: 0

Overview (template placeholder): List the key reasons for tolerance levels or trends.
Action (template placeholder): Take action to bring risk back within thresholds.
Insufficient capacity planning for new products has no metrics available, so its Overview and Action
are N/A.

Legend
  Tolerance: within thresholds (G); breach of lower threshold (A); breach of upper threshold (R)
  Trend (arrow): risk exposure increasing / no change / risk exposure decreasing
  Available metrics: no metrics available; 1% to 25%; 26% to 50%; 51% to 75%; 76% to 100% of
  metrics available
Key Metrics Based on Tolerance

Risk: Malicious PII Disclosure (all rows)

Metric Description                                                               Lower       Upper       Q3     Q4     Q1     Mitigation
                                                                                 Threshold   Threshold                        Target
# of high-rated vulnerabilities aged >90 days on Internet-accessible systems     0           ≤20         1      1      0      N/A
% of users with persistent local administrator privileges on endpoint devices    ≤1%         ≤2%         30%    29%    28%    Q3
% of users being phished by quarterly campaigns                                  ≤10%        ≤20%        21%    9.3%   8.4%   N/A
% of endpoints that have full disk encryption enabled                            100%        ≥95%        86%    98%    100%   N/A
% of endpoints with DLP agent active                                             100%        ≥95%        96%    99%    99%    Q2

Commentary
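The G/A/R status letters and trend arrows on the dashboards are derived from tables like this one: a metric is Green while it sits inside both thresholds, Amber once it crosses the lower threshold and Red once it crosses the upper one, and the trend compares the latest quarter with the one before. The following Python is an added example, not part of the ISACA template, that applies those rules to the five rows above and buckets metric coverage the way the "Metrics by Risk Scenario" legend does. Two things it assumes are not stated in the template: the direction of each metric (vulnerability counts, persistent-admin and phishing rates are "higher is worse"; encryption and DLP coverage are "lower is worse"), and the rule that a scenario's status is its worst metric.

```python
"""Evaluate KRIs against tolerance thresholds the way the template's dashboards
present them: G = within thresholds, A = lower threshold breached, R = upper
threshold breached, plus a quarter-on-quarter exposure trend.

The metric rows below are copied from the template's "Key Metrics Based on
Tolerance" table. The direction flags and the worst-of aggregation rule are
assumptions made for this example, not statements in the template."""
from dataclasses import dataclass

GREEN, AMBER, RED = "G", "A", "R"
_SEVERITY = {GREEN: 0, AMBER: 1, RED: 2}


@dataclass(frozen=True)
class Metric:
    name: str
    lower: float           # first threshold crossed as exposure grows
    upper: float           # second threshold; crossing it breaches tolerance
    higher_is_worse: bool  # True for counts/rates of bad things (assumed)
    history: tuple         # quarterly values, oldest first (Q3, Q4, Q1)


def rate(m: Metric, value: float) -> str:
    """Map one observation to G/A/R according to the metric's direction."""
    if m.higher_is_worse:
        if value > m.upper:
            return RED
        return AMBER if value > m.lower else GREEN
    # Coverage-style metric: lower = target (100%), upper = tolerance floor (95%).
    if value < m.upper:
        return RED
    return AMBER if value < m.lower else GREEN


def trend(m: Metric) -> str:
    """Direction of risk exposure from the last two quarterly values."""
    if len(m.history) < 2:
        return "No change"
    prev, cur = m.history[-2], m.history[-1]
    if cur == prev:
        return "No change"
    worse = cur > prev if m.higher_is_worse else cur < prev
    return "Risk exposure increasing" if worse else "Risk exposure decreasing"


def aggregate(statuses) -> str:
    """A scenario's status is its worst metric (assumed rule)."""
    statuses = list(statuses)
    return max(statuses, key=_SEVERITY.__getitem__) if statuses else GREEN


def availability_bucket(available: int, defined: int) -> str:
    """Legend buckets from the 'Metrics by Risk Scenario' page."""
    if defined == 0 or available == 0:
        return "No metrics available"
    pct = 100 * available / defined
    if pct <= 25:
        return "1% to 25% of metrics available"
    if pct <= 50:
        return "26% to 50% of metrics available"
    if pct <= 75:
        return "51% to 75% of metrics available"
    return "76% to 100% of metrics available"


# Rows from the template's table; values are the template's own illustrative data.
MALICIOUS_PII_METRICS = (
    Metric("high-rated vulns aged >90 days on Internet-accessible systems", 0, 20, True, (1, 1, 0)),
    Metric("% users with persistent local admin on endpoints", 1, 2, True, (30, 29, 28)),
    Metric("% users phished by quarterly campaign", 10, 20, True, (21, 9.3, 8.4)),
    Metric("% endpoints with full disk encryption", 100, 95, False, (86, 98, 100)),
    Metric("% endpoints with DLP agent active", 100, 95, False, (96, 99, 99)),
)


def dashboard(metrics=MALICIOUS_PII_METRICS):
    """Return ([(name, status, trend), ...], aggregated status) for the scenario."""
    rows = [(m.name, rate(m, m.history[-1]), trend(m)) for m in metrics]
    return rows, aggregate(s for _, s, _ in rows)


if __name__ == "__main__":
    rows, overall = dashboard()
    for name, status, direction in rows:
        print(f"{status}  {direction:26}  {name}")
    print("Scenario status:", overall)
```

Run as-is it rates the Q1 column: four metrics are Green or trending down, DLP coverage at 99% sits between its 100% target and 95% floor (Amber), and persistent local admin at 28% against a 2% upper threshold drives the scenario to Red, which matches the R shown for Data and System Protection on the Generation 2 dashboard.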



Action Plan Status

Action: Apply four-eyes checks to all customer email touchpoints.
  Top Risk: Personal information sent to wrong recipient   Owner: COO   Status: On Track   Target: Q1 'YY
  Actual/Budget: A: $0.26M / B: $0.50M
  Comments: Dedicated QA resources hired for customer service team. Managers are testing a sampling
  each day.

Action: Address key CCPA gaps.
  Top Risk: Malicious PII disclosure   Owner: General Counsel   Status: Closed   Target: -
  Actual/Budget: A: $1.27M / B: $1.23M
  Comments: Project completed and effectiveness tracked through KRI dashboard.

Action: Implement a new identity service.
  Top Risk: Client account takeover   Owner: CTO   Status: Not Started   Target: Q4 'YY
  Actual/Budget: A: - / B: $28.01M
  Comments: New identity service will be included in new strategic platform rollout later this year.
  Exposure will still exist for legacy product lines this year.



Accepted Risk (Outside of Tolerance)

Issue: Key person risk is pervasive across multiple teams and geographies in the IT organization.
  Risk: Service Quality   Owner: CTO   Incidents: SEV1: 2, SEV2: 5
  Annual Loss: $10M   One-Time Max: $200M
  Stress Factors: New employees; Aggressive business growth

Issue: Credit card information is sent to clients in email by the support team when resolving billing
inquiries, with only manual checks.
  Risk: Data and System Protection   Owner: General Counsel   Incidents: SEV1: 0, SEV2: 7
  Annual Loss: $1M   One-Time Max: $10M
  Stress Factors: New employees and employee turnover; Outsourcing or moving offshore; Increasing
  audit demands

Issue: Software engineering teams don't have established or consistent quality standards.
  Risk: Product Delivery   Owner: CTO   Incidents: SEV1: 0, SEV2: 2
  Annual Loss: $0.5M   One-Time Max: $1M
  Stress Factors: New employees and employee turnover; Outsourcing or moving offshore; New products
  and services; Modernizing technology



Generation 4 Report



Risk Dashboard
Metrics as of Q1 YYYY

Data and System Protection (CISO)

Template columns: Top risk; Most Likely Annual Loss; One-Time Max Loss; After Insurance; Quarterly
Trend; Mitigation Status; Q2 Forecast; Q1 Incidents; Issues Trend; Acceptance Trend; Last Assessed.
(The trend and forecast columns are icons, not shown below.)

Top risk: Personal information sent to wrong recipient
  Loss figures: $27M, $13M (two of the three loss columns; the template leaves one blank)
  Mitigation Status: On Track   Q1 Incidents: COST: $20k, REV: $500k   Last Assessed: Q3 'YY

Top risk: Malicious PII disclosure (theft)
  Most Likely Annual Loss: $8M   One-Time Max Loss: $44M   After Insurance: $15M
  Mitigation Status: Past Due   Q1 Incidents: COST: $0, REV: $0   Last Assessed: Q1 'YY

Top risk: Client account take-over
  Most Likely Annual Loss: $4M   One-Time Max Loss: $12M   After Insurance: $1M
  Mitigation Status: Not Started   Q1 Incidents: COST: $10k, REV: $0   Last Assessed: Q2 'YY

Local Admin on Endpoints: Q3 30%, Q4 29%, Q1 28% (1,552 devices)
Endpoints with Active DLP: 99% (Feb 96%, Apr 99%; 1,552 devices)

Key Findings:
  • Several businesses regularly exchange sensitive data with clients via email.
  • Peer review on billing confirmation emails sent to clients is lacking.
  • Breach response procedures have never been tested.
  • Monitoring gaps exist on the distribution servers.

Recent Developments:
  + Added four-eyes check on billing confirmation emails to clients.
  + Confirmed insurance policy covers most of the notification and investigation costs.
  - Identified further gaps in tools and technologies to prevent confidentiality issues.
  - Project to remove credit card details from billing confirmation emails has been delayed.
