DON’T WAIT FOR A RISK EVENT TO HAPPEN BEFORE YOU ADDRESS YOUR ENTERPRISE RISKS.

As I write this blog, I am experiencing a business disruption, and it is very frustrating. Should I blame my vendor, or is it my fault for not effectively managing my business risks?

I outsource my email and my provider has been down for several days with no end in sight. In fact, it took them several hours to even fess up to this event, and when they finally did, the communication was dismal at best. If you don’t use Rackspace for your email, you most likely haven’t heard about this massive outage. If you do, you are probably shaking your head while you read this.

Like most businesses, especially small entities like mine, we outsource many of our processes. We outsource IT services, payroll, testing, recruiting, development, websites, and many others. However, I can’t think of a single company like mine that doesn’t outsource its email. Small to medium sized enterprises depend on it. When I was working in large enterprises, I used to always joke about email. My theory was that email wasn’t considered a critical service until it went down. Well, it did for my business, and as it turns out…yes, it is a critical service. I had a backup plan because I had considered my risks, but did I do enough to predict this?

I don’t mean to beat down Rackspace while they’re down, but here’s my perspective as a customer/user. Today is Monday, and this event started on Friday. I still have no clue what is going on. Rackspace is a $3B company that has recently chosen to ship its “Fanatical” customer service elsewhere, as well as conducting several layoffs in recent memory. I’m not saying these are root causes, but I certainly should have seen these as potential risks. I’ve seen their service management practices decay in the last several months, but I still considered any risk scenario with Rackspace as low likelihood because of their history with me.

If you do a quick search on Twitter, you’ll see some VERY irritated customers:

Let’s link this whole situation to risk. As a business owner, I think about those risks that could prevent my business from achieving its objectives. I continually think about the risk management process when it comes to my business. For your reference, the following is a quick view of the risk process I use:


Let’s dive into how I was somewhat prepared for this risk event. Using my risk management process from above, I want to break down my thinking for you.

Step 1, Identify my risk appetite.
Risk appetite is defined as the amount of risk I am willing to accept in pursuit of my goals, while tolerance is the acceptable level of deviation from that appetite, or what I call the “wiggle room” under certain circumstances. What is my risk appetite and tolerance with respect to client communications?
“I will not accept a risk scenario that prevents me from communicating with my clients for more than three days. I will have a limited amount of tolerance during weekends, holidays and times of low project reporting, as long as it does not affect project deliverables.”
Now, let’s see how this drives the next several risk management steps.

Step 2, Identify risk scenarios.
Think about the events that could happen that would impede your progress. As a small business owner, you can use several techniques to do this, such as reviewing previous events, scanning current newsworthy events and industry articles, brainstorming, and identifying all scenarios that could possibly prevent you from meeting your goals.

For me, these include the following high level scenarios:

  • An event that could prevent me from traveling, because travel is key to me delivering many of my engagements and courses.
  • An event that could prevent me from sharing knowledge online, because I’m in the business of sharing knowledge with clients and peers.
  • An event that could prevent me from communicating with my clients, suppliers, and peers, because this is required for me to contract, execute and close projects with my clients.
  • An event that might affect my standing in the GRC community.

Therefore, examples of my key risk scenarios include:

  • Power, internet, or telco outage
  • Sickness or illness
  • Disruption in the travel industry
  • Failure to stay on top of the latest trends in GRC
  • A contractual or legal matter

Step 3, Analyze and assess risk scenarios.
This sounds easy, but it takes a little thought. For each of the scenarios that I discovered in step 2, I had to come up with a way to prioritize them. I went with the basic X and Y grid, using X for likelihood and Y for impact.
Imagine a grid that visualizes this. You can use any form of measurement for this, like Low-Med-High, or a numerical scale that meets your needs. Something like this:

Likelihood identifies the ‘chances’ that the risk event could happen. It is based on frequency, probability, vulnerability and event timing. Impact is very different. It looks at things like goal achievement and financial, reputational, compliance, safety, privacy, and security effects.

Once I identified these risks and analyzed their impact and likelihood, I prioritized these risks. It comes as no surprise that “power, internet, or telco outage” was high on my list. I’m also assuming that an email outage is part of this.

Step 4, Determine responses to those scenarios.
Now that I had a prioritized list of risks to my business, what should I do? I’ll boil this down to four primary responses:

I can choose to simply accept the risk.

This is not an option. Accepting a risk means that if the risk event becomes real, its effects are within my risk appetite and tolerance levels, so no further response is needed. I pass on this option, since this scenario exceeds my risk appetite.

I can choose to avoid the risk.

Avoidance in this case means that I choose to not use email at all, therefore avoiding the risk of this affecting my business. I choose to pass on this option as well because I, and many of my clients, depend on this communication medium.

Additionally, there are cost-effective responses I can put in place to reduce either the likelihood or the impact to within my appetite level.

I can choose to transfer the risk.

Of course, the typical answer to this is insurance or outsourcing. Well, I outsourced this, but there is still the possibility of third-party or vendor risk. What if my outsourcer fails? Yep, that happened. Let’s move to mitigation.

I can choose to mitigate the risk.

As luck would have it, I chose to mitigate this risk. What was going through my mind was exactly what is happening right now: what if my outsourcer fails to deliver on our agreement?

Here are my mitigations:

  • Create alternative email addresses to use in case my vendor fails
  • Use social media to communicate the change in my status
  • Have multiple sources of internet, including a phone hotspot and an internet hotspot from a different provider

Step 5, Monitor these risk scenarios and continuously update my risks.

Here is the tough part, and frankly where I failed. For each risk, it is key to create some indicators that tell you whether the risk likelihood is low or high. Think of this as the weather report. If inclement weather affects your business, then you watch the weather forecast to determine how you might approach your day. As with any risk, which indicators do you watch for signs that the risk event might become real? I’ll be honest, I failed at watching any key risk indicators for Rackspace. Had I done this, I would have had the information I needed to move away from this high-risk relationship before the risk event happened.

What have I learned from this event? Digital Trust. You’ve no doubt seen some of my recent social media posts on digital trust. I’ve been a customer of organizations who have experienced situations like this in the past, but I stayed with them. Take for example a major hotel chain that has experienced several reportable breaches, yet I’m still a loyal customer of theirs. Why is it that Rackspace has one event, and I’m ready to leave them? That is digital trust. Stay tuned, I’ll be posting a blog on digital trust very soon.

As always, I look forward to your comments.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives is aligned with an applicable domain. For example, Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process; therefore COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that not all of these objectives, or processes, need to be at the highest state of capability or level of implementation. The idea is that, based on certain attributes, companies can tailor which ones are implemented, and to what level. This takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release ISACA provided some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, both design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways they can have influence, and I have noted them in the figure below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance, which is quite likely if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT 5. In my opinion this is good: it is a great model that just needed some additional guidance, which we are now getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronization points, the figure below summarizes how the two guides are used together:

COBIT Design and Implementation Guide Relationships.

You may notice that not all the phases in the Implementation Guide are linked to the Design Guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation, such as the PMBOK, PRINCE2, and of course the processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how to leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.
