INTEGRATING ENTERPRISE AND IT RISK FUNCTIONS USING SCENARIOS

The challenges that organizations face today are increasingly more complex than in the past. The constant change of the global economy, dynamics of business risks and opportunities, and an increased threat of cyberattacks add complexities we’ve never faced. Organizations today must constantly scan their environments and take practical steps to make risk-informed decisions that provide value for stakeholders.

It is not uncommon to see several roles and perspectives in an enterprise all collaborating on risk. Although they all have very valuable and unique viewpoints, their duties are often split across several functions of the organization. Coordination between these efforts is paramount to ensure a holistic enterprise view of risks across all functional lines of business. Emerging practices have led to the “Three Lines of Defense” model which provides a balanced echelon of mechanisms to protect the organization and allow enhanced decision-making. These three lines generally consist of: 1) Operations, 2) Risk/Compliance, and 3) Audit. Although all three are important, my focus today is on the first two. Ensuring alignment of identified risks between IT and enterprise efforts is key. It not only increases the visibility of risks, but reduces duplications of effort, improperly understood impacts, and poor decision making.

ERM vs. ITRM

From a functional perspective, risk has been managed from two primary directions. The first is from the enterprise perspective, top-down approaches focused on protecting assets reported on the balance sheet and assisting business executives in making informed decisions to protect those assets. We’ll call this Enterprise Risk Management, or ERM. The second is from the ground up, for example IT Risk Management, or ITRM, focused on the protection of the confidentiality, integrity, and availability of information and data. If you’ve been in IT for a while, you’ve witnessed the IT risk function grow from a few network security people in the basement to a function that looks at all risks that can be encountered in relation to IT investments. Now we are seeing two formal functions in an organization that often fail to synchronize their efforts. These perspectives are the ERM and ITRM functions. Therefore, one of the most common questions I get during risk based discussions is, “How do we get ERM and ITRM to collaborate in determining the holistic and/or aggregate risk from an enterprise perspective?”

Enterprises have come a long way in making decisions based on risk appetite and tolerance. This is largely in part due to the technologies that have allowed this to happen, as well as a better understanding of the types of risk they encounter. These types typically include the following:

It is important to note that the IT-related risks are a substrate to business risks. While the enterprise risk function focuses on the strategic business-related risks, the IT risk function focuses on IT-related risks that can have an effect on meeting business goals and objectives. Considering the emphasis of value placed on an enterprise strategy, ownership of the process should begin at the top, cascading downward to operational or functional managers, and in the case of IT-related risk, ITRM. However, not all risks can be identified using the top-down approach. A bottom-up approach provides some very specific scenarios based on technical vulnerabilities. If ERM processes support the top-down enterprise direction while the ITRM focuses on the IT-related risks from the bottom up, how do we optimize the two approaches to support a holistic strategic direction? The goal is to replace the old compartmentalized approach to managing risks with a more effective enterprise approach.

The Risk Process

The schematic below is a very high level depiction of a typical risk process. The separation of governance and management is key here. Risk governance sets direction and strategy as well as defines risk culture and acceptable levels of risk for the enterprise. It also ensures that risk management is effectively identifying, assessing, managing, monitoring, and reporting on all risks facing the enterprise. Risk management, on the other hand, is responsible for implementing IT related risk practices and activities per the policies and direction set by the risk governance function. To have effective risk management, the enterprise must maintain a focus on the business mission, goals, and objectives while integrating ITRM into the ERM function. This is where the gaps begin to emerge.

 

If you are looking for a more detailed description of this process and its practices and activities, some of the most applicable frameworks include: COSO, NIST, ISO38500, ISO31000, ISO27000 and COBIT5.

Using Risk Scenarios.

Assessing risk includes identifying, analyzing, and evaluating risks. I believe a core practice for this is to use the concept of risk scenarios as the starting point and basis of any assessment. A risk scenario describes an event that, if it occurs, could have an adverse impact on the business. The process of creating these scenarios includes four basic steps: 1) create generic scenarios, 2) validate scenarios against business strategy, 3) reduce scenarios to a manageable set, and 4) develop the risk register with the appropriate analysis and response. Risk scenarios can be created at any level of the business, but since this blog is focusing on connecting ERM with ITRM, we’ll keep our focus on those two altitudes.

As mentioned in other blogs I’ve posted, the COBIT5 for Risk document produced by ISACA has some great generic scenarios from which to start. There are 111 risk scenario examples in 20 categories. Although these scenarios are quite extensive, they are not intended to replace your organization’s creative process of determining which scenarios are applicable to you.

Creation of the IT Risk Scenarios.

Step One

Identify and validate a set of enterprise goals for the customer organization(s) you support.

Step Two

Determine the long list of potential IT risk scenarios. No need to do a full analysis at this point. Hint: COBIT5 for Risk.

Step Three

Shorten the scenario list by determining which scenarios impact the enterprise goals identified in step one. See below for an example of how to visualize this. You can also use a grid, or risk map, to visualize the Severity and Likelihood as well. See here for an example.

 

Step Four

Analyze each scenario and create a ranking, then create the IT Risk Register.

 

You might notice that each of our scenarios seems very high level. That is good. In the risk register, more details are added that provide structure to the scenario. For example, let’s take our first scenario from the above list: “There is an overreliance on key IT Staff.” This scenario can have from one to several specific events that led us to this scenario. For example:

  1. There is only one DBA in the organization and we are highly dependent on the information in our databases;
  2. Our primary developer is the only person who knows how to maintain our core business application; or
  3. Our Service Desk Manager knows the IT environment so well (s)he is used as both a level one and level two resource.

It’s at this level you can focus your risk responses (accept, transfer, avoid, or mitigate) and propagate your selected responses up to the generic scenario.

So we’ve created our IT Risk scenarios and register. How do we link these to enterprise risk? Within the ERM function, a set of risk scenarios can also be maintained that focus on even higher level risk scenarios – those that are focused on the business (strategic, environmental, market, credit, operational, compliance). As noted earlier in this blog, IT-related risk is a substrate to all other areas. So think of it like this. If the enterprise creates the high-level scenarios and supports them with specific events, the specific events can also be the high level scenarios identified by ITRM. It looks like this:

 

Business colleagues working together on a computer in an office.

Of course, all of this is largely dependent on the organizational structures, policies and procedures of each enterprise, but the concept is valid. We look at risk from multiple altitudes, and should strive to ensure they link. The process of keeping these altitudes aligned is a never-ending effort. Risk scenarios don’t wait until your next semi-annual planning process; they are dynamic and fluid. Therefore, constant vigilance towards keeping the scenarios aligned between ERM and ITRM is vital to proper decision making.

Here are some suggestions to keep in mind when it comes to managing the alignment of your risk scenarios (in no particular order):

  1. Create an enterprise view of the process that encompasses all business units and IT
  2. Adopt a common taxonomy for risk definitions and terms
  3. Cascade risks from top down and bottom up
  4. Link all risk scenarios to enterprise/business goals
  5. Identify and document appropriate roles (including ownership) and functions that are critical to risk governance and management
  6. Embed risk into the culture through training and awareness
  7. Use scenarios to make informed response decisions based on enterprise risk appetites and tolerances
  8. Leverage industry best practices to assist in designing and documenting your processes
  9. Apply both qualitative and quantitative analysis in the process to provide a solid foundation to your efforts
  10. Understand that this does not guarantee success, it provides the information needed to make better informed decisions

This blog focused on the alignment of scenarios and, as you may know, there’s much more to governing and managing risk than having scenarios. Just having lists of risks scattered throughout an enterprise with no real scenarios to link them to is akin to an un-prioritized to-do list that neither creates value nor supports informed decision-making.

I hope this short example has helped and, as always, your feedback is welcomed.

COBIT 2019 Governance and Management Objectives Domains

Each of the 40 Governance and Management objectives are aligned with an applicable domain. For example: Governance Objectives are found in EDM, while Management Objectives are in APO, BAI, DSS and MEA. Each of these objectives relates to one process. Therefore COBIT 2019 has 40 processes. The schematic below outlines these.

COBIT Governance and Management Objectives link to Processes.

This is very important to know because these objectives encompass all the potential areas that an enterprise needs to address to support the overall needs of its stakeholders. It is important to note here that all these objectives, or processes, do not need to be at the highest state of capability or level of implementation. The idea is that based on certain attributes, companies can tailor which ones, and to what level, are implemented. Which takes us to a tailored governance system.

Getting from the COBIT “Core” to a tailored governance system

One of the biggest challenges is taking the COBIT Core to a tailored system. This is where additional guidance is needed. There are many ways to do this, but to continually create value for the enterprise, make sure you consider your organization’s unique aspects. This is why COBIT introduced Design Factors and Focus Areas.

As with many frameworks, COBIT has historically been advertised as a flexible framework that can be modified to fit the needs of any enterprise. That sounds easy until you actually try to adopt a framework, so in the 2019 release, ISACA provide some much-needed guidance on how to do this. In addition to the guides there is also a very handy toolset that can get you started. I’ll show you more on that later.

What exactly does having a tailored governance system mean? This means that your enterprise has prioritized governance and management objectives, considered applicable design factors, used specific guidance from focus areas, and determined the target capability and performance management aspects of the system of governance over I&T.

Linking the COBIT2019 Core to a tailored system.

Design Factors and Focus Areas

In order to get from a framework with many options to a tailored system, design factors and focus areas should be considered.

Design factors can influence the blueprint of your enterprise’s governance system and position it for the successful use of I&T. Think of these as key points that can assist in creating a tailored governance system that truly aligns with specific and unique enterprise needs. The design factors include:

  • Enterprise strategy
  • Enterprise goals
  • Risk profile
  • I&T-related issues
  • Threat landscape
  • Compliance requirements
  • Role of IT
  • Sourcing model for IT
  • IT implementation methods
  • Technology adoption strategy
  • Enterprise size
  • Future factors

If you are looking for specific information on each of these design factors, refer to the COBIT 2019 Design Guide, pages 22-28.

Design factors have a huge impact on how you will design your governance system. There are three ways these can have influence and I have noted them below.

Impact of Design Factors.

A focus area “describes a certain governance topic, domain or issue that can be addressed by a collection of governance and management objectives and their components.” (COBIT Design Guide, ISACA). You can add or remove focus areas based on their applicability to your situation. These can include:

  • Small and medium enterprises
  • Cybersecurity
  • Digital transformation
  • Cloud computing
  • Privacy
  • DevOps

As of the writing of this post, there is no specific guidance released on leveraging Focus Areas in designing a tailored governance system. This information will most certainly be published by ISACA soon. Of course, I’m looking forward to this guidance as it really hits on some hot topics we’re seeing today.

Does the difference between Design Factors and Focus Areas still sound confusing to you? Don’t worry, it does to me too. I boil the difference down to this: think of DESIGN FACTORS as specific descriptions of your company while FOCUS AREAS are areas of influence, whether internal or external.

Workflow for designing a tailored governance system

COBIT 2019 provides a proposed workflow for designing this tailored governance system. Although the publication goes into greater detail, here is a summary of what the guidance looks like.

Steps to creating a tailored governance system using the COBIT Design Guide.

By following these steps (note, you are not required to complete ALL sub-steps), you can create a governance system that is tailored to your needs. This should provide prioritized governance and management objectives or related governance system components. However, this could result in conflicting guidance which is highly possible if you are using multiple design factors. As you most likely know, there is no magic formula to this. You may have to deal with discrepancies on a case-by-case basis. Our business environment is very dynamic, so as conditions and strategies change, you should also review the governance system regularly.

Linking the Design Guide and Implementation Guides

The good news is that the COBIT Implementation Guide in the 2019 update hasn’t really changed much since COBIT5. This is good in my opinion, it is a great model, it just needed some additional guidance – which we are getting with the Design Guide.

In case you are not familiar with this, the COBIT implementation roadmap looks like this:

The Seven Phases of the COBIT Implementation Roadmap. 2018 ©Information Systems Audit and Control Association, Inc. (ISACA).

The governance and management of enterprise I&T should be integrated with end-to-end enterprise governance. Therefore, the COBIT 2019 Implementation Guide emphasizes an enterprise-wide view of I&T governance, recognizing the relationship between business and IT-related activities.

COBIT suggests using a program approach to implementation, and I couldn’t agree more. If you look at the roadmap in the figure above, you will see that there are seven steps to an implementation approach and each step has three perspectives, or rings. The idea is that this cycle becomes a continuous approach until measurable benefits are generated, and the results become embedded in ongoing business activity. The goal is to establish the governance and management of enterprise I&T as a normal and sustainable business practice.

The Design Guide and Implementation Guide have a very distinct relationship and specific uses.

Although the Design Guide identifies some very specific synchronized points, the figure below summarizes how they are used together:

COBIT Design and Implementation Guide Relationships.

You may recognize that not all the phases in the Implementation Guide are linked to the design guide. This is because the first three phases are specifically related to the design of a governance system, while the remaining phases are focused on actual implementation. Personally, I refer to other frameworks to assist in the actual implementation. These are things like the PMBOK, PRINCE2, and of course processes in COBIT.

Using tools to assist in designing your new governance system

Finally! Let’s get to the fun stuff – seeing how this all comes together. When ISACA released the COBIT 2019 Design and Implementation Guides, they also released a toolkit that is available for download here. This Excel-based tool helps facilitate the application of the workflow I described above. The toolkit includes:

  • Introduction and instructions
  • A canvas tab that consolidates results including target capability levels
  • One tab for each design factor
  • Summary tabs that graphically represent the outcomes of steps 2 and 3
  • Mapping tables for design factors

I highly suggest you go download this tool and play around with it a bit. All of the things I’ve talked about in this post will become clear. Of course, the tool is explained in more detail in the Design Guide, but check out this short clip that walks us through an example scenario. I’ve created some inputs for a fictitious global manufacturing company and developed a tailored governance system specifically designed for their needs. Hopefully this helps put it all together.

Closing and suggestions

We’ve covered a lot of ground in this post. I hope it has been valuable in helping you understand how leverage COBIT 2019 to truly create a governance and management framework that is customized to meet your specific enterprise needs.

As always, your thoughts and comments are appreciated on this post, as well as my Twitter posts @escoute1.

Skip to content