Risk Management Program Manual

Introduction: How to Use This Template


Complete the companion activities in the IT Risk Management Program blueprint to modify and fill in the relevant
sections of this template. This Risk Management Program Manual houses critical documents, and outlines all of the
major activities of the risk management process. From risk identification to issue-tracking and escalation, create
repeatable, iterative processes and document them in this central location to:

(1) Standardize risk management processes
(2) Communicate processes, timelines, and results to the central risk function or senior leadership
(3) Enhance risk awareness in IT
(4) Train new hires in IT
(5) Capture new knowledge from annual risk assessments

To use this template, simply replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.

Research Group
Table of Contents

Introduction: How to Use This Template (p. 1)
I. Introduction (p. 4)
  1.1 Document Version (p. 4)
  1.2 Document Revision History (p. 4)
  1.3 Executive Brief (p. 5)
II. <Insert Organization Name>’s IT Risk Management Program (p. 6)
  2.1 Program Overview (p. 6)
  2.2 <Insert Organization Name>’s Current IT Risk Management Maturity (p. 7)
  2.3 Success Factors (p. 8)
  2.4 Goals and Objectives (p. 8)
  2.5 Metrics (p. 9)
III. IT risk council Charter (p. 10)
  3.1 IT risk council Mandate (p. 10)
  3.2 Agenda and Responsibilities (p. 10)
  3.3 Meeting Schedule (p. 10)
  3.4 Membership (p. 11)
  3.5 Executive Signatures (p. 11)
IV. Accountabilities and Responsibilities of IT Risk Management (p. 12)
  4.1 Accountabilities and Responsibilities of Key Stakeholders (p. 12)
V. Schedule of Activities (p. 13)
  5.1 Identifying Risk Events (p. 13)
    Engage Key Stakeholders (p. 13)
    Review Risk Categories (p. 13)
    Augment Risk Identification with COBIT 5 Processes (p. 14)
    Responsible Party (p. 14)
    Timing and Frequency (p. 14)
  5.2 Cataloguing Risk Events (p. 14)
    Responsible Party (p. 14)
    Timing and Frequency (p. 15)
  5.3 Assessing Risk Severity (p. 15)
    Unacceptable Risk Threshold (p. 15)
    Probability and Impact Severity Thresholds (p. 15)
    Proximity Considerations (p. 16)
    Frequency Considerations (p. 16)
    Responsible Party (p. 16)
    Timing and Frequency (p. 16)
  5.4 Risk Event Accountabilities and Monitoring Responsibilities (p. 17)
    Responsible Party (p. 17)
    Timing and Frequency (p. 17)
  5.5 Selecting Risk Responses (p. 17)
    Cost-Benefit Analysis (CBA) (p. 17)
    Responsible Party (p. 18)
    Timing and Frequency (p. 18)
  5.6 Risk Reporting (p. 18)
    Responsible Party (p. 18)
    Timing and Frequency (p. 18)
Appendix A: Risk Catalog (p. 19)
  IT Operations Risks (p. 19)
  Hardware Risks (p. 20)
  Software Risks (p. 21)
  Data Risks (p. 22)
  Vendor Risks (p. 23)
  Project Risks (p. 24)
  Personnel Risks (p. 25)
  Disaster and Continuity Risks (p. 26)
  Compliance & Security Risks (p. 27)
Appendix B: Risk Event Action Plan (p. 28)
  Introduction: How to Use This Template (p. 28)
Appendix C: Risk Report Template (p. 31)
  Introduction: How to Use This Template (p. 31)
Appendix D: Job Description – Chief Risk Officer (p. 37)
Appendix E: Risk Management Program Improvement Plan (p. 39)
  Introduction: How to Use This Tool (p. 39)
I. Introduction
1.1 Document Version
Document Number: IT25
Revision Number: 1
Effective Date: January 1, 2016
Owner: Philip Schmidt
Approver: Jan Leckie

1.2 Document Revision History

Version | Date | Revision Description
1.3 Executive Brief
The Risk Management Program Manual serves to describe the processes, procedures, and activities that are
necessary to maintain risk governance, identify IT-related business risks, assess risk severity, and determine
appropriate risk responses for <Insert Organization Name>. The program manual and its supporting documents
(see Appendix) will be used to document detailed information regarding key risks and provide appropriate
mechanisms for reporting these risks to the Enterprise Risk Manager (ERM) at <Insert Organization Name>. The
Risk Management Program Manual was developed through the completion of ’s IT Risk Management Program
blueprint.

The Risk Register Tool and Risk Costing Tool will be used to track risks and determine appropriate risk responses,
and the blueprint will walk you through how to effectively employ these tools, as well as exercises to optimize IT
risk management processes. The Program Manual should be updated after completing each phase of the blueprint.

The Risk Management Program Manual will exist as a digital copy and a hard copy, located in <Insert a Central
Location>.

As part of good risk management practices, the Program Manual must be reopened during every meeting of the IT
risk council.

Any changes to the Risk Management Program Manual should be documented in Section 1.2.

II. <Insert Organization Name>’s IT Risk Management Program
2.1 Program Overview
The intention of the IT risk management program at <Insert Organization Name> is to instill best-practice risk
management activities that allow us to proactively identify, assess, and respond to IT risks. The program formalizes
risk management by encouraging the regular tracking of risks, assigning responsibility to individuals for monitoring
and managing risks instead of leaving it to chance, and establishing risk responses to identified threats and
vulnerabilities.

In addition, the risk management program at <Insert Organization Name> aims to foster further communication
between IT and business stakeholders, and within the IT department itself. Central to <Insert Organization
Name>’s IT Risk Management Framework is the continuous monitoring and communication of IT risk with
appropriate business stakeholders.

<Insert Organization Name>’s IT Risk Management Framework is composed of four major pillars that govern risk
management practices.
1) Risk Governance – Ensure that IT’s risk management practices are aligned to organizational risk
management standards and that business stakeholders are aware of and accountable for severe IT
risks.
2) Risk Identification – Ensure that all IT risks are identified through comprehensive stakeholder
participation and the use of the top-down risk identification methodology.
3) Risk Assessment – Ensure that all IT risks are evaluated based on probability, impact, and proximity
to understand the severity of IT’s risk portfolio. Prioritize risks based on their respective severity.
4) Risk Response – Ensure that key risks are responded to appropriately. Cost-benefit analysis is used
to determine which risk response to implement.

2.2 <Insert Organization Name>’s Current IT Risk Management Maturity
Populate the table below with maturity levels generated in Activity 1.2.1.

Risk Governance (Maturity Level, Current: Optimized)
  1. A dedicated committee or council exists to consider IT risk.
  2. The council meets at regular intervals.
  3. Risk events are owned and monitored by specific individuals.
  4. Business stakeholders participate in council meetings and are always consulted.
  5. Senior leadership signs off on all action plans for non-negligible IT risk.
  6. Accountability for executing the risk management program is held by the CIO.
  7. Accountability for IT risk decisions is held by the CEO.

Risk Identification (Maturity Level, Current: Optimized)
  1. IT possesses a risk register that is updated to reflect IT’s overall risk portfolio.
  2. Risk identification exercises are conducted bi-annually.
  3. The IT risk list is developed and updated collaboratively with key business stakeholders.
  4. Risk events are brainstormed using high-level IT risk categories and then refined using COBIT 5 IT processes.

Risk Assessment (Maturity Level, Current: Optimized)
  1. Formal risk assessment exercises are conducted bi-annually.
  2. Unacceptable risk thresholds are dictated by the senior leadership team.
  3. All identified risk events are assigned a severity level based on probability and impact assessments.
  4. Top risks are reassessed for expected cost.
  5. Key business stakeholders participate in risk assessment exercises.
  6. Alternative risk assessment methodologies are employed to create accurate expected cost values.

Risk Response (Maturity Level, Current: Optimized)
  1. Response options are brainstormed for all risks exceeding thresholds for acceptable risk.
  2. Each risk event is reassessed for residual risk.
  3. Residual expected cost values are determined for top risks.
  4. Costs and benefits for each response are analyzed over multiple years.
  5. Responses are selected based on cost-benefit analysis and IT’s capabilities to implement the projects.
  6. All risk response recommendations are presented formally to the senior leadership team for approval.

Risk Monitoring & Reporting (Maturity Level, Current: Optimized)
  1. Risk owners are assigned to each risk event.
  2. Key risk indicators (KRIs) and thresholds are developed to track changes in risk severity.
  3. Protocols have been established to escalate risks when thresholds have been breached.
  4. Risks are reported according to an enforced reporting schedule.
  5. KRIs, thresholds, and reporting schedules have been approved by senior leadership.

2.3 Success Factors
The success of the IT Risk Management Program at <Insert Organization Name> is dependent upon the IT risk
council’s ability to align and communicate with the business’s core risk management function. Success factors for
<Insert Organization Name>’s Risk Management Program are therefore driven by the business’s awareness and
support of the IT Risk Management Program. <Insert Organization Name>’s Risk Management success factors are
as follows:

a) Support and Sponsorship from Senior Leadership
   I. Senior leadership sponsorship increases the likelihood that risk management is prioritized and
      receives the necessary resources and attention to ensure that IT risk accountability is shared by
      senior leadership.
b) Organizational Risk Culture and Awareness
   I. The organization embraces new policies and processes that reflect a proactive approach to risk.
   II. Risk culture is embedded in job descriptions and performance assessments to reflect IT risk
       management responsibilities.

2.4 Goals and Objectives


The primary goal of <Insert Organization Name>’s Risk Management Program is to instill risk management best-
practices and reduce organizational exposure to risks that may affect the continuity of <Insert Organization
Name>’s value proposition. <Insert Organization Name>’s IT Risk Management Program enables IT to make
proactive decisions regarding preventable risks that have the potential to impact business continuity. Through
effective risk identification, assessment, response, and monitoring, IT risk management enables the strategic vision
of <Insert Organization Name> by reducing the reactive nature of risk management and implementing appropriate
actions to minimize risk to the organization. Additionally, <Insert Organization Name>’s IT Risk Management
Program effectively aims to:

Goal: Ensure that <Insert Organization Name>’s exposure to risks that affect the continuity of our customer value
proposition is minimized.
  Objectives/Initiatives:
    • Identify and assess all risks that expose the organization.
    • Mitigate severe risks.
    • Monitor key risks that have potential to become severe.
  Additional Notes: [Notes]

Goal: Ensure that IT is compliant with external laws and regulations.
  Objectives/Initiatives:
    • Review IT compliance laws and regulatory rules.
    • Conduct an annual audit to ensure compliance is maintained.
  Additional Notes: [Notes]

Goal: Ensure IT provides support for business compliance.
  Objectives/Initiatives:
    • Identify relevant business compliance rules.
    • Conduct an annual review of IT’s Risk Management Program alignment with organizational standards.
  Additional Notes: [Notes]

Goal: Ensure IT regularly communicates costs, benefits, and risks to the business.
  Objectives/Initiatives:
    • Reduce the frequency of miscommunication between IT and the business.
  Additional Notes: [Notes]

Goal: Ensure that information and data are secured within the organization.
  Objectives/Initiatives:
    • Limit frequency and severity of security breaches.
  Additional Notes: [Notes]

Goal: Ensure that IT services are delivered in line with business requirements.
  Objectives/Initiatives:
    • Identify and mitigate critical risks that may disrupt business-critical IT services.
  Additional Notes: [Notes]

Goal: Ensure IT projects are completed on-time, within scope, and on-budget.
  Objectives/Initiatives:
    • Limit the impact of unforeseen risks associated with over-budget projects.
  Additional Notes: [Notes]

Revise the above goals, objectives, and initiatives as needed.

2.5 Metrics
The Risk Management Council has developed the following metrics to measure the success of <Insert
Organization Name>’s IT Risk Management Program. Revise the metrics as needed and insert your own SMART
metrics developed in Activity 1.2.5.

Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final

Number of risks identified | Risk register | 0 | 100 | Dec. 31 | | |
Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | | |
Frequency of risk assessment | Assessments recorded in Program Manual | 0 | 2/year | Year 2 | | |
Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in Risk Costing Tool to risks assessed in Risk Register Tool | 0 | 20% | Dec. 31 | | |
Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | | |
Cost of risk management program operations per year | Meeting frequency and duration multiplied by the cost of participants’ time | $2,000 | $5,000 | Dec. 31 | | |
Expected cost of IT risk portfolio | Cumulative expected cost of all IT risk events | $330,000 | $200,000 | Year 2 | | |

III. IT risk council Charter
The IT risk council serves as a formalized task force that is responsible for ensuring that the risk management
program is initiated, optimized, and maintained through regular meetings.

The IT Risk Management Program is responsible for integrating risk management into regular IT practices. <Insert
Organization Name>’s IT risk council integrates IT Risk Management into IT’s agenda and priorities.

3.1 IT risk council Mandate

The IT risk council oversees the risk management processes for <Insert Organization Name>. Members of the IT
risk council are appointed by <Insert Role> and are accountable to the IT senior leadership team. The council will:

1. Provide risk management leadership for IT through the alignment of IT strategic objectives and processes
with enterprise strategic objectives and processes.
2. Prioritize all IT risk exposures and thresholds, and resolve resource allocation issues based on risk
prioritization.
3. Ensure optimal risk management through measurement of key success metrics.
4. Ensure open communication between the IT department and other functional units of <Insert Organization
Name> so as to promote collaborative risk management.

The IT risk council is not responsible in any way for the IT department’s operating budget, IT department staff, or
any other aspect of day-to-day IT operations.

3.2 Agenda and Responsibilities

The agenda of a typical IT risk council meeting will include the following items:

1. Identify and review major risks throughout the IT department.
2. Recommend an appropriate risk appetite or level of exposure for <Insert Organization Name>.
3. Review the assessment of the impact and likelihood of identified risks from project proposals.
4. Review the prioritized list of risks.
5. Create a response plan to avoid, mitigate, transfer, or accept a risk event.
6. Review and communicate overall risk impact and risk management success.
7. Assign risk ownership responsibilities of key risks to ensure they are monitored and risk responses are
effectively implemented.
8. Address any concerns with regard to the risk management program, including but not limited to:
   a. Reviewing their risk management duties.
   b. Risk Management Program success.
   c. Risk management resourcing.
9. Communicate risk reports to senior management annually.
10. Make any alterations as needed to the committee roster and the individuals’ responsibilities, and
document those changes.

3.3 Meeting Schedule

The IT risk council will meet on the first Friday of every month. If a matter requires follow-up, subsequent
meetings will be planned during the initial first-Friday meeting and documented.

3.4 Membership
All permanent members of the IT risk council should be very familiar with the IT department’s policies, procedures,
and practices. Additionally, all permanent members should have the authority to make decisions, and take actions
on behalf of the business unit they represent.

If any member is unable to attend the majority of IT risk council meetings, then the Council Chair will designate a
replacement. If the IT risk council Chair is unable to attend the majority of IT risk council meetings, then the Council
itself will designate a replacement.

Members of the IT risk council will include:

• [CIO: Head of IT] – Council Chair
• [CRO: Head of Risk]
• [IT Directors, Applications, Infrastructure, Security, PMO, etc.]
• [Additional C-Level heads of business units]
• Ad hoc members, as required, who are experts of particular business processes or technologies.

3.5 Executive Signatures

____________________________  ______________________________________  _____________
Name                          Signature                               Date

____________________________  ______________________________________  _____________
Name                          Signature                               Date

____________________________  ______________________________________  _____________
Name                          Signature                               Date

IV. Accountabilities and Responsibilities of IT Risk Management
4.1 Accountabilities and Responsibilities of Key Stakeholders
The success of the IT Risk Management program relies on clear articulation of risk management accountabilities
and responsibilities. The IT risk council will be responsible or accountable for the bulk of activities but success will
also be dependent on buy-in and endorsement by external stakeholders beyond the IT risk council. These
stakeholders must be aware of the IT Risk Management Program and are often consulted or informed about
important risk management activities.

Revise the RACI chart below as needed, and insert your own accountabilities and responsibilities developed in
Activity 1.2.8.

Columns: Stakeholder | Stakeholder Coordination | Risk Identification | Risk Thresholds | Risk Assessment |
Identify Responses | Cost-Benefit Analysis | Risk Monitoring | Decision-Making

ITRC A R I R R R A C
ERM C I C I I I I C
CIO I A A A A A I R
CRO I R C I R
CFO I R C I R
CEO I R C I A
Business Units I C C C
IT I I I I I I R C
PMO C C C

Legend:

R – Responsible
A – Accountable
C – Consulted
I – Informed

V. Schedule of Activities
The IT Risk Management Program is made up of a number of separate but mutually reinforcing processes – some
of which are conducted periodically, and others that are ongoing throughout the year. The following schedule
outlines the timing and frequency for IT risk management processes, as well as their specific activities and tasks.

5.1 Identifying Risk Events

Risk identification is the most vital exercise of risk management and takes place <Insert Frequency – e.g. quarterly>
to ensure that all IT-related threats and vulnerabilities are identified. The IT risk council uses the risk identification
framework developed by Research Group, which can be found in the IT Risk Management Program blueprint.

Engage Key Stakeholders

Comprehensive risk identification requires the engagement of key stakeholders within and outside of IT. Typically,
during risk identification exercises, the IT risk council will engage stakeholders from the business that meet the
following criteria:

1. Significant reliance on IT services and technologies to achieve business objectives
2. Strong relationship with IT and willingness to engage in risk management activities
3. Unique perspectives, skills, and experiences that IT may not possess

Key stakeholders to complete the risk identification activities will include:

• [CIO: Head of IT] – Council Chair
• [CRO: Head of Risk]
• [IT Directors, Applications, Infrastructure, Security, PMO, etc.]
• [Additional C-Level heads of business units]
• Ad hoc members, as required, who are experts of particular business processes or technologies

Review Risk Categories

By exercising a technique known as Risk Prompting, <Insert Organization Name> is able to take a top-down
approach to risk identification. Research Group has provided a catalog of nine risk categories that describes high-
level groupings of IT functions where risks are frequently presented. Risk categories are complemented by risk
scenarios which represent common risk groups that are more specific than each risk category. The comprehensive
catalog of risk categories, risk scenarios, and risk events can be found in Appendix A of this manual. The nine risk
categories and associated risk scenarios are as follows:

1. IT Operations Risks
a. Enterprise Architecture
b. Technology Evaluation and Selection
c. Capacity Planning
d. Operation Errors
2. Hardware Risks
a. Hardware Implementation Errors
b. Hardware Configuration Errors
c. Hardware Maintenance Errors
d. Hardware Performance
e. Hardware Theft
f. Hardware Damage/Destruction

g. Hardware Obsolescence
3. Software Risks
a. Software Implementation Errors
b. Software Configuration Errors
c. Software Maintenance Errors
d. Software Performance
e. Software Obsolescence
4. Data Risks
a. Data Theft
b. Data Integrity (Damage/Destruction)
5. Vendor Relation Risks
a. Vendor Selection
b. Vendor Management
c. Contract Termination
6. Project Risks
a. Project Scoping
b. Project Quality
c. Project Time Over-Runs
d. Project Cost Over-Runs
7. Personnel Risks
a. IT Staffing
b. IT Skills and Experience
8. Disaster and Continuity Risks
a. Acts of Nature
b. Utility Performance
c. Industrial Actions
d. System Failure
9. Compliance & Security Risks
a. Regulatory Compliance
b. Malware
c. Externally Originated Attack
d. Internally Originated Attack

Augment Risk Identification with COBIT 5 Processes

To complete the risk identification exercise, the IT risk council frequently reviews COBIT’s processes to identify
additional risk events associated with each process.

Responsible Party
Risk events will be identified by the IT risk council.

Timing and Frequency
Risk events will be identified on an <Insert Frequency> basis and reviewed on an <Insert Frequency> basis.

5.2 Cataloguing Risk Events

Identified risk events are documented in the Risk Register Tool to prepare for risk assessment. The corresponding
risk category will also be tracked in the tool. An identification tag will be assigned to each risk event to perpetually
track that unique risk. As risk events occur, they are tracked in the Risk Register Tool.

Responsible Party
Risk events will be documented and tracked in the Risk Register Tool by the IT risk council.

Timing and Frequency
Risk events will be cataloged on an <Insert Frequency> basis and realized risk events will be documented as they
occur.

5.3 Assessing Risk Severity

Risk severity is calculated to help the organization understand which of the current risk events represent the most
significant threat to the organization and are most in need of a response. Risk severity is determined via a two-level
approach. First, all identified risk events are evaluated using a Risk Severity Level Assessment (negligible, low,
medium, high, extreme). Second, top-priority risks are re-assessed using an Expected Cost Assessment.

A Risk Severity Level Assessment is conducted by creating scales for risk probability and financial impact, which
inform an overall severity rating. Expected Cost Assessment calculates precise expected cost values, reflecting
more specific estimates for probability and impact. Expected cost is useful for illustrating the financial severity of
key risks to the business. These values are calculated using the Risk Costing Tool.

Unacceptable Risk Threshold


Before determining scales for probability and impact, the IT risk council must adopt <Insert Organization Name>’s
threshold for unacceptable risk. This value is determined or approved by the Senior Leadership Team. Any risk
event severity that exceeds this threshold must be acted upon immediately. This threshold should reflect <Insert
Organization Name>’s ability to absorb financial losses and reflect its organizational appetite and tolerance for risk.

<Insert Organization Name> (Un)Acceptable Risk Threshold: $ .


Last Updated: <DATE> .

Probability and Impact Severity Thresholds


The IT risk council uses the following financial and reputational severity scale to assess the impact of IT risk events:

Financial and Reputational Impact Level | Budgetary and Reputational Implications (Financial Impact; Reputational Impact)
Level 1 – Negligible | < $10,000; Internal IT stakeholders aware of risk event occurrence
Level 2 – Very Low | $10,001 – $25,000; IT directors aware of risk event occurrence
Level 3 – Low | $25,001 – $50,000; IT executives aware of risk event occurrence
Level 4 – Moderately Low | $50,001 – $100,000; Business customers aware of risk event occurrence
Level 5 – Moderate | $100,001 – $200,000; Business executives aware of risk event occurrence
Level 6 – Moderately High | $200,001 – $350,000; Board of directors aware of risk event occurrence
Level 7 – High | $350,001 – $500,000; External customers aware of risk event occurrence
Level 8 – Very High | $500,000 – $1,000,000; Media aware of risk event occurrence
Level 9 – Extreme | > $1,000,000; Regulatory body aware and investigating risk event

The IT risk council uses the following probability scale to assess the likelihood that IT risk events will occur over
the course of the following year:

Probability Level | Occurrence Criteria (Classification; probability of risk event within one year)
Level 1 – Negligible | Negligible; < 5%
Level 2 – Very Low | Very Unlikely; 5–15%
Level 3 – Low | Unlikely; 15–25%
Level 4 – Moderately Low | Somewhat Possible; 25–40%
Level 5 – Moderate | Possible; 40–60%
Level 6 – Moderately High | Possibly Likely; 60–75%
Level 7 – High | Likely; 75–85%
Level 8 – Very High | Very Likely; 85–95%
Level 9 – Extreme | Extremely Likely; > 95%

Proximity Considerations
The severity of a risk event can fluctuate over time. This characteristic of risk is called risk proximity. These
fluctuations are often unpredictable; however, when possible, information about how time will impact the risk will be
documented in the Risk Register Tool.

Frequency Considerations
A risk event may be expected to occur more than once within the specified time frame. Frequency is reflected in the
financial impact of the risk event. This is accounted for by multiplying the number of expected occurrences by the
expected financial impact of the risk event.
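The following Python is an added worked example of the two-level assessment described in this section; it is not part of the manual and not the Risk Register Tool or Risk Costing Tool. It encodes the nine-level impact and probability scales above exactly as given, computes expected cost as probability times financial impact times the number of occurrences expected in the year, and flags any event whose expected cost exceeds the unacceptable risk threshold. The manual does not say how the two levels combine into the five severity ratings (negligible, low, medium, high, extreme), so the product-of-levels banding, the RiskEvent field names and the $250,000 threshold used in the demonstration are assumptions; the 86% / $400,000 event values are the ones in the manual's Appendix B example.

```python
"""Added example: two-level severity assessment from section 5.3.

IMPACT_SCALE and PROBABILITY_SCALE hold the manual's own nine-level scales.
How the two levels combine into the five severity ratings is not stated on
the page; the product-of-levels banding below is an assumption.
"""
from dataclasses import dataclass

# (exclusive upper bound in dollars, level, name) for impact levels 1-8;
# anything at or above the last bound is level 9, Extreme.
IMPACT_SCALE = [
    (10_000, 1, "Negligible"),
    (25_000, 2, "Very Low"),
    (50_000, 3, "Low"),
    (100_000, 4, "Moderately Low"),
    (200_000, 5, "Moderate"),
    (350_000, 6, "Moderately High"),
    (500_000, 7, "High"),
    (1_000_000, 8, "Very High"),
]
# (exclusive upper bound as a fraction, level, name) for probability levels 1-8.
PROBABILITY_SCALE = [
    (0.05, 1, "Negligible"),
    (0.15, 2, "Very Low"),
    (0.25, 3, "Low"),
    (0.40, 4, "Moderately Low"),
    (0.60, 5, "Moderate"),
    (0.75, 6, "Moderately High"),
    (0.85, 7, "High"),
    (0.95, 8, "Very High"),
]
# ASSUMPTION: banding of (probability level x impact level), range 1-81, into
# the five ratings named in 5.3. The manual does not specify this mapping.
SEVERITY_BANDS = [(6, "negligible"), (15, "low"), (30, "medium"), (48, "high")]


def _lookup(scale, value):
    """Return (level, name) for the first band whose upper bound exceeds value."""
    for upper, level, name in scale:
        if value < upper:
            return level, name
    return 9, "Extreme"


def impact_level(impact_dollars):
    """Nine-level impact rating for a financial impact in dollars."""
    return _lookup(IMPACT_SCALE, impact_dollars)


def probability_level(probability):
    """Nine-level probability rating for a one-year probability (0.0-1.0)."""
    return _lookup(PROBABILITY_SCALE, probability)


def severity_rating(probability, impact_dollars):
    """First-level assessment: one of negligible/low/medium/high/extreme."""
    score = probability_level(probability)[0] * impact_level(impact_dollars)[0]
    for upper, name in SEVERITY_BANDS:
        if score <= upper:
            return name
    return "extreme"


def expected_cost(probability, impact_dollars, occurrences_per_year=1):
    """Second-level assessment: probability x impact, multiplied by the number
    of occurrences expected within the year (the frequency consideration)."""
    return round(probability * impact_dollars * occurrences_per_year, 2)


@dataclass
class RiskEvent:
    """Register entry; field names are assumptions, not the tool's schema."""
    tag: str
    description: str
    probability: float
    impact_dollars: float
    occurrences_per_year: int = 1


def assess(event, unacceptable_threshold):
    """Assess one event and check it against the organization's threshold."""
    cost = expected_cost(event.probability, event.impact_dollars,
                         event.occurrences_per_year)
    return {
        "tag": event.tag,
        "probability_level": probability_level(event.probability),
        "impact_level": impact_level(event.impact_dollars),
        "severity": severity_rating(event.probability, event.impact_dollars),
        "expected_cost": cost,
        # Any severity above the threshold must be acted upon immediately (5.3).
        "act_immediately": cost > unacceptable_threshold,
    }


if __name__ == "__main__":
    # Event values from the manual's Appendix B example; the threshold is constructed.
    vendor = RiskEvent("R-EXAMPLE", "Cloud vendor acquired or going out of business",
                       0.86, 400_000)
    print(assess(vendor, unacceptable_threshold=250_000))
```

With the Appendix B values the lookups give probability level 8 (Very High) and impact level 7 (High), an expected cost of $344,000 and, under the assumed banding, an extreme rating, which is what that example records. Note that the manual's bands leave the exact boundary values (for instance $10,000 or 5%) unassigned; the lookup treats each upper bound as exclusive, so a boundary value falls into the higher band.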

Responsible Party
The organization’s threshold for (un)acceptable IT risk is determined or approved by the senior leadership team.
Probability and impact scales are determined by the IT risk council, and then transferred to the Risk Register Tool.
High-severity risks are assessed for expected cost by the IT risk council using the Risk Costing Tool.

Timing and Frequency


Risk-related thresholds will be reviewed on an <Insert Frequency> basis and risk-severity scales for each risk event
will be reviewed on an <Insert Frequency> basis. A comprehensive assessment of the IT risk portfolio will be
conducted on an <Insert Frequency> basis.

5.4 Risk Event Accountabilities and Monitoring Responsibilities
Every risk event in the Risk Register Tool must be assigned to a member of the IT risk council who is responsible
for monitoring the risk event’s severity and reporting changes at ITRC (IT risk council) meetings. Risk owners are
selected based on their:

• Familiarity with the process, project, or IT function related to the risk event.
• Ability to access the necessary data to monitor and measure key risk indicators (KRIs).

Risk Owner Responsibilities

The responsibilities of the risk owner are:

• Monitor the risk event for changes in probability of occurrence and/or probable impact
• Monitor changes in the market and external environment that may alter the severity of the risk event
• Monitor changes of closely related risks that may have interdependencies
• Develop and use KRIs to measure changes in risk severity
• Regularly report changes in risk severity to the IT risk council
• If necessary, escalate the risk to other IT risk council personnel or senior management for reassessment
• Monitor risk severity levels for risk events after a risk response project is implemented

Severe risk events that exceed the (un)acceptable risk threshold must be closely monitored and regularly reported
on. Use ’s Risk Event Action Plan (Appendix B) to ensure that changes in risk severity are detected and reported.

Responsible Party
Risk Accountability will be assigned by the IT risk council.

Timing and Frequency


Risk Accountability will be assigned on an <Insert Frequency> basis.

5.5 Selecting Risk Responses


All risk responses fall under one of the following categories:

1. Avoidance – Risk avoidance involves taking evasive maneuvers away from the risk event. Risk avoidance
targets risk probability, decreasing the likelihood of the risk event occurring.
2. Mitigation – Risk mitigation actions are risk responses that reduce the probability and impact of the risk
event. Risk mitigation actions can either be to implement new controls or enhance existing ones.
3. Transfer – Risk transfer is the exchange of uncertain future costs for fixed present costs. Often, the
uncertain future cost of an IT risk event can be transferred to a third-party insurer who assumes the risk in
exchange for insurance premiums.
4. Acceptance – Accepting a risk means absorbing the expected cost of a risk event. It is a conscious and
deliberate decision to retain the threat.

Cost-Benefit Analysis (CBA)


When selecting a risk mitigation action, the IT risk council uses a cost-benefit analysis to guide financial decision-
making. This enables the IT risk council to assess numerous risk mitigation actions and make risk-conscious
investment decisions that fall within the IT budget. This exercise is completed by using ’s Risk Costing Tool. The
Risk Costing Tool enables us to analyze the capital expenditures, operating expenditures, and expected residual
financial impact following implementation of each risk mitigation action.

Responsible Party
Risk responses will be generated and assessed by the risk owner and presented to the IT risk council for further
review.

Timing and Frequency


Risk responses will be determined once risk severities are finalized during <Insert Frequency> risk assessments.

5.6 Risk Reporting


Reporting requirements for risk events, including escalation protocols, are established in the respective Risk Event
Action Plan (Appendix B) of each risk event. High-level summaries of the IT risk portfolio are communicated to the
senior leadership team using the Risk Report Template located in Appendix C.
Dashboards, distribution graphs, and pie charts reflecting the most recent risk assessment are produced by the Risk
Register Tool and can be found on its Dashboards tab.

Chart 1: Sample Risk Dashboards

Responsible Party
The risk report will be completed by the IT risk council. Specific reports on key risks will be completed by the risk
owner using personal knowledge and information documented in the Risk Event Action Plan.
Timing and Frequency
Risk reports will be completed on an <Insert Frequency> basis, as mandated by the senior leadership team.

Appendix A: Risk Catalog
This risk catalog is provided as a guide to stimulate the process of developing a custom risk catalog appropriate to
an individual enterprise. This risk catalog is structured according to risk scenarios and risk categories and provides
some examples of appropriate risks in each but under no circumstances is it to be considered a complete risk
catalog since definitions of risk can be variable amongst different organizations.

IT Operations Risks
Enterprise Architecture
Listed risks are generic in nature; individual risk events will apply to each enterprise architecture event.
• An enterprise architecture is improperly defined.
• An enterprise architecture is improperly maintained.
• Correlation of systems implementations with defined architecture is improperly tracked.
• Systems are implemented that do not correlate with the defined enterprise architecture.
Technology Evaluation and Selection
Listed risks are generic in nature; individual risk events will apply to each technology evaluation and selection event.
• System use case is improperly defined.
• Systems are improperly specified to meet defined use case.
• Systems are improperly evaluated to demonstrate ability to meet defined use case.
• Systems are improperly selected to meet the defined use case.
Capacity Planning
Listed risks are generic in nature; individual risk events will apply to each capacity planning event.
• Systems are deployed with insufficient capacity to meet defined use case.
• Systems are deployed with insufficient capacity to meet defined use case life.
Operations Errors
Listed risks are generic in nature; individual risk events will apply to each operations error event.
• Scheduled jobs/processes are not defined.
• Scheduled jobs/processes are defined insufficiently/inappropriately.
• Scheduled jobs/processes are not revised as functional requirements are revised.
• Scheduled jobs/processes fail to run.
• Exceptional jobs/processes are not defined.
• Exceptional jobs/processes are defined insufficiently/inappropriately.
• Exceptional jobs/processes are not revised as functional requirements are revised.
• Exceptional jobs/processes fail to run.

Hardware Risks
Hardware Implementation Errors
Listed risks are generic in nature; individual risk events will apply to each hardware implementation event.
• Hardware implementation requirements are improperly defined.
• Systems deliver degraded functionality because hardware is implemented incorrectly.
• Systems fail completely because hardware is implemented incorrectly.
Hardware Configuration Errors
Listed risks are generic in nature; individual risk events will apply to each hardware configuration event.
• Hardware configuration requirements are improperly defined.
• Systems deliver degraded functionality because hardware is configured incorrectly.
• Systems fail completely because hardware is configured incorrectly.
Hardware Maintenance Errors
Listed risks are generic in nature; individual risk events will apply to each hardware maintenance event.
• Hardware maintenance requirements are improperly defined.
• Systems deliver degraded functionality because hardware is maintained incorrectly.
• Systems fail completely because hardware is maintained incorrectly.
Hardware Performance
Listed risks are generic in nature; individual risk events will apply to each hardware performance event.
• Hardware performance requirements are improperly defined.
• Systems deliver degraded functionality because hardware fails to perform as expected/required.
• Systems fail completely because hardware fails to perform as expected/required.
Hardware Theft
Listed risks are generic in nature; individual risk events will apply to each hardware theft event.
• Systems deliver degraded functionality because hardware has been stolen.
• Systems fail completely because hardware has been stolen.
Hardware Damage/Destruction
Listed risks are generic in nature; individual risk events will apply to each hardware damage/destruction event.
• Systems deliver degraded functionality because hardware has been intentionally damaged/destroyed.
• Systems deliver degraded functionality because hardware has been inadvertently damaged/destroyed.
• Systems fail completely because hardware has been intentionally damaged/destroyed.
• Systems fail completely because hardware has been inadvertently damaged/destroyed.
Hardware Obsolescence
Listed risks are generic in nature; individual risk events will apply to each hardware obsolescence event.
• Systems deliver degraded functionality because hardware has become obsolete.
• Systems fail because component hardware has become obsolete.

Software Risks
Software Implementation Errors
Listed risks are generic in nature; individual risk events will apply to each software implementation event.
• Software implementation requirements are improperly defined.
• Systems deliver degraded functionality because software is implemented incorrectly.
• Systems fail completely because software is implemented incorrectly.
Software Configuration Errors
Listed risks are generic in nature; individual risk events will apply to each software configuration event.
• Software configuration requirements are improperly defined.
• Systems deliver degraded functionality because software is configured incorrectly.
• Systems fail completely because software is configured incorrectly.
Software Maintenance Errors
Listed risks are generic in nature; individual risk events will apply to each software maintenance event.
• Software maintenance requirements are improperly defined.
• Systems deliver degraded functionality because software is maintained incorrectly.
• Systems fail completely because software is maintained incorrectly.
Software Performance
Listed risks are generic in nature; individual risk events will apply to each software performance event.
• Software performance requirements are improperly defined.
• Systems deliver degraded functionality because software fails to perform as expected/required.
• Systems fail completely because software fails to perform as expected/required.
Software Obsolescence
Listed risks are generic in nature; individual risk events will apply to each software obsolescence event.
• Systems deliver degraded functionality because software has become obsolete.
• Systems fail because component software has become obsolete.

Data Risks
Data Theft
Listed risks are generic in nature; individual risk events will apply to each data theft event.
• Systems deliver degraded functionality because data has been intentionally stolen.
• Systems deliver degraded functionality because data has been inadvertently lost.
• Systems fail completely because data has been intentionally stolen.
• Systems fail completely because data has been inadvertently lost.
• Confidentiality is breached because data has been intentionally stolen.
• Confidentiality is breached because data has been inadvertently lost.
Data Integrity (Damage/Destruction)
Listed risks are generic in nature; individual risk events will apply to each data damage/destruction event.
• Systems deliver degraded functionality because data has been intentionally damaged/destroyed.
• Systems deliver degraded functionality because data has been inadvertently damaged/destroyed.
• Systems fail completely because data has been intentionally damaged/destroyed.
• Systems fail completely because data has been inadvertently damaged/destroyed.

Vendor Risks
Vendor Selection
Listed risks are generic in nature; individual risk events will apply to each vendor selection event.
• Use cases against which vendors must execute are improperly defined.
• Vendors are improperly evaluated to demonstrate ability to meet defined use case.
• Vendors are improperly selected to meet the defined use case.
Vendor Management
Listed risks are generic in nature; individual risk events will apply to each vendor management event.
• Vendor performance requirements are improperly defined.
• Vendor performance against defined performance requirements is improperly tracked.
• Vendors fail to meet defined performance requirements.
• Consequences for failed vendor performance are improperly defined.
• Consequences for failed vendor performance are improperly applied.
Contract Termination
Listed risks are generic in nature; individual risk events will apply to each contract termination event.
• Contract termination trigger events are improperly defined.
• Contract termination processes are improperly defined.
• Contract termination processes are improperly executed.

Project Risks
Project Scoping
Listed risks are generic in nature; individual risk events will apply to each project scoping event.
• Project requirements/specifications are improperly defined.
• Projects are improperly scoped to meet defined requirements/specifications.
• Project scope is insufficiently controlled to deliver only defined requirements/specifications.
Project Quality
Listed risks are generic in nature; individual risk events will apply to each project quality event.
• Projects fail to meet original project requirements/specifications.
• Projects fail to meet revised project requirements/specifications.
Project Time Over-Runs
Listed risks are generic in nature; individual risk events will apply to each project time over-run event.
• Projects fail to complete within original time estimates.
• Projects fail to complete within revised time estimates.
Project Cost Over-Runs
Listed risks are generic in nature; individual risk events will apply to each project cost over-run event.
• Projects fail to complete within original budget estimates.
• Projects fail to complete within revised budget estimates.

Personnel Risks
IT Staffing
Listed risks are generic in nature; individual risk events will apply to each IT staffing event.
• IT roles and responsibilities for IT staff have been improperly defined.
• IT organization/management structure is improperly defined.
• IT staff are insufficient to meet defined IT roles and responsibilities.
• IT roles and responsibilities are being executed by non-IT staff.
• IT roles and responsibilities are being executed by alternate IT staff.
IT Skills and Experience
Listed risks are generic in nature; individual risk events will apply to each IT skills and experience event.
• IT staff do not have sufficient skills to meet defined roles and responsibilities.
• IT staff do not have sufficient experience to meet defined roles and responsibilities.

Disaster and Continuity Risks
Acts of Nature
Listed risks are generic in nature; individual risk events will apply to each act of nature event.
• Organization experiences a flood.
• Organization experiences a fire.
• Organization experiences an explosion.
• Organization experiences an earthquake.
• Organization experiences a tsunami.
• Organization experiences a tornado.
• Organization experiences a hurricane.
• Organization experiences a catastrophic impact.
• Organization is exposed to a radioactive agent.
• Organization is exposed to a chemical agent.
• Organization is exposed to a biological agent.
Utility Performance
Listed risks are generic in nature; individual risk events will apply to each utility performance event.
• Organization is impacted by degradation/loss of voice telecommunications connectivity.
• Organization is impacted by degradation/loss of data telecommunication connectivity.
• Organization is impacted by degradation/loss of electrical power delivery.
• Organization is impacted by degradation/loss of heating energy delivery.
• Organization is impacted by degradation/loss of water delivery.
Industrial Action
Listed risks are generic in nature; individual risk events will apply to each industrial action event.
• Organization is impacted by industrial action on the part of its employees.
• Organization is impacted by industrial action on the part of employees of a third party.
System Failure
Listed risks are generic in nature; individual risk events will apply to each system failure event.
• Organization is impacted by degradation/loss of system functionality.

Compliance & Security Risks
Regulatory Compliance
Listed risks are generic in nature; individual risk events will apply to each regulatory compliance event.
• Organization fails to meet the specified requirements of an internal audit.
• Organization fails to meet the specified requirements of an external audit.
• Organization fails to meet a compliance requirement mandated by a third party.
Malware
Listed risks are generic in nature; individual risk events will apply to each malware event.
• Organization experiences a malware incident.
Externally Originated Attack
Listed risks are generic in nature; individual risk events will apply to each external attack event.
• Organization experiences a spam incident.
• Organization experiences a phishing incident.
• Organization experiences a wired network penetration/breach incident.
• Organization experiences a wireless network penetration/breach incident.
• Organization experiences a social engineering incident.
Internally Originated Attack
Listed risks are generic in nature; individual risk events will apply to each internal attack event.
• Organization experiences an abuse of privileges incident.
• Organization experiences an elevation of privileges incident.

Appendix B: Risk Event Action Plan
Introduction: How to Use This Template
This template will help you establish and track accountability within your department and determine next steps for
managing IT risk. This form is used for all high-priority risk events.
Use Table 1 to list the risk event, details, owner, severity, and the monitoring and reporting schedule for the risk
event.
Use Table 2 to indicate the individual(s) accountable for monitoring the event, and the key risk indicators (KRIs)
used to monitor it.
Use Table 3 to track information regarding the organization’s response to the risk, including the project manager,
residual risk severity, and any other important details.
Obtain sign off from senior leadership at the bottom of the form to ensure that the business is aware of the
monitoring responsibilities and risk responses for each key risk.
Delete these guidelines prior to using the form.

Introduction
Risk management is an important part of our overarching IT strategy to support business objectives and drive value
for the business.
The purpose of this form is to establish and track accountability for managing and controlling specific risk events
impacting the organization. This information is to be collected in the tables below, and acted upon accordingly.
This information will be reviewed and signed off <Insert Frequency> or as otherwise indicated by senior
management.

Table 1: Risk Event Information

Risk Event: Cloud vendor is being acquired or going out of business.
Details: Issue with product delivery. Classified as a Vendor Risk.
Risk Event Owner: Bob Smith, Security Manager
Reporting Requirement: Bi-weekly reports to IT risk council.
Probability: Very High | Impact: High | Risk Severity: Extreme
Absolute Probability: 86% | Financial Impact ($): $400,000 | Expected Cost: $344,000

Table 2: Risk Event Accountabilities and Key Risk Indicators

Accountable Party | Key Risk Indicator | Metric | Method | Escalation Threshold | Escalate To
Bob Smith, Security Manager | Financial health | Stock price | Monitor stock prices | Falls below $X | CIO
Bob Smith, Security Manager | Potential for merger or acquisition | Number of recent mergers or acquisitions in the industry | Market research | More than one industry consolidation in the last year | CIO
Bob Smith, Security Manager | Potential for merger or acquisition | Indication from the vendor | Intel from vendor reps | Two or more vendor staff predicting acquisition | CIO
Bob Smith, Security Manager | Dependence on vendor | Number of alternative vendors identified | Consult with strategic sourcing/vendor management personnel | Fewer than two alternative vendors | CIO
Bob Smith, Security Manager | Dependence on vendor | Estimated cost to transition to new vendor | Consult with strategic sourcing/vendor management personnel | Greater than $X | CIO


Table 3: Risk Responses

The IT risk council selected an appropriate risk response to reduce the probability of occurrence and/or the impact
if the event were to occur.

Risk Event: Cloud vendor is being acquired or going out of business.
Risk Response: Risk mitigation action.
Risk Response Detail: Implement a secondary back-up cloud vendor.
Risk Owner: Bob Smith, Security Manager | Risk Response Project Manager: Alison Tim, Security Analyst
Risk Response Capital Expenditure: $200,000 | Risk Response Operating Expenditures: $10,000/month
Residual Probability: 5% | Residual Financial Impact ($): $400,000
Residual Risk Severity: $20,000

Executive Signatures
By signing below, you indicate that you:
a) Are aware of the above IT risk and its potential impact on business objectives.
b) Support the risk assessment conducted by the IT risk council.
c) Support the plan of action and monitoring responsibilities proposed by the IT risk council.

____________________________ ______________________________________ _____________


Name Signature Date

____________________________ ______________________________________ _____________


Name Signature Date

____________________________ ______________________________________ _____________


Name Signature Date

Appendix C: Risk Report Template
Introduction: How to Use This Template
This template is designed to help you communicate the results of recent risk assessments to the senior leadership
team, and provides a summary of important IT risk management developments. The template provides an
executive summary of the risk assessment, recommendations from the IT risk council to address high-priority risks,
and summarizes funding requests for risk response actions.
Use the table in the Risk Identification section below to list the number of risk events under each major IT risk
category. Augment the presentation by inserting risk distribution graphics from the dashboards tab of the Risk
Register Tool.
Insert the “Risk Response Actions” graphic from the dashboards tab of the Risk Register Tool into the Risk
Assessment section of this report. Next, list high-priority risk events that must be reported to senior leadership.
Use the “Subsequent Risk Analysis” section of this document to demonstrate the expected costs of each risk event
and evaluated risk responses as calculated in the Risk Costing Tool. Provide recommendations to describe which
risk response is necessary, and use the expected costs, alternative risk response options, and five-year expected
costs to support your recommendations. Obtain sign-off from the senior leadership team. Copy and paste the
“Subsequent Risk Analysis” as needed to evaluate all high-priority risk events.
Delete these guidelines prior to using the form.

Executive Brief
On <Insert Date Here>, the IT risk council undertook its annual risk review. The IT risk council completed risk
identification and risk assessment exercises, and built risk responses for key risks that were above the
organizational unacceptable risk threshold. This risk report documents the results of the annual review as well as
numerous risk response mitigation actions for each risk event, and the IT risk council’s recommendations to
mitigate key risk events. The risk report was developed through the completion of ’s Build a Business-Driven IT
Risk Management Program blueprint.
The Risk Register Tool and Risk Costing Tool were used to track risks and determine appropriate risk responses.

Results of Risk Management Activities


Risk Identification
The IT risk council used ’s nine risk categories to comprehensively identify <Insert Number Here> IT risk events.
The portfolio of risk events is documented in ’s Risk Register Tool. Risk events were categorized by scenario:

Risk Category Number of Risk Events

IT Operations Risk 7

Hardware Risk 0

Software Risk 1

IT Project Risk 1

IT Personnel Risk 1

Data Risk 1

IT Vendor Risk 0

Disaster & Continuity Risk 0

Compliance & Security Risk 0

Chart: Risk Category Distribution (bar chart of the number of risk events in each of the nine risk categories, as
tabulated above).

Risk Assessment
The IT risk council evaluated the severity of each IT risk event by assessing the probability of occurrence and
impact. The IT risk council evaluated probability and impact using the nine-level scales:

Chart: Risk Severity Distribution (bar chart of the number of risk events at each severity level, from Negligible
through Very Low, Low, Moderately Low, Moderate, Moderately High, High and Very High to Extreme).

Risk Responses
The IT risk council determined the necessary risk response for each identified risk event. There were four courses
of action to describe the most appropriate risk response:

Chart: Risk Response Actions (bar chart of the number of risk events assigned to each response: Accept Risk,
Defer/Avoid Risk, Mitigate Risk, Transfer/Insure Risk; one response category holds five events and the other three
hold none).

Numerous key risks require additional risk response analysis by executive stakeholders. These risk events and
their subsequent individual risk response analyses will be presented in the following section. However, key risk
events under consideration for further analysis are as follows:

Risk Number Risk Events

R002 Lack of measurement – power performance

R027 Change control process has no post-change review

R068 Loss of function based on H/W failure

R070 Loss of payment card processing (fines) (PCI)

R082 Inconsistent contract management (high cost, low service)

Subsequent Risk Response Analysis


Copy and paste this section as many times as needed. This depends on the number of key risks that require
additional risk response analysis by executive stakeholders.

Table One: Risk Event Information

Risk Event: Cloud vendor is being acquired or going out of business.
Details: Issue with product delivery. Classified as a Vendor Risk.
Root Cause:
Existing Controls:
Risk Event Owner: Bob Smith, Security Manager
Reporting Requirement: Bi-weekly reports to IT risk council
Probability: Very High | Impact: High | Risk Severity: Extreme
Absolute Probability: 86% | Financial Impact ($): $400,000 | Expected Cost: $344,000


Table Two: Risk Response Information

Risk Response #1: Accept
Capital Expenditure: 0 | Operating Expenditure: 0
Residual Absolute Probability: 50% | Residual Financial Impact: $5,000
Residual Expected Cost: $2,500

Risk Response #2: Implement a basic firewall
Capital Expenditure: $7,500 | Operating Expenditure: $1,000/year
Residual Absolute Probability: 10% | Residual Financial Impact: $5,000
Residual Expected Cost: $500

Risk Response #3: Outsource to a vendor
Capital Expenditure: 0 | Operating Expenditure: $4,000/year
Residual Absolute Probability: 5% | Residual Financial Impact: $5,000
Residual Expected Cost: $250

Risk Response #4: Implement a comprehensive spam firewall for all user accounts
Capital Expenditure: $12,000 | Operating Expenditure: $500/year
Residual Absolute Probability: 0.1% | Residual Financial Impact: $5,000
Residual Expected Cost: $50

Supporting Graphics

Chart: Total Five-Year Expected Costs of Risk Responses (bar chart; y-axis: Total Expected Cost ($), $0 to $25,000;
bars: Risk Response #1, Risk Response #2, Risk Response #3, Risk Response #4; plotted values $21,250, $15,000,
$14,525 and $12,500).

Recommendations
The above graph represents the annual expected cost of each risk response under consideration. Although
implementing a comprehensive spam firewall for all user accounts has a high initial capital expense, it reduces the
probability of occurrence to nothing. Therefore, Risk Response #4 is the recommendation of the IT risk council.
This project will cost approximately $12,000 to implement, and the IT risk council is therefore requesting funding
from executive leadership to mitigate this risk.
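The expected-cost arithmetic behind Tables One and Two and the five-year chart, as an added worked example that is not part of the original template. It uses the template's sample figures and assumes a five-year horizon in which the operating expenditure and the residual expected cost recur every year (the horizon and the recurrence are assumptions made here to reproduce the chart).

```python
"""Expected-cost comparison of the risk responses in Tables One and Two.

Added example, not part of the program manual template. Horizon and
yearly recurrence of residual cost are assumptions made here.
"""
from dataclasses import dataclass


def expected_cost(probability: float, impact: float) -> float:
    """Annual expected cost = absolute probability x financial impact (Table One)."""
    return probability * impact


@dataclass(frozen=True)
class RiskResponse:
    name: str
    capital: float               # one-time capital expenditure
    operating: float             # operating expenditure per year
    residual_probability: float  # absolute probability after the response
    residual_impact: float       # financial impact after the response

    @property
    def residual_expected_cost(self) -> float:
        return expected_cost(self.residual_probability, self.residual_impact)

    def total_cost(self, years: int = 5) -> float:
        """Treatment cost plus the residual risk carried over the horizon."""
        return self.capital + years * (self.operating + self.residual_expected_cost)


# Sample values copied from Table Two (template example data).
RESPONSES = [
    RiskResponse("#1 Accept", 0, 0, 0.50, 5_000),
    RiskResponse("#2 Basic firewall", 7_500, 1_000, 0.10, 5_000),
    RiskResponse("#3 Outsource to a vendor", 0, 4_000, 0.05, 5_000),
    RiskResponse("#4 Comprehensive spam firewall", 12_000, 500, 0.001, 5_000),
]


def rank_responses(responses=RESPONSES, years: int = 5):
    """Return (name, total cost) pairs sorted from cheapest to most expensive."""
    return sorted(((r.name, r.total_cost(years)) for r in responses), key=lambda p: p[1])


if __name__ == "__main__":
    print(f"Inherent expected cost: ${expected_cost(0.86, 400_000):,.0f}")
    for name, cost in rank_responses():
        print(f"{name:32s} ${cost:>10,.0f}")
```

Computed this way the residual expected cost of Risk Response #4 is $5 (0.1% of $5,000) rather than the $50 shown in Table Two, and the five-year totals come out as $12,500, $15,000, $21,250 and $14,525, which are the values on the chart.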

Executive Signatures
Selected Risk Response: _____________________________________________________________________

By signing below, you indicate that you:


a) Are aware of the above IT risk and its potential impact on business objectives.
b) Support the risk assessment conducted by the IT risk council.
c) Support the plan of action and monitoring responsibilities proposed by the IT risk council.

____________________________ ______________________________________ _____________


Name Signature Date

____________________________ ______________________________________ _____________


Name Signature Date

Appendix D: Job Description – Chief Risk Officer

Title
Chief Risk Officer

Description
The Chief Risk Officer’s role is to directly assess and holistically manage all aspects of risk brought to bear on the
enterprise by IT security and legislative/regulatory compliance issues. The purview of this role includes risk as it
manifests in the areas of technology, operations, and strategy. Achievement of balance between IT security
concerns and compliance mandates is a primary objective of this role. The ability to make clear decisions under
pressure is required.

Responsibilities
Strategy & Planning
 Work with the executive and business managers to align the IT organization with business unit security and
compliance needs.
 Develop and institute security and compliance goals and objectives.
 Create and enforce security and compliance policies and standards.
 Establish guiding principles for flexible, yet holistic, compliance management.
 Review proposed projects to identify potential risks.
 Classify and valuate enterprise data assets.
 Project and track costs of risk management initiatives.
 Create dedicated security and compliance roles with segregation of duties as a fundamental factor.
 Identify and deploy standard risk assessment models or frameworks.
 Select and deploy appropriate best practices governance frameworks, such as COBIT.
 Create and communicate strategies for risk mitigation.

Acquisition & Deployment
 Assess all IT purchases to ensure they support security and compliance mandates.
 Deploy an integrated security toolset.

Operational Management
 Track and measure the enterprise’s risk posture.
 Review day-to-day management of IT security operations.
 Oversee automation of internal controls and centralize logging and reporting.
 Manage securing of all platforms and centralize security event management.
 Liaise between internal and external audit teams.
 Schedule and launch periodic audit reviews.
 Plan and oversee risk mitigation and remediation projects.
 Develop and deliver risk awareness training for key staff and stakeholders.

Position Requirements
Formal Education & Certification
 University degree in the field of law, computer science, or business administration, as well as […] years of
equivalent work experience.
 Certifications in CISSP, CISA, CISM, or […].

Knowledge & Experience
 Specific knowledge of risk management principles and models.
 Deep knowledge of business management practices and principles.
 Proven experience in audit of legislative and/or regulatory compliance.
 Exemplary knowledge of legislation and regulations pertaining to the […] industry.
 Experience in technical management of technology software and hardware platforms.
 Superlative understanding of the organization’s goals and objectives.

Personal Attributes
 Proven leadership and management skills.
 Highest levels of personal and professional integrity.
 Superior analytical and problem-solving abilities.
 Ability to effectively prioritize and execute tasks in a high-pressure environment.
 Proven experience in interfacing with executive teams, business management, and external firms.
 Excellent written, oral, and interpersonal communication skills.
 Ability to conduct research into existing and emerging security and compliance issues as required.
 Ability to present ideas in both business-friendly and IT-friendly language.
 Highly self-motivated and directed.
 Keen attention to detail.
 Team-oriented and skilled in working within a collaborative environment.

Work Conditions
 On-call availability and periodic overtime to meet project deadlines.
 […]% travel required.
 Sitting for extended periods of time.
 Dexterity of hands and fingers to operate a computer keyboard, mouse, and other computer components.

Appendix E: Risk Management Program Improvement Plan
Introduction: How to Use This Template
This template will help you jumpstart operational improvements to the IT risk management program based on the
challenges and successes of the program since the previous assessment period. It is intended to establish
accountability for each initiative as well as a timeline of completion. Tasks within each initiative should be reported
to the IT risk council as necessary. The improvement plan should also be communicated with the senior leadership
team through the IT risk management executive brief to demonstrate continuous commitment to risk management
enhancement.
Use the improvement plan to document challenges faced by the risk management program since the last
assessment period. Document initiatives generated and assign the liable action owner and the expected time frame
for completion.
Document your IT risk management program’s successes and accomplishments in the subsequent section.
Provide evidence to support each statement.
Obtain sign-off from senior leadership at the bottom of the form to ensure that the business is aware of the
monitoring and risk responses of each key risk.
Delete these guidelines prior to using the form.

Executive Brief
On <Insert Date Here>, the IT risk council undertook its <Insert Periodic Timeline> IT risk management program
review. The IT risk council completed a series of exercises to identify the successes and challenges of the IT risk
management program since the previous assessment period. The IT risk council built initiatives to mitigate key
operational challenges that were faced by the program. This risk management program improvement plan
documents the results of the <Insert Periodic Timeline> review as well as numerous successes and
accomplishments that the IT risk program capitalized on. The risk management program improvement plan was
developed through the completion of ’s Conduct a Regular Health Check for the IT Risk Management Strategy
blueprint.

Improvement Plan
(Columns: Challenge | Initiative | Action Owner | Time Frame)

Challenge: The IT risk council does not have authority to act on all risk response actions.
Initiative: Determine the correct escalation pathways for decision-making.
Action Owner:
Time Frame: Apr. 30th 2016

Challenge: Some risk council members were not actively involved in re-assessments.
Initiative: Implement performance metrics for risk council members.
Action Owner:
Time Frame: Apr. 30th 2016

Challenge: The IT risk council did not have the expertise to identify vendor risks.
Initiative: Select a member of the vendor management team to participate in the IT risk council.
Action Owner:
Time Frame: Apr. 30th 2016

Challenge: Identification of risk events does not follow a particular framework; therefore, risks were potentially missed.
Initiative: Methodologies will be reviewed and internalized into our program manual.
Action Owner:
Time Frame: Apr. 30th 2016


Challenge: Risk management activities are only executed once a year; risks identified throughout the year are not addressed in a timely manner.
Initiative: Quarterly IT risk council meetings with a specific agenda are to be scheduled.
Action Owner:
Time Frame: July 31st 2016

Challenge: No deadlines or action owners assigned for mitigation actions.
Initiative: Project managers and timelines to be determined for all risk responses.
Action Owner:
Time Frame: Sep. 30th 2016

Challenge: Specific risk actions were not identified for all risk events.
Initiative: Risk thresholds are to be set for determining when risk responses are necessary.
Action Owner:
Time Frame: Sep. 30th 2016

Challenge: The Risk Register Tool was not flexible and it was difficult to use.
Initiative: Procure a new risk management tracking tool.
Action Owner:
Time Frame: Nov. 30th 2016

Challenge: Internal IT risk management is frequently viewed as an unnecessary responsibility and as irrelevant.
Initiative: Generate a regular newsletter communicating the success of the risk management program.
Action Owner:
Time Frame: Dec. 15th 2016

Challenge: The leadership team is not engaged in and has not bought into risk management activities.
Initiative: Host a formal risk management education session through the IT risk management program.
Action Owner:
Time Frame: Dec. 31st 2016

Successes and Accomplishments
Since the previous assessment period, the IT risk management program has had many successes and
accomplishments:
1. Risk management processes have been strictly followed as documented.
a. Risk management activities were documented in our risk management program manual.
2. The IT risk landscape is adequately covered.
a. No new risks have been identified.
3. Risks are tracked year over year.
a. An annual risk assessment takes place.
4. Risk severity ratings are tracked year over year.
a. Key risk events were monitored by independent risk owners.
5. <Insert number here> projects have been undertaken to mitigate IT’s severest risks.
a. E.g. data is backed up in the cloud system; competitors lost data when it was breached.

Executive Signatures

By signing below, you indicate that you:


a) Support the operational assessment conducted by the IT risk council.
b) Support the plan of action and monitoring responsibilities proposed by the IT risk council.

____________________________ ______________________________________ _____________


Name Signature Date

____________________________ ______________________________________ _____________


Name Signature Date

____________________________ ______________________________________ _____________


Name Signature Date
