REFERENCE MATERIALS:
E. Wainright Martin, et al. (’91), Managing Information and Technology What Managers Need to Know
Carol Brown, et al, (2012), Managing Information and Technology, 7th Edition
CISA MANUAL, 27TH EDITION, UPDATED FOR JOB PRACTICE 2019
MANAGING INFORMATION and TECHNOLOGY
A.Y. 2023-2024
DHVSU BSAIS Third Year, A.Y. 2023-2024/ KMS
Unit 6: ENTERPRISE RISK MANAGEMENT
Risk management is the process of identifying vulnerabilities and threats to
the information resources used by an organization in achieving business
objectives and deciding what countermeasures (safeguards or controls), if
any, to take in reducing risk to an acceptable level (i.e., residual risk),
based on the value of the information resource to the organization.
Effective risk management begins with a clear understanding of the
organization’s appetite for risk. This drives all risk management efforts
and, in an IT context, impacts future investments in technology, the extent
to which IT assets are protected and the level of assurance required. Risk
management encompasses identifying, analyzing, evaluating, treating,
monitoring and communicating the impact of risk on IT processes. Having
defined risk appetite and identified risk exposure, strategies for managing
risk can be set and responsibilities clarified.
Depending on the type of risk and its significance to the business, management
and the board may choose to:
• Avoid—Eliminate the risk by eliminating the cause (e.g., where feasible, choose
not to implement certain activities or processes that would incur risk).
• Mitigate—Lessen the probability or impact of the risk by defining, implementing
and monitoring appropriate controls.
• Share/Transfer—Share risk with partners or transfer via insurance coverage,
contractual agreement or other means.
• Accept—Formally acknowledge the existence of the risk and monitor it.
Therefore, risk can be avoided, reduced, transferred or accepted. An organization
can also choose to reject risk by ignoring it, which can be dangerous and should
be considered a red flag by the IS auditor.
1.6.1 DEVELOPING A RISK MANAGEMENT PROGRAM
Steps to developing a risk management program include:
• Establish the purpose of the risk management program—The first step is to
determine the organization’s purpose for creating a risk management program.
The program’s purpose may be to reduce the cost of insurance or reduce the
number of program-related injuries. By determining its intention before
initiating risk management planning, the organization can define KPIs and
evaluate the results to determine the program’s effectiveness. Typically,
senior management, with the board of directors, sets the tone and goals for
the risk management program.
• Assign responsibility for the risk management plan—The second step is to
designate an individual or team responsible for developing and implementing
the organization’s risk management program. While the team is primarily
responsible for the risk management plan, a successful program requires the
integration of risk management within all levels of the organization.
Operations staff and board members should assist the risk management
committee in identifying risk and developing suitable loss control and
intervention strategies.
1.6.2 RISK MANAGEMENT PROCESS
To ensure that an enterprise manages its risk consistently and appropriately,
an organization should identify and establish a repeatable process to manage
its IT risk. Basic steps in the risk management process are described in the
following sections.
Step 1: Asset Identification
The first step in the process is the identification and collection of relevant
data to enable effective IT-related risk identification, analysis and
reporting. This will help to identify information resources or assets that
need protection because they are vulnerable to threats.
In this context, a threat is any circumstance or event with the potential to
cause harm (such as destruction, disclosure, modification of data and/or
denial of service) to an information resource. The purpose of the
classification may be either to prioritize further investigation and identify
appropriate protection (simple classification based on asset value) or to
enable a standard model of protection to be applied (classification in terms
of criticality and sensitivity).
Examples of typical assets associated with information and IT include:
• Information and data
• Hardware
• Software
• Documents
• Personnel
Other, more traditional business assets for consideration are buildings, stock
of goods (inventory), and cash and intangible assets such as goodwill or
image/reputation.
Step 2: Evaluation of Threats and Vulnerabilities to Assets
The second step in the process is to assess threats and vulnerabilities
associated with the information resource and the likelihood of their
occurrence.
Common classes of threats are:
• Errors
• Malicious damage/attack
• Fraud
• Theft
• Equipment/software failure
IT risk occurs because of threats (or predisposing conditions) that have the
potential to exploit vulnerabilities associated with use of information
resources.
Vulnerabilities are characteristics of information resources that can be
exploited by a threat to cause harm.
Examples of vulnerabilities are:
• Lack of user knowledge
• Lack of security functionality
• Inadequate user awareness/education (e.g., poor choice of passwords)
• Untested technology
• Transmission of unprotected communications
For a vulnerability to be realized, there must be either a human or
environmental threat to exploit the vulnerability. Typical human threat
actors (or threats caused by humans) are:
• Novices (kiddie scripters)
• Hacktivists
• Criminal
• Terrorists
• Nation-states
• Riots and civil unrest
Typical environmental threats include the following:
• Floods
• Lightning
• Tornados
• Hurricanes
• Earthquakes
Step 3: Evaluation of the Impact
The result of a threat agent exploiting a vulnerability is called an impact.
The impact can vary in magnitude, affected by severity and duration. In
commercial organizations, threats usually result in a direct financial loss in
the short term or an ultimate (indirect) financial loss in the long term.
Examples of such losses include:
• Direct loss of money (cash or credit)
• Breach of legislation (e.g., unauthorized disclosure)
• Loss of reputation/goodwill
• Endangering of staff or customers
• Breach of confidence
• Loss of business opportunity
• Reduction in operational efficiency/performance
• Interruption of business activity
Step 4: Calculation of Risk
After the elements of risk have been established, they are combined to form an
overall view of risk. A common method of combining the elements is to
calculate the following for each threat:
probability of occurrence × magnitude of impact
This will give a measure of overall risk. The risk is proportional to the
estimated likelihood of the threat and the value of the loss/damage.
Step 5: Evaluation of and Response to Risk
After risk has been identified, existing controls can be evaluated or new
controls designed to reduce the vulnerabilities to an acceptable level. These
controls are referred to as countermeasures or safeguards and include actions,
devices, procedures or techniques (i.e., people, processes or products).
The strength of a control can be measured in terms of its inherent or design
strength and the likelihood of its effectiveness. Characteristics of controls
that should be considered when evaluating control strength include whether
the controls are preventive, detective or corrective, manual or automated,
and formal (i.e., documented in procedure manuals and evidence of their
operation is maintained) or ad hoc.
Residual risk, the remaining level of risk after controls have been applied,
can be further reduced by identifying those areas in which more control is
required. An acceptable level of risk target can be established by management
(risk appetite).
Risk in excess of this level should be reduced by the implementation of more
stringent controls.
Risk below this level should be evaluated to determine whether an excessive
level of control is being applied and whether cost savings can be made by
removing these excessive controls.
Final acceptance of residual risk considers:
• Organizational policy
• Risk appetite
• Risk identification and measurement
• Uncertainty incorporated in the risk assessment approach
• Cost and effectiveness of implementation
• Cost of control versus benefit
It is important to realize that IT risk management needs to operate at
multiple levels, including:
• The operational level—At the operational level, one is concerned with risk
that could compromise the effectiveness and efficiency of IT systems and
supporting infrastructure, the ability to bypass system controls, the
possibility of loss or unavailability of key resources (e.g., systems, data,
communications, personnel, premises), and failure to comply with laws and
regulations.
• The project level—Risk management needs to focus on the ability to
understand and manage project complexity and, if this is not done effectively,
to handle the consequent risk that the project objectives will not be met.
• The strategic level—The risk focus shifts to considerations such as how well
the IT capability is aligned with the business strategy, how it compares with
that of competitors and the threats (as well as the opportunities) posed by
technological change.
The identification, evaluation and management of IT risk at various levels are
the responsibility of different individuals and groups within the
organization. However, these individuals and groups should not operate
separately because risk at one level or in one area may also impact risk in
another. A major system malfunction could impair an organization’s ability to
deliver customer service or deal with suppliers, and it could have strategic
implications that require top management attention. Similarly, problems with a
major project could have strategic implications. Also, as projects deliver new
IT systems and infrastructure, the new operational risk environment needs to
be considered. In summary, the risk management process should achieve a
cost-effective balance between the application of security controls as
countermeasures and the significant threats. Some of the threats are related
to security issues that can be extremely sensitive for some industries.
1.6.3 RISK ANALYSIS METHODS
The most common risk analysis methods include qualitative, semiquantitative
and quantitative. Each has advantages and limitations.
Qualitative Analysis Methods
Qualitative risk analysis methods use word or descriptive rankings to describe
the impacts or likelihood. They are the simplest and most frequently used
methods—used mostly where the risk level is low.
They are normally based on checklists and subjective risk ratings such as
high, medium or low. While often less complicated and less time-consuming
than the other methods, they also lack the rigor that is customary for
accounting and management.
Semiquantitative Analysis Methods
In semiquantitative analysis, the descriptive rankings are associated with
a numeric scale. Such methods are frequently used when it is not possible to
use a quantitative method or to reduce subjectivity in qualitative methods.
For example, the qualitative measure of “high” may be given a quantitative
weight of 5, “medium” may be given 3 and “low” may be given 1. The total
weight for the subject area that is evaluated may be the aggregate of the
weights so derived for the various factors being considered.
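As an added example (not from the handout or the CISA manual), the Python below puts Step 4's probability × impact calculation, the 5/3/1 semiquantitative weights just described, and the Step 5 comparison of residual risk against management's risk appetite into one small risk register. The assets, ratings and appetite value are constructed sample data.

```python
# Added example (not from the handout): semiquantitative scoring of a small risk register.
# high/medium/low map to 5/3/1, Step 4's probability x impact gives the score, and the
# score is compared with a management-set risk appetite to suggest a treatment.
from dataclasses import dataclass

WEIGHTS = {"high": 5, "medium": 3, "low": 1}  # semiquantitative scale from the text


@dataclass
class RiskItem:
    asset: str
    threat: str
    likelihood: str           # "high", "medium" or "low"
    impact: str               # same scale
    controlled: bool = False  # True once a countermeasure is already applied


def score(item: RiskItem) -> int:
    """Step 4: probability of occurrence x magnitude of impact on the 5/3/1 scale.
    A rating outside the scale is an error rather than silently scored as zero."""
    try:
        return WEIGHTS[item.likelihood.lower()] * WEIGHTS[item.impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc} on {item.asset}/{item.threat}") from None


def treatment(item: RiskItem, appetite: int) -> str:
    """Compare the score with the acceptable level set by management (risk appetite).
    Avoid and share/transfer need business context the score lacks, so only
    reduce / review / accept are derived here."""
    s = score(item)
    if s > appetite:
        return "reduce: implement more stringent controls"
    if item.controlled:
        return "review: below appetite with controls applied, check for over-control"
    return "accept: formally acknowledge the risk and monitor it"


def build_register(items, appetite):
    """One row (asset, threat, score, treatment) per threat, highest score first."""
    rows = [(i.asset, i.threat, score(i), treatment(i, appetite)) for i in items]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def aggregate(items):
    """Total weight for the subject area: the aggregate of the per-threat scores."""
    return sum(score(i) for i in items)


# Constructed sample register (hypothetical assets and ratings, not from the handout).
SAMPLE = [
    RiskItem("customer database", "malicious damage/attack", "medium", "high"),
    RiskItem("payroll server", "equipment/software failure", "low", "high", True),
    RiskItem("office building", "flood", "low", "medium"),
]
APPETITE = 6  # hypothetical acceptable level chosen by management
```

Calling `build_register(SAMPLE, APPETITE)` ranks the database attack (15) for further controls, flags the already-controlled payroll failure (5) for an over-control review, and accepts the flood risk (3).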
Quantitative Analysis Methods
Quantitative analysis methods use numeric (e.g., monetary) values to describe
the likelihood and impacts of risk, using data from several types of sources
such as historic records, past experiences, industry practices and records,
statistical theories, testing, and experiments. This is a benefit because
these methods provide measurable results. Many quantitative risk analysis
methods are currently used by military, nuclear, chemical and financial
entities, as well as other areas. A quantitative risk analysis is generally
performed during a BIA (business impact analysis). The main problem within
this process is the valuation of information assets. Different individuals may
assign different values to the same asset, depending on the relevance of the
information to those individuals. In the case of technology assets, it is not
only the cost of the asset that is considered but also the cost of replacement
and the value of the information processed by that asset.