KPMG Information Risk Management
IT Governance & Risk Management
A paradigm of the relationship between Information Risk Management and IT Governance
Graham Blain, Partner, KPMG Information Risk Management
Presentation Road Map
1st: IT Governance vs Risk Management?
2nd: Risk Management & Process Maturity
3rd: Roles of Audit and Management
IT Governance and Information Risk Management are synonymous… from a certain point of view!
Risk is “the chance of something happening that will have an impact on objectives” (AS/NZS 4360)
Risk management is “the culture, processes and structure which come together to optimise the management of potential opportunities and adverse threats” (AS/NZS 4360)
IT Governance is “A management framework which ensures the delivery of expected benefits of IT in a controlled manner” (Poole V)
1st: IT Governance vs Risk Management?
Risk Management can be practically applied as a comprehensive Governance approach…
Risks should be stated in terms of organisational objectives
Treatment of risks should comprise a combination of structure, processes, projects and specific actions
In the long term, appropriate structure and process maturity should be the goal
A suggested distinction between inherent and residual risk…
Inherent Risk is the chance of something happening that will have an impact on objectives in the absence of structure and processes to optimise opportunities and threats
Residual Risk is the chance of something happening that will have an impact on objectives despite the structure and processes that are in place to optimise opportunities and threats
2nd: Risk Management and Process Maturity
There is a relationship between inherent risk, process maturity and residual risk
[Chart: Inherent Risk (y axis, 0 to 4) plotted against Process Maturity (x axis, 0 to 4). The area of the chart is labelled High Residual Risk at the top, Moderate Residual Risk in the middle and Low Residual Risk at the bottom.]
The Seven Inherent Risks
Inherent Risk: Key Question
Dependence on IT: How dependent am I on IT for the achievement of business objectives?
IT Skills and Resources: Will the skills and resources required by my IT processes be available?
IT Reliability: Are the information systems I will require to meet my objectives reliable?
Changes in IT: Will organisational change result in high levels of change to systems?
External IT: Will I be dependent on external parties for the achievement of my IT objectives?
Business Focus: Is it important for the IT function to be closely aligned to business strategy?
Information Assets: Do we have valuable information assets that need to be protected?
The relationships between inherent risk and targeted process maturity
[Table: targeted process maturity per IT process against the seven inherent risks. Column headings: Maturity, Dependence on IT, IT Skills and Resources, IT Reliability, Changes in IT, External IT, Business Focus, Information Assets. The "Risk" row gives the inherent risk ratings for the seven columns as 3 4 0 3 0 1 2. The cell values in the process rows could not be aligned to their columns on extraction; the row figures are reproduced as extracted.]
Delivery & Support
DS1 Define and manage service levels: 1 3 (1) 0
DS2 Manage third-party services: 4 (1) (4) (4) (2)
DS3 Manage performance and capacity: 3 0 (3) (1)
DS4 Ensure continuous service: 0 3 0 2
DS5 Ensure systems security: 3 0 (1)
DS6 Identify and allocate costs: 0 4 0 1
DS7 Educate and train users: 1 (1) 2 (1) 0
DS8 Assist and advise customers: 2 1 (2) 0
DS9 Manage the configuration: 2 1 (2) 0
DS10 Manage problems and incidents: 3 0 (3) (1)
DS11 Manage data: 4 (1) (3) (2)
DS12 Manage facilities: 4 (1) (4) (2)
DS13 Manage operations: 4 (1) (4) (2)
Monitor
M1 Monitor the processes: 4 0 (4)
M2 Assess internal control adequacy: 0 3 4 0 3 0 1 2
M3 Obtain independent assurance: 2 1 2 (2) 1 (2) (1) 0
M4 Provide for independent audit: 2 1 2 (2) 1 (2) (1) 0
The focus of IT Management, Risk Management, Internal and External audit in IT Governance
[Chart: Inherent Risk (y axis, 0 to 4) plotted against Process Maturity (x axis, 0 to 4), with regions marking the focus of Internal Audit, IT Management and Risk Management; External Audit reviews Internal Audit's work.]
3rd: Roles of Audit and Management
Conclusions
Information Risk Management and IT Governance can be considered synonymous, depending on your point of view and approach
Process maturity improvement programmes can (and should?) be driven from a risk management based approach
Focus of relevant parties should be as follows:
- IT Management on High Residual Risks
- Internal Audit on Mature Processes
- Risk Management on the Risk Management Process
- External Audit on Internal Audit's work
A car has brakes to allow it to go faster…
IT Governance (Information Risk Management)
Graham Blain
Partner
KPMG Information Risk Management
85 Empire Road, Parktown
(011) 647 7853