LHSLHS
Managing Risk in a Service Management Environment
John Mitchell PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE
LHS Business Control
47 Grangewood
Potters Bar
Herts EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
Cell: +44 (0)7774 145638
[email protected] www.lhscontrol.com
© John Mitchell

Slide 2: Themes
Risk management in a nutshell
Service delivery risks
Risk management reporting
Risk assurance groups

Slide 3: Risk Components
Inherent risk – without controls
Risk treatment – controls
Residual risk – where you are after applying the controls
Retained risk – what the Board agrees to live with (risk appetite)

Slide 4: Risk Management Process
[Cycle diagram with four stages]
Inherent Risk Identification
Control Implementation
Risk Management Plan
Monitoring & Evaluating

Slide 5: Inherent Risk
The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place

Slide 8: Residual Risk
The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place

Slide 10: Risk Components
EVENT – leading to
CONSEQUENCE – resulting in
EFFECT (IMPACT) ON BUSINESS OBJECTIVE

Slide 11: Handling Risk
[Diagram: RISK at the centre, surrounded by the four responses]
Terminate
Tolerate
Transfer
Treat

Slide 12: Decision Matrix
Rows: Likelihood (High / Low). Columns: Consequence (Low / High).

                    Consequence: Low          Consequence: High
Likelihood: High    Local Control (Treat?)    Immediate Remedial Action (Terminate?)
Likelihood: Low     No Action (Tolerate?)     Emergency Planning (Transfer?)

Slide 13: Mapping Likelihood & Consequence
[Chart: LIKELIHOOD on the vertical axis (A = Low to E = High) against CONSEQUENCE on the horizontal axis (A = Low to E = High). The grid is divided into three regions: Senior Management Attention, Local Management Attention, No Action]

Slide 14: Risk Management in a Nutshell
[Chart: the same LIKELIHOOD (A–E) against CONSEQUENCE (A–E) grid, with an arrow labelled Controls moving a risk from its Inherent Risk position to its Residual Risk position. Regions: Senior Management Attention, Local Management Attention, No Action]

Slide 15: Service Delivery Risks
Non-availability
Slow response times
Inadequate incident handling
Poor problem solving
Inferior configuration management

Slide 16: Non-Availability Risks
EVENT -> CONSEQUENCE -> IMPACT
Customers are unable to access the system (EVENT) leading to them being unable to place orders (CONSEQUENCE) resulting in loss of income (IMPACT)
Customers are unable to obtain help with non-availability problems (EVENT) leading to dissatisfaction with the company (CONSEQUENCE) resulting in loss of customers (IMPACT)

Slide 17: Non-Availability Root Causes (1)
1) Failure of connectivity as a result of loading company-recommended third-party software on to customer computers
2) Failure of connectivity as a result of loading company-produced software onto customer computers
3) Failure of the company's internet connection
4) Company firewall prevents legitimate access
5) Company internal network failure
6) Key hardware failure
7) Key software failure

Slide 18: Non-Availability Root Causes (2)
8) Customer forgets access credentials
9) Inadequate capacity
10) Hacking attack:
   a) Halts servers
   b) Halts network
11) Virus/worm infestation disrupts the system
12) Power loss
13) Failure of the back-up/restore process
14) Ineffective third-party support for critical software
15) Complete destruction of computer facilities

Slide 19: Inadequate Support Root Causes
16) Support staff not available when required
17) Support staff unresponsive to requests for help
18) Support staff have inadequate knowledge to deal with the problem

Slide 20: Availability Risks (Inherent to Residual Risk Mapping)
[Chart: root causes 1–18 plotted on the LIKELIHOOD (A–E) against CONSEQUENCE (A–E) grid. The likelihood row of each point is legible; within a row, groups separated by semicolons sit at increasing consequence, but the exact consequence grade is not recoverable from the chart text.
Likelihood E: 8
Likelihood D: 2, 18; 3, 4, 5, 6, 7, 9, 10, 11, 13, 14; 12
Likelihood C: 16
Likelihood B: 1
Likelihood A: 17; 15
Annotated on the chart: 12) Power loss, 15) Loss of computing, 14) 3rd party support]
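As an added example (not from the slides), a small Python risk register that applies the inherent-to-controls-to-residual-to-retained logic on the A–E grid, bands the result into the three attention regions, and picks a response from the decision matrix. The band cut-offs, the threshold for "High", and the power-loss grades and controls are assumptions made for illustration; only the scale, the regions, the four Ts and the root-cause number come from the slides.

```python
from dataclasses import dataclass, field

SCALE = "ABCDE"  # A = Low ... E = High, the axis grades used on the slides
score = lambda g: SCALE.index(g) + 1                 # A -> 1 ... E -> 5
grade = lambda v: SCALE[min(max(v, 1), 5) - 1]      # clamp back onto A..E

@dataclass
class Control:
    name: str
    likelihood_steps: int = 0    # grades removed from the likelihood axis
    consequence_steps: int = 0   # grades removed from the consequence axis

@dataclass
class Risk:
    ref: int                     # root-cause number from the slides
    chain: tuple                 # (EVENT, CONSEQUENCE, IMPACT)
    inherent: tuple              # (likelihood, consequence) before controls
    controls: list = field(default_factory=list)

    def residual(self) -> tuple:
        """Inherent position moved by the combined effect of the controls."""
        l, c = (score(x) for x in self.inherent)
        l -= sum(k.likelihood_steps for k in self.controls)
        c -= sum(k.consequence_steps for k in self.controls)
        return grade(l), grade(c)

def attention(l: str, c: str) -> str:
    """Region on the A-E grid. The slides draw three regions without stating
    boundaries; the cut-offs here (score sum >= 8, >= 5) are an assumption."""
    total = score(l) + score(c)
    return ("Senior Management Attention" if total >= 8 else
            "Local Management Attention" if total >= 5 else "No Action")

def four_t(l: str, c: str) -> str:
    """Decision matrix; 'High' taken as grade D or E (assumed threshold)."""
    hl, hc = score(l) >= 4, score(c) >= 4
    if hl and hc: return "Terminate (immediate remedial action)"
    if hl:        return "Treat (local control)"
    if hc:        return "Transfer (emergency planning)"
    return "Tolerate (no action)"

def retained(r: Risk, appetite: tuple) -> bool:
    """Retained risk: residual at or below the Board's appetite on both axes."""
    l, c = r.residual()
    return score(l) <= score(appetite[0]) and score(c) <= score(appetite[1])

# Constructed register entry for root cause 12 (power loss); grades are illustrative.
POWER_LOSS = Risk(12, ("Power loss", "Customers cannot place orders", "Loss of income"),
                  ("D", "E"), [Control("UPS and standby generator", likelihood_steps=2),
                               Control("DR site failover", consequence_steps=2)])
```

With the constructed grades, power loss starts at (D, E) in the Senior Management Attention region and is moved by its two controls to a residual of (B, C), which a Board appetite of (B, C) would retain.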

Slide 21: Risk Documentation
IT risk register
– Structure
– Coverage: Confidentiality, Integrity, Availability, Compliance, Management
– Inherent to retained logic
– Embedded monitors
– Early warning indicators
Planned improvement projects
[Embedded object: Microsoft Excel Worksheet]

Slide 22: The Role of IT Audit
Primary
– Provide assurance to the Board that IT risks are being effectively managed
Secondary
– Provide assurance that IT is providing value for money
– Assist IT in developing well controlled business solutions

Slide 23: Assurance Tools
International standards:
– ISO 20000
– ISO 9126
– ISO 17799
– Control Objectives for IT (CobiT)
Best practices:
– ITIL
– Benchmarking
Data analytics software:
– ACL
– IDEA

Slide 24: Assurance Organisations
BCS IRMA
ISACA
ITGI
IIA

Slide 25: BCS IRMA
Information Risk Management & Audit SG
Oldest specialist group in the BCS – formed 1965
Active programme of meetings
Quarterly magazine
Membership of the BCS Security Panel
www.bcs-irma.org

Slide 26: ISACA
Information Systems Audit & Control Association
Certified Information Systems Auditor (CISA) qualification
Certified Information Security Manager (CISM) qualification
Primarily concerned with assurance of IT and security processes
www.isaca.org

Slide 27: ITGI
Information Technology Governance Institute
Control Objectives for IT and related technologies (CobiT) international open standard
Primarily concerned with IT governance
www.itgi.org

Slide 28: IIA
Institute of Internal Auditors
Qualification in Computer Auditing (QiCA)
Primarily concerned with internal control
www.iia.org.uk

Slide 29: Summary
Risk management is simply a process
Moving from inherent to residual/retained risk is achieved by controls
Control effectiveness can be measured by assurance professionals

Slide 30: Questions?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]