
Deutsche Bank

COBIT 5 for IT Policies and Risk


6th October 2015
Contents

How COBIT 5 is used for IT Management Policy


COBIT 5 as Basis for Risk Management
What COBIT, ISO, etc. Don’t Tell You

Deutsche Bank Alan Shepherd


Group Technology and Operations ISACA/BPUG COBIT in der Praxis
COBIT 5 as Basis for Policies

How COBIT 5 is used for IT Management Policy

Further Reading

Praxiswissen COBIT, Markus Gaulke
with a practical contribution on the topic



COBIT 5 Product Family



COBIT 5 Enabling Processes



DB Policy Built in Two Steps

Version 1 (published): 9 out of 37 COBIT processes have been included in V1.1 of the IT Management Policy.

Version 2: All 37 COBIT processes will be included in V2 of the IT Management Policy.



COBIT 5 as Basis for Risk Management

COBIT 5 for Risk


Risk Scenarios
Risk Management Process
Other Standards

COBIT 5 Products





Risk Scenarios

See Appendix for Sample



Risk Management Process



Risk Management in ISO Standards

ISO 31000:2009(E), ISO/IEC 27005:2011



PMBOK, 4th Edition



ISO/IEC 27005:2011



What COBIT, ISO, etc. Don’t Tell You

Some Problems with Current Risk Assessment Methods


Some Answers
Some Advanced Answers
References

Risk Assessment Methods

If your Risk Assessment is wrong ...
• ... mitigation is addressing the wrong problems
• Waste
• Bad Decisions

How do you know it works?
• Effectiveness of methods not verified
• Some methods are known not to work
• Methods that do work are not used

Probability x Loss
• Assumes Risk Neutral (most people are risk averse)
• Loses Information
• Assumes Risks are independent

Financial Crisis
• Risk of extensive defaults on subprime loans: Low
• Risk of novel financial products: Low
• Risk of failure of AIG: Low
• Result: Financial Crisis



Risk Assessment Problems

Catastrophic Overconfidence
• Near misses or survivals increase risk tolerance

Logical Errors
• Misconception of Chance
• Conjunction Fallacy
• Law of Small Numbers
• Variance in Small Samples
• Insensitivity to Prior Probabilities

Framing
• Posing the question differently gets different answers

Experience of “Experts”
• Non-Random (Selective)
• Memory-Based
• Logical Errors in Conclusions
• Inconsistent



Ordinal Scales

High – Medium – Low; 1 – 2 – 3 – 4 – 5; Unlikely – Possible – Likely

• Understanding varies widely between individuals
• Range Compression: High = > €100m, so €500m is also High
• They are not units of measure
  • Cannot be added / multiplied
  • 2 is not twice as good as 1
  • Clustering
  • Presumption of Regular Intervals
• They ignore (psychological) research
  • Bias
  • Framing
  • Inconsistency
  • No Validation against Reality
  • Etc.



Probability and Measurement

Probability
• Unambiguous description of uncertainty
• 50% Probability = Total Uncertainty

Wrong Distribution
• Not everything is Gaussian
• Catastrophes, common mode and cascade failures tend to be Power Law

Measurement
• Observation based uncertainty reduction about a quantity

You think you can’t measure it?
• It has been done before
• You have more data than you think
• You need less data than you think
• Getting more data is more economical than you think
• You probably need completely different data than you think



Answer 1 – Know our Risk Appetite
• Document Risk Appetite/Tolerance

Answer 2 – Model the Risks
• Model Uncertain Systems



Answer 3 – Calibration

Calibrated Estimators
• Give estimates with ranges which are correct 90% of the time.
• Know the confidence of binary (true/false) answers.
• It is not very difficult to learn! (1/2 day training)

After calibration, 9 out of 10 answers will be in the given range.

The resulting range may be wide, but it can be narrowed by MEASUREMENT.
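How a calibration exercise is scored, as an added example that is not part of the deck: the estimator's answers below are constructed, and the two scores are the ones the slide implies. For range questions the score is the share of true values falling inside the stated 90% interval, and for binary questions it is the Brier score (mean squared gap between stated confidence and outcome). The binomial p-value is an added check on a point the slide does not make explicit: with only ten questions, 8 hits instead of 9 is weak evidence of overconfidence, since a perfectly calibrated estimator scores 8 or fewer about 26% of the time.

```python
"""Score a calibration exercise: 90% interval hit rate plus Brier score.

Added example; the answers below are constructed, not taken from any
real training session.
"""
from math import comb

# Constructed answers from one hypothetical estimator. Each tuple is
# (lower bound, upper bound, true value) for a question answered with
# a 90% confidence interval.
RANGE_ANSWERS = [
    (100, 300, 250),     # hit
    (1000, 5000, 800),   # miss: interval shifted too high
    (10, 50, 12),        # hit
    (2, 8, 9),           # miss: interval too narrow
    (500, 2000, 1500),   # hit
    (20, 40, 30),        # hit
    (1, 10, 6),          # hit
    (200, 400, 350),     # hit
    (60, 120, 90),       # hit
    (5, 15, 14),         # hit
]

# Constructed binary answers: (stated confidence of being right, was it right?)
BINARY_ANSWERS = [(0.9, True), (0.9, True), (0.7, False), (0.5, True), (0.8, True)]


def interval_hit_rate(answers):
    """Number and share of true values that fell inside the stated range."""
    hits = sum(1 for lo, hi, actual in answers if lo <= actual <= hi)
    return hits, hits / len(answers)


def prob_at_most_hits(n, k, p=0.9):
    """P(X <= k) for X ~ Binomial(n, p): how often a truly calibrated
    estimator would score k hits or fewer out of n questions."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def brier_score(answers):
    """Mean squared error between stated confidence and outcome; 0 is perfect."""
    return sum((c - (1.0 if right else 0.0)) ** 2 for c, right in answers) / len(answers)


def calibration_report(range_answers=RANGE_ANSWERS, binary_answers=BINARY_ANSWERS):
    hits, rate = interval_hit_rate(range_answers)
    return {
        "interval_hits": hits,
        "interval_hit_rate": rate,
        "p_if_calibrated": prob_at_most_hits(len(range_answers), hits),
        "overconfident": rate < 0.9,          # fewer hits than the 90% target
        "brier": brier_score(binary_answers),
    }


if __name__ == "__main__":
    for key, value in calibration_report().items():
        print(f"{key}: {value}")
```

A hit rate below 0.9 means the ranges are too narrow (overconfidence), the usual finding before training; a rate well above 0.9 means they are wider than needed. Because ten questions give a noisy estimate, real calibration training uses considerably more questions before drawing a conclusion.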



Answer 4 – Monte Carlo Simulation (Advanced)

Monte Carlo Simulation
• Generates 1000’s of random values for each variable in a model and shows the distribution of the results.
• Easily implemented with Excel or other tools.
• Can take distributions and correlations into account.
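The simulation the slide describes, as an added example that is not from the deck and uses only the Python standard library instead of Excel. The two scenarios, their event rates and their lognormal severities are constructed; the optional "bad year" factor is an assumed way of correlating the scenarios' frequencies (it scales both rates by the same random amount while keeping the expected rate unchanged). The point it shows is the one made on the "Risk Assessment Methods" slide: Probability x Loss gives a single expected value, while the simulated distribution also yields the median and the 95th and 99th percentiles that a risk appetite statement needs.

```python
"""Monte Carlo simulation of annual loss from two risk scenarios.

Added example, not from the deck. Scenario parameters are constructed.
Event counts per year are Poisson, severities lognormal, and an optional
shared factor correlates the scenarios' frequencies.
"""
import math
import random

# Constructed scenarios: events per year, lognormal severity (median EUR, sigma).
SCENARIOS = {
    "phishing_incident": {"rate": 2.0, "median_loss": 50_000.0, "sigma": 1.0},
    "core_outage":       {"rate": 0.1, "median_loss": 2_000_000.0, "sigma": 1.2},
}


def poisson(rng, lam):
    """Sample a Poisson count with Knuth's method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def analytic_expected_loss(scenarios=SCENARIOS):
    """Probability x Loss: sum of rate * mean severity.
    The mean of a lognormal is median * exp(sigma^2 / 2)."""
    return sum(s["rate"] * s["median_loss"] * math.exp(s["sigma"] ** 2 / 2)
               for s in scenarios.values())


def simulate_annual_loss(scenarios=SCENARIOS, trials=20_000, correlation=0.0, seed=1):
    """Return mean and percentiles of total annual loss over `trials` simulated years."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        # Shared "bad year" factor: with correlation > 0 both scenarios are more
        # frequent in the same years. exp(c*z - c^2/2) has mean 1, so the
        # expected event rate is unchanged; only the joint tail gets heavier.
        z = rng.gauss(0.0, 1.0)
        year_factor = math.exp(correlation * z - correlation ** 2 / 2)
        total = 0.0
        for s in scenarios.values():
            for _ in range(poisson(rng, s["rate"] * year_factor)):
                total += rng.lognormvariate(math.log(s["median_loss"]), s["sigma"])
        losses.append(total)
    losses.sort()

    def percentile(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {"mean": sum(losses) / trials, "p50": percentile(0.5),
            "p95": percentile(0.95), "p99": percentile(0.99)}


if __name__ == "__main__":
    print(f"Probability x Loss (expected annual loss): {analytic_expected_loss():,.0f}")
    for label, rho in (("independent", 0.0), ("correlated", 0.8)):
        r = simulate_annual_loss(correlation=rho)
        print(f"{label:>11}: mean {r['mean']:,.0f}  p50 {r['p50']:,.0f}  "
              f"p95 {r['p95']:,.0f}  p99 {r['p99']:,.0f}")
```

The simulated mean agrees with the analytic expected loss (to within sampling noise), but the median sits far below the mean and the 99th percentile far above it: the single Probability x Loss number hides exactly the tail that a risk tolerance threshold is meant to bound. Comparing the two runs shows what correlation does, namely leave the mean alone while pushing the tail outward.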



Answer 5 – Bayes 1/2 (Very Advanced)

Bayesian Networks
• Update prior knowledge with new information.
• Invert conditional probabilities.

Starting point: nothing known about Design, Complexity, Testing Quality or amount of usage.

Additional Information



Answer 5 – Bayes 2/2

Bayesian Networks
• Update prior knowledge with new information.

Additional Information
• If zero defects are found in testing and complexity is known to be high, then
• defects expected in operation are lower, but
• there is a high probability that testing was poor and design was good.
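The defects example from both Bayes slides worked through in code, as an added example that is not from the deck and is not the Fenton & Neil model itself: the network structure (design and complexity drive defects inserted; defects found depends on defects inserted and testing quality; defects in operation are those inserted but not found) is the one the slides describe, while every probability table is constructed for illustration. Exact inference is done by enumerating the joint distribution, which is all a network this small needs. The evidence "zero defects found" and "complexity high" is entered, and the posterior is compared with what the model expected before the test result was known.

```python
"""Small Bayesian network for the defects example, solved by enumeration.

Added example; all probability tables are constructed. Structure:

    Design ----> Defects inserted <---- Complexity
                       |
    Testing quality ---+---> Defects found in testing
    Defects in operation = inserted - found
"""
from itertools import product

DESIGN_PRIOR = {"good": 0.5, "poor": 0.5}
TESTING_PRIOR = {"good": 0.5, "poor": 0.5}
DETECT_PROB = {"good": 0.9, "poor": 0.2}   # chance each defect is found, by testing quality
DEFECT_LEVELS = (0, 5, 20)                  # coarse bins for the number of defects inserted
DEFECTS_INSERTED = {                        # P(n | design, complexity), one entry per DEFECT_LEVELS bin
    ("good", "high"): (0.20, 0.60, 0.20),
    ("poor", "high"): (0.02, 0.38, 0.60),
    ("good", "low"):  (0.70, 0.25, 0.05),
    ("poor", "low"):  (0.30, 0.50, 0.20),
}


def p_none_found(n, testing):
    """P(found = 0 | n inserted, testing quality): each defect is missed independently."""
    return (1.0 - DETECT_PROB[testing]) ** n


def prior_operational_defects(complexity):
    """Expected defects left in operation before any test result is known.
    Each of the n inserted defects survives testing with probability 1 - detect."""
    total = 0.0
    for (d, pd), (t, pt) in product(DESIGN_PRIOR.items(), TESTING_PRIOR.items()):
        for n, pn in zip(DEFECT_LEVELS, DEFECTS_INSERTED[(d, complexity)]):
            total += pd * pt * pn * n * (1.0 - DETECT_PROB[t])
    return total


def update_on_zero_found(complexity):
    """Posterior over design, testing quality and residual defects given found = 0.
    With nothing found, every inserted defect is still in operation."""
    weights = {}
    for (d, pd), (t, pt) in product(DESIGN_PRIOR.items(), TESTING_PRIOR.items()):
        for n, pn in zip(DEFECT_LEVELS, DEFECTS_INSERTED[(d, complexity)]):
            # joint probability of this configuration together with the evidence
            weights[(d, t, n)] = pd * pt * pn * p_none_found(n, t)
    z = sum(weights.values())  # P(evidence); dividing by it normalises the posterior
    return {
        "p_design_good": sum(w for (d, _, _), w in weights.items() if d == "good") / z,
        "p_testing_poor": sum(w for (_, t, _), w in weights.items() if t == "poor") / z,
        "expected_operational_defects": sum(n * w for (_, _, n), w in weights.items()) / z,
    }


if __name__ == "__main__":
    before = prior_operational_defects("high")
    after = update_on_zero_found("high")
    print(f"expected defects in operation, complexity high, no test result: {before:.2f}")
    print(f"after observing zero defects found: {after['expected_operational_defects']:.2f}")
    print(f"P(design good) = {after['p_design_good']:.2f}  "
          f"P(testing poor) = {after['p_testing_poor']:.2f}  (both 0.50 before)")
```

With these tables the update reproduces the slide's reading of the evidence: expected defects in operation fall from about 4.7 to about 2.3, while the posterior probability that testing was poor rises from 0.50 to about 0.71 and that design was good from 0.50 to about 0.78. A zero result from testing is good news about the product only to the extent that it is not explained by weak testing, and the network keeps both explanations in play rather than silently assuming the test was thorough.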



Answers – Other

Positions
• Organisation
• Incentives
• Certifications
• Community

Quality Control
• Scientific Approach
• Validate against event history
• Use empirical observations



References

The Failure of Risk Management – Why it is Broken and How to Fix It, Douglas W. Hubbard, 2009
How to Measure Anything – Finding the Value of “Intangibles” in Business, 3rd Edition, Douglas W. Hubbard, 2014
Risk Assessment and Decision Analysis with Bayesian Networks, Norman Fenton, Martin Neil, 2013



Appendix

Sample COBIT 5 Risk Scenario
