
Risk Scenarios Using COBIT® 5 for Risk

About ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust
in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge,
standards, networking, and career development for information systems audit, assurance, security, risk, privacy and
governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity
professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology.
ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified
Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of
Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association
has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created Risk Scenarios Using COBIT® 5 for Risk (“the Work”) primarily as an educational resource
for assurance, governance, risk and security professionals. ISACA makes no claim that use of any of the Work will assure a
successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive
of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the
propriety of any specific information, procedure or test, assurance, governance, risk and security professionals should
apply their own professional judgment to the specific circumstances presented by the particular systems or information
technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and
must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/riskscenarios


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-1-60420-467-4

Acknowledgments
ISACA wishes to recognize:
Lead Developer
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Fischer IT GRC Beratung & Schulung, Switzerland

Development Team
Evelyn Anton, CISA, CISM, CGEIT, CRISC, UTE, Uruguay
Robert E Stroud, CGEIT, CRISC, CA, USA
Mike Hughes, CISA, CGEIT, CRISC, 123 Consultants GRC Ltd., United Kingdom
Elza Adams, CISA, CISSP, PMP, HP, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL Expert, bwin.party digital entertainment plc, Austria
Eduardo Ritegno, CISA, CRISC, QAR (IIA), Banco de la Nacion Argentina, Argentina
Andre Pitkowski, CGEIT, CRISC, APIT Informatica, Brazil

Expert Reviewers
Mohamed Tawfik Abul Farag, KPMG, Egypt
Mark Adler, CISA, CISM, CGEIT, CRISC, CCSA, CFE, CFSA, CIA, CISSP, CRMA, CRP, Wal-Mart Stores, Inc., USA
Gerardo H. Arancibia Vidal, CISM, CRISC, Ernst & Young, Chile
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK
Vilius Benetis, CISA, CRISC, PhD, NRD CS, Lithuania
Jean-Louis Bleicher, CRISC, France
Graham Carter, CISA, CGEIT, ABB Limited, Switzerland
Richard Cartwright, CGEIT, ISP/ITCP, ITIL, PMP, MZP Solutions, Canada
Katalina Coronel Hoyos, CISA, SASCURE Cia. Ltda., Ecuador
Gabriel Croci, CISA, CRISC, SOMOS Consultancy Services, Uruguay
Diego Patricio del Hoyo, CISM, CRISC, CISSP, Westpac Banking Corporation, Australia
Leela Ravi Shankar Dhulipalla, CGEIT, COBIT Certified Assessor, COBIT 5 Accredited Trainer, PMP, Venlee IT Consultancy LLP, India
Joseph Fodor, CISA, CPA, Ernst & Young, LLP, USA
Giovanni Guzman De Leon, CISM, ITIL, CFC, ISO 9001, PhD Candidate, Independent Consultant, Guatemala
Jason Hageman, CISA, ITIL V3, MGM Resorts International, USA
Tomas Hellum, LinkGRC, Denmark
Sharon Jones, CISA, MGM Resorts International, USA
Masatoshi Kajimoto, CISA, CRISC, Independent Consultant, Japan
Satish Kini, CRISC, CISSP, COBIT 5 Certified Assessor, Firstbest Consultants Pvt Ltd., India
Vaman Amarjeet Gokuldas Kini, CISA, CISM, CEH, CISSP, LPT, 27KLA, The World Bank Group, India
Shruti Shrikant Kulkarni, CISA, CRISC, CISSP, CPISI, CCSK, ITIL V3 Expert, Infosys Technologies Limited, India
John W. Lainhart, CISA, CISM, CGEIT, CRISC, CIPP/G, CIPP/U, IBM Global Business Services, USA
Michel Lambert, CISA, CISM, CGEIT, CRISC, Ministere de l’Agriculture, des Pecheries et de l’Alimentation du Quebec, Canada
Romualdas Lecickis, CISA, CISM, CGEIT, CRISC, NRD CS, Lithuania
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA
Sebastian Marondo, CISA, CISM, NRD-EA, National Audit Office- Tanzania, Tanzania
John Simiyu Masika, CISA, CISM, Kenya Airways Ltd., Kenya
Radmila Mihajlovic, CISA, Consultant, Canada
Lucio Augusto Molina Focazzio, CISA, CISM, CRISC, ITIL, GovernaTI, Colombia
Oscar Moreno Mulas, CISA, OKY Consulting/Zelaya Rivas Asociados, El Salvador
Raphael Otieno Onyango, CISA, BCOM, CPA (K), Ecumenical Church Loan Fund – Kenya, Kenya
Abdul Rafeq, Wincer Infotech Limited, India
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India
Franco Rigante, CISA, CRISC, PMP, Grant Thornton Argentina, Argentina
Salomon Rico, CISA, CISM, CGEIT, Deloitte Mexico, Mexico
Eddy J. Schuermans, CGEIT, ESRAS bvba, Belgium
Paras K. Shah, CISA, CGEIT, CRISC, CA, Vital Interacts, Australia
David Sheidlower, CISM, Health Quest, USA
Emil David Skrdla, CISA, CISM, CGEIT, CRISC, ITIL V3, PCI ISA, PCIP, The University of Oklahoma, USA
Gustavo A. Solís, Grupo Cynthus, S.A. de C.V., Mexico
Mark Stacey, CISA, FCA, BG Group, USA

Donald T. Steane, CIA, CMA, CPA, CRMA, DTS Consulting Services, Canada
Dirk Steuperaert, CISA, CGEIT, CRISC, ITIL, IT In Balance BVBA, Belgium
Louis C. Tinto, CISA, CRISC, CFE, CIA, Omnicom Media Group, USA
Alok Tuteja, CGEIT, CRISC, CIA, CISSP, Mazrui Holdings LLC, UAE
Orlando Tuzzolo, CISM, CGEIT, CRISC, World Pass IT Solutions, Brazil

ISACA Board of Directors


Robert E Stroud, CGEIT, CRISC, CA, USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co. (retired), USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

Knowledge Board
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, IntercontinentalExchange, Inc. NYSE, UK
Charlie Blanchard, CISA, CISM, CRISC, ACA, CIPP/E, CIPP/US, CISSP, FBCS, Amgen Inc., USA
Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, CISA, CISM, CISSP, ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Guidance and Practices Committee


Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
John Jasinski, CISA, CGEIT, ISO20K, ITIL Exp, SSBB, ITSMBP, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Brazil
Jotham Nyamari, CISA, CISSP, Deloitte, USA
James Seaman, CISM, CRISC, A. Inst. IISP, CCP, QSA, RandomStorm Ltd., UK
Gurvinder Singh, CISA, CISM, CRISC, Australia
Siang Jun Julia Yeo, CISA, CRISC, CPA (Australia), MasterCard Asia/Pacific Pte. Ltd., Singapore
Nikolaos Zacharopoulos, CISA, CRISC, CISSP, Merck, Germany

Special recognition for financial support:


New Jersey Chapter

Table of Contents
List of Figures............................................................................................................................................................................7

Chapter 1. Introduction............................................................................................................................................................9
Background.............................................................................................................................................................................9
Purpose of This Publication..................................................................................................................................................10
Who Should Use This Guide?..............................................................................................................................................10
Scope and Approach.............................................................................................................................................................11
Prerequisite Knowledge........................................................................................................................................................11

Chapter 2. High-level Description of Risk Management Concepts...................................................................................13

Chapter 3. Risk Scenarios Explained....................................................................................................................................15


Risk Scenarios Defined........................................................................................................................................................15
Developing Risk Scenarios Workflow..................................................................................................................................16
Risk Factors...........................................................................................................................................................................16
IT Risk Scenario Structure....................................................................................................................................................19
Main Issues When Developing and Using Risk Scenarios..................................................................................................20
Characteristics of Good Scenarios........................................................................................................................................22

Chapter 4. Generic Risk Scenarios........................................................................................................................................23

Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios................................................................................31


Risk Scenario Category 1: Portfolio Establishment and Maintenance...............................................................................32
Risk Scenario Category 2: Programme/Project Life Cycle Management..........................................................................34
Risk Scenario Category 3: IT Investment Decision Making..............................................................................................36
Risk Scenario Category 4: IT Expertise and Skills.............................................................................................................37
Risk Scenario Category 5: Staff Operations........................................................................................................................39
Risk Scenario Category 6: Information...............................................................................................................................41
Risk Scenario Category 7: Architecture..............................................................................................................................43
Risk Scenario Category 8: Infrastructure............................................................................................................................45
Risk Scenario Category 9: Software....................................................................................................................................47
Risk Scenario Category 10: Business Ownership of IT......................................................................................................49
Risk Scenario Category 11: Suppliers.................................................................................................................................51
Risk Scenario Category 12: Regulatory Compliance.........................................................................................................52
Risk Scenario Category 13: Geopolitical............................................................................................................................53
Risk Scenario Category 14: Infrastructure Theft or Destruction........................................................................................54
Risk Scenario Category 15: Malware..................................................................................................................................55
Risk Scenario Category 16: Logical Attacks.......................................................................................................................57
Risk Scenario Category 17: Industrial Action.....................................................................................................................59
Risk Scenario Category 18: Environmental........................................................................................................................60
Risk Scenario Category 19: Acts of Nature.........................................................................................................................61
Risk Scenario Category 20: Innovation...............................................................................................................................62

Chapter 6. Expressing and Describing Risk.........................................................................................................................65


Preparation of a Risk Scenario Analysis...............................................................................................................................65
Risk Analysis Methods—Quantitative vs. Qualitative.........................................................................................................67
Expressing Impact in Business Terms..................................................................................................................................68
Expressing Frequency...........................................................................................................................................................72
Risk Scenarios in Risk Response (Reduction).....................................................................................................................72

Chapter 7. Risk Scenario Analysis Examples.......................................................................................................................75


How to Read Risk Scenario Analysis...................................................................................................................................75
01 Portfolio Establishment and Maintenance ......................................................................................................................76
02 Programme/Projects Life Cycle Management................................................................................................................85
03 IT Investment Decision Making......................................................................................................................................97
04 IT Expertise and Skills...................................................................................................................................................107
05 Staff Operations.............................................................................................................................................................119
06 Information.....................................................................................................................................................................127
07 Architecture....................................................................................................................................................................137
08 Infrastructure..................................................................................................................................................................146
09 Software.........................................................................................................................................................................159
10 Business Ownership of IT.............................................................................................................................................170
11 Suppliers.........................................................................................................................................................................179
12 Regulatory Compliance.................................................................................................................................................189
13 Geopolitical....................................................................................................................................................................199
14 Infrastructure Theft or Destruction................................................................................................................................209
15 Malware..........................................................................................................................................................................219
16 Logical Attacks...............................................................................................................................................................229
17 Industrial Action.............................................................................................................................................................239
18 Environmental................................................................................................................................................................249
19 Acts of Nature................................................................................................................................................................253
20 Innovation.......................................................................................................................................................................263

Appendix 1. Risk Scenario Analysis Template...................................................................................................................273

Appendix 2. Glossary............................................................................................................................................................277

Appendix 3. Processes for Governance and Management of Enterprise IT...................................................................279

List of Figures

Figure 1—Risk Scenario Overview...........................................................................................................................................9

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits.....................................................................10

Figure 3—Document Overview and Guidance on its Use......................................................................................................11

Figure 4—IT Risk Categories..................................................................................................................................................13

Figure 5—Risk Duality............................................................................................................................................................13

Figure 6—Two Perspectives on Risk.......................................................................................................................................14

Figure 7—Scope of COBIT 5 for Risk.....................................................................................................................................14

Figure 8—Risk Scenario Overview.........................................................................................................................................15

Figure 9—Risk Factors.............................................................................................................................................................17

Figure 10—Internal Risk Factor Considerations.....................................................................................................................18

Figure 11—Risk Scenarios Structure......................................................................................................................................20

Figure 12—Risk Scenario Technique Main Focus Areas........................................................................................................21

Figure 13—Characteristics of Good Risk Scenarios...............................................................................................................22

Figure 14—Example Risk Scenarios.......................................................................................................................................23

Figure 15—Enterprise Goals...................................................................................................................................................70

Figure 16—Probability Rating.................................................................................................................................................72

Figure 17—Risk Response Workflow......................................................................................................................................73

Figure 18—COBIT 5 Process Reference Model...................................................................................................................279

Chapter 1
Introduction
Background
Risk scenario analysis is an important component of enterprise risk management (ERM) (figure 1). This technique is
a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA has
issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping their
enterprises manage their risk portfolios.

Figure 1—Risk Scenario Overview

The Risk Management Process (APO12), with all related enablers:
Process practices: APO12.01 Collect Data; APO12.02 Analyse Risk; APO12.03 Maintain a Risk Profile; APO12.04 Articulate Risk; APO12.05 Define a Risk Management Action Portfolio; APO12.06 Respond to Risk
Related enablers: Principles, Policies and Frameworks; Processes; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies
Top-down approach (starting from business goals): identify business objectives; identify scenarios with the highest impact on achievement of business objectives.
Bottom-up approach (starting from generic risk scenarios): identify hypothetical scenarios; reduce through high-level analysis.
Both approaches produce the risk scenarios, which are refined using risk factors: internal environmental factors, external environmental factors, risk management capabilities and IT-related capabilities.

Source: COBIT® 5 for Risk, ISACA, USA, 2013, figure 34

Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios
that can be used for risk analysis and assessment. Risk Scenarios Using COBIT 5 for Risk provides readers with potential
scenarios to consider in their own organizations. The scenarios are meant to be tailored: scenarios will need to be added,
removed and amended to produce a focused set of relevant scenarios that fit the organization’s specific risk, risk appetite and
business needs.

Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is
the process used to identify and evaluate risk, its potential effects and the probability of a particular event. Risk
assessment is slightly broader, and includes the preliminary and ancillary activities of risk analysis, i.e., the identification
of detailed risk scenarios and the definition of responses such as mitigation plans and the description of existing controls.
Risk analysis and assessment are a core approach to bring realism, insight, organizational engagement, improved analysis and
structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk, and are one of
the key information items needed to identify, analyze and respond to risk (COBIT 5 Process APO12).

Purpose of This Publication


Risk Scenarios Using COBIT 5 for Risk focuses on the development of IT-related risk scenarios and should be read in the
context of COBIT 5 for Risk and the COBIT 5 framework. The publication provides a high-level overview of risk concepts,
along with 60 risk scenario examples covering all 20 categories described in COBIT 5 for Risk. An accompanying tool kit
is available on the ISACA web site and contains interactive risk scenario templates for each of the 20 categories.

The main purpose of Risk Scenarios Using COBIT 5 for Risk is to give guidance on the development of IT-related risk
scenarios. These scenarios are based on the determination of the value of an asset or a business process. The potential threats
and vulnerabilities that can lead to a loss event should be considered, as well as the potential benefits of more effective and
efficient achievement of business objectives and of protecting or increasing business value. The secondary purpose of this
publication is to provide guidance on how to respond to risk that exceeds the enterprise’s tolerance level. Special guidance is
given on how the COBIT 5 enablers can help in risk management activities.

Who Should Use This Guide?


The intended audience for Risk Scenarios Using COBIT 5 for Risk is extensive, and includes any person responsible for
helping the enterprise manage risk. Risk management professionals, in particular, can benefit from this publication and
the guidance provided to develop risk scenario analysis to support ERM efforts. IT and business professionals, in general,
benefit from the concepts and practices described in this publication and can better understand the role they can play in the
ERM process.

The adoption of risk scenario analysis can help satisfy requirements from multiple stakeholders. Figure 2 describes the
potential stakeholder benefits that risk scenario analysis can provide.

Figure 2—Risk Scenarios Using COBIT 5 for Risk Stakeholders and Benefits

Role/Function: Benefits of Adopting Risk Scenarios Using COBIT 5 for Risk
Board and executive management: Better understanding of the implications of IT risk to enterprise strategic objectives and how to better use IT for successful strategy execution
Chief risk officer (CRO) and corporate risk managers for enterprise risk management (ERM): Assistance with managing IT risk, in line with generally accepted ERM principles, and incorporating IT risk into enterprise risk
Operational risk managers: Linking their ERM framework to COBIT 5 for Risk; identification of operational losses or development of key risk indicators (KRIs)
IT management: Better understanding of how to identify and manage IT risk and how to communicate IT risk to business decision makers
IT service managers: Enhancement of their view of operational risk
IT security: Positioning of security risk among other categories of IT risk
Information security/chief information security officer (CISO): Positioning IT risk within the enterprise information risk management structure
Chief financial officer (CFO): Gaining a better view of IT risk and its financial implications
Business: Better understanding and management of IT risk in line with business objectives
Internal auditors: Better analysis of risk in support of audit plans and reports
Compliance: Advise the risk function with regards to compliance requirements and their potential impact on the enterprise
General counsel: Advise the risk function on regulation-related risk and potential impact or legal implications on the enterprise
Regulators: Support assessment of regulated enterprises’ IT risk management approach and the impact of risk on regulatory requirements
External auditors: Additional guidance on exposure levels when establishing an opinion over the quality of internal control
Insurers: Help establish adequate IT insurance coverage and obtain agreement on exposure levels
IT contractors and subcontractors: Better alignment of utility and warranty of IT services provided; understanding of responsibilities arising from risk assessment


Scope and Approach


The practical guidance in this publication is specifically dedicated to the preparation of IT-related risk scenarios and risk
scenario analysis. Risk Scenarios Using COBIT 5 for Risk describes, at a high level, risk management concepts and the
different steps needed to prepare a complete risk scenario analysis. Figure 3 provides a brief description of each chapter
and appendix.

Figure 3—Document Overview and Guidance on its Use

Chapter: Description
Chapter 1. Introduction: Presents an overview on who should use this guidance, the scope and approach, and provides prerequisite guidance
Chapter 2. High-level Description of Risk Management Concepts: Describes at a high level the concepts of risk management on which this guidance is based
Chapter 3. Risk Scenarios Explained: Gives a definition of risk scenarios; explains how a risk scenario workflow can be developed and how risk factors can be used in the context of risk scenarios; gives the characteristics of good scenarios
Chapter 4. Generic Risk Scenarios: Contains example IT-related generic risk scenario categories and some practical advice on how to best use these examples
Chapter 5. Using COBIT 5 Enablers to Mitigate IT Risk Scenarios: Provides examples that show how to use COBIT 5 enablers to respond to the risk scenario examples described in chapter 4
Chapter 6. Expressing and Describing Risk: Describes the additional components necessary to prepare a comprehensive risk scenario analysis; describes processes that can be used to analyse risk impact and frequency; and describes possible risk response options
Chapter 7. Detailed Example Risk Scenarios: Contains over 50 risk scenario analyses and describes the COBIT 5 enablers that can be used to respond in each particular scenario
Appendix 1. Risk Scenario Analysis Template: Provides a comprehensive risk scenario analysis template
Appendix 2. Glossary: Defines the key terms that are used throughout this guide
Appendix 3. Processes for Governance and Management of Enterprise IT: Shows the 37 governance and management processes defined in COBIT 5 and their respective activities as defined in COBIT 5: Enabling Processes

Prerequisite Knowledge
Risk Scenarios Using COBIT 5 for Risk builds on COBIT 5 for Risk. The key concepts about the use of scenarios from
COBIT 5 for Risk are repeated in this guide, making it a fairly stand-alone guide, in essence not requiring any prerequisite
knowledge. However, an understanding of COBIT 5 for Risk will accelerate the comprehension of the contents of this
guide. In addition, some risk-relevant items that are described in detail in COBIT 5 for Risk are not repeated in Risk
Scenarios Using COBIT 5 for Risk and may require the use of other guides in the COBIT 5 product family.

For risk mitigation, Risk Scenarios Using COBIT 5 for Risk refers mainly to the COBIT 5 enablers and also to the process
reference model and COBIT 5 processes described therein. If readers wish to know more about COBIT 5 enablers, e.g.,
to implement or improve some of them as part of a risk response (mitigation), they are referred to the following COBIT 5
product family guides: the COBIT 5 framework, COBIT 5: Enabling Processes and COBIT 5: Enabling Information.
