RISK MANAGEMENT
BY DR. SELASI OCANSEY
LEARNING OBJECTIVES
1. Discuss the risk management process, and how it plays an important role in protecting organizations’ information from IT threats.
2. Describe the Enterprise Risk Management—Integrated Framework, as well as its eight risk and control components, and how they apply to objectives set by management.
3. Explain what risk assessment is in the context of an organization.
4. Summarize professional standards that provide guidance to auditors and managers about risk assessments.
5. Support the need for insurance coverage as part of the risk assessment process for IT operations.
Risk Management
- In recent years, businesses have experienced numerous risk-associated reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to the organization’s reputation, dismissals of senior management, and, in some cases, dissolution of the business.
- This increasingly risky environment prompts management to adopt a more proactive perspective on risk management.
- Risk management ensures that losses do not prevent organizations’ management from pursuing its goals of conserving assets and realizing the expected value from investments.
- NIST defines risk management as the process of identifying and assessing risk, followed by implementing the necessary procedures to reduce such risk to acceptable levels.
- Risk management plays an important role in protecting organizations’ information from IT threats.
- For instance, IT risk management focuses on risks resulting from IT systems, with threats such as fraud, erroneous decisions, loss of productive time, data inaccuracy, unauthorized data disclosure, and loss of public confidence that can put organizations at risk.
- A well-designed IT risk management process is essential for developing a successful security program to protect the IT assets of an organization.
- When used effectively, a well-structured risk management methodology will assist organizations’ management in identifying adequate controls for supporting their IT systems.
Enterprise Risk Management—Integrated Framework
- The COSO Enterprise Risk Management (ERM) Framework defines enterprise risk management as follows:
  “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
- The ERM—Integrated Framework, developed by COSO, is an effective tool for senior management and the Board to set goals and strategies; identify, evaluate, and manage risk areas; select and implement controls to mitigate or address the risk areas; and ensure that the company ultimately achieves its objectives and goals.
(Figure: COSO-ERM model.)
Internal Environment
- The internal environment of a company is everything. It refers to its culture, its behaviors, its actions, its policies, its procedures, its tone, its heart. The internal environment is crucial in setting the company’s goals, strategies, and objectives; establishing procedures to assess or mitigate risk in business areas; and identifying and implementing adequate controls to respond to those risk areas.
- A strong internal environment often protects a company from breakdowns in risk management and control. The internal environment is the base and infrastructure for all other seven ERM components, and consists of:
  - Management’s beliefs, attitudes, operating style, and risk appetite
  - Management’s commitment to integrity, ethical values, and competence
  - Management’s oversight over the company’s internal control and structure
  - Methods of assigning authority and responsibility through the establishment of formal policies and procedures that are consistent with goals and objectives
  - Human resource policies, procedures, and practices overseeing existing working conditions, job incentives, promotion, and career advancement
  - Procedures in place to comply with industry external requirements, as well as regulatory laws, such as those imposed by banks, utilities, insurance companies, the SEC and the PCAOB, among others
Objective Setting
- Objectives refer to the goals the company wants to achieve. Objectives are established at various levels within a company.
- That is, companies may set objectives at the top/management level, say to guide their direction or strategy (e.g., become the best seller in the market, acquire a separate business, merge with a competitor, etc.);
- or at lower levels, like improving existing operations (e.g., hiring quality personnel, improving current processes, implementing controls to address additional risks, maintaining certain levels of production, etc.).
- Companies may also set goals for reporting and compliance purposes. Reporting objectives are set, for instance, to ensure the reliability, completeness, and accuracy of reports (e.g., financial statements, etc.).
- These objectives are achieved via adequately safeguarding financial application systems, as well as performing timely and thorough management reviews, for example.
- Compliance objectives, on the other hand, ensure all applicable industry-specific, local, state, and federal laws are properly followed and observed.
- Failure to comply with these can result in serious consequences, leaving the company vulnerable to lawsuits, on-demand audits, and sanctions that can ultimately lead to dissolution.
Event (or Risk) Identification
- Events impact companies internally or externally. For instance, events could occur outside the company (e.g., natural disasters, enactment of new laws and regulations, etc.) that can significantly affect its goals, objectives, and/or strategy. Identification of these events or risks can result from responding to management questions, such as:
  (1) What could go wrong?
  (2) How can it go wrong?
  (3) What is the potential harm? And
  (4) What can be done about it?
- An example would be an office desk manufacturer that relies on sourcing the wood necessary to build the desks from specific regions in the Caribbean. The manufacturer’s organizational objective is to keep up with production demand levels. So, here are the management questions from above with hypothetical responses to identify internal or external events:
  1. What could go wrong? Shipment of wood may fail or may not be received on time, resulting in not having enough supplied wood to meet customer demands and/or required production levels.
  2. How can it go wrong? Weather conditions (e.g., hurricanes, flooding, etc.) may affect safe conditions to cut trees and prepare the necessary wood, or prevent timely shipment of the wood to the manufacturing site.
  3. What is the potential harm? The lack of or limited supply may cause the manufacturer to incur higher costs, which could translate into higher prices for customers.
  4. What can be done about it? Solutions may include identifying at least one or two additional suppliers (outside of the Caribbean), and/or having higher amounts of wood inventory on hand. These will help in preventing or mitigating the issues just identified, and ensure that minimum production levels are kept consistent with organizational objectives.
Risk Assessment
- In view of the increased reliance on IT and automated systems, special emphasis must be placed on the review and analysis of risk in these areas.
- IT facilities and hardware are often included in the company’s overall plant and property review; however, automated systems require a separate analysis, especially when these systems are the sole source of critical information to the company, as in today’s e-business environments. There are many risks that affect today’s IT environment.
- Companies face loss from traditional events, such as natural disasters, accidents, vandalism, and theft, and also from similar events in electronic form. These can result from computer viruses, theft of information or data, and so on.
- Some examples of resources to assist in the identification and evaluation of these IT-related risks include:
  - NIST.gov. NIST has been a leader in providing tools and techniques to support IT. It has a number of support tools that can be used by private small-to-large organizations for risk assessment purposes.
  - GAO.gov. The U.S. Government Accountability Office (GAO) has provided a number of audit, control, and security resources, as well as identification of best practices in managing and reviewing IT risk in many areas.
  - Expected loss approach. A method developed by IBM that assesses the probable loss and the frequency of occurrence for all unacceptable events for each automated system or data file. Unacceptable events are categorized as either: accidental or deliberate disclosure; accidental or deliberate modification; or accidental or deliberate destruction.
  - Scoring approach. Identifies and weighs various characteristics of IT systems. The approach uses the final score to compare and rank their importance.
- Once identified, risks are assessed, meaning that the probability of their potential losses is quantified and ranked. Risks are assessed from two perspectives: Likelihood and Impact.
- Likelihood refers to the probability that the event will occur. Impact, on the other hand, is the estimated potential loss should such an event occur.
- Risks are categorized as follows:
  - Critical—exposures would result in bankruptcy, for instance.
  - Important—possible losses would not lead to bankruptcy, but would require the company to take out loans to continue operations.
  - Unimportant—exposures that could be accommodated by existing assets or current income without imposing undue financial strain.
- Assigning identified risks to one of the above categories gives them a level of significance and helps determine the proper means for treating such risks. Assessment of risks is discussed in more detail in a later section.
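The following is an added worked example, not code from the slides or from COSO, NIST, GAO or IBM. It puts the expected loss approach (probable loss times frequency of occurrence, per automated system or data file), the Likelihood/Impact assessment and the Critical/Important/Unimportant categories together in one small Python program, and adds a weighted score in the spirit of the scoring approach. The category thresholds (existing assets, current income, borrowing limit), the characteristic weights, and the sample risks are constructed assumptions, chosen only to make the ranking visible.

```python
"""Added example (not from the slides): ranking and categorizing IT risks.

It combines three ideas from the Risk Assessment section: the expected
loss approach (probable loss x frequency of occurrence, per automated
system or data file), the Critical / Important / Unimportant categories,
and the scoring approach (weighted system characteristics). The financial
capacity figures, weights, and sample risks are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # automated system or data file the event affects
    event: str          # accidental/deliberate disclosure, modification or destruction
    likelihood: float   # estimated probability of occurrence per year (0..1)
    impact: float       # estimated loss per occurrence, in currency units

    def expected_loss(self) -> float:
        """Expected loss approach: probable loss x frequency of occurrence."""
        return round(self.likelihood * self.impact, 2)


@dataclass(frozen=True)
class FinancialCapacity:
    """What the company can absorb; used to place a single exposure in a category."""
    existing_assets: float   # assets that can absorb a loss without undue strain
    current_income: float    # income that can absorb a loss without undue strain
    borrowing_limit: float   # loans the company could take out to keep operating


def categorize(exposure: float, cap: FinancialCapacity) -> str:
    """Map one exposure (loss if the event occurs once) to the slide categories.

    Unimportant: covered by existing assets or current income.
    Important:   not covered, but loans would keep the company operating.
    Critical:    beyond what loans can cover, i.e. bankruptcy.
    """
    absorbable = cap.existing_assets + cap.current_income
    if exposure <= absorbable:
        return "Unimportant"
    if exposure <= absorbable + cap.borrowing_limit:
        return "Important"
    return "Critical"


def assess(risks, cap: FinancialCapacity):
    """Rank risks by expected loss (highest first) and attach their category.

    Ranking uses likelihood x impact; the category uses the impact alone,
    because a single occurrence is what the company must be able to survive.
    """
    rows = [
        {
            "asset": r.asset,
            "event": r.event,
            "expected_loss": r.expected_loss(),
            "category": categorize(r.impact, cap),
        }
        for r in risks
    ]
    rows.sort(key=lambda row: row["expected_loss"], reverse=True)
    return rows


# Scoring approach: each characteristic is rated 1 (low) .. 5 (high) and the
# weights (an assumption) turn the ratings into one comparable score.
SCORING_WEIGHTS = {"data_sensitivity": 0.4, "business_criticality": 0.4, "external_exposure": 0.2}


def weighted_score(ratings: dict, weights: dict = SCORING_WEIGHTS) -> float:
    """Weighted sum of the characteristic ratings, on the same 1..5 scale."""
    missing = set(weights) - set(ratings)
    if missing:
        raise ValueError(f"missing ratings for: {sorted(missing)}")
    return round(sum(weights[k] * ratings[k] for k in weights), 2)


# Constructed sample data for a small company.
CAPACITY = FinancialCapacity(existing_assets=200_000, current_income=300_000,
                             borrowing_limit=1_500_000)

SAMPLE_RISKS = [
    Risk("Payroll database", "deliberate disclosure", likelihood=0.05, impact=2_500_000),
    Risk("Payroll database", "accidental modification", likelihood=0.30, impact=60_000),
    Risk("Order-entry system", "accidental destruction", likelihood=0.10, impact=900_000),
    Risk("Marketing file share", "deliberate destruction", likelihood=0.20, impact=40_000),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_RISKS, CAPACITY):
        print(f"{row['asset']:<22} {row['event']:<24} "
              f"EL={row['expected_loss']:>10,.0f}  {row['category']}")
    print("Payroll DB score:", weighted_score(
        {"data_sensitivity": 5, "business_criticality": 4, "external_exposure": 2}))
```

Two design points are worth noticing when running it. The ranking (expected loss) and the category (exposure of one occurrence) deliberately answer different questions: a rare but ruinous disclosure of the payroll database ranks first on expected loss and is also Critical, while a frequent but cheap modification error sits low in the ranking and is Unimportant. Treating them the same would hide exactly the distinction the slide’s categories exist to make.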
Risk Response
- After assessing risks, the next step is to put an action plan together and determine the applicable technique(s) to respond to the identified risks.
- Typically, the risk response process starts with companies evaluating their inherent risks, then selecting the appropriate response technique, and finally assessing the residual risk.
- Management can react or respond to identified risks in one of the following four ways: Avoid, Prevent, Reduce, or Transfer.
- Avoid or completely eliminate the risk. For example, a new feature included within the next application software release is estimated to downgrade application performance by slowing down some critical processing. To avoid the risk, the software feature is eliminated from the next release.
- Prevent a risk through implementing IT controls, such as (1) performing validity checks upon inputting data; (2) cleaning disk drives and properly storing magnetic and optical media to reduce the risk of hardware and software failures; and (3) configuring logical security settings (i.e., passwords) in the application system.
- Reduce the risk through taking mitigation actions, such as having controls that detect errors after data are complete. Examples of these include implementing user access reviews, conducting reconciliations, and performing data transmission controls, among others.
- Transfer all or part of the risk to a third party. Common methods of risk transfer include acquiring insurance or outsourcing (subcontracting) services. As an example, a company that needs to update its financial application system may choose to outsource or subcontract such a project (along with all of its risks) to an outsider.
Control Activities
- COBIT defines control activities as the “policies, procedures, practices, and organization structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”
- In other words, control activities (or controls) are procedures management implements to safeguard assets, keep accurate and complete information, and achieve established business goals and objectives.
- Implementing controls is an effective way to: (1) reduce identified risks to acceptable levels; (2) comply with company policies, procedures, laws, and regulations; and (3) enhance the efficiency of existing operations.
- Once in place, controls must be monitored for effective implementation. They should also be assessed to determine whether they operate effectively and as expected when originally designed.
- There are three types of controls: Preventive, Detective, and Corrective. Management should identify and implement controls from all three types in order to protect the company from undesired events.
- Preventive controls, for instance, deter problems from occurring and are usually superior to detective controls. Examples of preventive controls include hiring qualified personnel, segregating employee duties, and controlling physical access.
- The second type of controls, detective controls, are intended to discover problems that cannot be prevented. Examples of detective controls include performing reconciliations of bank accounts, trial balances, etc. Detective controls are designed to trigger when preventive controls fail.
- Corrective controls, the third type of controls, are designed to identify, correct, and recover from the problems identified. Similar to detective controls, corrective controls “react to what just happened.” Examples include maintaining backup copies of files and correcting data entry errors. An effective internal control system should implement all three types of controls.
- Areas where controls can be implemented include, among others, segregation of duties; approval and authorization of transactions; change management; protection of assets, records, and data; and systems performance checks and monitoring.
Information and Communication
- To describe the seventh component of the ERM—Integrated Framework model, information and communication, it is crucial to explain what information is and what communication refers to.
- Companies need information to carry out their internal control responsibilities and ultimately to support the achievement of their business goals and objectives. Information is data organized and processed to provide meaning and, thus, improve decision making.
- Management needs such information, generated from either internal or external sources, to be useful (i.e., quality information) in order to make effective and efficient business decisions, as well as to adequately support the functioning of its internal control system.
- Information is useful when it is:
  1. Relevant: information is pertinent and applicable to making a decision (e.g., the decision to extend customer credit would need relevant information on the customer’s balance from an Accounts Receivable aging report, etc.).
  2. Reliable: information is free from bias, dependable, and trusted.
  3. Complete: information does not omit important aspects of events or activities.
  4. Timely: information is provided in time to make the decision.
  5. Understandable: information is presented in a meaningful manner.
  6. Verifiable: two or more independent people can produce the same conclusion.
  7. Accessible: information is available when needed.
- Communication, on the other hand, refers to the process of providing, sharing, and obtaining necessary information on a continuing and frequent basis. Communication of information could occur internally within the company (e.g., a message from the CEO or CIO to all company employees, etc.) or externally (e.g., information received from regulators, information submitted for audit purposes, etc.).
- An information and communication system, such as an accounting information system (AIS), should be implemented to allow for capturing and exchanging the information needed, as well as conducting, managing, and controlling the company’s operations.
Monitoring
- Monitoring activities, either on a continuing or separate basis, must occur to ensure that the information and communication system (i.e., AIS) is implemented effectively and, most importantly, operates as designed.
- Continuous monitoring assessments that have been incorporated into existing business processes at various levels, for instance, provide timely and relevant information supporting whether or not the AIS is working as expected.
- Monitoring assessments that are performed separately vary in scope and frequency, and are conducted depending on how effective they are, the results from risk assessments, and specific management goals and objectives.
- Examples of monitoring activities may include:
  - having internal audits or internal control evaluations;
  - assessing for effective supervision;
  - monitoring against established and approved budgets;
  - tracking purchased software and mobile devices;
  - conducting periodic external, internal, and/or network security audits;
  - bringing on board a Chief Information Security Officer and forensic specialists;
  - installing fraud detection software;
  - and implementing a fraud hotline, among others.
