Management Program
Mitigate the IT risks that could negatively impact your organization.
4 Analyst Perspective
5 Executive Summary
102 Appendix
108 Bibliography
EXECUTIVE BRIEF
Analyst Perspective

Siloed risks are risky business for any enterprise.

Risk is an inherent part of life but not very well understood or executed within organizations. This has led to risk being avoided or, when it’s implemented, being performed in isolated siloes with inconsistencies in understanding of impact and terminology.

Looking at risk in an integrated way within an organization drives a truer sense of the thresholds and levels of risks an organization is facing – making it easier to manage and leverage risk while reducing risks associated with different mitigation responses to the same risk events.

This opens the door to using risk information – not only to prevent negative impacts but as a strategic differentiator in decision making. It helps you know which risks are worth taking, driving strong positive outcomes for your organization.

Valence Howden, Principal Research Director, CIO Practice
Brittany Lutes, Senior Research Analyst, CIO Practice
Executive Summary

Your Challenge
IT has several challenges when it comes to addressing risk management:
• Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
• The business could be making decisions that are not informed by risk.
• Reacting to risks after they occur can be costly and crippling, yet it is one of the most common tactics used by IT departments.

Common Obstacles
Many IT organizations realize these obstacles:
• IT risks and business risks are often addressed separately, causing inconsistencies in the approach.
• Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
• Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.

Info-Tech’s Approach
• Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success.
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur.
• Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks most critical to the organization.

Info-Tech Insight
IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
Case Studies
By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
Start Here

PHASE 1: Review IT Risk Fundamentals and Governance
1.1 Review IT Risk Management Fundamentals
1.2 Establish a Risk Governance Framework

PHASE 2: Identify and Assess IT Risk
2.1 Identify IT Risks
2.2 Assess and Prioritize IT Risks

PHASE 3
3.1 Monitor IT Risks and Develop Risk Responses
3.2 Report IT Risk Priorities
Info-Tech Research Group | 10
Key deliverable: Risk Management Program Manual
Use the tools and activities in each phase of the blueprint to create a comprehensive, customized program manual for the ongoing management of IT risk.

Blueprint deliverables
Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:
• Integrated Risk Maturity Assessment: Assess the organization's current maturity and readiness for integrated risk management (IRM).
• Centralized Risk Register: The repository for all the risks that have been identified within your environment.
COSO’s Enterprise Risk Management —Integrating with Strategy and Performance addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment.

ISO 31000 Risk Management can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.

COBIT 2019’s IT functions were used to develop and refine our Ten IT Risk Categories used in our top-down risk identification methodology.
Abandon ad hoc risk management

A strong risk management foundation is valuable when building your IT risk management program.

This research covers the following IT risk fundamentals:
• Benefits of formalized risk management
• Key terms and definitions
• Risk management within ERM
• Risk management independent of ERM
• Four key principles of IT risk management

Drivers of Formalized Risk Management:
Drivers External to IT: External Audit; Internal Audit; Mandated by ERM; Occurrence of Risk Event
Grassroots Drivers: Demonstrating IT’s value to the business; Proactive initiative

• Meet the business’ service requirements.
• Improved satisfaction with IT by senior leadership and business units.
• Fewer resources wasted on fire-fighting.
• Improved availability, integrity, and confidentiality of sensitive data.
• More efficient use of resources.
• Greater ability to respond to evolving threats.
• Improved IT flexibility when responding to risk events and market fluctuations.
• Reduced budget uncertainty.
• Improved ability to make decisions when developing long-term strategies.
• Improved stakeholder and shareholder confidence.
• Achieved compliance with external regulations.
• Competitive advantage over organizations with immature risk management practices.
Four options: DIY Toolkit, Guided Implementation, Workshop, Consulting

DIY Toolkit: “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

Guided Implementation: “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

Workshop: “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

Consulting: “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

Diagnostics and consistent frameworks are used throughout all four options.
Workshop Overview
Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

Activities (grouped by step number):
1.4 Identify and engage key stakeholders; 1.5 Add organization-specific risk scenarios; 1.6 Identify risk events
2.3 Determine the threshold for (un)acceptable risk; 2.4 Create impact and probability scales; 2.5 Select a technique to measure reputational cost; 2.6 Conduct risk severity level assessment
3.3 Conduct expected cost assessment; 3.4 Develop key risk indicators (KRIs) and escalation protocols; 3.5 Perform root cause analysis; 3.6 Identify and assess risk responses
4.3 Create multi-year cost projections; 4.4 Review techniques for embedding risk management in IT; 4.5 Finalize the Risk Report and Risk Management Program Manual; 4.6 Transfer ownership of risk responses to project managers
Follow-up: … and to discuss next steps

Deliverables (in the same order):
1. Maturity Assessment; 2. Risk Management Program Manual
1. Finalized List of IT Risk Events; 2. Risk Register; 3. Risk Management Program Manual
1. Risk Register; 2. Risk Event Action Plans; 3. Risk Management Program Manual
1. Risk Report; 2. Risk Management Program Manual
1. Workshop Report; 2. Risk Management Program Manual
Participants:
• IT executive leadership

Activities:
1.1.1 Gain buy-in from senior leadership
1.1.2 Assess current program maturity

Outcomes of this step:
• Reviewed key IT principles and terminology
• Gained understanding of the relationship between IT risk management and ERM

IT risk management within ERM (IT Risk Management sits inside ERM; its components are Risk Governance, Risk Prioritization & Communication, Risk Identification, Risk Assessment, and Risk Monitoring):
Pro: IT’s risk management responsibilities are defined (assessment schedules, escalation and reporting procedures).
Con: IT may lack autonomy to implement IT risk management best practices.

IT risk management independent of ERM (the same components, with IT Risk Management standing apart from ERM):
Pro: IT is free to create its own IT risk council and develop customized processes that serve its unique needs.
Con: Lack of clear reporting procedures and mechanisms to share accountability with the business.
Info-Tech’s IT risk management framework walks you through each step to achieve risk readiness

IT Risk Management Framework components: Risk Governance, Risk Identification, Communication, Monitoring.

Framework activities: Engage Stakeholder Participation; Optimize Risk Management Processes; Assess Risk Maturity; Measure the Success of the Program; Business Objectives; Use Risk Identification Frameworks; Compile IT-Related Risks; Establish Monitoring Responsibilities; Establish Thresholds for Unacceptable Risk.
1-4 hours

The resource demands of IT risk management will vary from organization to organization. Here are typical requirements:

Integrated Risk Maturity Assessment

Assessing integrated risk ensures the right risk management program can be adopted by your organization.

A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization.

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization. Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.
1-4 hours

This assessment is intended for frequent use; process completeness should be re-evaluated on a regular basis.

2. Tab 2, "Data Entry": This is a qualitative assessment of your integrated risk management process and is organized by the categories of integrated risk maturity. You will be asked to rate the extent to which you are executing the activities required to successfully complete each phase of the assessment. Use the drop-down menus provided to select the appropriate level of execution for each activity listed.
3. Tab 3, "Results": This tab will display your rate of IRM completeness/maturity. You will receive a score for each category as well as an overall score. The results will be displayed numerically, by percentage, and graphically.

Materials: • Integrated Risk Maturity Assessment Tool
Participants: • IT executive leadership • Business executive leadership

Record the results in the Integrated Risk Maturity Assessment.
Follow these best practices to make sure your requirements are solid:
2. Identify organizational obstacles and set attainable risk management goals.
3. Track the effectiveness and success of the program using SMART risk management metrics.

Info-Tech Insight
Metrics provide the foundation for determining the success of your IT risk management program and ensure ongoing funding to support appropriate risk responses.
1-4 hours

Anticipate potential challenges and “blind spots” by determining which success factors are missing from your current situation.

Instructions:
1. List the potential obstacles and missing success factors that you must overcome to effectively manage IT risk and build a risk management program.

Potential obstacles and missing success factors, for example:
• Skills and understanding around risk management within IT
• Skills and understanding around risk management within the organization
• Lack of a defined risk management posture

Success factors, for example:
• Organization moving toward an integrated risk management program
• Ability to leverage lessons learned from similar companies
• Strong process management and adherence to policies by employees in the organization
One element of risk culture is what levels of risk the organization is willing to accept to pursue its objectives and what levels of risk are deemed unacceptable. This is often called risk appetite.

The other component of risk culture is the degree to which risk factors into decision making.

Info-Tech Insight
Organizations typically fall in the middle of these spectrums. While risk culture will vary depending on the industry and maturity of the organization, a culture with a balanced risk appetite that is extremely risk conscious is able to make creative, dynamic decisions with reasonable limits placed on risk-related decision making.
Input: • Risk Culture

Translate your maturity assessment and knowledge about organizational risk culture, potential obstacles, and success factors to develop goals for your IT risk management program.

Instructions:
1. In the Risk Management Program Manual, revise, replace, or add to the high-level goals provided in section 2.4.
2. Make sure that you have three to five high-level goals that reflect the current and targeted maturity of IT risk management processes.
3. Integrate potential obstacles, pain points, and insights from the organization’s risk culture.

Materials: • Risk Management Program Manual
Participants: • IT executive leadership • Business executive leadership
SMART objectives:
Specific: Make sure the objective is clear and detailed.
Measurable: Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
Actionable: Objectives become actionable when specific initiatives designed to achieve the objective are identified.
Realistic: Objectives must be achievable given your current resources or known available resources.
Time-Bound: An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.

Instructions:
2. … risk management program on a whiteboard. Use the sample metrics listed in the table on the next slide as a starting point.
3. Fill in the chart to indicate the:
 a) Name of the success metric
 b) Method for measuring success
 c) Baseline measurement
 d) Target measurement
 e) Actual measurements at various points throughout the process of improving the risk management program
 f) A deadline for each metric to meet the target measurement
metrics (continued)
1-3 hours

Attach metrics to your goals to gauge the success of the IT risk management program.

Sample Metrics

| Name | Method | Baseline | Target | Deadline | Checkpoint 1 | Checkpoint 2 | Final |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Number of risks identified (per year) | Risk register | 0 | 100 | Dec. 31 | | | |
| Number of business units represented (risk identification) | Meeting minutes | 0 | 5 | Dec. 31 | | | |
| Frequency of risk assessment | Assessments recorded in risk management program manual | 0 | 2 per year | Year 2 | | | |
| Percentage of identified risk events that undergo expected cost assessment | Ratio of risks assessed in the risk costing tool to risks assessed in the risk register | 0 | 20% | Dec. 31 | | | |
| Number of top risks without an identified risk response | Risk register | 5 | 0 | March 1 | | | |
| Cost of risk management program operations per year | Meeting frequency and duration, multiplied by the cost of participation | $2,000 | $5,000 | Dec. 31 | | | |
Create the IT risk committee (ITRC)

Responsibilities of the ITRC:
1. Formalize risk management processes.
2. Identify and review major risks throughout the IT department.
3. Recommend an appropriate risk appetite or level of exposure.
4. Review the assessment of the impact and likelihood of identified risks.
5. Review the prioritized list of risks.
6. Create a mitigation plan to minimize risk likelihood and impact.
7. Review and communicate overall risk impact and risk management success.
8. Assign risk ownership responsibilities of key risks to ensure key risks are monitored and risk responses are effectively implemented.
9. Address any concerns in regards to the risk management program, including, but not limited to, reviewing their risk management duties and resourcing.

Must be on the ITRC: CIO; CRO (if applicable); Senior Directors; Security Officer; Head of Operations

Should be on the ITRC: CFO; Senior representation from every business unit impacted by IT risk
1.2.5 Create the IT risk council
• List of IT personnel and business stakeholders
• Goals for the IT risk management program
1-4 hours

Identify the essential individuals from both the IT department and the business to create a permanent committee that meets regularly and carries out IT risk management activities.

Instructions:
1. Review sections 3.1 (Mandate) and 3.2 (Agenda and Responsibilities) of the IT Risk Committee Charter, located in the Risk Management Program Manual. Make any necessary revisions.
2. In section 3.3, document how frequently the council is scheduled to meet.
3. In section 3.4, document members of the IT risk council.
4. Obtain sign-off for the IT risk council from the CIO or another member of the senior leadership team in section 3.5 of the manual.

Materials: • Risk Management Program Manual
Participants: • CIO • CRO (if applicable) • Senior Directors • Head of Operations
RACI is an acronym made up of four participatory roles:
Responsible: Stakeholders who undertake the activity.
Accountable: Stakeholders who are held responsible for failure or take credit for success.
Consulted: Stakeholders whose opinions are sought.
Informed: Stakeholders who receive updates.

Instructions
1. Use the template provided on the following slide, and add key stakeholders who do not appear and are relevant for your organization.
2. For each activity, assign each stakeholder a letter.
3. There must be an accountable party for each activity (every activity must have an “A”).
4. For activities that do not apply to a particular stakeholder, leave the space blank.
5. Once the chart is complete, copy/paste it into section 4.1 of the Risk Management Program Manual.
RACI chart (the activity column headings are not reproduced here; blank cells are omitted):
ITRC: A R I R R R A C
ERM: C I C I I I I C
CIO: I A A A A A I R
CRO: I R C I R
CFO: I R C I R
CEO: I R C I A
Business Units: I C C C
IT: I I I I I I R C
PMO: C C C
Phase 2

This step involves the following activities:
2.1.1 Add organization-specific risk scenarios
2.1.2 Identify risk events
2.1.3 Augment risk event list using COBIT 19 processes
2.1.4 Conduct a PESTLE analysis

Participants:
• IT Risk Council
• Business executive leadership
• Business risk owners

Outcomes of this step:
• Participation of key stakeholders

2. Employ Info-Tech’s top-down approach to risk identification.
3. Augment your risk event list using alternative frameworks.

Metrics:
• Number of realized risk events not identified in the Risk Register Tool
• Level of business participation in enterprise IT risk identification
 o Number of business units represented
 o Number of meetings attended in person
 o Number of risk reports received

Info-Tech Insight
What you don’t know CAN hurt you. How do you identify IT-related threats and vulnerabilities that you are not already aware of? Now that you have created a strong risk governance framework that formalizes risk management within IT and connects it to the enterprise, follow the steps outlined in this section to reveal all of IT’s risks.
Engage key stakeholders

Ensure that all key risks are identified by engaging key business stakeholders.

Benefits of obtaining business involvement during the risk identification stage:
• You will identify risk events you had not considered or you weren’t aware of.
• You will identify risks more accurately.
• Risk identification is an opportunity to raise awareness of IT risk management early in the process.

Executive Participation:
• CIO participation is integral when building a comprehensive register of risk events impacting IT.
• CIOs and IT directors possess a holistic view of all of IT’s functions.
• CIOs and IT directors are uniquely placed to identify how IT affects other business units and the attainment of business objectives. If applicable, CRO and CTO participation is also critical.

Prioritizing and Selecting Stakeholders
1. Reliance on IT services and technologies to achieve business objectives.
2. Relationship with IT, and willingness to engage in risk management activities.
3. Unique perspectives, skills, and experiences that IT may not possess.

Info-Tech Insight
While IT personnel are better equipped to identify IT risk than anyone, IT does not always have an accurate view of the business’ exposure to IT risk. Strive to maintain a 3 to 1 ratio of IT to non-IT personnel involved in the process.
Risk Scenario: An abstract profile representing common risk groups that are more specific than risk categories. Typically, organizations are able to identify two to five scenarios for each category.

Risk Event: Specific threats and vulnerabilities that fall under a particular risk scenario. Organizations are able to identify anywhere between 1 and 20 events for each scenario. See the Appendix of the Risk Management Program Manual for a list of risk event examples.

Instructions:
2. List risk scenarios (organized by risk category) in the Risk Events/Threats column.
3. Disseminate the list to key stakeholders who were unable to participate and solicit their feedback.
 • Consult the RACI chart located in section 4.1 of the Risk Management Program Manual.
4. Attack one scenario at a time, exhausting all realistic risk events for that grouping before moving onto the next scenario. Each scenario should take approximately 45-60 minutes.

Tip: If disagreement arises regarding whether a specific risk event is relevant to the organization or not and it cannot be resolved quickly, include it in the list. The applicability of these risks will become apparent during the assessment process.

Materials: • Risk Register Tool
Participants: • IT risk council • Relevant business stakeholders • Representation from senior management team • Business risk owners • CRO (if applicable)

Record the results in the Risk Register Tool.
2.1.3 Augment the risk event list using COBIT 2019 processes (Optional)
1-3 hours

Other industry-leading frameworks provide alternative ways of conceptualizing the functions and responsibilities of IT and may help you uncover additional risk events.

Instructions
1. Review COBIT 2019’s 40 IT processes and identify additional risk events.
2. Match risk events to the corresponding risk category and scenario and add them to the Risk Register Tool.

COBIT 2019 processes:
1. Managed IT Management Framework
2. Managed Strategy
3. Managed Enterprise Architecture
4. Managed Innovation
5. Managed Portfolio
6. Managed Budget and Costs
7. Managed Human Resources
8. Managed Relationships
9. Managed Service Agreements
10. Managed Vendors
11. Managed Quality
12. Managed Risk
13. Managed Security
14. Managed Data
15. Managed Programs
16. Managed Requirements Definition
17. Managed Solutions Identification and Build
18. Managed Availability and Capacity
19. Managed Organizational Change Enablement
20. Managed IT Changes
21. Managed IT Change Acceptance and Transitioning
22. Managed Knowledge
23. Managed Assets
24. Managed Configuration
25. Managed Projects
26. Managed Operations
27. Managed Service Requests and Incidents
28. Managed Problems
29. Managed Continuity
30. Managed Security Services
31. Managed Business Process Controls
32. Managed Performance and Conformance Monitoring
33. Managed System of Internal Control
34. Managed Compliance with External Requirements
35. Managed Assurance
36. Ensured Governance Framework Setting and Maintenance
37. Ensured Benefits Delivery
38. Ensured Risk Optimization
39. Ensured Resource Optimization
40. Ensured Stakeholder Engagement
2.1.4 Finalize your risk register by conducting a PESTLE analysis (Optional)
1-3 hours

Explore alternative identification techniques to incorporate external factors and avoid “groupthink.”

Consider the External Environment – PESTLE Analysis
Despite efforts to encourage equal participation in the risk identification process, key risks may not have been shared in previous exercises. Conduct a PESTLE analysis as a final safety net to ensure that all key risk events have been identified.
List the following factors influencing the risk event:
• Political factors
• Economic factors
• Social factors
• Technological factors
• Legal factors

Avoid “Groupthink” – Nominal Group Technique
The Nominal Group Technique uses the silent generation of ideas and an enforced “safe” period of time where ideas are shared but not discussed to encourage judgement-free idea generation.
• Ideas are generated silently and independently.
• Ideas are then shared and documented; however, discussion is delayed until all of the group’s ideas have been recorded.
• Idea generation can occur before the meeting and be kept anonymous.

Note: Employing either of these techniques will lengthen an already time-consuming process. Only consider these techniques if you have concerns regarding the homogeneity of the ideas being generated or if select individuals are dominating the exercise.
Step 2.2

1. Establish business-approved risk thresholds for acceptable and unacceptable risk.
2. Conduct a streamlined assessment of all risks to separate acceptable and unacceptable risks.
3. Perform a deeper, cost-based assessment of prioritized risks.

Metrics:
Assessment frequency
• (Annually, bi-annually, etc.)
Assessment accuracy
• Percentage of risk assessments that are substantiated by later occurrences or testing
• Ratio of cumulative actual costs to expected costs
Assessment consistency
• Percentage of risk assessments that are substantiated by third-party audit
Assessment rigor
• Percentage of identified risk events that undergo first-level assessment (severity scores)
• Percentage of identified risk events that undergo second-level assessment (expected cost)
Stakeholder oversight and participation
• Level of executive participation in IT risk assessment (attend in person, receive report, etc.)
• Number of business stakeholder reviews per risk assessment

Info-Tech Insight
Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
Review risk assessment fundamentals

Risk assessment provides you with the raw materials to conduct an informed cost-benefit analysis and make robust risk response decisions.

In this section, you will be prioritizing your IT risks according to their risk severity, which is a reflection of their expected cost.

Impact (e.g. $250,000 or “High”) × Likelihood (e.g. 10% or “Low”) = Expected cost / risk severity (e.g. $25,000 or “Medium”) → Cost-benefit analysis (CBA)

1. Engage the Business During Assessment Process
Asking business stakeholders to make significant contributions to the assessment exercise may be unrealistic (particularly for members of the senior leadership team, other than the CIO). Ensure that they work with you to finalize thresholds for acceptable or unacceptable risk.

2. Verify the Risk Impact and Assessment
If IT has ranked risk events appropriately, the business will be more likely to offer their input. Share impact and likelihood values for key risks to see if they agree with the calculated risk severity scores.

3. Identify Where the Business Focuses Attention
While verifying, pay attention to the risk events that the business stresses as key risks. Keep these risks in mind when prioritizing risk responses as they are more likely to receive funding. Try to communicate the assessments of these risk events in terms of expected cost to attract the attention of business leaders.

Info-Tech Insight
If business executives still won’t provide the necessary information to update your initial risk assessments, IT should approach business unit leaders and lower-level management. Lean on strong relationships forged over time between IT and business managers or supervisors to obtain any additional information.
Info-Tech recommends a two-level approach to risk assessment

Review the two levels of risk assessment offered in this blueprint.

1. Risk severity level assessment (mandatory)
Information:
• Number of risks: Assess all risk events identified in Phase 1.
• Units of measurement: Use customized likelihood and impact “levels.”
• Time required: One to five minutes per risk event.
Assess Likelihood (Negligible, Low, Moderate, High, Very High) × Assess Impact (Negligible, Low, Moderate, High, Very High) = Output: Risk Severity Level (for example, Moderate × Moderate = Moderate). Chart risk events according to risk severity as this allows you to organize and prioritize IT risks.

Assess all of your identified risk events with a risk severity-level assessment.
• By creating a likelihood and impact assessment scale divided into three to nine “levels” (sometimes referred to as “buckets”), you can evaluate every risk event quickly while being confident that risks are being assessed accurately.
• In the following activities, you will create likelihood and impact scales that align with your organizational risk appetite and tolerance.
• Severity-level assessment is a “first pass” of your risk list, revealing your organization’s most severe IT risks, which can be assessed in greater detail by incorporating expected cost into your evaluation.
Info-Tech recommends a two-level approach to risk assessment (continued)

2. Expected cost assessment (optional)
Information:
• Number of risks: Only assess high-priority risks revealed by severity-level assessment.
• Units of measurement: Use actual likelihood values (%) and impact costs ($).
• Time required: 10-20 minutes per risk event.
Assess Likelihood × Assess Impact = Output: Expected Cost (for example, 15% × $100,000 = $15,000). Expected cost is useful for conducting cost-benefit analysis and comparing IT risks to non-IT risks and other budget priorities for the business.

Conduct expected cost assessments for IT’s greatest risks.

For risk events warranting further analysis, translate risk severity levels into hard expected-cost numbers.

Why conduct expected cost assessments?
• Expected cost represents how much you would expect to pay in an average year for each risk event.
• Communicate risk priorities to the business in language they can understand.
• While risk severity levels are useful for comparing one IT risk to

Why is expected cost assessment optional?
• Determining robust likelihood values and precise impact estimates can be challenging and time consuming.
• Some risk events may require extensive data gathering and industry analysis.
Input: • Risk appetite
Output: • Threshold for risk identified
1-4 hours

There are times when the business needs to know about IT risks with high expected costs.

Instructions:
1. Create an expected cost threshold that defines what constitutes an acceptable and unacceptable risk for the organization. This figure should be a concrete dollar value. In the next exercises, you will build risk impact and likelihood scales with this value in mind, ensuring that “high” or “extreme” risks are immediately communicated to senior leadership.
2. Do not consider IT budget restrictions when developing this number. The acceptable risk threshold should reflect the business’ tolerance/appetite for risk.

This threshold is typically based on the organization’s ability to absorb financial losses, and its tolerance/appetite towards risk.

If your organization has ERM, adopt the existing acceptability threshold.

Materials: • Risk Register Tool • Risk Management Program Manual
Participants: • IT risk council • Relevant business stakeholders • Representation from senior management team • Business risk owner

Record this threshold in section 5.3 of the Risk Management Program Manual
Input: • Risk threshold
Output: • Financial impact scale created
1-4 hours
Instructions:
3. Attach labels to each point on the scale. Effective labels will easily distinguish between risks on either side of the unacceptable risk threshold.
Record the risk impact scale in section 5.3 of the Risk Management Program Manual
Materials: • Risk Register Tool • Risk Management Program Manual
Participants: • IT risk council • Relevant business stakeholders • Representation from senior management team • Business risk owner
• While project overruns and service outages may have intangible impacts beyond the unexpected costs stemming from paying employees and lost revenue (such as adding complexity to project management and undermining the business’ confidence in IT), these measurements will provide adequate impact estimations for risk assessment.
• Remember, complex risk events can be analyzed further with an expected cost assessment.

Project Overruns
Project Time (days)   Number of employees   Average cost per employee (per day)   Estimated cost
20 days               8                     $300                                  $48,000

Service Outages
Service Time (hours)   Lost revenue (per hour)   Estimated cost

Impact scale
$250,000   Extreme
$100,000   High
$60,000    Moderate
$35,000    Low
$10,000    Negligible
4. Social responsibility
• Drops in share price attributable to reputation loss (for public companies)
Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
Based on your industry and the nature of the risk, select one of the three techniques described in this section to incorporate reputational costs into your risk assessment.
• If you are not able to effectively translate all reputational costs into financial costs, proceed to techniques 2 and 3 on the following slides.
2.2.3 Select a technique to measure reputational cost (2 of 3)
1-3 hours
It is common for public sector or not-for-profit organizations to have difficulty putting a price tag on intangible reputational costs.
• For example, a government organization may be unable to directly quantify the cost of losing the confidence and/or support of the public.
• A helpful technique is to reframe how reputation is assigned value.
Technique #2 – Calculate the value of avoiding reputational cost:
1. Imagine that the particular risk event you are assessing has occurred. Describe the resulting reputational cost using qualitative language. For example:
A data breach, which caused the unsanctioned disclosure of 2,000 client files, has inflicted high reputational costs on the organization. These have impacted the organization in the following ways:
• Loss of organizational trust in IT
• IT’s reputation as a value provider to the organization is tarnished
• Loss of client trust in the organization
• Potential for a public reprimand of the organization by the government to restore public trust
2. Then, determine (hypothetically) how much money the organization would be willing to spend to prevent the reputational cost from being incurred.
3. Match this dollar value to the corresponding level on the impact scale created in Activity 2.2.2.
2.2.3 Select a technique to measure reputational cost (3 of 3)
1-3 hours
If you feel that the other techniques have not reflected reputational impacts in the overall severity level of the risk, create a parallel scale that roughly matches your financial impact scale.
• For example, if the media learns about a recent data breach, does that feel like a $100,000 loss?
2.2.4 Create a likelihood scale
1-3 hours
Instructions:
1. Create a scale to assess the likelihood that a risk event will occur over a given period of time.
• Info-Tech recommends assessing the likelihood that the risk event will occur over a period of one year (the IT risk council should be reassessing the risk event no less than once per year).
2. Ensure that the likelihood scale contains the same number of levels as the financial impact scale (3, 4, 5, 7, or 9).
3. The example provided is likely to satisfy most IT departments; however, you may customize the distribution of likelihood values to reflect the organization’s aversion towards uncertainty.
• For example, an extremely risk-averse organization may consider any risk event with a likelihood greater than 20% to have a “High” likelihood of occurrence.
4. Attach the same labels used for the financial impact scale (Low, Moderate, High, etc.)
Example likelihood scale:
80–99%   Extreme
60–79%   High
40–59%   Moderate
20–39%   Low
1–19%    Negligible
Record the risk impact scale in section 5.3 of the Risk Management Program Manual
Info-Tech Insight
Note: Info-Tech endorses the use of likelihood values (1-99%) rather than frequency (3 times per year) as a measurement. For an explanation of why likelihood values lead to more precise and robust risk assessment, see the Appendix.
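The scales from Activities 2.2.2 and 2.2.4 and the threshold from 2.2.1, worked through as an added example that is not Info-Tech's Risk Register Tool. Reading each dollar figure on the impact scale as the lower bound of its level, the $7,000/hour outage revenue and the $10,000 threshold are assumptions.

```python
"""Added example (not Info-Tech's Risk Register Tool): estimate the financial
impact of a project overrun or service outage as in the Activity 2.2.2 example,
map that dollar value onto the impact scale shown there, map a one-year
likelihood onto the Activity 2.2.4 scale, and compute expected cost against the
acceptability threshold from Activity 2.2.1.  Reading each dollar figure on the
impact scale as the lower bound of its level, and the threshold and outage
figures used below, are assumptions."""

# Impact scale from the 2.2.2 example slide, read as lower bounds (assumption).
IMPACT_SCALE = [
    (250_000, "Extreme"),
    (100_000, "High"),
    (60_000, "Moderate"),
    (35_000, "Low"),
    (10_000, "Negligible"),
]

# Likelihood scale from Activity 2.2.4: probability (percent) that the event
# occurs within one year, lower bound of each level.
LIKELIHOOD_SCALE = [
    (80, "Extreme"),
    (60, "High"),
    (40, "Moderate"),
    (20, "Low"),
    (1, "Negligible"),
]


def project_overrun_cost(days: int, employees: int, cost_per_employee_day: float) -> float:
    """Estimated cost of an overrun: days x employees x average daily cost."""
    return round(days * employees * cost_per_employee_day, 2)


def service_outage_cost(hours: float, lost_revenue_per_hour: float) -> float:
    """Estimated cost of an outage: hours x lost revenue per hour."""
    return round(hours * lost_revenue_per_hour, 2)


def impact_level(estimated_cost: float) -> str:
    """Map a dollar impact to the impact scale; anything below $10,000 is Negligible."""
    for lower_bound, label in IMPACT_SCALE:
        if estimated_cost >= lower_bound:
            return label
    return "Negligible"


def likelihood_level(percent: float) -> str:
    """Map a 1-99% one-year likelihood to the likelihood scale."""
    if not 1 <= percent <= 99:
        raise ValueError("likelihood must be a value between 1% and 99%")
    for lower_bound, label in LIKELIHOOD_SCALE:
        if percent >= lower_bound:
            return label
    return "Negligible"


def expected_cost(estimated_impact: float, likelihood_percent: float) -> float:
    """Expected cost in an average year = financial impact x likelihood."""
    return round(estimated_impact * likelihood_percent / 100, 2)


def assess(name: str, estimated_impact: float, likelihood_percent: float,
           cost_threshold: float) -> dict:
    """Assemble the assessment for one risk event and flag it for senior
    leadership when its expected cost reaches the acceptability threshold."""
    ec = expected_cost(estimated_impact, likelihood_percent)
    return {
        "risk_event": name,
        "impact": estimated_impact,
        "impact_level": impact_level(estimated_impact),
        "likelihood_level": likelihood_level(likelihood_percent),
        "expected_cost": ec,
        "escalate": ec >= cost_threshold,
    }


if __name__ == "__main__":
    # Constructed inputs: the overrun row from the slide plus an assumed outage.
    threshold = 10_000                          # assumed threshold from Activity 2.2.1
    overrun = project_overrun_cost(20, 8, 300)  # $48,000, as on the slide
    outage = service_outage_cost(2, 7_000)      # assumed $7,000 lost revenue per hour
    for record in (assess("Project overrun", overrun, 30, threshold),
                   assess("Service outage", outage, 70, threshold)):
        print(record)
```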
Input Output
assessment
Likelihood of occurrence and impact for all identified risk events
6-10 hours
Instructions:
1. Document the “Risk Category” and “Existing Controls” in the Risk Register Tool.
• (See the slide following this activity for tips on identifying existing controls.)
Consider both tactical and strategic controls already in place when filling out risk event information in the Risk Register Tool.
Info-Tech Insight
Identifying existing risk controls (past risk responses) provides a clear picture of the measures already in place to avoid, mitigate, or transfer key risks. This reveals opportunities to improve existing risk controls, or where new strategies are needed, to reduce risk severity levels below business thresholds.
Designate a member of the IT risk council to be responsible for each risk event.
Selecting the Appropriate Risk Owner
Use the following considerations to determine the best owner for each risk:
• The risk owner should be familiar with the process, project, or IT function related to the risk event.
• The risk owner should have access to the necessary data to monitor and measure the severity of the risk event.
• The risk owner’s performance assessment should reflect their ability to demonstrate the ongoing management of their assigned risk events.
Risk Owner Responsibilities
Risk ownership means that an individual is responsible for the following activities:
• Monitoring the threat or vulnerability for changes in the likelihood of occurrence and/or likely impact.
• Monitoring changes in the market and external environment that may alter the severity of the risk event.
• Monitoring changes of closely related risks with interdependencies.
• Developing and using key risk indicators (KRIs) to measure changes in risk severity.
• Regularly reporting changes in risk severity to the IT risk council.
• Monitoring risk severity levels for risk events after a risk response has been
Use Info-Tech’s Risk Costing Tool to calculate the expected cost of IT’s high-priority risks (optional)
Use this tool to:
1. Conduct a deeper analysis of severe risks.
• Determine specific likelihood and financial impact values to communicate the severity of the risk in the Expected Cost tab.
• Identify the maximum financial impact that the risk event may inflict.
2. Assess the effectiveness of multiple risk responses for each risk event.
• Determine how proposed risk responses will change the likelihood of occurrence and financial impact of the risk event.
• Illustrate how spending decisions will impact the expected cost of the risk event over time.
• With each successive questionnaire, responses will typically converge around a single intersubjective value.
This phase will walk you through the
3.1.5 Create multi-year cost projections
• Risk responses identified and assessed for top risks
Obtaining sign-off from the senior leadership team or from the ERM office is an important step of the risk management process. The Risk Event Action Plan ensures that high-priority risks are closely monitored and that changes in risk severity are detected and reported. Clear documentation is a way to ensure that critical information is shared with management so that they can make informed risk decisions. These reports should be succinct yet comprehensive; depending on time and resources, it is good practice to fill out this form and obtain sign-off for the majority of IT risks.
3.1.1 Develop key risk indicators (KRIs) and escalation protocols
The risk owner should be held accountable for monitoring their assigned risks but may delegate responsibility for these tasks.
Instructions:
1. Design key risk indicators (KRIs) for risks that measure changes in their severity and document them in the Risk Event Action Plan.
• See the following slide for examples.
2. Clearly document the risk owner and the individual(s) carrying out risk monitoring activities (delegates) in the Risk Event Action Plan.
Note: Examples of KRIs can be found on the following slide.
Document KRIs, escalation thresholds, and escalation protocols for each risk in a Risk Event Action Plan.
What are KRIs?
• KRIs should be observable metrics that alert the IT risk council and management when risk severity exceeds acceptable risk thresholds.
• KRIs should serve as tripwires or early-warning indicators that trigger further actions to be taken on the risk.
• Further actions may include:
o Escalation to the risk owner (if delegated) or to a member of the senior leadership team.
o Reporting to the IT risk council or IT steering committee.
o Reassessment.
o Updating the risk monitoring schedule.
KRI structure (diagram):
Risk Event -> Intermediate Step -> KRI -> Measurement
           -> Intermediate Step -> KRI -> Measurement
Examples of KRIs
• Number of resources who quit or were fired who had access to critical data
• Number of risk mitigation initiatives unfunded
• Changes in time horizon of mitigation implementation
• Number of employees who did not report phishing attempts
• Amount of time required to get critical operations access to necessary data
• Number of days it takes to implement a new regulation or compliance control
3.1.2 Establish the reporting schedule
For each risk event, document how frequently the risk owner must report to the IT risk council in the Risk Event Action Plan.
• A clear reporting schedule enforces accountability for each risk event, ensuring that risk owners are fulfilling their monitoring responsibilities.
• The ongoing discussion of risks between assessment cycles also increases overall awareness of how IT risks are not static but constantly evolving.
Reporting                 Risk Event
Weekly reports to ITRC    Extreme
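KRIs as tripwires with escalation protocols (Activity 3.1.1), checked against periodic readings in the spirit of the reporting schedule (3.1.2), as an added example that is not part of the blueprint. The KRI names come from the examples slide; the thresholds, protocols and weekly readings are constructed.

```python
"""Added example (not from the blueprint): KRIs as tripwires with escalation
protocols, checked against constructed weekly measurements.  Each KRI carries an
escalation threshold; a reading at or beyond it triggers the protocol recorded
for the risk (escalate to the risk owner, report to the ITRC, reassess).  A KRI
that has moved the wrong way for three consecutive periods is flagged as an early
warning before the threshold is crossed.  Thresholds, protocols and readings are
assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    threshold: float          # escalation threshold (readings at or beyond it trip)
    on_trip: tuple            # escalation protocol, in order
    higher_is_worse: bool = True


# Constructed KRIs for one risk event, named after the KRI examples slide.
RISK_KRIS = [
    KRI("employees who did not report phishing attempts", threshold=25,
        on_trip=("escalate to risk owner", "report to ITRC", "reassess risk")),
    KRI("days to implement a new compliance control", threshold=30,
        on_trip=("escalate to risk owner", "update monitoring schedule")),
]

# Constructed weekly readings, oldest first.
READINGS = {
    "employees who did not report phishing attempts": [12, 15, 19, 22],
    "days to implement a new compliance control": [35, 28, 20, 33],
}


def tripped(kri: KRI, reading: float) -> bool:
    """True when the latest reading is at or beyond the escalation threshold."""
    return reading >= kri.threshold if kri.higher_is_worse else reading <= kri.threshold


def trending_worse(kri: KRI, history: list, periods: int = 3) -> bool:
    """True when each of the last `periods` readings moved in the bad direction."""
    if len(history) < periods + 1:
        return False
    recent = history[-(periods + 1):]
    steps = zip(recent, recent[1:])
    return all((b > a) if kri.higher_is_worse else (b < a) for a, b in steps)


def evaluate(kris: list, readings: dict) -> list:
    """One record per KRI: latest reading, tripped flag, early-warning flag, actions.
    A KRI with no readings is itself a monitoring failure and goes to the owner."""
    records = []
    for kri in kris:
        history = readings.get(kri.name, [])
        if not history:
            records.append({"kri": kri.name, "status": "no data",
                            "actions": ("escalate to risk owner",)})
            continue
        latest = history[-1]
        is_tripped = tripped(kri, latest)
        warn = trending_worse(kri, history)
        if is_tripped:
            actions = kri.on_trip
        elif warn:
            actions = ("escalate to risk owner",)
        else:
            actions = ()
        records.append({"kri": kri.name, "latest": latest, "tripped": is_tripped,
                        "early_warning": warn, "actions": actions})
    return records


if __name__ == "__main__":
    for record in evaluate(RISK_KRIS, READINGS):
        print(record)
```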
Tool Information
1. Risk Register Tool
• Develop risk responses for all risk events pre-populated on the “2. Risk Register” sheet of the Risk Register Tool.
• Document the root cause of the risk (Activity 3.1.3) and other contributing factors (Activity 3.1.4).
• Identify risk responses (Activity 3.1.5).
• Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk (Activity 3.1.5).
• The tool will calculate the residual severity of the risk after applying the risk response.
2. Risk Costing Tool [Optional]
• Continue your second-level risk analysis for top risks for which you calculated expected cost in section 2.2.
• Activity 3.1.5:
o Identify between one and four risk response options for each risk.
o Develop precise values for residual likelihood and impact.
o Compare expected cost of the risk event to expected residual cost.
o Select the risk response to recommend to senior leadership and document it in the Risk Register Tool.
Use the “Five Whys” methodology to identify the root cause and contributing/exacerbating factors for each risk event.
Diagnosing the root cause of a risk as well as the environmental factors that increase its potential impact and likelihood of occurring allow you to identify more effective risk responses.
Risk responses that only address the symptoms of the risk are less likely to succeed than responses that address the core issue.
Example chain (contributing factors are noted at each step):
Symptom: Network congestion
Why? -> Inadequate bandwidth for latency-sensitive applications
Why? -> Increased business use of latency-sensitive applications
Why? ->
Instructions:
Complete the following steps for each risk event.
1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the event were to occur.
• Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
2. Assign each risk response action a residual likelihood level and a residual impact level.
• This is the same step performed in Activity 2.2.6, when initial likelihood and impact levels were determined; however, now you are estimating the likelihood and impact of the risk event after the risk response action has been implemented successfully.
• The Risk Register Tool will generate a residual risk severity level for each risk event.
3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Risk Register Tool.
Record the results in the Risk Event Action Plan.
Document the following in the Risk Event Action Plan for each risk event:
• Risk response actions
• Residual likelihood and impact levels
• Residual risk severity level
• Review the following slides about the four types of risk response to help complete the activity.
1. Avoidance
2. Mitigation
3. Transfer
4. Acceptance
• Risk mitigation actions can be to either implement new controls or enhance existing ones.
1. The loss must be accidental (the risk event cannot be insured if it could have been avoided by taking reasonable actions).
2. The insured cannot profit from the occurrence of the risk event.
3. The loss must be able to be measured in monetary terms.
4. The organization must have an insurable interest (it must be the party that incurs the loss).
5. An insurance company must offer insurance against that risk.
o The financial impact of a risk event can be transferred to a third party through clauses agreed to in a contract.
o For example, a vendor can be contractually obligated to assume all costs resulting from failing to secure the organization’s data.
[Illustration: e-mail addressed to an insurance company with the subject “IT Risk Transfer”]
Accept risks that fall below established thresholds
Risk Acceptance
Accepting a risk means tolerating the expected cost of a risk event. It is a conscious and deliberate decision to retain the threat.
You may choose to accept a risk event for one of the following three reasons:
1. The risk severity (expected cost) of the risk event falls below acceptability thresholds and does not justify an investment in a risk avoidance, mitigation, or transfer measure.
2. The risk severity (expected cost) exceeds acceptability thresholds but all effective risk avoidance, mitigation, and transfer measures are ineffective or prohibitively expensive.
3. The risk severity (expected cost) exceeds acceptability thresholds but there are no feasible risk avoidance, mitigation, and transfer measures to be implemented.
Info-Tech Insight
Constant monitoring and the assignment of responsibility and accountability for accepted risk events is crucial for effective management of these risks. No IT risk should be accepted without detailed documentation outlining the reasoning behind that decision and evidence of approval by senior management.
3.1.4 Risk response cost-benefit analysis (optional)
The purpose of a cost-benefit analysis (CBA) is to guide financial decision making.
This helps IT make risk-conscious investment decisions that fall within the IT budget and helps the organization make sound budgetary decisions for risk response projects that cannot be addressed by IT’s existing budget.
Instructions:
1. Reopen the Risk Costing Tool. For each risk for which you conducted an expected cost assessment in section 2.2, find the Excel sheet that corresponds to the risk number (e.g. R001).
2. Identify between one and four risk response options for the risk event and document them in the Risk Costing Tool.
• The “Risk Response 1” field will be automatically populated with expected cost data for a scenario where no action was taken (risk acceptance). This will serve as a baseline for comparing alternative responses.
• For the following steps, go through the risk responses one by one.
3. Estimate the first-year cost for the risk response.
• This cost should reflect initial capital expenditures and first-year operating expenditures.
Record the results in the Risk Costing Tool.
The tool will calculate the expected residual cost of the risk event:
(Financial Impact x Likelihood) - Costs = Expected Residual Cost
5. Select the highest value risk response and document it in the Risk Register Tool.
6. Document your analysis and recommendations in the Risk Event Action Plan.
Note: See Activity 3.1.5 to build multi-year cost projections for risk responses.
3.1.5 Create multi-year cost projections (optional)
Select between risk response options by projecting their costs and benefits over multiple years.
• It can be difficult to choose between risk response options that require different payment schedules. A risk response project with costs spread out over more than one year (e.g. incremental upgrades to an IT system) may be more advantageous than a project with costs concentrated up front that may cost less in the long run (e.g. replacing the system).
• However, the impact that risk response projects have on reducing risk severity is not necessarily static. For example, an expensive project like replacing a system may drastically reduce the risk severity of a system failure, whereas incremental system upgrades may only marginally reduce risk severity in the short term but reach similar levels as a full system replacement in a few years.
Instructions:
Calculate expected cost for multiple years using the Risk Costing Tool for:
• Risk events that are subject to change in severity over time.
• Risk responses that reduce the severity of the risk gradually.
• Risk responses that cannot be implemented immediately.
Copy and paste the graphs into the Risk Report and the Risk Event Action Plan for the
risk event. Record the results in the Risk Costing Tool.
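The cost-benefit comparison of Activity 3.1.4 carried across several years as Activity 3.1.5 describes, as an added example that is not Info-Tech's Risk Costing Tool. The slide states the tool's formula as (Financial Impact x Likelihood) - Costs; treating each year's outlay as the response spend plus the residual expected cost is this example's reading of it, and every figure in the scenario is constructed.

```python
"""Added example (not Info-Tech's Risk Costing Tool): compare risk response
options over several years.  Each year of a response carries the money spent on
the response plus the residual expected cost (residual impact x residual
likelihood); the option with the lowest cumulative total at the chosen horizon
wins.  Reading the slide's formula this way, and all scenario figures, are
assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class YearPlan:
    response_cost: float  # money spent on the response in this year
    likelihood: float     # residual likelihood of the event in this year (0-1)
    impact: float         # residual financial impact per occurrence


def residual_expected_cost(plan: YearPlan) -> float:
    """Residual expected cost for one year: residual impact x residual likelihood."""
    return round(plan.impact * plan.likelihood, 2)


def annual_total(plan: YearPlan) -> float:
    """Total outlay for one year: response spend plus what the risk still costs."""
    return round(plan.response_cost + residual_expected_cost(plan), 2)


def cumulative_costs(plans: list) -> list:
    """Running total of annual outlays, one entry per projected year."""
    totals, running = [], 0.0
    for plan in plans:
        running = round(running + annual_total(plan), 2)
        totals.append(running)
    return totals


def net_benefit(baseline: list, option: list, horizon_years: int) -> float:
    """How much cheaper (positive) an option is than the baseline over the horizon."""
    return round(cumulative_costs(baseline)[horizon_years - 1]
                 - cumulative_costs(option)[horizon_years - 1], 2)


def best_option(options: dict, horizon_years: int) -> str:
    """Name of the option with the lowest cumulative cost at the given horizon."""
    return min(options, key=lambda name: cumulative_costs(options[name])[horizon_years - 1])


# Constructed scenario: a system failure with a $100,000 impact and an 80%
# annual likelihood if nothing is done.  "Risk Response 1" is acceptance.
IMPACT = 100_000.0
OPTIONS = {
    "Accept (no action)": [YearPlan(0, 0.80, IMPACT)] * 4,
    # Replacing the system: all cost up front, likelihood drops at once.
    "Replace system": [YearPlan(120_000, 0.10, IMPACT)] + [YearPlan(0, 0.10, IMPACT)] * 3,
    # Incremental upgrades: spend spread out, likelihood falls gradually.
    "Incremental upgrades": [
        YearPlan(25_000, 0.50, IMPACT),
        YearPlan(25_000, 0.30, IMPACT),
        YearPlan(25_000, 0.15, IMPACT),
        YearPlan(25_000, 0.15, IMPACT),
    ],
}

if __name__ == "__main__":
    for name, plans in OPTIONS.items():
        print(f"{name:22s}", cumulative_costs(plans))
    for horizon in (1, 3):
        print(f"best over {horizon} year(s):", best_option(OPTIONS, horizon))
```

Over one or two years the incremental option is cheapest, but from year three the replacement pulls ahead, which is the trade-off the slide describes.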
Now that you have collected all of the necessary raw data, you must communicate your insights and recommendations effectively.
Communicate IT risk management in two directions:
1. Up to senior leadership (and ERM if applicable)
2. Down to IT employees (embedding risk awareness)
A fundamental task of risk management is communicating risk information to senior management. It is your responsibility to enable them to make informed risk decisions. This can be considered upward communication.
The two primary goals of upward communication are:
1. Transferring accountability for high-priority IT risks to the ERM or to senior leadership.
2. Obtaining funds for risk response projects recommended by the ITRC.
Good risk management also has a trickle-down effect impacting all of IT. This can be considered downward communication.
The two primary goals of downward communication are:
3. Fostering a risk-aware IT culture.
4. Ensuring that the IT risk management program maintains momentum and runs effectively.
Task:
All IT risks that were flagged for exceeding the organization’s severity thresholds must obtain sign-off by the CIO or another member of the senior leadership team.
• In the assessment phase, you evaluated risks using severity thresholds approved by the business and determined whether or not they justified a risk response.
• Whether your recommendation was to accept the risk or to analyze possible risk responses, the business should be made aware of most IT risks.
3.2.2 Socialize the risk report
Create a succinct, impactful document that summarizes the outcomes of risk assessment and highlights the IT risk council’s top
The Risk Report contains:
• An executive summary page highlighting the main takeaways for senior management:
o A short summary of results from the most recent risk assessment
o Dashboard
Info-Tech Insight
If risk management responsibilities are not built into performance assessments, it is less likely that IT staff will invest time and energy into these tasks. Adding risk management metrics to performance assessments directly links good job performance with good risk management, making it more likely that ITRC activities and initiatives gain traction throughout the IT department.
Job descriptions:
Changing job titles to reflect the focus of an individual’s role on managing IT risk may be a good way to distinguish personnel tasked with developing KRIs and monitoring risks on a week-to-week basis.
• Some examples include IT Risk Officer, IT Risk Manager, and IT Risk Analyst.
3.2.3 Transfer ownership of risk responses to project managers
Once risk responses have obtained approval and funding, it is time to transform them into fully-fledged projects.
• Assign responsibility for executing the specific risk response action to a project manager.
• For advice on how to optimize project management, read Info-Tech’s blueprint Tailor IT Project Management Processes to Fit Your Projects.
Perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
To continue the momentum of your newly forged IT risk management program, read Info-Tech’s research on conducting periodic risk assessments and “health checks”: Revive Your Risk Management Program With a Regular Health Check
[Statistic callout: “… of small businesses haven’t implemented controls to respond to the threat of cyber attacks.” Source: Insurance Bureau of Canada, 2021]
Threat: An event that can create a negative outcome (e.g. hostile cyber/physical attacks, human errors).
Vulnerability: A weakness that can be taken advantage of in a system (e.g. weakness in hardware, software, business processes).
Risk Management: The systematic application of principles, approaches, and processes to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making (Office of Government Commerce, 2007).
Risk Category: Distinct from a risk event, a category is an abstract profile of risk. It represents a common group of risks. For example, you can group certain types of risks under the risk category of IT Operations Risks.
Risk Event: A specific occurrence of an event that falls under a particular risk category. For example, a phishing attack is a risk event that falls under the risk category of IT Security Risks.
Risk Appetite: An organization’s attitude towards risk taking, which determines the amount of risk that it considers acceptable. Risk appetite also refers to an organization’s willingness to take on certain levels of exposure to risk, which is influenced by the organization’s capacity to financially bear risk.
Enterprise Risk Management (ERM): A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of organizational risks and managing the combined impact of those risks as an interrelated risk portfolio (RIMS, 2015).
Appendix II: Likelihood vs. Frequency
The basic formula of Likelihood x Impact = Severity is a common methodology used across risk management frameworks. However, some
frameworks measure likelihood using Frequency rather than Likelihood.
Frequency is typically measured as the number of instances an event occurs over a given period of time (e.g. once per month).
• For risk assessment, historical data regarding the frequency of a risk event is commonly used to indicate the likelihood that the event
will happen in the future.
Likelihood is a numerical representation of the “degree of belief” that the risk event will occur in a given future timeframe (e.g. 25%
likelihood that the event will occur within the next year).
False Objectivity
While some may argue that frequency provides an objective measurement of likelihood, it is well understood in the field of likelihood
theory that historical data regarding the frequency of a risk event may have little bearing over the likelihood of that event happening in the
future. Frequency is often an indication of future likelihood but should not be considered an objective measurement of it.
Likelihood scales that use frequency underestimate the magnitude of risks that lack historical precedent. For example, an IT department
that has never experienced a high-impact data breach would adopt a very low likelihood score using the frequentist approach. However, if
all of the organization’s major competitors have suffered a major breach within the last two years, they ought to possess a much higher
degree of belief that the risk event will occur within the next year.
Likelihood is a more comprehensive measurement of future likelihood, as frequency can be used to inform the selection of a likelihood
value. The process of selecting intersubjective likelihood values will naturally internalize historical data such as the frequency that the
event occurred in the past. Further, the frequency that the event is expected to occur in the future can be captured by the expected impact
value. For example, a risk event that has an expected impact per occurrence of $10,000 that is expected to occur three times over the next
year has an expected impact of $30,000.
Appendix III: Should max impacts sway decision making?
Don’t just fixate on the most likely impact – be aware of high-impact outcomes.
During assessment, risks are evaluated according to their most likely financial impact.
• For example, a service outage will likely last for two hours and may have an expected cost of $14,000.
Naturally, focusing on the most likely financial impact will exclude higher impacts that – while theoretically possible – are so unlikely that they do not warrant any real consideration.
• For example, it is possible that a service outage could last for days; however, the likelihood for such an event may be well below 1%.
While the risk severity level assessment allows you to present impacts as a range of values (e.g. $50,000 to $75,000), the expected cost assessment requires you to select specific values.
• However, this analysis may fail to consider much higher potential impacts that have non-negligible likelihood values (likelihood values that you cannot ignore).
• What you consider “non-negligible” will depend on your organizational risk tolerance/appetite.
Sometimes called Black Swan events or Fat-Tailed outcomes, high-impact events may occur when the far right of the likelihood distribution – or the “tail” – is thicker than a normal distribution (see fig. 2).
• A good example is a data breach. While small to medium impacts are far more likely to occur than a devastating intrusion, the high-impact scenario cannot be ignored completely.
For risk events that contain non-negligible likelihoods (too high to be ignored) consider elevating the risk severity level or expected cost.
Fig. 1: Normal Likelihood Distribution (axes: Likelihood vs. Financial Impact; the “Most Likely Impact” is marked)
Fig. 2: Fat-Tailed Likelihood Distribution (axes: Likelihood vs. Financial Impact; the “Fat-Tailed Outcomes” region is marked)
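The Appendix III point in numbers, as an added example that is not from the blueprint: a most-likely-impact expected cost beside one that also counts tail outcomes, at two different "non-negligible" tolerances. The outage outcome table and the tolerance values are constructed.

```python
"""Added example (not from the blueprint): a risk event modelled as a set of
mutually exclusive outcomes, each with an annual likelihood and a financial
impact.  Outcomes whose likelihood falls below the organization's
"non-negligible" tolerance are ignored, as the appendix describes; the expected
cost built from the most likely impact alone is then compared with the expected
cost that also counts the tail outcomes.  Outcomes and tolerances are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    description: str
    likelihood: float  # annual probability of this outcome (0-1)
    impact: float      # financial impact if this outcome occurs


# Constructed service-outage outcomes; the two-hour case is the most likely one.
OUTAGE_OUTCOMES = [
    Outcome("2-hour outage", 0.50, 14_000),
    Outcome("8-hour outage", 0.10, 56_000),
    Outcome("3-day outage", 0.005, 500_000),
]


def considered(outcomes: list, negligible_below: float) -> list:
    """Drop outcomes too unlikely to warrant consideration at this tolerance."""
    return [o for o in outcomes if o.likelihood >= negligible_below]


def most_likely_expected_cost(outcomes: list) -> float:
    """Expected cost the way the assessment usually does it: the single most
    likely impact multiplied by the likelihood that the event occurs at all."""
    most_likely = max(outcomes, key=lambda o: o.likelihood)
    return round(most_likely.impact * sum(o.likelihood for o in outcomes), 2)


def full_expected_cost(outcomes: list) -> float:
    """Expected cost that weights every considered outcome by its own likelihood."""
    return round(sum(o.impact * o.likelihood for o in outcomes), 2)


def tail_review(outcomes: list, negligible_below: float) -> dict:
    """Compare the two expected-cost figures at a given tolerance and say
    whether the tail justifies elevating the risk's expected cost."""
    kept = considered(outcomes, negligible_below)
    ml = most_likely_expected_cost(kept)
    full = full_expected_cost(kept)
    return {
        "outcomes_considered": len(kept),
        "outcomes_ignored": len(outcomes) - len(kept),
        "most_likely_expected_cost": ml,
        "full_expected_cost": full,
        "tail_share": round((full - ml) / full, 3) if full else 0.0,  # share of cost from the tail
        "elevate": full > ml,
    }


if __name__ == "__main__":
    # A tolerance of 1% ignores the three-day outage; 0.1% counts it.
    for tolerance in (0.01, 0.001):
        print(f"tolerance {tolerance:.1%}:", tail_review(OUTAGE_OUTCOMES, tolerance))
```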
Info-Tech Insight
Security risk management equals cost effectiveness. Time spent upfront identifying and prioritizing risks can mean the difference between spending too much and staying on budget.
Milena Litoiu, Principal Research Director, Info-Tech Research Group
Daisha Pennie, IT Risk Management, Oklahoma State University
Chris Warner, Consulting Director - Security, Info-Tech Research Group
Anne Leroux, Director, ES Computer Training
*Plus 10 additional interviewees who wish to remain anonymous.
Bibliography
“2021 State of the CIO.” IDG, 28 January 2021. Web.
“4 Reasons Why CIOs Lose Their Jobs.” Silverton Consulting, 2012. Web.
Beasley, Mark, Bruce Branson, and Bonnie Hancock. “The State of Risk Oversight.” AICPA, April 2021. Web.
COBIT 2019. ISACA, 2019. Web.
“Cognyte jeopardized its database exposing 5 billion records, including earlier data breaches.” SecureBlink, 21 June 2021. Web.
Culp, Steve. “Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.
Curtis, Patchin, and Mark Carey. “Risk Assessment in Practice.” COSO Committee of Sponsoring Organizations of the Treadway Commission, Deloitte & Touche LLP, 2012. Web.
“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.
Eccles, Robert G., Scott C. Newquist, and Roland Schatz. “Reputation and Its Risks.” Harvard Business Review, February 2007. Web.
Eden, C. and F. Ackermann. Making Strategy: The Journey of Strategic Management. Sage Publications, 1998.
“Enterprise Risk Management Maturity Model.” OECD, 9 February 2021. Web.
Ganguly, Saptarshi, Holger Harreis, Ben Margolis, and Kayvaun Rowshankish. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 February 2017. Web.
“Governance Institute of Australia Risk Management Survey 2020.” Governance Institute of Australia, 2020. Web.
“Guidance on Enterprise Risk Management.” COSO, 2022. Web.
Henriquez, Maria. “The Top 10 Data Breaches of 2021.” Security Magazine, 9 December 2021. Web.
Holmes, Aaron. “533 million Facebook users’ phone numbers and personal data have been leaked online.” Business Insider, 3 April 2021. Web.