Risk management frameworks Provide balance: – enable the organization to move forward – achieve its goals whilst ensuring that information risk issues receive appropriate attention Set the direction: – provide the vehicle by which directors articulate the organization’s information risk objectives set the risk management principles and policy to be followed by all staff Maintain the course: – enable directors, through effective reporting arrangements, to verify that directives are being followed information risks are being appropriately mitigated
Risk management frameworks Risk management frameworks : establish – Scope. Identify the nature of the organization’s information assets The stakeholders (specific and general) who have an interest in how the organization uses and safeguards those assets – Ownership. Identify who owns the different types of information – Some information will be owned by customers, or – by the person about whom the information relates, or – by third parties providing the information as part of fulfilling a service – Risk tolerance. Document the organization’s information risk objectives, and its tolerance for information risk This will dictate the priority afforded to information risk mitigation in comparison with other types of risk.
Risk management frameworks Risk management frameworks : establish – Setting direction. Describe the means by which directors set the information risk principles and policy to be followed by all staff – Allocation of accountability. Specify how accountability for the use and protection of information is allocated Risk management accountability will follow operational accountability, i.e. – those in control of the organization’s operations are accountable both for the uses made of information within those operations and for the safeguarding of that information – Each person should be held accountable for the actions they as individuals perform on information, and for not using information illegally.
Risk management frameworks Risk management frameworks : establish – Delegated authority. Describe the processes by which decisions affecting the use and protection of information are to – be made, – be monitored and – reviewed – Allocation of responsibility. Define the responsibilities needed to ensure information is properly safeguarded – Reporting and assurance. Define the reporting and assurance arrangements – ensure that their mandates and policies are being followed correctly – information control and protection obligations are being fulfilled
Governance Frameworks CEO Financial reporting function CIO Specific IT function IT security function COSO ITIL CobiT ISO 27000 family Security Guidelines Governance Frameworks
Governance Frameworks CobiT (Control Objectives for Information and Related Technology) – is a framework created by ISACA ( Information Systems Audit and Control Association ) for information technology (IT) management and IT governance – focuses specially on controlling the entire IT function – defines a set of generic processes for the management of IT – Dominance in the United States
Governance Frameworks ISO/IEC 27000 family of standards specially addresses IT security – a family of ISO/IEC Information Security Management Systems (ISMS) standards, – explains the purpose of an Information Security Management System – used to manage information security risks and controls within an organization พระราชกฤษฎีกา ว่าด้วยวิธีการแบบปลอดภัยในการ ทําธุรกรรมทางอิเล็กทรอนิกส์ พ. ศ. ๒๕๕๓
Governance Frameworks ISO/IEC 27000 family of standards – Eleven areas Security policy Organization of information security Asset management Human resources security Physical and environmental security Communication and operations management Assess control
Governance Frameworks ISO/IEC 27000 family of standards – Eleven areas Information system acquisition, development, and maintenance Information security incident management Business continuity management compliance
Governance Frameworks ITIL : Information Technology Infrastructure Library – a set of practices for IT service management (ITSM) (financial)IT service management (financial) – focuses on aligning IT services with the needs of business – describes processes, procedures, tasks and checklists that are not organization-specific, used by an organization for establishing integration with the organization's strategy
COSO The Committee of Sponsoring Organizations of the Treadway Commission (COSO) A joint initiative of 5 private sector organizations – American Accounting Association (http://aaahq.org/)http://aaahq.org/ – American Institute of CPAs (http://www.aicpa.org/Pages/default.aspx)http://www.aicpa.org/Pages/default.aspx – Financial Executives International (http://www.financialexecutives.org/KenticoCMS/home.asp x)http://www.financialexecutives.org/KenticoCMS/home.asp x – The Association of Accountants and Financial Professionals in Business (http://www.imanet.org/ima_home.aspx)http://www.imanet.org/ima_home.aspx – The Institute of Internal Auditors (https://na.theiia.org/Pages/IIAHome.aspx)https://na.theiia.org/Pages/IIAHome.aspx
COSO Objective : – to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. Report of the National Commission on Fraudulent Financial Reporting (1987) Internal Control Issues in Derivatives Usage (1996) Internal Control over Financial Reporting — Guidance for Smaller Public Companies (2006) Enterprise Risk Management — Integrated Framework (2004) Internal Control — Integrated Framework (2013)
COSO Risk Management Framework Strategic objectives – กำหนดวัตถุประสงค์เชิงกลยุทธ์ ขององค์กร เป้าหมายของการประสบความสำเร็จ Operational objectives – effective and efficient use of resources Reporting objectives – reliable internal and external reporting Compliance objectives – conformance with applicable laws and regulations
COSO Risk Management Framework 1. risk management philosophy 2. risk appetite 3. board of directors 5. integrity and ethical values 6. commitment to competence 4. organization structure 7. assignment of authority & responsibility
COSO Risk Management Framework The process of establishing strategic goals for an entity. The achievement of strategic goals necessitates development of operational, reporting, and compliance objectives. Objectives are set taking into consideration the risk tolerance and risk appetite of the entity. ตัวอย่าง การเดินทางไป กทม. ไปอย่างไร ไปถึงเมื่อไหร่ จะทำอย่างไร หากเกิดปัญหา ต่างๆ
COSO Risk Management Framework Determines which events may affect an entity and whether these events represent opportunities or risks to the achievement of objectives. Opportunities factor into setting the strategic objectives. Risks require management attention for assessment and response.
COSO Risk Management Framework Occurs when management evaluates the potential impact of specific risks on the entity. There are two dimensions that are considered using qualitative and quantitative analysis: Likelihood (probability) Impact (amount)
COSO Risk Management Framework Likelihood Impact Extreme High Medium Low Negligible Remote unlikely possible probable certain 0-10% 10-25% 25-50% 50-90% 90-100%
COSO Risk Management Framework Acceptance. No action is taken and the entity accepts the risk rather than deploy resources to address Avoidance. Exiting or divesting of the activities giving rise to the risk Reduction. Actions are taken to reduce risk by for example, implementing controls Sharing. Actions are taken to transfer or share risk for example by: purchasing insurance, engaging in hedging, or outsourcing an activity
COSO Risk Management Framework Likelihood Impact Extreme High Medium Low Negligible Remote unlikely possible probable certain 0-10% 10-25% 25-50% 50-90% 90-100% Avoidance Reduction & Sharing Acceptance
COSO Risk Management Framework Inherent risk = the total amount of the risk in the absence of any management actions. Residual risk = amount of risk left over after management takes actions to alter either the likelihood or the impact of a risk. The policies and procedures that - help ensure the risk responses are carried out, and - are most often associated with risk reduction strategies Occur at all levels and in all functions throughout the organization Control activities Preventive Detective Manual Automated Entity level Process level. Control activities Preventive Detective Manual Automated Entity level Process level.
COSO Risk Management Framework Information must embody these characteristics: Appropriate and at the right level of detail Available when needed Timely, current, and recent Accurate and reliable Accessible to those who need it Communication streams must be established for efficient delivery of information top down bottom up across the organization between internal and external stakeholders ( suppliers and customers) top down bottom up across the organization between internal and external stakeholders ( suppliers and customers)
COSO Risk Management Framework The assessment of the ERM continuously to ensure it continues to function as designed and is effective Monitoring activities done by internal auditors any deficiencies are reported to the appropriate level of management, or the board depending on the severity. Change !!