5Risk management frameworks Provide balance:enable the organization to move forwardachieve its goals whilst ensuring that information risk issues receive appropriate attentionSet the direction:provide the vehicle by which directorsarticulate the organization’s information risk objectivesset the risk management principles and policy to be followed by all staffMaintain the course:enable directors, through effective reporting arrangements, toverify that directives are being followedinformation risks are being appropriately mitigated
6Risk management frameworks Risk management frameworks : establishScope.Identify the nature of the organization’s information assetsThe stakeholders (specific and general) who have an interest in how the organization uses and safeguards those assetsOwnership.Identify who owns the different types of informationSome information will be owned by customers, orby the person about whom the information relates, orby third parties providing the information as part of fulfilling a serviceRisk tolerance.Document the organization’s information risk objectives, and its tolerance for information riskThis will dictate the priority afforded to information risk mitigation in comparison with other types of risk.
7Risk management frameworks Risk management frameworks : establishSetting direction.Describe the means by which directors set the information risk principles and policy to be followed by all staffAllocation of accountability.Specify how accountability for the use and protection of information is allocatedRisk management accountability will follow operational accountability, i.e.those in control of the organization’s operations are accountable both for the uses made of information within those operations and for the safeguarding of that informationEach person should be held accountable for the actions they as individuals perform on information, and for not using information illegally.
8Risk management frameworks Risk management frameworks : establishDelegated authority.Describe the processes by which decisions affecting the use and protection of information are tobe made,be monitored andreviewedAllocation of responsibility.Define the responsibilities needed to ensure information is properly safeguardedReporting and assurance.Define the reporting and assurance arrangementsensure that their mandates and policies are being followed correctlyinformation control and protection obligations are being fulfilled
10Governance Frameworks COSOCEOCOSOCobiTCIOFinancial reporting functionISO familyITILSeveral security governance frameworks -> baseline/guideline that specify how to do security planning and implementation.Specific IT functionIT security functionSecurity Guidelines Governance Frameworks
11Governance Frameworks CobiT (Control Objectives for Information and Related Technology)is a framework created by ISACA ( Information Systems Audit and Control Association ) for information technology (IT) management and IT governancefocuses specially on controlling the entire IT functiondefines a set of generic processes for the management of ITDominance in the United States
12Governance Frameworks ISO/IEC family of standards specially addresses IT securitya family of ISO/IEC Information Security Management Systems (ISMS) standards,explains the purpose of an Information Security Management Systemused to manage information security risks and controls within an organizationพระราชกฤษฎีกา ว่าด้วยวิธีการแบบปลอดภัยในการทําธุรกรรมทางอิเล็กทรอนิกส์ พ.ศ. ๒๕๕๓
13Governance Frameworks ISO/IEC family of standardsEleven areasSecurity policyOrganization of information securityAsset managementHuman resources securityPhysical and environmental securityCommunication and operations managementAssess control
14Governance Frameworks ISO/IEC family of standardsEleven areasInformation system acquisition, development, and maintenanceInformation security incident managementBusiness continuity managementcompliance
15Governance Frameworks ITIL : Information Technology Infrastructure Librarya set of practices for IT service management (ITSM) (financial)focuses on aligning IT services with the needs of businessdescribes processes, procedures, tasks and checklists that are not organization-specific,used by an organization for establishing integration with the organization's strategy
16COSOThe Committee of Sponsoring Organizations of the Treadway Commission (COSO)A joint initiative of 5 private sector organizationsAmerican Accounting Association (http://aaahq.org/)American Institute of CPAs (http://www.aicpa.org/Pages/default.aspx)Financial Executives International (http://www.financialexecutives.org/KenticoCMS/home.aspx)The Association of Accountants and Financial Professionals in Business (http://www.imanet.org/ima_home.aspx)The Institute of Internal Auditors (https://na.theiia.org/Pages/IIAHome.aspx)CPA = certified public accountant
17COSOObjective :to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.Report of the National Commission on Fraudulent Financial Reporting (1987)Internal Control Issues in Derivatives Usage (1996) Internal Control over Financial Reporting — Guidance for Smaller Public Companies (2006) Enterprise Risk Management — Integrated Framework (2004) Internal Control — Integrated Framework (2013)
19COSO Risk Management Framework Objectives :Strategic objectives – กำหนดวัตถุประสงค์เชิงกลยุทธ์ขององค์กร เป้าหมายของการประสบความสำเร็จOperational objectives – effective and efficient use of resourcesReporting objectives – reliable internal and external reportingCompliance objectives – conformance with applicable laws and regulations
20COSO Risk Management Framework Risk Management Framework ActivitiesInternal Environment :1. risk management philosophy7. assignment of authority & responsibility6. commitment to competence2. risk appetite3. board of directors5. integrity and ethical values4. organization structure
21COSO Risk Management Framework Risk Management Framework ActivitiesObjective settingThe process of establishing strategic goals for an entity.The achievement of strategic goals necessitates development of operational, reporting, and compliance objectives.Objectives are set taking into consideration the risk tolerance and risk appetite of the entity.ตัวอย่าง การเดินทางไป กทม.ไปอย่างไรไปถึงเมื่อไหร่จะทำอย่างไรหากเกิดปัญหา ต่างๆ
22COSO Risk Management Framework Event identificationDetermines which events may affect an entity and whether these events represent opportunities or risks to the achievement of objectives.Opportunities factor into setting the strategic objectives.Risks require management attention for assessment and response.
24COSO Risk Management Framework Risk assessmentOccurs when management evaluates the potential impact of specific risks on the entity.There are two dimensions that are considered using qualitative and quantitative analysis:Likelihood (probability)Impact (amount)
29ตัวอย่างเกณฑ์การประเมินความเสี่ยง กำหนดเกณฑ์ความเสี่ยงแบบต่อเนื่อง (Consequence Ranking)LevelDescriptionด้านการเงินด้านความปลอดภัย1Insignificantไม่มีผลLow financial lossNo injuries2Minorเล็กน้อยMedium financial lossFirst aid treatment, on-site release immediately contained3ModerateปานกลางHigh financial lossMedium treatment required, on-site release contained with outside assistance4MajorมากMajor financial lossExtensive required, off-side release with no detrimental effects5CatastrophicสูงมากHuge financial lossDeath, toxic release, off-side with detrimental effects (เป็นอันตราย)
30ตัวอย่างเกณฑ์การประเมินความเสี่ยง กำหนดเป็นเกรดในการประเมินความเสี่ยงGrade: Combined effect of Likelihood/SeriousnessLikelihoodseriousnessLowMediumHighextremeEDCAB
31COSO Risk Management Framework Risk responsesAvoidance. Exiting or divesting of the activities giving rise to the riskReduction. Actions are taken to reduce risk by for example, implementing controlsSharing. Actions are taken to transfer or share risk for example by: purchasing insurance, engaging in hedging, or outsourcing an activityAcceptance. No action is taken and the entity accepts the risk rather than deploy resources to address
34COSO Risk Management Framework Control activities The policies and procedures that- help ensure the risk responses are carried out, and- are most often associated with risk reduction strategiesOccur at all levels and in all functions throughout the organizationControl activitiesPreventiveDetectiveManualAutomatedEntity levelProcess level.Inherent risk = the total amount of the risk in the absence of any management actions. Residual risk = amount of risk left over after management takes actions to alter either the likelihood or the impact of a risk.
35COSO Risk Management Framework Information and CommunicationInformation must embody these characteristics:Appropriate and at the right level of detailAvailable when neededTimely, current, and recentAccurate and reliableAccessible to those who need ittop downbottom upacross the organizationbetween internal and external stakeholders ( suppliers and customers)Communication streams must be established for efficient delivery of information
36COSO Risk Management Framework Monitoring Change !!The assessment of the ERM continuouslyto ensure it continues to function as designed and is effectiveMonitoring activitiesdone by internal auditorsany deficiencies are reported tothe appropriate level of management, orthe boarddepending on the severity. Change !!