GS BUSA 497 CH 6 Risk Management

Risk management ensures that losses do not prevent organizations' management from

seeking its goals of conserving assets and realizing the expected value from investments.

LEARNING OBJECTIVES 1. Discuss the risk management process, and how it plays an important role in protecting organizations' information from IT threats. 2. Describe the Enterprise Risk Management—Integrated Framework, as well as its eight risk and control components, and how they apply to objectives set by management.

3. Explain what risk assessment is in the context of an organization. 4. Summarize professional standards that provide guidance to auditors and managers about risk assessments. 5. Support the need of insurance coverage as part of the risk assessment process for IT operations.

COSO Enterprise Risk Management (ERM) Framework Committee of Sponsoring Organizations of the Treadway Commission

A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.†

7 of 8 : ERM Integrated Framework : Information and Communication Information is data organized and processed to provide meaning and, thus, improve decision making. Information is useful when it is: 1. Relevant : pertinent 2. Reliable : no bias 3. Complete : no valid omissions 4. Timely : in time to make decisions 5. Understandable : meaningful 6. Verifiable : independent conclusions 7. Accessible : available when needed

Communication refers to the process of providing, sharing, and obtaining necessary information in a continuing and frequent basis. An information and communication system, such as an accounting information system (AIS), should gather, record, process, store, summarize, and communicate information about an organization.

2 of 8 : ERM Integrated Framework : Objective Setting Objectives refer to the goals the company wants to achieve. • established at various levels within a company • Where we see ourselves in the future

Compliance objectives ensure all applicable industry-specific, local, state, and federal laws are properly followed and observed. Failure to comply with these can result in serious consequences, leaving the company vulnerable to lawsuits, on-demand audits, and sanctions that can ultimate lead to dissolution.

ERM Integrated Framework 6.1 The top four columns are the objectives management typically establishes in order to achieve the company goals. The right side of the model shows the four units that a company may be composed of. The ERM Integrated Framework takes a risk-based rather than a controls-based approach when evaluating internal controls. The ERM risk-based approach resulted from the addition of four elements to the previous IC framework: • Objective Setting, • Event (or Risk) Identification, • Risk Assessment, and • Risk Response.

Eight specific interrelated components of the ERM 1. Internal Environment 2. Objective Setting 3. Event (or risk) identification 4. Risk Assessment 5. Risk Response 6. Control Activities 7. Information & Communicate 8. Monitoring

Insurance as Part of IT Risk Assessments Insurance distributes losses so that a devastating loss to an individual or business is spread equitably among a group of insured members. Insurance neither prevents loss nor reduces its cost; it merely reduces the risk. The types of insurance policies that cover these risks include property, liability, business interruption, and fidelity-bonding insurance. These policies, especially written for IT-related risks, should examine: ◾ Coverage of hardware and equipment ◾ Coverage of the media and information stored thereon. ◾ Coverage of the replacement or reconstruction cost and the cost of doing business as usual (i.e., business interruption). ◾ Coverage of items such as damage to media from magnets, damage from power failure (blackout) or power cut (brownout), and damage from software failure.

IT Risks Typically Insured In the IT environment, there are special risks that are commonly handled by insurance, including: ◾ Damage to computer equipment ◾ Cost of storage media ◾ Cost of acquiring the data stored on the media ◾ Damage to outsiders ◾ Business effects of the loss of computer functions

Available Guidance COBIT : COBIT helps organizations create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. address the areas of regulatory compliance and risk management. ISO/IEC The ISO/IEC 27000 family of standards includes techniques that help organizations secure their information assets. The ISO/IEC 27005:2011 standard does not specify nor recommend any specific risk management method, but does suggest a process consisting of a structured sequence of continuous activities, which include: ◾ Establishing the risk management context, including the scope, compliance objectives, approaches/methods to be used, and relevant policies and criteria (e.g., organization's risk tolerance, risk appetite, etc.) ◾ Assessing quantitatively or qualitatively relevant information risks considering information assets, threats, vulnerabilities, and existing controls. ◾ Determining, based on the risk level, how will management react or respond to identified risks ◾ Maintaining stakeholders aware and informed throughout the information security risk management process. ◾ Monitoring and reviewing risks, risk treatments, risk objectives, obligations, and criteria continuously. ◾ Identifying and responding appropriately to significant changes.

National Institute of Standards and Technology (NIST) NIST standards and guidelines are issued as Federal Information Processing Standards (FIPS) for government-wide use. 1974 FIPS 31, "Guidelines for Automatic Data Processing Physical Security and Risk Management." 2006, NIST issued FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems," where federal agencies were responsible for including within their information "policies and procedures that ensure compliance with minimally acceptable system configuration requirements, as determined by the agency." When assessing risks related to IT, particular attention should be provided to NIST SP 800-30 guide, "Guide for Conducting Risk Assessments."* The NIST SP 800-30 guide provides a common foundation for organizations' personnel with or without experience, who either use or support the risk management process for their IT systems.

Institute of Internal Auditors (IIA) Established in 1941, the IIA serves more than 85,000 members in internal auditing, governance and internal control, IT audits education, and security in more than 120 countries. Guides to the Assessment of IT Risk, or GAIT. for "IT General Controls Deficiency Assessment" is a top-down and risk-based approach to assessing IT general controls. • The GAIT for "Business and IT Risk," or GAIT-R, is a risk-based audit methodology to align IT audits to business risks.

Performance Standard 2110 titled "Risk Management," Implementation Standard 2110.A2 (Assurance Engagements) stipulates that the internal audit activity should evaluate risk exposures relating to the organization's governance, operations, and IS regarding: ◾ Reliability and integrity of financial and operational information ◾ Effectiveness and efficiency of operations ◾ Safeguarding of assets ◾ Compliance with laws, regulations, and contracts

Risk Assessment • the first step in the risk management methodology • determine the extent of potential threats and evaluate the risks associated with IT systems • results of the above assist management in identifying and implementing appropriate IT controls for reducing and/or eliminating those threats and risks Risk assessments should be reviewed and reconsidered each year. • adding any new risks to the business unit due to new products or services • assess whether the ratings for each risk were warranted or may need to be adjusted. • of business with good risk management practices should be rewarded. • Periodic audits by external auditors and regulatory bodies are also a necessary part of IT risk management program.

Risk assessments provide a framework for allocating resources to achieve maximum benefits. • both a tool and a technique that can be used to self-evaluate the level of risk of a given process or function • should be completed by the line of business with assistance from the IT risk management coordinator or internal audit

4 of 8 : ERM Integrated Framework : Risk Assessment automated systems require a separate analysis, especially when these systems are the sole source of critical information to the company • computer viruses, • theft of information or data, • electronic sabotage

Risks are assessed from two perspectives: Likelihood and Impact. Likelihood: refers to the probability that the event will occur Impact the estimated potential loss should such particular event occurs Risks are categorized as follows: ◾ Critical—exposures would result in bankruptcy, for instance. ◾ Important—possible losses would not lead to bankruptcy, but require the company to take out loans to continue operations. ◾ Unimportant—exposures that could be accommodated by existing assets or current income without imposing undue financial strain.

Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed in 1985 as an independent, voluntary, private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

The COSO ERM—Integrated Framework, discussed previously, was developed by the global accounting firm, PriceWaterhouseCoopers, and issued in September 2004.

ISACA ISACA (formerly known as the Information Systems Audit and Control Association) is a worldwide not-for-profit association of more than 28,000 practitioners dedicated to IT audit, control, and security in over 100 countries.

The ISACA's guideline titled "Use of Risk Assessment in Audit Planning" specifies the level of audit work required to meet a specific audit objective; it is a subjective decision made by the IT auditor.

Government Accountability Office (GAO) The GAO is a nonpartisan agency within the legislative branch of the government. • conducts audits, surveys, investigations, and evaluations of federal programs. • done at the request of congressional committees or members, or to fulfill specifically mandated or basic legislative requirements

The U.S. federal government has invested an extraordinary amount of resources in examining risk dating back to the early 1960s • Government Accounting Standards (GAS) and • GAO's Information Management and Technology (IMTEC) IMTEC 8.1.4, "Information Technology: An Audit Guide for Assessing Acquisition Risk," is used in planning and conducting risk assessments of computer hardware and software, telecommunications, and system development acquisitions.

The IT risk management coordinator can give insight and information to the line of business regarding the specific risks faced by the application or system. The IT department, headed by the chief technology officer (CTO), would be evaluating, managing, and accepting the risks associated with this type of enterprise-wide technology.

The business manager would be able to assess these in light of the overall risk facing the line of business.

3 of 8 : ERM Integrated Framework : Event (or Risk) Identification Events impact companies internally or externally. • can significantly affect goals, objectives, and/or strategy. (1) What could go wrong? (2) How can it go wrong? (3) What is the potential harm? (4) What can be done about it? Risks are classified as either • inherent (they exist before plans are made to control them) or • residual (risks left over after being controlled)

The key is to identify potential events or risks that can significantly impact business operations and revenues. ◾ Audits or inspections by managers, workers, or independent parties of the company's operational sites or practices ◾ Operations or process flowcharts of the company's operations ◾ Risk analysis questionnaires where information can be captured about the company's operations and ongoing activities ◾ Financial statement analyses to depict trends in revenue and cost areas, identifying asset exposure analysis ◾ Insurance policy checklists

Reduction and Retention of Risks Risks that are not insurable can be managed in other ways: reduced or retained. Risk reduction • accomplished through loss prevention and control • if the possibility of loss can be prevented, the risk is eliminated; • even reducing the chance of the loss from occurring is a significant improvement

The reduction method is frequently used with insurance to lessen the premiums. ◾ Is there a comprehensive, up-to-date disaster recovery plan or business continuity plan? ◾ What efforts have been made to check that both plans are workable? ◾ Are there off-site backups of the appropriate file? ◾ Are the procedures and practices for controlling accidents adequate? ◾ Have practical measures been taken to control the impact of a disaster?

6 of 8 : ERM Integrated Framework : Control Activities procedures management implement to safeguard assets, keep accurate and complete information, as well as achieve established business goals and objectives. Implementing controls is an effective way to: (1) reduce identified risks to acceptable levels; (2) comply with company policies, procedures, laws, and regulations; and (3) enhance efficiency of existing operations. Once in place, controls must be monitored for effective implementation.

There are three types of controls: Preventive, Detective, and Corrective. Preventive controls, for instance, deter problems from occurring and are usually superior than detective controls. Ex : hiring qualified personnel, segregating employee duties, and controlling physical access. Detective controls, are intended to discover problems that cannot be prevented Ex : performing reconciliations of bank accounts, trial balances • designed to trigger when preventive controls fail corrective controls "react to what just happened Examples include maintaining backup copies of files and correcting data entry errors.

8 of 8 : ERM Integrated Framework : Monitoring occur to ensure that the information and communication system (i.e., AIS) is implemented effectively and, most importantly, operates as designed. Deficiencies are to be documented, evaluated, and communicated. Deficiencies are communicated to management and to the Board as appropriate.

monitoring activities may include • internal audits or internal control evaluations; • assessing for effective supervision; • monitoring against established and approved budgets; • tracking purchased software and mobile devices; • conducting periodic external, internal, and/ or network security audits; • bringing on board a Chief Information Security Officer and forensic specialists; • installing fraud detection software; and • implementing a fraud hotline,

According to an article in Harvard Business Review: "The key to success, for the vast majority of companies, is

no longer to seek a vantage aggressively but to manage costs and risks meticulously."

procedures to control risk

accept, avoid, diversify, share, or transfer risk

Historically, risk management in even the most successful businesses has tended to be in "silos"

the insurance risk, the technology risk, the financial risk, and the environmental risk— all managed independently in separate compartments

Risk Management

the process of identifying and assessing risk, followed by implementing the necessary procedures to reduce such risk to acceptable levels

Risk Management • Enables organizations to focus on high impact areas.

• Should be part of strategic and operational planning, project management, resource allocation, etc. • Enterprise Risk Management (ERM)!

American Institute of Certified Public Accountants (AICPA) An example in applying audit risk and materiality concepts comes with the issuance of SAS 47, "Audit Risk and Materiality in Conducting an Audit," which relates to risk assessment.

• Statements on Auditing Standards (SAS) risk is defined as the possibility of a misstatement occurring in an account balance or class of transactions that (1) could be material when aggregated with misstatements in other balances or classes and (2) will not be prevented or detected on a timely basis by the system of internal control.

Why establish ERM?

• To identify, measure, mitigate, and monitor risk. • Increase organizational oversight Business risks are increasing - failure to manage risk evidenced by recent financial crisis/meltdowns

Enterprise Risk Management (ERM)

• a process • created by BOD and management • applied at strategy setting • applied across entity • identifies risks that may affect the entity • manages risks identified to be within the entity's risk appetite • provides reasonable assurance regarding the achievement of entity objectives

Risk Management Businesses have experienced numerous risk-associated reversals that have resulted in: Mismanagement of Risk Could result in:

• considerable financial loss, • decrease in shareholder value, • damage to the organization reputation, • dismissals of senior management, and, • dissolution of the business.

Cyber Insurance • Center for Strategic and International Studies estimated annual costs from cybercrime to range between $375 billion and $575 billion for mid-to-large organizations. • Another study performed by Symantec in 2016 (and documented as part of its Internet Security Threat Report) indicated that 43% of all 2016 attacks targeted small businesses (i.e., organizations with less than 250 employees).

• cyber insurance is either excluded from traditional commercial general liability policies, or not specifically defined in traditional insurance products This specific type of insurance covers expenses related to first-party losses or third-party claims. Coverage typically includes: ◾ losses from data destruction, extortion, theft, hacking, and denial of service attacks ◾ losses to others caused by errors and omissions, failure to safeguard data, or defamation

Chief Risk Officer (CRO) primary responsibility of reducing risk throughout the enterprise (creating depts hiring ppl)

• determines risk limits the organization is willing to take on • should not be static but should be subject to change • each business manager will be held accountable for assessing the line of business' risks, creating a risk action plan, and determining if their risks fall within or outside of the established tolerances

IT risk management focuses on risks resulting from IT systems with threats such as

• fraud, • erroneous decisions, • loss of productive time, • data inaccuracy, • unauthorized data disclosure, and • loss of public confidence that can put organizations at risk.

ERM has become more widely accepted as a means of managing organizations.

• over 90% of respondents believed that ERM is or will be part of their business processes • integrate ERM with all other classes of risks into truly enterprise-wide risk management frameworks • integrated systems that aggregate credit, market, liquidity, operational, and other risks generated by business units in a consistent framework across the organization Consistency may become a necessary condition to regulatory approval of internal risk management models.

After the risk assessment is filled out and all risks the particular line of business is facing are fully identified,

• review the risks and associated controls. • compared to applicable regulatory requirements and Board-approved limits to risk taking • CRO and the business management work together to find solutions to lower the risks to acceptable levels

Enterprise Risk Management—Integrated Framework The strongest defense against operational risk and losses resides and flows from the highest level of the organization—the Board and senior management. Regulators and shareholders have already signaled that they will hold the Board and executives accountable for managing operational risk.

• the management team they hire, and the policies they develop, all set the tone for an organization • must be acutely attuned to market reaction to negative news • responsible for policy matters relative to corporate governance, including, but not limited to, setting the stage for the framework and foundation for ERM.

5 of 8 : ERM Integrated Framework : Risk Response process starts with companies evaluating their inherent risks, then selecting the appropriate response technique, and finally assessing the residual risk. Management can react or respond to identified risks in one of the following four ways: Avoid, Prevent, Reduce, or Transfer.

◾ Avoid or completely eliminate the risk. ◾ Prevent a risk through implementing IT controls, 1. Performing validity checks 2. Cleaning disk drives 3. logical security ◾ Reduce the risk through taking mitigation actions • controls detecting errors after data are complete ◾ Transfer all or part of the risk to a third party • acquiring insurance or outsourcing (subcontracting) services A last option would involve management assuming / accepting or retaining the risk. • Would a customer be as forgiving of the risks accepted by the organization.

1 of 8 : ERM Integrated Framework : Internal Environment It refers to its culture, its behaviors, its actions, its policies, its procedures, its tone, its heart. A strong internal environment often prevents a company from breakdowns in risk management and control. The internal environment is the base and infrastructure for all other seven ERM components, and consists of:

◾ Management's beliefs, attitudes, operating style, and risk appetite. ◾ Management's commitment to integrity, ethical values, and competence. ◾ Management's oversight over the company's internal control and structure. ◾ Methods of assigning authority and responsibility through the establishment of formal policies and procedures that are consistent with goals and objectives. ◾ Human resource policies, procedures, and practices overseeing existing working conditions, job incentives, promotion, and career advancement. ◾ Procedures in place to comply with industry external requirements, as well as regulatory laws, such as those imposed by banks, utilities, insurance companies, the SEC and the PCAOB, among others.

NIST guidelines, including the SP 800-30, have assisted federal agencies and organizations in significantly improving their overall IT security quality by:

◾ providing a standard framework for managing and assessing organizations' IS risks, while supporting organizational missions and business functions; ◾ allowing for making risk-based determinations, while ensuring cost-effective implementations; ◾ describing a more flexible and dynamic approach that can be used for monitoring the information security status of organizations' IS; ◾ supporting a bottom-up approach in regards to information security, centering on individual IS that support the organization; and ◾ promoting a top-down approach related to information security, focusing on specific IT-related issues from a corporate perspective.

Uninsurable risks can also be retained depending on the organization's awareness of the risks. The retention method, which is sometimes referred to as self-insurance, should be voluntary and meet the following criteria:

◾The risk should be spread physically so that there is a reasonably even distribution of exposure to loss over several locations. ◾ A study should be made to determine the maximum exposure to loss. ◾ Consideration should be given to the possibility of unfavorable loss experience and a decision reached as to whether this contingency should be covered by provision for self-insurance reserves. ◾ A premium charge should be made against operations that are adequate to cover losses and any increase in reserves that appear advisable. ◾ If retained, risks should be consistent with management objectives and risk analysis