Risk Management using the `Cube` Approach to Risk

Transcription

Risk Management using the `Cube` Approach to Risk
Risk Management using the
‘Cube’
Richard Cascarino, CISM, CRMA,
CIA, CFE
About Richard Cascarino, MBA, CIA,
CISM, CFE, CRSA

Principal of Richard Cascarino &
Associates based in Colorado USA
 Over 30 years experience in IT
audit training and consultancy
 Past President of the Institute of
Internal Auditors in South Africa
 Member of ISACA
 Member of ACFE
 Author of Auditor's Guide to IT
Auditing and Corporate Fraud
and Internal Control (due out soon)
2
Risk Assessment
Where does it fit in?
Monitoring
Control
Procedures
Risk Assessment
Control Environment
Integrity, Ethics and Competence
3
Risk Management
 A methodology for risk identification
 A process for analyzing risk
 A family of risk measures to evaluate
performance
 An organization the recognizes the impact of
risk on corporate performance
 Three components
 Risk identification
 Assessment of magnitude and potential
effect
 Exploration of mitigation techniques
4
Risk Analysis and Internal Auditing
Opportunity
Compliance and
Prevention
Operating
Performance
Strategic
Initiatives
Uncertainty
Hazard
Internal
Auditor
Manager
Director
CEO
5
Risk Classification
 Inherent Risk
 The pure risk as part of the nature of the activity
 Control risk
 The risk that an established control will fail to function
as intended
 Detection Risk
 The risk of management and/or auditors failing to
detect a risk
 Planning Risk
 The risk of the managers and/or auditors choosing the
wrong plan
 Residual Risk
 The risk remaining after all controls are in place and
6
effective
The Cube
7
Developed from the FitzGerald
Matrix Approach
Jerry FitzGerald CDP, CISA
Used to identify high-impact areas for auditing
Looks at systems via their components and threats
–Threat identification
–Threat evaluation
–Control identification
–Control evaluation
–Audit work selection
–Recommendation formulation
Allows the use of nested matrices
8
Steps in the Matrix Approach
–1
–2
–3
–4
–5
–6
–7
–8
Identify the components and threats in a
given audit unit
Rank the components and threats
Create the control matrix identifying the
high-risk quartile and the low-risk quartile
Identify controls known / believed to be in place
Evaluate the effectiveness and cost/benefits of the
systems of internal control
Make recommendations where controls
are deemed to be inadequate
Test key controls to ensure their effectiveness
Re-evaluate based on known control
effectiveness and make recommendations
9
where appropriate
Identifying the Components and
Threats
Done in conjunction with management and the
auditees
Components
–One specific part of the audit unit
 may be part of a computer system
 may be one function carried out by an auditee dept.
 may be different components of an auditee dept.
Threats
–Potential adverse occurrence
 theft
 disaster
 unauthorized disclosure
10
Means of Identifying
Brainstorming session
–Auditors
–Auditees
–Managers
Frank discussion on the possible threats
Development of a written list of components and
threats
Summarized into a manageable size
–No more than six is ideal
One or two sentences to define each threat as
understood by the group
11
Risk Ranking
Objective to arrive at "just enough" control
Comparison Risk Ranking
–similar to AHP but only three choices
 A is more important
 B is more important
 both are equally important
–Risk ranking team may be the same as for threat
identification
–All participants must be up-to-date on real threats to the
audit unit (a Delphi team)
–All team members have one vote every time
12
Comparison Risk Ranking
Fraud
Fraud
Unavail
Non-Compl
Loss of
Conf.
Unavail
Non-Compl
Loss of
Conf.
13
Using the Evaluation Sheet
Place all the threats in the boxes marked in blue
Taking each pair of threats, each member present
votes on the relative seriousness
Votes are placed on the matrix (white)
–on the left if voting for the left
–on the right if voting for the top
Votes are counted:
– horizontally on the left plus
–vertically on the right
This gives a comparative ranking to all
identified
threats
14
Drawing up the Matrix
Threats
Components
15
Identifying the Quartiles
Threats
Components
16
Cube Starting Point
17
Customer-Facing Systems
Threats
Components
NonComp
Loss of
Integrity
Unavail.
Loss of
Confid.
Fraud
Poor Perf.
Coms /Infrast.
People
Data
Software
Hardware
18
Layer By Layer
19
Customer-facing Controls
Risks
compliance
integrity
availability
1 3 11 14 16 20 21 60 1 9 10 11 12 14 16 18 1 6 7 16 25 33 60
21 62
confidentiality
fraud
1 3 10 11 14 16 21 62 1 7 10 11 12 16 60
performance
1 3 6 12 16 20 25
external coms
Elements
3 8 9 14 16 60
3 9 16 60
16 21
8 1 3 16 21
1 3 8 16 20
11 60
8 11 19 20 21 23 60 62 6 20 25 33
8 9 11 16 18 19 65
8 9 11 18 19 21
3 7 8 9 12 16 17 60
3 7 8 9 16 18 19 21 22 14 16 18
60
3 11 12 16
3 19 21
3 8 9 12 14 16 20
3 9 10 12 65
1 3 7 9 10
137
1 3 7 11
3 8 9 12 14 16 20
people
data
software
1 2 3 4 6 16 21
hardware
20
Customer-facing Key Controls
Risks
external coms
compliance
integrity
availability
1 3 11 14 16 20 21 60 1 9 10 11 12 14 16 18 1 6 7 16 25 33 60
21 62
confidentiality
fraud
1 3 10 11 14 16 21 62 1 7 10 11 12 16 60
16 21
8 1 3 16 21
performance
1 3 6 12 16 20 25
3 8 9 14 16 60
3 9 16 60
1 3 8 16 20
11 60
8 11 19 20 21 23 60 62 6 20 25 33
8 9 11 16 18 19 65
8 9 11 18 19 21
3 7 8 9 12 16 17 60
3 7 8 9 16 18 19 21 22 14 16 18
60
3 11 12 16
3 19 21
3 8 9 12 14 16 20
3 9 10 12 65
1 3 7 9 10
137
1 3 7 11
3 8 9 12 14 16 20
Elements
people
data
software
1 2 3 4 6 16 21
hardware
21
Workstation Key Controls
Risks
Integrity
1 3 8 9 14 15 16 21 24 26
50 51 60 62
Confidentiality
3 8 15 16 21 24 26 50 60 64
Compliance
Availability
Performance
3 8 9 14 16 21 24 26 49
50 60
3 6 8 12 17 25 34 50 51
60 64
2 3 8 9 12 14 20 26 50
3 6 7 16 17 18 19 20 21 22 7 11 12 16 17 18 19 21 26 62
49 51 62
7 9 12 13 14 16 17 22
6 7 9 12 13 16 17 18 19
20 21 22 25 35 62 64
3 7 8 9 12 14 16 18 19 20
22
1 2 3 12 13 14 15 21 22
1 3 7 9 12 14 16 26 49 62 1 2 3 4 6 7 8 9 10 12 13
65
14 25 34 49 55
People
Elements
Software
1 9 12 16 20
2 3 7 8 9 12 14 16 20 22 64
Hardware
6 8 9 11 12 18 19 20 21 22 1 8 9 11 12 14 18 19 21 24 26 1 7 8 9 11 12 13 14 18 19 1 6 7 14 18 19 20 21 23
23 24 51 62
49 50 60 62 63 65
20 21 23 24 51 60 65
24 25 26 63
8 9 18 19 20 23 60
Data
22
Control List
2012 Controls
Critical in 4 or more areas
I Series
i-Series N/wrk Servers
Network
Workstation
Customer
1. Physical Access
2. Climate controls
3. Acquisition standards
4. UPS
5. Secureworks
6. Backups
7. Change management
8. Knowledge
9. Standards and best practices
10. Technical Controls
11. Encryption
12. Vendor Support
13. Warranty
14. Monitoring
15. Bonding
16. Contracts
17. Documentation
18. Software Controls
19. Malware / Antivirus
20. Active user base
21. Logical access
23
Mapping Key Controls
2012 Controls
Critical in 4 or more areas
I Series
i-Series N/wrk Servers
Network
Workstation
Customer
1. Physical Access
2. Climate controls
3. Acquisition standards
4. UPS
5. Secureworks
6. Backups
7. Change management
8. Knowledge
9. Standards and best practices
10. Technical Controls
11. Encryption
12. Vendor Support
13. Warranty
14. Monitoring
15. Bonding
16. Contracts
17. Documentation
18. Software Controls
19. Malware / Antivirus
20. Active user base
21. Logical access
24
Risk management cycle
Review Risks
and Controls
Identify
Risks
Implement
Mitigating
Actions
Assess/Rank
Risks
Define your
Risk
Management
Plan
25
Controls
CONTINUOUSLY ASSESS BUSINESS RIS
Unacceptable
K
“The Five A’s” of Risk Management
Assess risk
Accept or reject risk
Avoid risk , transfer risk or reduce risk
to an acceptable level
Analyze performance gaps
Act to improve
Reject
Identify
Source
Risk/ Reward
Balance
Continuously
Monitor
Decision
Measure
Acceptable
Accept
At Existing
Level of Risk
If Risk is
Transferred
If Risk is
Reduced to an
Acceptable
Level
Three Elements of Integrated Process:
The Organization:
Speaks a common business risk language,
Has a control structure that keeps it in touch
with reality and aligns business risk
management strategies with that reality, and
Implements effective processes to execute its
business risk management strategies.
Ten Warning Signs of Ineffective
Business Risk Management:
No linkage of risk to value
No effort to anticipate
Ineffective strategic control
No business risk policy
Not a priority
No integrated risk assessment framework
Fragmented effort
Narrow focus
Poor risk communications
Too little, too late
CONTINUOUSLY ASSESS BUSINESS RISK CONTROL PROCESSES
Yes
Business Risk
Control Processes
In Place?
No
Design and Install
a Risk Control
Process
Continuously
Assess by
Comparing to
Best Practices
to Identify
and Close
Performance
Gaps
26
Questions?
Please feel free to contact us at:
Richard Cascarino & Associates
PO Box 775524
PO Box 67282
Steamboat Springs Bryanston
(970 )291 1497 +27 South Africa +27 (0)78 980 7685
www.rcascarino.com
info@rcascarino.com