Risk Management using the `Cube` Approach to Risk
Transcription
Risk Management using the `Cube` Approach to Risk
Risk Management using the ‘Cube’ Richard Cascarino, CISM, CRMA, CIA, CFE About Richard Cascarino, MBA, CIA, CISM, CFE, CRSA Principal of Richard Cascarino & Associates based in Colorado USA Over 30 years experience in IT audit training and consultancy Past President of the Institute of Internal Auditors in South Africa Member of ISACA Member of ACFE Author of Auditor's Guide to IT Auditing and Corporate Fraud and Internal Control (due out soon) 2 Risk Assessment Where does it fit in? Monitoring Control Procedures Risk Assessment Control Environment Integrity, Ethics and Competence 3 Risk Management A methodology for risk identification A process for analyzing risk A family of risk measures to evaluate performance An organization the recognizes the impact of risk on corporate performance Three components Risk identification Assessment of magnitude and potential effect Exploration of mitigation techniques 4 Risk Analysis and Internal Auditing Opportunity Compliance and Prevention Operating Performance Strategic Initiatives Uncertainty Hazard Internal Auditor Manager Director CEO 5 Risk Classification Inherent Risk The pure risk as part of the nature of the activity Control risk The risk that an established control will fail to function as intended Detection Risk The risk of management and/or auditors failing to detect a risk Planning Risk The risk of the managers and/or auditors choosing the wrong plan Residual Risk The risk remaining after all controls are in place and 6 effective The Cube 7 Developed from the FitzGerald Matrix Approach Jerry FitzGerald CDP, CISA Used to identify high-impact areas for auditing Looks at systems via their components and threats –Threat identification –Threat evaluation –Control identification –Control evaluation –Audit work selection –Recommendation formulation Allows the use of nested matrices 8 Steps in the Matrix Approach –1 –2 –3 –4 –5 –6 –7 –8 Identify the components and threats in a given audit unit Rank the components and threats Create the control matrix identifying the high-risk quartile and the low-risk quartile Identify controls known / believed to be in place Evaluate the effectiveness and cost/benefits of the systems of internal control Make recommendations where controls are deemed to be inadequate Test key controls to ensure their effectiveness Re-evaluate based on known control effectiveness and make recommendations 9 where appropriate Identifying the Components and Threats Done in conjunction with management and the auditees Components –One specific part of the audit unit may be part of a computer system may be one function carried out by an auditee dept. may be different components of an auditee dept. Threats –Potential adverse occurrence theft disaster unauthorized disclosure 10 Means of Identifying Brainstorming session –Auditors –Auditees –Managers Frank discussion on the possible threats Development of a written list of components and threats Summarized into a manageable size –No more than six is ideal One or two sentences to define each threat as understood by the group 11 Risk Ranking Objective to arrive at "just enough" control Comparison Risk Ranking –similar to AHP but only three choices A is more important B is more important both are equally important –Risk ranking team may be the same as for threat identification –All participants must be up-to-date on real threats to the audit unit (a Delphi team) –All team members have one vote every time 12 Comparison Risk Ranking Fraud Fraud Unavail Non-Compl Loss of Conf. Unavail Non-Compl Loss of Conf. 13 Using the Evaluation Sheet Place all the threats in the boxes marked in blue Taking each pair of threats, each member present votes on the relative seriousness Votes are placed on the matrix (white) –on the left if voting for the left –on the right if voting for the top Votes are counted: – horizontally on the left plus –vertically on the right This gives a comparative ranking to all identified threats 14 Drawing up the Matrix Threats Components 15 Identifying the Quartiles Threats Components 16 Cube Starting Point 17 Customer-Facing Systems Threats Components NonComp Loss of Integrity Unavail. Loss of Confid. Fraud Poor Perf. Coms /Infrast. People Data Software Hardware 18 Layer By Layer 19 Customer-facing Controls Risks compliance integrity availability 1 3 11 14 16 20 21 60 1 9 10 11 12 14 16 18 1 6 7 16 25 33 60 21 62 confidentiality fraud 1 3 10 11 14 16 21 62 1 7 10 11 12 16 60 performance 1 3 6 12 16 20 25 external coms Elements 3 8 9 14 16 60 3 9 16 60 16 21 8 1 3 16 21 1 3 8 16 20 11 60 8 11 19 20 21 23 60 62 6 20 25 33 8 9 11 16 18 19 65 8 9 11 18 19 21 3 7 8 9 12 16 17 60 3 7 8 9 16 18 19 21 22 14 16 18 60 3 11 12 16 3 19 21 3 8 9 12 14 16 20 3 9 10 12 65 1 3 7 9 10 137 1 3 7 11 3 8 9 12 14 16 20 people data software 1 2 3 4 6 16 21 hardware 20 Customer-facing Key Controls Risks external coms compliance integrity availability 1 3 11 14 16 20 21 60 1 9 10 11 12 14 16 18 1 6 7 16 25 33 60 21 62 confidentiality fraud 1 3 10 11 14 16 21 62 1 7 10 11 12 16 60 16 21 8 1 3 16 21 performance 1 3 6 12 16 20 25 3 8 9 14 16 60 3 9 16 60 1 3 8 16 20 11 60 8 11 19 20 21 23 60 62 6 20 25 33 8 9 11 16 18 19 65 8 9 11 18 19 21 3 7 8 9 12 16 17 60 3 7 8 9 16 18 19 21 22 14 16 18 60 3 11 12 16 3 19 21 3 8 9 12 14 16 20 3 9 10 12 65 1 3 7 9 10 137 1 3 7 11 3 8 9 12 14 16 20 Elements people data software 1 2 3 4 6 16 21 hardware 21 Workstation Key Controls Risks Integrity 1 3 8 9 14 15 16 21 24 26 50 51 60 62 Confidentiality 3 8 15 16 21 24 26 50 60 64 Compliance Availability Performance 3 8 9 14 16 21 24 26 49 50 60 3 6 8 12 17 25 34 50 51 60 64 2 3 8 9 12 14 20 26 50 3 6 7 16 17 18 19 20 21 22 7 11 12 16 17 18 19 21 26 62 49 51 62 7 9 12 13 14 16 17 22 6 7 9 12 13 16 17 18 19 20 21 22 25 35 62 64 3 7 8 9 12 14 16 18 19 20 22 1 2 3 12 13 14 15 21 22 1 3 7 9 12 14 16 26 49 62 1 2 3 4 6 7 8 9 10 12 13 65 14 25 34 49 55 People Elements Software 1 9 12 16 20 2 3 7 8 9 12 14 16 20 22 64 Hardware 6 8 9 11 12 18 19 20 21 22 1 8 9 11 12 14 18 19 21 24 26 1 7 8 9 11 12 13 14 18 19 1 6 7 14 18 19 20 21 23 23 24 51 62 49 50 60 62 63 65 20 21 23 24 51 60 65 24 25 26 63 8 9 18 19 20 23 60 Data 22 Control List 2012 Controls Critical in 4 or more areas I Series i-Series N/wrk Servers Network Workstation Customer 1. Physical Access 2. Climate controls 3. Acquisition standards 4. UPS 5. Secureworks 6. Backups 7. Change management 8. Knowledge 9. Standards and best practices 10. Technical Controls 11. Encryption 12. Vendor Support 13. Warranty 14. Monitoring 15. Bonding 16. Contracts 17. Documentation 18. Software Controls 19. Malware / Antivirus 20. Active user base 21. Logical access 23 Mapping Key Controls 2012 Controls Critical in 4 or more areas I Series i-Series N/wrk Servers Network Workstation Customer 1. Physical Access 2. Climate controls 3. Acquisition standards 4. UPS 5. Secureworks 6. Backups 7. Change management 8. Knowledge 9. Standards and best practices 10. Technical Controls 11. Encryption 12. Vendor Support 13. Warranty 14. Monitoring 15. Bonding 16. Contracts 17. Documentation 18. Software Controls 19. Malware / Antivirus 20. Active user base 21. Logical access 24 Risk management cycle Review Risks and Controls Identify Risks Implement Mitigating Actions Assess/Rank Risks Define your Risk Management Plan 25 Controls CONTINUOUSLY ASSESS BUSINESS RIS Unacceptable K “The Five A’s” of Risk Management Assess risk Accept or reject risk Avoid risk , transfer risk or reduce risk to an acceptable level Analyze performance gaps Act to improve Reject Identify Source Risk/ Reward Balance Continuously Monitor Decision Measure Acceptable Accept At Existing Level of Risk If Risk is Transferred If Risk is Reduced to an Acceptable Level Three Elements of Integrated Process: The Organization: Speaks a common business risk language, Has a control structure that keeps it in touch with reality and aligns business risk management strategies with that reality, and Implements effective processes to execute its business risk management strategies. Ten Warning Signs of Ineffective Business Risk Management: No linkage of risk to value No effort to anticipate Ineffective strategic control No business risk policy Not a priority No integrated risk assessment framework Fragmented effort Narrow focus Poor risk communications Too little, too late CONTINUOUSLY ASSESS BUSINESS RISK CONTROL PROCESSES Yes Business Risk Control Processes In Place? No Design and Install a Risk Control Process Continuously Assess by Comparing to Best Practices to Identify and Close Performance Gaps 26 Questions? Please feel free to contact us at: Richard Cascarino & Associates PO Box 775524 PO Box 67282 Steamboat Springs Bryanston (970 )291 1497 +27 South Africa +27 (0)78 980 7685 www.rcascarino.com info@rcascarino.com