Chapter 6: Risk Management
Risk Management
Risk management plays an important role in protecting organizations’ information
from IT threats. For instance, IT risk management focuses on risks resulting from IT systems
with threats such as fraud, erroneous decisions, loss of productive time, data inaccuracy,
unauthorized data disclosure, and loss of public confidence that can put organizations at
risk. Risk management ensures that losses do not prevent organizations’ management from
seeking its goals of conserving assets and realizing the expected value from investments.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30
defines risk management as the process of identifying and assessing risk, followed by
implementing the necessary procedures to reduce such risk to acceptable levels.
Enterprise Risk Management – Integrated Framework
In 2010, the Basel Risk Management Committee issued updated guidance on
managing operational risk that further highlights the importance of enterprise risk
management. Meanwhile, shareholders are aware of operational risks that can add up to
billions of dollars every year and include frequent, low-level losses and also infrequent but
catastrophic losses that have actually wiped out businesses. Regulators and shareholders
have already signalled that they will hold the Board and executives accountable for
managing operational risk.
Internal Environment
The internal environment of a company is everything. It refers to its culture, its
behaviours, its actions, its policies, its procedures, its tone, its heart. The internal
environment is crucial in setting the company’s goals, strategies, and objectives; establishing
procedures to assess or mitigate risk in business areas; and identifying and implementing
adequate controls to respond to those risk areas.
◾ Management’s beliefs, attitudes, operating style, and risk appetite.
◾ Management’s commitment to integrity, ethical values, and competence.
◾ Management’s oversight over the company’s internal control and structure.
◾ Methods of assigning authority and responsibility through the establishment
of formal policies and procedures that are consistent with goals and
objectives.
◾ Human resource policies, procedures, and practices overseeing existing
working conditions, job incentives, promotion, and career advancement.
◾ Procedures in place to comply with industry external requirements, as well as
regulatory laws, such as those imposed by banks, utilities, insurance
companies, the SEC and the PCAOB, among others.
Objective Setting
Objectives refer to the goals the company wants to achieve. Objectives are
established at various levels within a company. That is, companies may set objectives at the
top/management level, say to guide their direction or strategy (e.g., become the best seller
in the market, acquire a separate business, merge with a competitor, etc.); or at lower
levels, like improving existing operations (e.g., hiring quality personnel, improving current
processes, implementing controls to address additional risks, maintaining certain levels of
production, etc.).
Event (or Risk) Identification
Events impact companies internally or externally. For instance, events could occur
outside the company (e.g., natural disasters, enactment of new laws and regulations, etc.)
that can significantly affect its goals, objectives, and/or strategy. Identification of these
events or risks can result from responding to management questions, such as: (1) What
could go wrong? (2) How can it go wrong? (3) What is the potential harm? and (4) What can
be done about it? An example would be an office desk manufacturer that relies on sourcing
the wood necessary to build the desks from specific regions in the Caribbean.
the management questions from above with hypothetical responses to identify internal or
external events:
1. What could go wrong? Shipment of wood may fail or may not be received on
time resulting in not having enough supplied wood to meet customer demands
and/or required production levels.
2. How can it go wrong? Weather conditions (e.g., hurricanes, flooding, etc.) may
affect safe conditions to cut trees and prepare the necessary wood; or prevent
timely shipment of the wood to the manufacturing site.
3. What is the potential harm? The lack of or limited supply may force the
manufacturer to pay higher costs, which could translate into higher prices for
customers.
4. What can be done about it? Solutions may include identifying at least one or two
additional suppliers (outside of the Caribbean), and/or having higher amounts of
wood inventory on hand. These will help in preventing or mitigating the issues
just identified, and ensure that minimum production levels are kept consistent
with organizational objectives.
Risks are classified as either inherent (they exist before plans are made to control them)
or residual (risks left over after being controlled), and can be identified through:
◾ Audits or inspections by managers, workers, or independent parties of the
company’s operational sites or practices
◾ Operations or process flowcharts of the company’s operations
◾ Risk analysis questionnaires where information can be captured about the
company’s operations and ongoing activities
◾ Financial statement analyses to depict trends in revenue and cost areas, identifying
asset exposure analysis
◾ Insurance policy checklists
Risk Assessment
IT facilities and hardware are often included in the company’s overall plant and
property review; however, automated systems require a separate analysis, especially when
these systems are the sole source of critical information to the company as in today’s e-
business environments. There are many risks that affect today’s IT environment.
Some examples of resources to assist in the identification and evaluation of these IT-
related risks include:
◾ [Link]. The NIST has been a leader in providing tools and techniques to support
IT. It has a number of support tools that can be used by private small-to-large organizations
for risk assessment purposes.
◾ [Link]. The U.S. Government Accountability Office (GAO) has provided a number of
audit, control, and security resources as well as identification of best practices in managing
and reviewing IT risk in many areas.
◾ Expected loss approach. A method developed by IBM that assesses the probable
loss and the frequency of occurrence for all unacceptable events for each automated system
or data file. Unacceptable events are categorized as either: accidental or deliberate
disclosure; accidental or deliberate modification; or accidental or deliberate destruction.
◾ Scoring approach. Identifies and weighs various characteristics of IT systems. The
approach uses the final score to compare and rank their importance.
on the other hand, is the estimated potential loss should such a particular event occur.
Risks are categorized as follows:
◾ Critical—exposures would result in bankruptcy, for instance.
◾ Important—possible losses would not lead to bankruptcy, but require the company
to take out loans to continue operations.
◾ Unimportant—exposures that could be accommodated by existing assets or
current income without imposing undue financial strain.
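The expected loss approach and the three exposure categories above can be carried through as a small risk register. This is an added illustration, not code from the chapter or from IBM: the six event types are the chapter’s, while the sample assets, dollar figures and the absorbable/borrowing thresholds used to draw the category lines are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product

# Constructed example: sample assets, dollar figures and thresholds are assumptions.
CAUSES = ("accidental", "deliberate")
EFFECTS = ("disclosure", "modification", "destruction")
# The six unacceptable-event types of the expected loss approach.
EVENT_TYPES = [f"{c} {e}" for c, e in product(CAUSES, EFFECTS)]


@dataclass(frozen=True)
class EventEstimate:
    frequency_per_year: float  # expected occurrences per year
    loss_per_event: float      # estimated loss (dollars) if the event occurs

    @property
    def expected_annual_loss(self) -> float:
        return self.frequency_per_year * self.loss_per_event


def expected_loss_row(events):
    """Expected annual loss per event type for one asset, plus its total.
    Event types with no estimate count as zero; unknown types are rejected."""
    unknown = set(events) - set(EVENT_TYPES)
    if unknown:
        raise ValueError(f"unrecognised event type(s): {sorted(unknown)}")
    row = {t: (events[t].expected_annual_loss if t in events else 0.0) for t in EVENT_TYPES}
    row["total"] = sum(row[t] for t in EVENT_TYPES)
    return row


def classify_exposure(worst_case_loss, absorbable, borrowing_capacity):
    """Map a worst-case loss onto the chapter's three categories.
    absorbable: coverable from existing assets or current income without strain;
    borrowing_capacity: absorbable plus what could be borrowed to keep operating.
    Both thresholds are assumed inputs; the chapter names only the categories."""
    if worst_case_loss <= absorbable:
        return "Unimportant"
    if worst_case_loss <= borrowing_capacity:
        return "Important"
    return "Critical"


def risk_register(assets, absorbable, borrowing_capacity):
    """Rank assets by expected annual loss and categorize each one's exposure."""
    register = []
    for name, events in assets.items():
        row = expected_loss_row(events)
        worst = max((e.loss_per_event for e in events.values()), default=0.0)
        register.append({
            "asset": name,
            "expected_annual_loss": row["total"],
            "worst_case_loss": worst,
            "category": classify_exposure(worst, absorbable, borrowing_capacity),
        })
    return sorted(register, key=lambda r: r["expected_annual_loss"], reverse=True)


# Constructed sample data for two systems/data files (not real figures).
SAMPLE_ASSETS = {
    "payroll database": {
        "accidental disclosure": EventEstimate(0.5, 40_000),
        "deliberate disclosure": EventEstimate(0.1, 900_000),
        "accidental destruction": EventEstimate(0.2, 150_000),
    },
    "marketing file share": {
        "accidental modification": EventEstimate(2.0, 2_000),
        "deliberate destruction": EventEstimate(0.05, 30_000),
    },
}
```

Calling `risk_register(SAMPLE_ASSETS, absorbable=100_000, borrowing_capacity=1_000_000)` ranks the payroll database first (expected annual loss 140,000 against 5,500) and classes it as Important, because its 900,000 worst case exceeds what current assets absorb but stays within borrowing capacity.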
Risk Response
After assessing risks, the next step is to put an action plan together and determine
the applicable technique(s) to respond to the identified risks. Typically, the risk response
process starts with companies evaluating their inherent risks, then selecting the appropriate
response technique, and finally assessing the residual risk. Management can react or
respond to identified risks in one of the following four ways: Avoid, Prevent, Reduce, or
Transfer.
Once the appropriate technique has been chosen, it must be implemented. The techniques
implemented must be evaluated and reviewed on a frequent basis. This is important
because the variables that went into the selection of a previous technique may change.
Techniques that were appropriate last year may not be so this year, and mistakes may
occur. The application of the wrong technique(s) must be detected early and corrected.
Control Activities
COBIT defines control activities as the “policies, procedures, practices, and
organization structures designed to provide reasonable assurance that business objectives
will be achieved and that undesired events will be prevented or detected and corrected.”
There are three types of controls: Preventive, Detective, and Corrective.
Preventive controls, for instance, deter problems from occurring and are usually
superior to detective controls. The second type of controls, detective controls, are
intended to discover problems that cannot be prevented. Detective controls are designed to
trigger when preventive controls fail. Corrective controls, the third type of controls, are
designed to identify, correct, and recover from the problems identified. Similar to detective
controls, corrective controls “react to what just happened.”
Information and Communication
1. Relevant: information is pertinent and applicable to make a decision (e.g., the
decision to extend customer credit would need relevant information on
customer balance from an Accounts Receivable aging report, etc.).
2. Reliable: information is free from bias, dependable, trusted.
3. Complete: information does not omit important aspects of events or
activities.
4. Timely: information needs to be provided in time to make the decision.
5. Understandable: information must be presented in a meaningful manner.
6. Verifiable: two or more independent people can produce the same
conclusion.
7. Accessible: information is available when needed.
Monitoring
Monitoring activities, either on a continuing or separate basis, must occur to ensure
that the information and communication system (i.e., AIS) is implemented effectively and,
most importantly, operates as designed. Monitoring assessments that are performed
separately vary in scope and frequency, and are conducted depending on how effective they
are, the results from risk assessments, and specific management goals and objectives.
Risk Assessment
Risk assessment forms the first step in the risk management methodology. Risk
assessments, based on NIST, are used by organizations to determine the extent of potential
threats and evaluate the risks associated with IT systems. Risk assessments provide a
framework for allocating resources to achieve maximum benefits.
Chief Risk Officer (CRO). In collaboration with the Board of Directors (Board), the CRO
should determine the risk limits the organization is willing to take on. These risk limits
should not be static but should be subject to change, as a working document.
Available Guidance
There are several professional standards that provide guidance to auditors and
managers involved in the risk assessment process. These standards come from widely
recognized organizations like COBIT and the ISO/IEC. Other standards for risk assessments
are available from NIST, GAO, American Institute of Certified Public Accountants, ISACA,
Institute of Internal Auditors, and the Committee of Sponsoring Organizations of the
Treadway Commission.
COBIT
COBIT is a well-known IT governance framework that helps organizations in the areas
of regulatory compliance and alignment of IT strategy and organizational goals. COBIT is also
crucial to organizations in the area of risk management. Specifically, COBIT’s international
set of generally accepted IT practices or control objectives help employees, managers,
executives, and auditors in: understanding IT systems, discharging fiduciary responsibilities,
managing and assessing IT risks, and deciding adequate levels of security and controls.
ISO/IEC
The ISO/IEC 27000 family of standards includes techniques that help organizations
secure their information assets. The ISO/IEC 27005:2011 Information Technology—Security
Techniques—Information Security Risk Management, for example, provides guidelines for
the satisfactory management of information security risks.
The ISO/IEC 27005:2011 standard does not specify nor recommend any specific risk
management method, but does suggest a process consisting of a structured sequence of
continuous activities, which include:
◾ Establishing the risk management context, including the scope, compliance
objectives, approaches/methods to be used, and relevant policies and criteria
(e.g., organization’s risk tolerance, risk appetite, etc.).
◾ Assessing quantitatively or qualitatively relevant information risks
considering information assets, threats, vulnerabilities, and existing controls.
This assessment will be helpful in determining the probability of incidents or
incident scenarios, and the predicted business consequences if they were to
occur (i.e., risk level).
◾ Determining, based on the risk level, how management will react or respond
to identified risks (i.e., whether management will completely avoid, reduce,
transfer to a third party, or finally accept the risk).
◾ Keeping stakeholders aware and informed throughout the information
security risk management process.
◾ Monitoring and reviewing risks, risk treatments, risk objectives, obligations,
and criteria continuously.
◾ Identifying and responding appropriately to significant changes.
National Institute of Standards and Technology (NIST)
NIST develops FIPS when there are compelling federal government requirements for
IT standards related to security and interoperability, and there are no acceptable industry
standards or solutions. When assessing risks related to IT, particular attention should be
provided to NIST SP 800-30 guide, “Guide for Conducting Risk Assessments.” The NIST SP
800-30 guide provides a common foundation for organizations’ personnel with or without
experience, who either use or support the risk management process for their IT systems.
NIST guidelines, including the SP 800-30, have assisted federal agencies and
organizations in significantly improving their overall IT security quality by:
◾ providing a standard framework for managing and assessing organizations’ IS
risks, while supporting organizational missions and business functions;
◾ allowing for making risk-based determinations, while ensuring cost-effective
implementations;
◾ describing a more flexible and dynamic approach that can be used for
monitoring the information security status of organizations’ IS;
◾ supporting a bottom-up approach with regard to information security,
centering on individual IS that support the organization; and
◾ promoting a top-down approach related to information security, focusing on
specific IT-related issues from a corporate perspective.
Government Accountability Office (GAO)
The GAO is a nonpartisan agency within the legislative branch of the government.
The GAO conducts audits, surveys, investigations, and evaluations of federal programs.
American Institute of Certified Public Accountants (AICPA)
Statements on Auditing Standards (SAS) are issued by the Auditing Standards Board
of the AICPA and are recognized as interpretations of the 10 generally accepted auditing
standards. As mentioned in earlier chapters, the AICPA has played a major role in the
issuance of guidance to the accounting and control profession.
ISACA
ISACA (formerly known as the Information Systems Audit and Control Association) is
a world-wide not-for-profit association of more than 28,000 practitioners dedicated to IT
audit, control, and security in over 100 countries. The ISACA guideline provides guidance in
applying IT auditing standards. The IT auditor should consider such guidance in determining
how to achieve implementation of the preceding standards, use professional judgment in its
application, and be prepared to justify any departure.
Institute of Internal Auditors (IIA)
The IIA provides additional guidance in the form of Implementation Standard 2110.A1
(Assurance Engagements), under which the internal audit activity should monitor and evaluate
the effectiveness of the organization’s risk management system.
◾ Reliability and integrity of financial and operational information
◾ Effectiveness and efficiency of operations
◾ Safeguarding of assets
◾ Compliance with laws, regulations, and contracts
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
The COSO was formed in 1985 as an independent, voluntary, private-sector
organization dedicated to improving the quality of financial reporting through business
ethics, effective internal controls, and corporate governance. The COSO ERM—Integrated
Framework, discussed previously, was developed by the global accounting firm,
PricewaterhouseCoopers, and issued in September 2004.
Insurance as Part of IT Risk Assessments
Risk assessments related to IT operations also include insurance. A clear
understanding of insurance and risk management is necessary to review the adequacy of an
organization’s IT insurance. IT management and data security administrators must be aware
of the relationship between risk and insurance to understand the reasons behind insurance
choices and the types of insurance that are most applicable to the IT environment.
IT Risks Typically Insured
In the IT environment, there are special risks that are commonly handled by
insurance, including:
◾ Damage to computer equipment
◾ Cost of storage media
◾ Cost of acquiring the data stored on the media
◾ Damage to outsiders
◾ Business effects of the loss of computer functions
The types of insurance policies that cover these risks include property, liability, business
interruption, and fidelity-bonding insurance. These policies, especially written for IT-related
risks, should examine:
◾ Coverage of hardware and equipment (i.e., network, mass storage devices,
terminals, printers, and central processing units).
◾ Coverage of the media and information stored thereon. For example, a disk
drive that is destroyed can be replaced at the cost of a new drive. If the drive
or mass storage device contains important information, the value of the new
replacement drive plus the value of the lost information must be recovered.
◾ Coverage of the replacement or reconstruction cost and the cost of doing
business as usual (i.e., business interruption). This might involve renting time
on equivalent equipment from a nearby company or outsourcing to a vendor,
paying overtime wages for reconstruction, and detective work. In this area,
logging of daily electronic business activity resulting in financial transactions
is extremely important to identify business interruption or loss due to
spamming or information theft.
◾ Coverage of items such as damage to media from magnets, damage from
power failure (blackout) or power cut (brownout), and damage from software
failure.
Cyber Insurance
Another study performed by Symantec in 2016 (and documented as part of its
Internet Security Threat Report) indicated that 43% of all 2016 attacks targeted small
businesses (i.e., organizations with fewer than 250 employees). Organizations must decide
whether cyber insurance is now a viable option to mitigate such losses and their resulting
excessive costs.
This specific type of insurance covers expenses related to first-party losses or third-party
claims. Coverage typically includes:
◾ losses from data destruction, extortion, theft, hacking, and denial of service
attacks
◾ losses to others caused by errors and omissions, failure to safeguard data, or
defamation
Reduction and Retention of Risks
Risks that are not insurable can be managed in other ways: reduced or retained. Just
because a risk is insurable does not mean that insurance is the only way to handle it. Risk
reduction can be accomplished through loss prevention and control.
Examples of questions that help determine whether IT risks can be reduced include:
◾ Is there a comprehensive, up-to-date disaster recovery plan or business
continuity plan?
◾ What efforts have been made to check that both plans are workable?
◾ Are there off-site backups of the appropriate files?
◾ Are the procedures and practices for controlling accidents adequate?
◾ Have practical measures been taken to control the impact of a disaster?
◾ Is physical security effective in protecting property and equipment?
◾ Is software security adequate to protect confidential or sensitive
information?
◾ Are there appropriate balancing and control checks made at key points in the
processing?
◾ Are there appropriate control checks on the operations?
◾ Are there appropriate control checks during the development and
modification of systems?
◾ Are network firewalls tested weekly?
◾ Have firewalls been certified on a semiannual basis?
◾ Do contracts for purchases or leases have terms and conditions and remedies
that adequately protect the company if there is a problem?
◾ Have contracts been prepared by legal counsel who has expertise in IT and
legal issues?
◾ Are facilities, equipment, and networks maintained properly?
The retention method, which is sometimes referred to as self-insurance, should be
voluntary and meet the following criteria:
◾ The risk should be spread physically so that there is a reasonably even
distribution of exposure to loss over several locations.
◾ A study should be made to determine the maximum exposure to loss.
◾ Consideration should be given to the possibility of unfavorable loss
experience, and a decision reached as to whether this contingency should be
covered by provision for self-insurance reserves.
◾ A premium charge should be made against operations that is adequate to
cover losses and any increase in reserves that appears advisable.
Conclusion
Risk assessments form the first step in the risk management methodology. They are
used by organizations to determine the extent of potential threats and the risks associated
with particular systems. Risk assessments should be completed by the line of business with
assistance from the IT risk management coordinator or internal audit. Organizations must
develop a sound risk management program to be able to determine the adequacy of their IT
insurance coverage. Insurance distributes losses so that a devastating loss to an individual or
business is spread equitably among a group of insured members.
Another major step in developing an effective risk management program is learning
the methods of risk retention and reduction. Risks that are not insurable are either reduced
or retained. Risk reduction can be accomplished through loss prevention and control, and
typically lessens insurance premiums. Uninsurable risks can also be retained depending on
the organization’s awareness of the risks.