My classes on IT risk management. What recommendations do you expect a course on IT risk management and governance to cover?
#riskmanagement #risk #governance #cybersecurity #security #informationsecurity #ciso #ITgovernance #ITRIsk #cyberrisk
2. Risk governance covers the culture of an organization to be aware of and tolerate risk as part of the strategy.
3. Objectives of IT risk governance
DECIDE: make risk-aware business decisions
INTEGRATE: execute controls in practices to address IT risks
CONSOLIDATE: maintain a common view of risks
AWARENESS, CULTURE, TOLERANCE
4. Risk management covers the process and capability to balance the costs of risks and controls to meet business objectives.
7. IT risk governance results in a policy based on the chosen framework > accountabilities of senior management.
IT risk management results in standard operating procedures based on practices from the supplemental materials of the chosen framework > CIA responsibilities.
8. Principles of IT Risk Management
INTEGRATED: IT risks to the strategy
BALANCED: exposures and costs
OBJECTIVES: understand assumptions
ACCOUNTABILITY: assign personal ownership from the top to the bottom
MATURITY: continuous improvements
TRANSPARENT: promote communication
13. The cost of risk mitigation options affects the tolerance.
14. Appetite > Amount: unwilling to accept risks higher than 1M USD in expected losses.
Tolerance > Variance: unwilling to accept risks that decrease this objective by more than 10%.
Time, Output, Culture
15. Risk culture covers how openly decision-makers discuss the acceptable levels of risks, aligned to the set direction for tolerance and controls.
25. Quantitative model: single loss estimate
Inputs per risk: Loss Min, Loss Max, # cases, Confidence, P(A)
μ = (Ln(Max) + Ln(Min)) / 2
σ = (Ln(Max) − Ln(Min)) / Standard Error
Single Loss = LOGNORM.INV(RAND(), μ, σ)
Confidence Interval > Standard Error: 80% > 2.56; 90% > 3.29; 95% > 3.92; 99% > 5.15
Spreadsheet formula: +LOGNORM.INV(RAND(),(LN(Min)+LN(Max))/2,(LN(Max)-LN(Min))/Standard Error)
26. Loss Exceedance Curve (axis labels: 0 to 100%; accumulated loss)
● Reserves for IT incidents
● Cost of IT controls
● Cyber insurance policies
● Outsourcing
● Extra assurance costs
● No-go decision
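A worked implementation of the slide-25 single-loss model and the slide-26 Loss Exceedance Curve, added here as an editor's example; it is not code from the deck or its author. It reuses the deck's standard-error table and the same μ/σ arithmetic as the LOGNORM.INV formula, runs a Monte Carlo over a small risk register, and derives the exceedance curve from the simulated annual totals. The register entries, probabilities and loss ranges are constructed sample values, not figures from the deck.

```python
import math
import random
from statistics import NormalDist

# Standard-error divisors copied from the deck's table (slide 25). Each is the
# width of the confidence interval measured in sigmas, e.g. 90% -> 3.29, which
# is 2 * 1.645, so Min and Max land on the 5th and 95th percentiles.
STANDARD_ERROR = {0.80: 2.56, 0.90: 3.29, 0.95: 3.92, 0.99: 5.15}


def lognormal_params(min_loss, max_loss, confidence=0.90):
    """Return (mu, sigma) of the lognormal whose `confidence` interval is
    [min_loss, max_loss]; same arithmetic as the deck's spreadsheet formula:
    mu = (LN(Min)+LN(Max))/2, sigma = (LN(Max)-LN(Min))/Standard Error."""
    if not 0 < min_loss < max_loss:
        raise ValueError("need 0 < Min < Max (losses are log-transformed)")
    se = STANDARD_ERROR[confidence]
    mu = (math.log(min_loss) + math.log(max_loss)) / 2
    sigma = (math.log(max_loss) - math.log(min_loss)) / se
    return mu, sigma


def lognormal_percentile(mu, sigma, q):
    """Loss value at cumulative probability q, i.e. LOGNORM.INV(q, mu, sigma)."""
    return math.exp(NormalDist(mu, sigma).inv_cdf(q))


def single_loss(mu, sigma, rng):
    """One random draw, equivalent to LOGNORM.INV(RAND(), mu, sigma)."""
    return rng.lognormvariate(mu, sigma)


def simulate_annual_loss(scenarios, trials=10_000, seed=1):
    """Monte Carlo over a list of (P(A), Min, Max, confidence) risk scenarios.
    In each trial every event occurs with probability P(A) and, if it occurs,
    contributes one single-loss draw. Returns the total loss of every trial."""
    rng = random.Random(seed)
    params = [(p, lognormal_params(lo, hi, c)) for p, lo, hi, c in scenarios]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, (mu, sigma) in params:
            if rng.random() < p:          # does this event happen this year?
                total += single_loss(mu, sigma, rng)
        totals.append(total)
    return totals


def loss_exceedance(totals, thresholds):
    """Points of the Loss Exceedance Curve: for each threshold, the fraction
    of simulated years whose accumulated loss exceeds it (0..1)."""
    n = len(totals)
    return [(t, sum(1 for x in totals if x > t) / n) for t in thresholds]


def expected_annual_loss(totals):
    """Mean of the simulated annual totals (the 'expected losses' of slide 14)."""
    return sum(totals) / len(totals)


if __name__ == "__main__":
    # Constructed sample register: (probability per year, Min, Max, confidence).
    # The scenario names and all figures are made up for illustration.
    register = [
        (0.30, 20_000, 400_000, 0.90),      # e.g. ransomware outage
        (0.05, 100_000, 2_000_000, 0.90),   # e.g. regulatory fine
        (0.60, 5_000, 50_000, 0.80),        # e.g. phishing-driven fraud
    ]
    totals = simulate_annual_loss(register)
    print(f"expected annual loss: {expected_annual_loss(totals):,.0f}")
    for threshold, prob in loss_exceedance(totals, [0, 50_000, 250_000, 1_000_000]):
        print(f"P(loss > {threshold:>9,}) = {prob:5.1%}")
```

Reading the curve against the slide-26 decisions: the threshold where the exceedance probability drops below the organisation's tolerance is the natural size for incident reserves or the retention of a cyber insurance policy, and comparing the curve before and after adding a control shows whether that control's cost is balanced by the loss it removes.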
27. IT risks may create non-IT losses such as productivity issues, cost overruns, fines, frauds and wrong decision-making.
28. ● Internal loss data
● External statistics
● Simulations
● Decision trees
● Business impact analysis
34. Systematic: industry-wide effects
Contagious: caused by a third party
Emerging: weak signals of a new, evolving risk (obscure)
35. External environment factors of IT risks > not controllable
● Regulations for cyber compliance
● Technologies
● Locations with natural hazards
36. Internal environment factors of IT risks > prevented by discipline
● Risk culture and incentives
● Organization of IT staff
● Operational fraud
● Change and complexity of IT operations
● Strategic priorities
37. IT governance factors of IT risks
● Framework
● Tolerance communication
● Culture
● Management of IT investments
● IT risk evaluation and response
38. IT capability factors of IT risks
● Organization and definition of IT operations
● Acquisition and implementation
● Planning, delivery and support
● Monitoring of operations
● Evaluation of operations
39. IT-related business capability factors of IT risks
● Business unit performance
● Operational plans
● Portfolio management
● Investment management
● Unit cost targets
● Customer satisfaction
50. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
How to report and monitor risks
57.
THANKS!
@Hewyler
/hernanwyler
Please keep this slide for attribution.