In Defense of Verbal Risk Labels
I have spent the better part of a decade advocating for the use of quantitative methods in assessing and reporting risk, so it may come as a shock to some that I firmly believe that there are times when using a verbal risk label is an important component of risk communication.
A verbal risk label is the result of a risk assessment; the label you typically see is high, medium or low (although some organizations use different words). Many novices in the risk profession choose directly from these labels, eschewing any type of analysis at all. Still others choose verbal risk labels from some combination of risk factors (e.g., low vulnerability + high probability = medium risk). Using verbal labels this way could cloud decision making because much of the detail is hidden behind the mental heuristics and inherent biases of the assessor. That said, it is important to render the results of risk assessments into some sort of scale that approximates the actions you expect management to take. For instance, at certain levels of risk, expressed in terms of potential loss (in a local currency) and the frequency at which you expect loss to happen, there should be corresponding actions roughly correlating to: no action needed, monitor for potential action and take action.
Sometimes, we need verbal labels to help cut through the mental fog of decision making. One great example of this involves people who have Type 1 diabetes. This autoimmune disorder can cause blood glucose levels to drop dangerously low. Having low blood glucose makes it difficult to make decisions even about self-treatment of the condition. Blood glucose meters and continuous glucose monitors (devices utilized for testing blood sugar) display blood glucose as a quantitative measure; however, when that measure rises above or drops below a certain value, the device simply displays the words “low” or “high.” Sometimes, these meters try to generate action by saying “urgent low” or “treat your low blood sugar.” While it is very difficult for these devices to be accurate above or below certain ranges, they know when glucose levels are beyond a normal range and simply display those verbal labels or prompts.
Some health meters let their users know when to act. Likewise, risk professionals need to make sure that management knows that at certain levels of risk, they should act. Sometimes this is hard, especially if we are constantly sending urgent messages to them (which speaks to the need to use these labels in a responsible way). But we also have to rise above the din of everyone else in the organization trying to get attention for their issues. Using uniform verbal risk labels for issues and incidents helps management know that action is needed and ensures that risk is appropriately managed. So use these terms sparingly, but be sure that your organization has its own version of the “treat your high risk” messaging.
Jack Freund, Ph.D., CISA, CRISC, CISM, is senior manager of cyberrisk framework for TIAA, a member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, and 2016 inductee into the Cybersecurity Canon.
Cyber News Converges in The Nexus: Subscribe Now
Busy security professionals need to stay current on the latest cyber security news and information. ISACA’s Cybersecurity Nexus (CSX) program offers valuable resources including The Nexus, a monthly newsletter where all things cyber security converge.
The Nexus delivers original CSX thought leadership and knowledge from CSX leaders and key cyber security innovators around the world, news and updates on CSX, and a collection of the best cyber security articles from a variety of sources to your inbox every month. The Nexus also contains information on the newest CSX resources available for your use.
Visit The Nexus subscription page of the ISACA website to subscribe now.
Gain Practical Guidance With ISACA Journal Blog
Practitioners with busy schedules need practical guidance, but may not have the time to read lengthy white papers or articles. The ISACA Journal’s Practically Speaking blog provides short practical guidance blog posts that IS audit, cyber security and governance professionals can implement. These brief practical guidance blog posts are published every Monday. Practically Speaking blog posts are available to the public.
Authors of Practically Speaking blog posts include Journal contributors and experts in the field. The blog enables contributors to exchange practical information and connect with other industry professionals. Because of the conversational nature of the blog, the content will be useful to practitioners at any skill level.
Blog posts can be viewed on the Practically Speaking page of the ISACA website. Those who are interested in submitting a blog post can contact firstname.lastname@example.org.
COBIT 5: Taking IT Governance and Management to the Next Level
A Big 4 professional services firm in the Middle East was selected by a leading retail bank in the region to assist in finding solutions to pressing problems related to IT governance and IT management. The bank was and continues to be heavily dependent on IT infrastructure and IT application systems to deliver an efficient and effective banking experience to its customers.
The head of IT division (HoITD), senior management and the board of directors were in agreement that strong IT governance and management practices could enhance the ability of the HoITD to deliver higher-value IT services while optimally managing costs and risk. Therefore, the bank made the decision to establish an IT governance division under the chief operating officer (COO) to serve as an independent body to have oversight of the enterprise IT. The COBIT 5 framework was adopted to serve as the guiding framework for their journey. Furthermore, a decision was made to engage a trusted and reputable professional services firm to assist in this journey. This decision was made to allow the independent professional services firm to bring with it a fresh perspective and deliver the tough recommendations that internal staff may not have been able to make on their own.
The following steps were performed:
- Prioritization of COBIT 5 processes—It was understood that covering all 37 COBIT 5 processes at the same time for assessment and improvement would be very difficult to manage for the bank as it would lead to too much disruption and change all at once. Therefore, the Big 4 firm assisted the bank in prioritization of COBIT 5 processes. The Big 4 firm conducted interviews and workshops with different stakeholders inside and outside the technology group to explain what each COBIT 5 process was and to help stakeholders understand which of these processes were the most important to the bank. The Big 4 firm utilized the inputs of all stakeholders and arrived at 15 processes that were perceived to be most important. At least 1 COBIT 5 process from each domain (Evaluate, Direct and Monitor [EDM]; Align, Plan and Organize [APO]; Build, Acquire and Implement [BAI]; Deliver, Service and Support [DSS]; and Manage, Evaluate and Assess [MEA]) was selected. Therefore, a number of enterprise IT management processes and 2 enterprise IT governance processes became part of the selection.
- Maturity assessment using COBIT 5 self-assessment tool kit—Using the COBIT Process Assessment Model (PAM): Using COBIT 5, the Big 4 firm assisted process owners to conduct a COBIT 5 maturity assessment for each of the selected/prioritized 15 processes. As per PAM, the enterprise’s current maturity for each process was evaluated and assigned one of the following classifications:
  - Incomplete (level 0)
  - Performed (level 1)
  - Managed (level 2)
  - Established (level 3)
  - Predictable (level 4)
  - Optimizing (level 5)

  Clear guidance is provided in COBIT Self-assessment Guide: Using COBIT 5 to support practitioners in measuring the maturity of each process in scope. The published guidance allowed the Big 4 firm and the bank’s management and governance professionals to reach a conclusion on the maturity of each process efficiently.
- Development of a road map—As part of the project, the bank requested that the Big 4 firm develop a road map to guide the improvement of maturity of the selected 15 processes. The Big 4 firm conducted a series of workshops with process owners and stakeholders to understand their views. These workshops helped to develop a road map tailored to the needs of the bank. The Big 4 firm used the guidelines provided in COBIT Process Assessment Model (PAM): Using COBIT 5 to recommend the following for each of the selected processes:
  - Establish target maturity to achieve given the priorities of the entity as a whole.
  - Determine how to progress toward higher levels of maturity and what steps need to be undertaken to reach higher maturity.
  - Determine the time line required.
  - Define interdependencies.

  The recommendations were well received by management and governance layers at the bank. All stakeholders believed that improving maturity levels of each of the selected processes would certainly help overall management and governance of enterprise IT (GEIT).
- Development of a balanced scorecard (BSC)—COBIT 5 successfully organizes the different elements typically measured for performance reporting of enterprise IT into an easily digestible manner for non-IT professionals to understand. In this case, Financial, Internal, Learning and Growth, and Customer areas were included. Furthermore, COBIT 5: Enabling Processes suggests a large number of key performance indicators (KPIs) to measure IT management and IT governance practices. The Big 4 firm was able to utilize all this information to develop a balanced scorecard (BSC) (which the bank referred to as an “integrated scorecard”) that gave senior management and governing bodies a much better and more comprehensive view of the overall performance of enterprise IT in terms which are familiar to them (Financial, Internal, Learning and Growth, and Customer).
Read the full COBIT Focus article, “COBIT 5: Taking IT Governance and Management to the Next Level” and be sure to subscribe for COBIT Focus monthly emails to receive the latest COBIT Focus articles and COBIT-related news directly.