Risk scenario analysis is an important component of enterprise risk management (ERM). This technique is a powerful tool because it helps describe risk in terms that are easier for business leaders to understand. ISACA recently issued Risk Scenarios Using COBIT 5 for Risk to provide guidance to professionals who are responsible for helping the enterprise manage its risk portfolio.
“Risk scenario analysis is a valuable technique that makes IT more understandable and helps the business respond more effectively when implementing business strategies that include IT-related risk,” said Robert E Stroud, CGEIT, CRISC, international president of ISACA.
Risk Scenarios Using COBIT 5 for Risk is a practical guide on how to use COBIT 5 for Risk to prepare IT-related risk scenarios that can be used for risk analysis and assessment. It provides readers with potential scenarios to consider in their own organisation and allows these to be tailored; scenarios can be added, removed and amended to provide a focused set of relevant scenarios that fits their organisation’s specific risk, risk appetite and business needs.
Risk analysis is the process used to estimate the frequency and magnitude of IT-related risk scenarios. Risk assessment is a process used to identify and evaluate risk and its potential effects, and to evaluate the probabilities of a particular event. Risk assessment is slightly broader and includes the preliminary and ancillary activities of risk analysis (i.e., the identification of detailed risk scenarios and the definition of responses, such as mitigation plans and the description of existing controls). Combined, risk analysis and assessment constitute a core approach to bring realism, insight, organisational engagement, improved analysis and structure to the complex matter of IT risk. Risk scenarios are the tangible and assessable representation of risk, and they are one of the key information items needed to identify, analyse and respond to risk.
Risk is not always to be avoided. Doing business is about taking risk that is consistent with the risk appetite of an enterprise. Many business propositions require IT risk to be taken to achieve the required outcome and realise enterprise goals and objectives; in these circumstances, the risk should be managed and not necessarily avoided. Risk scenarios should be used to describe a possible IT-related event that, when occurring, will have an uncertain positive or negative impact on the achievement of business objectives.
The main components of a risk scenario include:
- Actor—Who generates the threat that exploits a vulnerability? Actors can be internal or external, and they can be human or non-human. Not every type of threat requires an actor (e.g., failures or natural causes).
- Threat type (the nature of the event)—Is it malicious? If not, is it accidental or is it a failure of a well-defined process? Is it a natural event?
- Event—Is it disclosure of confidential information, interruption of a system or of a project, theft, or destruction? Action also includes ineffective design of systems or processes, inappropriate use, changes in rules and regulations that will materially impact a system, or ineffective execution of processes (e.g., change management procedures, acquisition procedures, project prioritisation processes).
- Asset/resource—An asset is any item of value to the enterprise that can be affected by the event and lead to business impact. A resource is anything that helps to achieve IT goals. Assets and resources can be identical (e.g., IT hardware is a resource because IT applications use it and, at the same time, an asset because it has a certain value to the enterprise). Assets/resources include:
  - People and skills
  - Organisational structures
  - IT processes (e.g., modelled as COBIT 5 processes) or business processes
  - Physical infrastructure, facilities or equipment
  - IT infrastructure, including computing hardware, network infrastructure and middleware
  - Other enterprise architecture (EA) components, including information and applications

  Assets and resources are further classified as critical or non-critical. Critical assets and resources may be the target of more attacks or represent greater disruption during failure; therefore, frequent risk assessments should be scheduled to determine if risk responses in place are still adequate.
- Time—Dimension, where the following could be described, if relevant to the scenario:
  - The duration of the event, e.g., extended outage of a service or data centre
  - The timing (Does the event occur at a critical moment?)
  - Detection (Is detection immediate or delayed?)
  - Time lag between the event and consequence (Is there an immediate consequence, e.g., network failure, immediate downtime, or a delayed consequence, e.g., an incorrect IT architecture with accumulated high costs over a time span of several years?)

Risk scenarios must be realistic, unbiased and reliable to provide assurance that management is making decisions based on quality information. The benefits of using risk scenarios as part of ERM are significant, and risk professionals should become proficient in the preparation of this important information item to help management identify, analyse and respond to risk.
Read ISACA’s Risk Scenarios Using COBIT 5 for Risk to learn more on this topic.
Steven Babb, CGEIT, CRISC, ITIL
Is technology risk, compliance and assurance leader at Vodafone (UK). He began his career with Bass, an international brewer, and has more than 20 years of consulting and assurance experience, which he gained globally in roles at companies including KPMG and Betfair. He is an international vice president of ISACA, chair of ISACA’s Knowledge Board and a member of the Strategic Advisory Council. He has served as chair of the Framework Committee and the COBIT 5 for Risk Task Force, and as a member of ISACA’s COBIT Market Growth Strategy Task Force and COBIT 5 Task Force.