
COBIT Focus - IT Risk is Business Risk

Join author Mike Gill as he responds to ISACA member questions beginning 23 April 2012. Add your questions by responding to this post!



To make a dangerously sweeping generalisation, most folks outside the risk management, finance and technical control sectors frequently see information security and controls as ‘getting in the way’, an inconvenience to business as usual. Often, business colleagues trying to launch state-of-the-art systems to support marketing initiatives, or perhaps newly redesigned business processes, say they could do without the “hassle” of jumping through all those security hoops (i.e., pre-launch controls assessments and gate reviews). IT risk management is often seen in a negative light when important deadlines are looming. Too often, IT risk (business risk relating to IT usage) is treated as an afterthought, possibly even overlooked completely. Why does this happen?

Read the rest of the article

Comments

RE: COBIT Focus - IT Risk is Business Risk

Hi Everybody!

I hope that you enjoy this article. I would be very interested to hear your feedback and answer any questions that you may have on this subject.

Warmest Regards
Mike
Michael320Observer at 4/24/2012 7:50:00 AM

RE: COBIT Focus - IT Risk is Business Risk

Mike - I like your key message "IT risk is a business risk" and would like to challenge you on some of your comments getting there.

Firstly, IMHO your opening few paragraphs make a few semantic errors and simplifications that perpetuate significant confusion. The discussion is on "IT risk" (more about that later), but you focus on IT security (e.g. "... information security and controls ..."; "IT security is often seen as something that can be sacrificed..."). These statements are often interpreted in a way that narrowly focuses "IT risk" to only "IT security". I would argue that "IT security" is not even a risk (security is a control mechanism to mitigate some risk(s)). My opinion is that we, as so-called IT risk professionals, need to get our language right (and consistent) if we ever hope to have non-IT risk professionals (even risk professionals in finance and technical control sectors) understand what we are saying.

Secondly, I think we need to stop talking about "IT risk". Nobody knows what it is, and many think that IT is the risk (lots of Risk Management Frameworks I have seen identify IT as a component of the risk universe). Not only that - but for the most part no one understands what we mean by "IT", and as risk professionals we are never consistent with how we use the term. For example - do we mean the "department known as IT"? Or do we mean the hardware and software? But what about the data - arguably that even isn't "IT". In most instances people have to infer a definition for the term "IT" based on the context in which we use it. This strikes me as a pretty poor attempt at developing a "common language" that is essential for effective enterprise risk management. It seems to me that what we are really talking about is the business risk associated with an organization's information (and incidentally the resources, including people, systems and technologies that process and use that information). I like to refer to these as the business risks associated with the organization's "information assets". It is much easier to talk to a non-IT risk professional about risks related to "assets" (even information assets) than it is to talk about "IT".

Thirdly (and I will stop the verbal diarrhea here) I would challenge your perspective on RiskIT. It seems to me that RiskIT does NOT "introduce a framework that allows IT risk to be aligned and integrated with operational risk models". To me, RiskIT is really only an attempt to put IT words around pre-established business risk management frameworks/approaches. That is not necessarily a bad thing - maybe it helps IT people understand business risk management frameworks - but I think it will be a losing battle to hope that somehow RiskIT will help non-IT risk professionals and ordinary business people better understand the risks related to information assets. In my view - we need to reinforce point #2 above - (repeat after me - there is no such thing as IT risk). As you mention in your conclusion "IT Risk is business risk". We don't need an IT risk framework (like RiskIT) to talk about risks related to information assets - we should be using existing business and operational risk frameworks to position the "business risks" related to information assets. If we can do that successfully then I think we will more easily progress towards your goal of "the management of IT-related business risk is aligned with the overall enterprise risk management (ERM) initiatives".

Just my two cents worth (and deliberately trying to be somewhat provocative) - others care to comment?
Gary BakerLively at 4/25/2012 8:13:59 PM
(1 ratings)

RE: COBIT Focus - IT Risk is Business Risk

Wow, I had carriage returns in that when I wrote it - not sure how or why they were removed. Sorry about that.
Gary BakerLively at 4/25/2012 8:15:39 PM

RE: COBIT Focus - IT Risk is Business Risk

Hi Gary!

First of all, let me say thank you for “starting the ball rolling” with such an extensive opener; it's nice to know that at least one other person has read the article :)

I'm glad you liked, and got, the key message. To be honest, I would happily have taken out a full-page ad that simply read "IT Risk IS Business Risk – Now get over it and move on!" and left it at that, but apparently more padding is required in articles these days...

You make some excellent points and clarifications on semantics, thank you. I immediately put my hands up and admit that I, perhaps lazily, allow(ed) terminology to become intertwined (though this particular message is aimed squarely at IT Security and Controls professionals, via COBIT Focus / ISACA).

That said, I do truly believe that terms, phrases, lingo, “buzz-words”, processes, tools, methodologies, and the “See section DSS.0.x and / or A.y.z” type discussions are often key distractions to folks outside this space, and they switch off, truly they do, which is one of the key points I'm making.

When I go into boardrooms to discuss risk status, at that level, we get straight into a service continuity / cost vs. benefit discussion, in the purest form: “How long will my business process likely be interrupted for? How much will this interruption cost the business? What's the likelihood of this really happening? How much would it cost to mitigate? Are there any other treatment options other than mitigation available?” – It’s that simple, and a basic spreadsheet usually hits the spot nicely.

Clearly though, I’m not denouncing the need for frameworks, processes, tools and methodologies; that would be self-destructive madness. Any vehicle that lends itself to addressing risk is fair game to be used. For me, it’s about translation of risk into plain language, business terms. I tend to use whatever “tool” is already in use by my clients, whether that has an ISACA flavour to it or is ISO-based - I’m really not too fussy.

So, I think we are in violent agreement on the first point, and this discussion itself will hopefully lead to improvements in understanding all round.

With regards to the second point, again I completely agree, we could happily drop any reference to technology and improve communication ten-fold; at senior level, frankly, there is no interest in the details around password controls or server patching issues, simply that those issues may lead to business interruption, lost sales, reputational damage, ethical issues, etc.

Third point, on RiskIT, I’ll let the creators of the framework chip in and fill in the detail (and there should be a few of them on here), but at a high level, it attempts to pull together IT Risk (I know you don’t like that term) with Business Risk under key activity RG2.2 (< I broke my own rule about cross-referencing!). OK, it doesn’t actually DO the work for you, but it does have a trigger point close to the start of the process that forces the issue to be addressed and resolved.

In addition to your excellent points, I do think the phrase “IT” has become something altogether different over the years, what with smartphones, tablet PCs, social networking, etc. blurring the lines, and potentially opening up new “technical” risk channels.

The term “Information assets” certainly works for me, and I’m already seeing that kind of terminology emerge from the ISO 31000 arena, and to be fair, COBIT5 and RiskIT do infer this, even if not with outright use of that precise phrase.

Provocative is good, anything that advances discussions and process improvements on risk management is healthy, in my opinion!

I’ve probably not answered all your points, but generally speaking, I think we are in agreement. Let me know if I’ve skipped anything though.

Good to talk!


Michael320Observer at 4/26/2012 7:53:54 AM

RE: COBIT Focus - IT Risk is Business Risk

I am not seeing a great deal of feedback on this subject :) does this mean it struck a chord and everyone went off to have a conversation with their board? Is it too complicated? Too obvious? Let me know that you are out there and alive!
Michael320Observer at 5/25/2012 3:00:53 AM