At next week’s Governance, Risk and Control conference in Phoenix, Arizona, Ernst & Young Executive Director Debbie Lew and Senior Manager Neill Masterson host a session titled “Developing a COSO ERM and COBIT 5-based IT Risk Management Program.” Below, the two chatted about aligning COBIT 5 with COSO, comprehensive risk assessments and changes on the horizon.
How do COSO ERM and COBIT 5 complement one another?
Debbie: Neill, COBIT 5 just came out last April. One of the advantages of using a framework like COBIT 5 is that it is aligned to many frameworks such as COSO.
Neill: COSO ERM recommends four risk categories: financial, operational, compliance and strategic—how does COBIT align to that when you are designing and implementing an IT risk management program?
Debbie: It is no different than what you do for enterprise risk management (ERM). If there is no ERM in place when designing the IT risk-management program, risk-governance processes still need to be developed, including the determination of risk appetite and tolerance leveraging COSO ERM's risk categories. This will position you to be aligned with a future ERM program.
In a nutshell, what are the keys to developing a COSO ERM and COBIT 5-based IT risk-management program?
Neill: Understanding the principles that underpin both frameworks, then relying on these principles as guideposts for developing the program. At their core, both frameworks share many underlying features of assessing the needs of the business—identifying and prioritizing risks to achieving these objectives, then managing and monitoring these risks and related activities.
Debbie: I agree. Having a common taxonomy is helpful. Developing an IT risk-management program is not significantly different from establishing an ERM program; the focus may be different (a type of operations) but the risk-management principles/concepts are the same. Frameworks like COSO ERM and COBIT 5 provide good guidance in developing an IT risk-management program that is (or will be) aligned to an organization's ERM.
How important is it for the IT pro to be able to complete a comprehensive risk assessment? Why?
Neill: The risk is two-fold and comes down to allocation of resources. Without a comprehensive risk assessment, we find that our clients often struggle with one or two key challenges. On one hand, they have individuals and groups that are spending significant time managing IT risks that they believe are important to the company, but in comparison to the overall risk profile, may be lower in priority and less beneficial to manage. Meanwhile, management may fail to recognize the impact and likelihood of certain risks, which could result in significant impacts to their business, and therefore do not allocate sufficient resources to manage these risks. A comprehensive risk assessment can provide the measuring stick by which all new and existing risks can be compared, so that resource allocation is based on objective, risk-based measures rather than personal risk tolerances or department budget cycles.
Debbie: It comes down to what risks are important to the organization to focus on and manage, given that there are limited resources.
How has the world of risk management changed in recent years and what is on the horizon?
Neill: Competencies and practices around risk identification, prioritization and ownership have uniformly improved, such that speaking day-to-day in terms of risk is more common among executives and employees. Next is increasing the linkage and impact of risk management on strategic and operational decisions, so that risk management is more consistently applied up front in key business decisions.
Debbie: In the IT world, I see risk management becoming more pervasive. IT is everywhere and business often relies on technology to enable business strategies and objectives. The regulators are asking enterprises, “How do you know what your significant risks are?” “How are you identifying them and how are you managing them?” Our clients are asking more questions and requesting assistance regarding IT governance and risk management. ISACA is doing a great job fulfilling the needs of our IT risk executives and practitioners, from providing the initial Risk IT framework and the Risk IT Practitioner Guide, to the development of the successful Certified in Risk and Information Systems Control (CRISC) certification, education offerings, and the upcoming COBIT 5 for Risk. There is a strong desire to obtain risk intelligence—a strong desire to manage compliance effectively and efficiently, leading to informed business decisions and better business outcomes.
Want more? Join Debbie and Neill at the Governance, Risk and Control conference, co-hosted by ISACA and The IIA, in Phoenix from 19-21 August 2013.