EG – Sep 20013 – page 1 of 60
REFLECTIONS ON RISK AND VALUE IN ENTERPRISE GOVERNANCE OF IT
A story of risk, value, uncertainty, aircraft carriers, racing cars and sailing trips.
ISACA Indonesia Expert Event, September 2013
Erik Guldentops, Antwerp Management School, Belgium
RISK AND VALUE
Positioning risk and value within enterprise governance of IT
Enterprise Governance of IT
Top management needs to know that IT is
º Likely to achieve its objectives
º Resilient enough to learn and adapt
º Judiciously managing its resources
º Appropriately recognising opportunities
º Obtaining enterprise value from IT enabled business initiatives
º Applying “due care” about IT related risks
From “The IT Governance Briefing”, ITGI. www.isaca.org
[Figure: the IT Governance Domains diagram – Resource Management; Enterprise Governance of IT]
Enterprise Governance of IT
º Essentially two things
º Risk and Value
From “CobiT5: A Business Framework”, www.isaca.org
Enterprise Governance of IT
º Essentially two things
º Risk and Value
º Entirely intertwined
Value = (Benefits – Costs) adjusted for Risk
From “ValIT: Governance of IT Investments”, www.isaca.org
IMPLEMENTING IT GOVERNANCE
IT GOVERNANCE
Provide direction
Translate direction into strategy
Set Objectives
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT-related risks are managed appropriately
Evaluate performance
IT MANAGEMENT
Translate strategy into action
• Increase automation (make the business effective)
• Decrease cost (make the enterprise efficient)
• Manage risks (security, reliability & compliance)
Measure and report performance
www.isaca.org
IMPLEMENTING IT GOVERNANCE
Are we doing the right things?
Are we doing them the right way?
Are we doing them well?
Are we getting the benefits?
Are we governing things properly?
IMPLEMENTING IT GOVERNANCE
The Board: providing high level direction and control.
Executive Management: translating direction into plans, focussing on the bottom-line results.
Line Management: translating plans into action and ensuring adequate performance.
IMPLEMENTING IT GOVERNANCE
The engines of IT Governance
Where do we want to be? Objectives, set out in the IT Strategy
What are we doing to achieve them? The Portfolio, justified by IT Business Cases
• Programmes
• Projects
• Services
• Resources
How do we know we are progressing? IT Scorecards
• Delivery Performance
• Service Quality
• Resource Utilisation
• Benefits Realisation
• Risk Reduction
IMPLEMENTING IT GOVERNANCE
Why invest in better governance of IT Risk and IT Value?
[Chart: Management Practices Score against Intensity of IT deployment; quadrant values 0, +2%, +8% and +20%]
McKinsey & London School of Economics surveying 100 companies – Oct 2005
RISK AND VALUE
How well are we doing in respect of minimising risk and optimising value of IT?
Enterprise Governance of IT
How are we dealing with Risk and Value?
One thousand 1000,-
RISK AND VALUE
How well is the industry doing in respect of minimising risk and optimising value of IT?
Enterprise Governance of IT
How are we dealing with Risk and Value?
ITGI, ING and IBM – 2006 – in support of ValIT
Enterprise Governance of IT
How are we dealing with Risk and Value?
[Diagram: the value chain from Programme design and initiation through IT Solution Delivery, IT Operational Implementation, Business changes, Business integration and Business Operation to Benefit Realisation and IT Service Delivery; one stage is marked ✓ and three are marked X]
Hope is not a method!
How are we doing about Value?
ROI as expected in the Business Case:
Expected Benefits = €114 m, Expected Budget = €100 m
Budgeted ROI = (€114 m – €100 m) / €100 m × 100% = +14%
Actual ROI allowing for typical solution delivery performance (SDP):
Functionality achieved: –16% (benefits × 84%)
Budget Overrun: +24% (costs × 124%)
Approximately 6 months delay, so benefits discounted at 12% After-Tax Rate (× 1/1.12)
Actual ROI = (€114 m × 84% × 1/1.12 – €100 m × 124%) / €100 m × 100% = –38%
[Chart: Cumulative cashflow (€, up to €200m) over Time; Expected ROI = 14%; Actual ROI after corrections for SDP = –38%]
We don’t learn from our past
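The business-case correction on this slide, written out as an added example (mine, not the speaker's): the three solution-delivery-performance adjustments are applied to any business case, and a break-even helper shows how much functionality would have to be delivered for the corrected ROI to reach zero. It assumes, as the slide's figures imply, that both ROI figures are divided by the expected budget and that the delay discount is the single 1/1.12 factor written on the slide.

```python
# Added example, not from the slides. Reproduces the slide's +14% budgeted ROI
# and -38% corrected ROI, then generalises the correction.
#
# Assumptions (mine): ROI denominators are the expected budget, and the delay
# discount is one full period at the after-tax rate (1/1.12), as the slide shows.

from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessCase:
    expected_benefits: float  # EUR m, as promised in the business case
    expected_budget: float    # EUR m, as promised in the business case


@dataclass(frozen=True)
class DeliveryPerformance:
    """Typical solution delivery performance, expressed as corrections."""
    functionality_achieved: float  # fraction of promised functionality, 0.84 for -16%
    budget_overrun: float          # fraction over budget, 0.24 for +24%
    discount_rate: float           # after-tax rate used to discount delayed benefits
    delay_periods: float           # number of discount periods (the slide uses one)


def budgeted_roi(case: BusinessCase) -> float:
    """ROI as stated in the business case, in percent."""
    return (case.expected_benefits - case.expected_budget) / case.expected_budget * 100.0


def _discount(sdp: DeliveryPerformance) -> float:
    return 1.0 / (1.0 + sdp.discount_rate) ** sdp.delay_periods


def corrected_roi(case: BusinessCase, sdp: DeliveryPerformance) -> float:
    """ROI after correcting benefits and costs for typical delivery performance."""
    realised_benefits = case.expected_benefits * sdp.functionality_achieved * _discount(sdp)
    actual_cost = case.expected_budget * (1.0 + sdp.budget_overrun)
    return (realised_benefits - actual_cost) / case.expected_budget * 100.0


def break_even_functionality(case: BusinessCase, sdp: DeliveryPerformance) -> float:
    """Fraction of promised functionality needed for the corrected ROI to reach 0.

    A value above 1.0 means the case cannot break even under this overrun and
    delay even if every promised function is delivered.
    """
    actual_cost = case.expected_budget * (1.0 + sdp.budget_overrun)
    return actual_cost / (case.expected_benefits * _discount(sdp))


def slide_example() -> tuple[float, float, float]:
    """The numbers from the slide: EUR 114m benefits, EUR 100m budget, -16%/+24%/12%."""
    case = BusinessCase(expected_benefits=114.0, expected_budget=100.0)
    sdp = DeliveryPerformance(functionality_achieved=0.84, budget_overrun=0.24,
                              discount_rate=0.12, delay_periods=1.0)
    return budgeted_roi(case), corrected_roi(case, sdp), break_even_functionality(case, sdp)


if __name__ == "__main__":
    planned, actual, needed = slide_example()
    print(f"Budgeted ROI: {planned:+.1f}%")          # +14.0%
    print(f"Corrected ROI: {actual:+.1f}%")          # -38.5%
    print(f"Functionality needed to break even: {needed:.0%}")
```

The break-even figure is above 100%, so with a 24% overrun and the delay discount this case cannot recover even at full functionality.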
How are we doing about Value?
We don’t learn from our past
[Chart: Correction in the business case (–5 to 20) against Solution Delivery Performance (4.5 down to 2); theoretical curve, empirical curve and the good-fit region]
Enterprise Governance of IT
How are we dealing with Risk and Value?
CIONet and ISACA – Survey of 56 CIO’s – Aug 2009
Enterprise Governance of IT
How are we dealing with Risk and Value?
CIO/CEO Discussion topics by priority – CIONet and ISACA Survey Aug 2012 of 90 CIO’s
[Chart: the topics Cost, Effectiveness, Agile/Innovation and Risk, each rated on Depth, Frequency and Mechanism]
Enterprise Governance of IT
How are we dealing with Risk and Value?
List of IT Outsourcing Risks from one of the most important academic sources on the subject
Enterprise Governance of IT
How are we dealing with Risk and Value?
Items from that list, each of which is really a threat, a vulnerability or an impact rather than a risk (the slide labels two as VULNERABILITY, two as IMPACT and one as THREAT):
Lack of appropriate governance
Unhappy users
Biased portrayal by vendor
Low process maturity
Hidden costs
RISK = an important threat that, applied to an applicable vulnerability, results in a significant business impact
Risk Scenarios: an important mechanism for risk management, and especially for debating and deciding on risk relevance and mitigation
The right terminology?
Resource Assessment → Threat Assessment → Vulnerability Assessment → Risk Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up
The right terminology?
I. Threat
a. Unintentional
5. Acts of God
6. Accidents
7. Errors of Omission
8. Errors of Commission
b. Intentional
9. Fraud
10. Damage
11. Sabotage
The right terminology?
II. Vulnerability
a. Inherent Susceptibility
1. Type of Business (internal)
2. Environment (external)
b. Control Deficiency
3. Absence of Controls
4. Ineffectiveness of Controls
The right terminology?
With the fourth step renamed: Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up
III. Impact
a. Tangible
12. Financial
13. People
b. Intangible
14. Reputation
15. Business Continuity
16. Competitiveness
IT Risk Analysis
Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow up
I. Vulnerability
a. Inherent Susceptibility
1. Type of Business (internal)
2. Environment (external)
b. Control Deficiency
3. Absence of Controls
4. Ineffectiveness of Controls
II. Threat
a. Unintentional
5. Acts of God
6. Accidents
7. Errors of Omission
8. Errors of Commission
b. Intentional
9. Fraud
10. Damage
11. Sabotage
III. Impact
a. Tangible
12. Financial
13. People
b. Intangible
14. Reputation
15. Business Continuity
16. Competitiveness
Threat Assessment + Vulnerability Assessment + Impact Assessment = RISK
The right focus?
[Chart: Insiders 70, Collusion 25, Outsiders 5]
Based on combined sources from 2006 (ISF, E&Y, CSI etc.)
Note: Within the largest group ‘Internal Errors & Omissions’ there are significantly more errors of commission than omission.
The right focus?
1. Just over one third is theft, either
◦ in collusion with outsiders (22%)
◦ by insiders (10%)
◦ by outsiders (3%)
2. Just under one third is errors of commission
◦ no or bad instructions
◦ wrong instructions
◦ wrong examples
3. Well under one third is errors of omission
◦ awareness, training & education
◦ discipline & motivation
◦ remuneration & enforcement
Enterprise Governance of IT
How are we dealing with Risk and Value?
Developing IT Risk Scenarios
Nr | Description | Probability of Occurrence (H, M, L) | Impact (H, M, L)
Description template: <an important business impact caused by a significant threat exploiting an applicable vulnerability>
Example: Vandalism to the production chain (V) by disgruntled employees (T) results in delivery of faulty products (I)
Example: Faulty products delivered to customers (T) is followed by litigation (V) resulting in fines and lawyer fees (I)
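A small risk-scenario register in the form this slide describes, added here as an example (mine, not the speaker's): every scenario must name a threat, a vulnerability and an impact taken from the 16-item taxonomy on the earlier slides, its description is rendered from the slide's template, and scenarios are rated H/M/L for probability and impact. The 3×3 ranking matrix and the sample scenarios are my assumptions; the slide only shows the columns.

```python
# Added example, not from the slides. Builds risk scenarios from the taxonomy on
# the "right terminology" slides and ranks them by the H/M/L ratings of the
# scenario table. The scoring matrix and the sample register are constructed.

from dataclasses import dataclass
from enum import Enum

# Taxonomy numbering as on the slides: I. Vulnerability 1-4, II. Threat 5-11, III. Impact 12-16
VULNERABILITIES = {1: "Type of Business (internal)", 2: "Environment (external)",
                   3: "Absence of Controls", 4: "Ineffectiveness of Controls"}
THREATS = {5: "Acts of God", 6: "Accidents", 7: "Errors of Omission",
           8: "Errors of Commission", 9: "Fraud", 10: "Damage", 11: "Sabotage"}
IMPACTS = {12: "Financial", 13: "People", 14: "Reputation",
           15: "Business Continuity", 16: "Competitiveness"}


class Level(Enum):
    """H/M/L rating used for both columns of the scenario table."""
    H = 3
    M = 2
    L = 1


@dataclass(frozen=True)
class Scenario:
    nr: int
    threat: int          # key into THREATS
    vulnerability: int   # key into VULNERABILITIES
    impact: int          # key into IMPACTS
    probability: Level   # probability of occurrence
    severity: Level      # impact rating
    detail: str = ""     # free-text narrative, e.g. the slide's vandalism example

    def description(self) -> str:
        """Render the slide's template: <impact> caused by <threat> exploiting <vulnerability>."""
        return (f"{IMPACTS[self.impact]} impact caused by {THREATS[self.threat]} "
                f"exploiting {VULNERABILITIES[self.vulnerability]}")

    def score(self) -> int:
        """Assumed 3x3 matrix: probability x impact, 1 (L/L) to 9 (H/H)."""
        return self.probability.value * self.severity.value


def validate(s: Scenario) -> None:
    """Reject scenarios that are missing one of the three components or mislabel one.

    This is the check the slide's definition implies: a 'risk' that is only a
    threat, only a vulnerability or only an impact is not a scenario.
    """
    if s.threat not in THREATS:
        raise ValueError(f"scenario {s.nr}: {s.threat} is not a threat id (5-11)")
    if s.vulnerability not in VULNERABILITIES:
        raise ValueError(f"scenario {s.nr}: {s.vulnerability} is not a vulnerability id (1-4)")
    if s.impact not in IMPACTS:
        raise ValueError(f"scenario {s.nr}: {s.impact} is not an impact id (12-16)")


def rank(register: list[Scenario]) -> list[Scenario]:
    """Validate every scenario, then order by score (highest first), then by Nr."""
    for s in register:
        validate(s)
    return sorted(register, key=lambda s: (-s.score(), s.nr))


def sample_register() -> list[Scenario]:
    """Constructed sample register; ratings are illustrative, not survey data."""
    return [
        Scenario(1, threat=11, vulnerability=4, impact=15, probability=Level.L, severity=Level.H,
                 detail="Vandalism to the production chain by disgruntled employees"),
        Scenario(2, threat=8, vulnerability=3, impact=12, probability=Level.H, severity=Level.M,
                 detail="Wrong instructions lead to mis-priced orders"),
        Scenario(3, threat=6, vulnerability=2, impact=14, probability=Level.M, severity=Level.M,
                 detail="Supplier outage delays customer deliveries"),
    ]


if __name__ == "__main__":
    for s in rank(sample_register()):
        print(f"{s.nr:>2} | {s.description()} | {s.probability.name} | {s.severity.name} | {s.score()}")
```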
Enterprise Governance of IT
How are we dealing with Risk and Value?
For both risk and value, accept uncertainty and deal with it!
Enterprise Governance of IT
How should we be dealing with Risk and Value?
º Simple model
º Clear responsibilities and accountabilities
º Monitor, direct and evaluate
º Tools: Scorecards and Business Cases
º Structured interactions
How should we be dealing with Risk and Value?
º Manage uncertainty
º Portfolio management of all major initiatives
º Business cases take into account past history, all activities to achieve the benefits and the full economic lifecycle of the initiative
º Business cases assign clear accountabilities and are continuously kept up-to-date
º Focus on initiatives that fit with strategy, reuse resources and have top management’s support
How should we be dealing with Risk and Value?
º Accept and manage uncertainty
º Define risk tolerance at the top
º Continuous pragmatic approach
º Identification, awareness, responsiveness
º Less focus on big risks and more on day-to-day value preservation
º Clarity of definitions and concepts and the use of risk scenarios
º Awareness of bias (capability, subjectivity, sensational)

ISACA Indonesia - 9 sept 2013 - Erik Guldentops - Reflections on Value & Risk Enterprise in Governance of IT - shared

  • 1. EG – Sep 20013 – page 1 of 60 REFLECTIONS ON RISK AND VALUE IN ENTERPRISE GOVERNANCE OF IT A story of risk, value, uncertainty, aircraft carriers, racing cars and sailing trips. ISACA Indonesia Expert Event September 2013 Erik Guldentops, Antwerp Management School, Belgium EG – Sep 20013 – page 2 of 60 RISK AND VALUE Positioning risk and value within enterprise governance of IT ISACA Indonesia Expert Event September 2013
  • 2. EG – Sep 20013 – page 3 of 60 3 º Likely to achieve its objectives º Resilient enough to learn and adapt º Judiciously managing its resources º Appropriately recognising opportunities º Obtain enterprise value from IT enabled business initiatives º Applying “due care” about IT related risks From “The IT Governance Briefing”, ITGI. www.isaca.org Enterprise Governance of IT Top management needs to know that IT is Resource Management ITIT GovernanceGovernance DomainsDomains Resource Management Enterprise Governance of IT EG – Sep 20013 – page 4 of 60 4 º Essentially two things º Risk and Value From “CobiT5 : A Business Framework, www.isaca.org Enterprise Governance of IT Resource Management ITIT GovernanceGovernance DomainsDomains Resource Management Enterprise Governance of IT
  • 3. EG – Sep 20013 – page 5 of 60 5 º Essentially two things º Risk and Value º Entirelly intertwined From “ValIT Governance of IT Investments, www.isaca.org Enterprise Governance of IT Value = (Benefits – Costs) adjusted for Risk Resource Management ITIT GovernanceGovernance DomainsDomains Resource Management Enterprise Governance of IT EG – Sep 20013 – page 6 of 60 Translate strategy into action • Increase automation (make the business effective) • Decrease cost (make the enterprise efficient) • Manage risks (security, reliability & compliance) Set Objectives • IT is aligned with the business • IT enables the business and maximises benefits • IT resources are used responsibly • IT-related risks are managed appropriately Translate direction into strategy Measure and report performance Provide direction Evaluate performance IT GOVERNANCE IT MANAGEMENT IMPLEMENTING IT GOVERNANCE www.isaca.org
  • 4. EG – Sep 20013 – page 7 of 60 IMPLEMENTING IT GOVERNANCE EG – Sep 20013 – page 8 of 60 IMPLEMENTING IT GOVERNANCE Are we doing the right things? Are we doing them the right way? Are we doing them well? Are we getting the benefits? Are we governing things properly?
  • 5. EG – Sep 20013 – page 9 of 60 The Board providing high level direction and control. Line Management translating plans into action and ensuring adequate performance. Executive Management translating direction into plans, focussing on the bottom-line results. IMPLEMENTING IT GOVERNANCE EG – Sep 20013 – page 10 of 60 The engines of IT Governance Where do we want to be? Objectives IT Strategy •Delivery Performance •Service Quality •Resource Utilisation •Benefits Realisation •Risk Reduction IT Scorecards How do we know we are progressing? Portfolio • Programmes • Projects • Services • Resources What are we doing to achieve them? IT Business Cases IMPLEMENTING IT GOVERNANCE
  • 6. EG – Sep 20013 – page 11 of 60 +8% +20%%1 0 +2% ManagementPracticesScore Intensity of IT deployment McKinsey & London School of Economics surveying 100 companies – Oct 2005 Why invest in better governance of IT Risk and IT Value ? IMPLEMENTING IT GOVERNANCE EG – Sep 20013 – page 12 of 60 RISK AND VALUE How well are we doing in respect of minimising risk and optimising value of IT? ISACA Indonesia Expert Event September 2013
Page 13 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
[Image: "One thousand 1000,-"]

Page 14 of 60: Risk and Value – How well is the industry doing in respect of minimising risk and optimising value of IT?
Pages 15–16 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
[Charts: ITGI, ING and IBM – 2006 – survey in support of Val IT]
Page 17 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
The full benefit-realisation chain shown on the slide (one step is ticked ✓, three are crossed X):
• Programme design and initiation
• IT Solution Delivery
• IT Operational Implementation
• Business changes
• Business integration
• Business Operation
• Benefit Realisation
• IT Service Delivery

Page 18 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
Hope is not a method!
Page 19 of 60: How are we doing about Value?
Budgeted ROI, as expected in the business case:
  ROI = (Expected Benefits – Budget) / Budget × 100% = (€114m – €100m) / €100m × 100% = +14%
Actual ROI, allowing for typical solution delivery performance:
  • Budget overrun +24% → cost = €100m × 124%
  • Functionality achieved –16% → benefits × 84%
  • Approximately 6 months delay, so benefits discounted at the 12% after-tax rate → benefits × 1/1.12
  ROI = (€114m × 84% × 1/1.12 – €100m × 124%) / €100m × 100% ≈ –38%
Check on the arithmetic: the –38% follows from dividing by the original €100m budget rather than the overrun cost, and from a full-year discount factor: (€85.5m – €124m) / €100m = –38.5%. Discounting for exactly six months (1/1.12^0.5 ≈ 0.94) would give about –34%; the direction of the result is the same either way.
[Chart: cumulative cash flow (€) over time; expected ROI = +14%, actual ROI after corrections for solution delivery performance (SDP) = –38%]
We don't learn from our past.

Page 20 of 60: How are we doing about Value? We don't learn from our past
[Chart: Solution Delivery Performance (horizontal, about 1.5 to 4.5) against Correction in the business case (vertical, –5 to 20); theoretical curve, empirical curve, "good fit"]
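The business-case correction on page 19, as an added worked example (this is not code from the deck). It reproduces the slide's figures (budget €100m, expected benefits €114m, +24% overrun, 84% functionality, benefits discounted at 12%) and makes the length of the delay a parameter, so the six-month delay stated on the slide can be compared with the full-year discount that yields –38%. The `breakeven_overrun` helper and the dataclass names are this example's own additions.

```python
"""Business-case ROI before and after correction for solution delivery performance.

Added example, not from the slide deck. Figures reproduce page 19 of the deck;
the division by the original budget (not the overrun cost) follows the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessCase:
    budget: float              # planned spend in the business case
    expected_benefits: float   # benefits promised in the business case


@dataclass(frozen=True)
class DeliveryPerformance:
    budget_overrun: float = 0.0          # 0.24 -> actual cost is 124% of budget
    functionality_achieved: float = 1.0  # 0.84 -> 84% of the scope is delivered
    delay_years: float = 0.0             # 0.5 -> benefits arrive six months late
    discount_rate: float = 0.12          # after-tax rate applied to late benefits


def budgeted_roi(case: BusinessCase) -> float:
    """ROI as written in the business case: (benefits - budget) / budget."""
    return (case.expected_benefits - case.budget) / case.budget


def realised_benefits(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """Benefits scaled by delivered functionality and discounted for the delay."""
    return (case.expected_benefits * perf.functionality_achieved
            / (1.0 + perf.discount_rate) ** perf.delay_years)


def corrected_roi(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """ROI after the slide's corrections.

    The slide divides by the original budget, not the overrun cost, which is
    what makes (85.5 - 124) / 100 come out at -38%.
    """
    actual_cost = case.budget * (1.0 + perf.budget_overrun)
    return (realised_benefits(case, perf) - actual_cost) / case.budget


def breakeven_overrun(case: BusinessCase, perf: DeliveryPerformance) -> float:
    """Largest budget overrun at which the corrected ROI is still zero.

    A negative value means the initiative would have to come in *under* budget
    to break even once lost functionality and delay are accounted for.
    This helper is an addition of the example, not a figure from the deck.
    """
    return realised_benefits(case, perf) / case.budget - 1.0


# Figures from the slide, in EUR millions
SLIDE_CASE = BusinessCase(budget=100.0, expected_benefits=114.0)
# A full-year discount factor (1/1.12) reproduces the slide's -38%
SLIDE_DELIVERY = DeliveryPerformance(budget_overrun=0.24, functionality_achieved=0.84,
                                     delay_years=1.0)
# The six-month delay the slide text states
SIX_MONTHS = DeliveryPerformance(budget_overrun=0.24, functionality_achieved=0.84,
                                 delay_years=0.5)

if __name__ == "__main__":
    print(f"budgeted ROI:          {budgeted_roi(SLIDE_CASE):+.1%}")
    print(f"corrected ROI (1 yr):  {corrected_roi(SLIDE_CASE, SLIDE_DELIVERY):+.1%}")
    print(f"corrected ROI (6 mo):  {corrected_roi(SLIDE_CASE, SIX_MONTHS):+.1%}")
    print(f"break-even overrun:    {breakeven_overrun(SLIDE_CASE, SLIDE_DELIVERY):+.1%}")
```

The break-even figure is the practical takeaway: with 84% of the functionality and a one-year discount the benefits fall to €85.5m, so the programme would have to come in roughly 14.5% under budget to return its cost, before any overrun is even considered.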
Page 21 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
[Chart: CIONet and ISACA – Survey of 56 CIOs – Aug 2009]

Page 22 of 60: [chart only]
Pages 23–24 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
[Chart: CIO/CEO discussion topics by priority – CIONet and ISACA Survey, Aug 2012, of 90 CIOs. Topics: Cost, Effectiveness, Agile/Innovation, Risk; each rated on Depth, Frequency and Mechanism]
Page 25 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
List of IT Outsourcing Risks from one of the most important academic sources on the subject.

Page 26 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
Examples shown on the slide: Lack of appropriate governance; Unhappy users; Biased portrayal by vendor; Low process maturity; Hidden costs
[Figure: THREAT → VULNERABILITY → IMPACT]
Risk = an important threat that, applied to an applicable vulnerability, results in a significant business impact.
Risk Scenarios: an important mechanism for risk management, and especially for debating and deciding on risk relevance and mitigation.
Page 27 of 60: The right terminology?
Risk process: Resource Assessment → Threat Assessment → Vulnerability Assessment → Risk Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow-up

Page 28 of 60: The right terminology?
I. Threat
  a. Unintentional
    5. Acts of God
    6. Accidents
    7. Errors of Omission
    8. Errors of Commission
  b. Intentional
    9. Fraud
    10. Damage
    11. Sabotage
Page 29 of 60: The right terminology?
II. Vulnerability
  a. Inherent Susceptibility
    1. Type of Business (internal)
    2. Environment (external)
  b. Control Deficiency
    3. Absence of Controls
    4. Ineffectiveness of Controls

Page 30 of 60: The right terminology?
Risk process (the "Risk Assessment" step is now named "Impact Assessment"): Resource Assessment → Threat Assessment → Vulnerability Assessment → Impact Assessment → Determine safeguards → Risk Management Decision → Cost/Benefit follow-up
III. Impact
  a. Tangible
    12. Financial
    13. People
  b. Intangible
    14. Reputation
    15. Business Continuity
    16. Competitiveness
Page 31 of 60: The right terminology? (consolidated; note that Vulnerability is now listed first)
I. Vulnerability
  a. Inherent Susceptibility: 1. Type of Business (internal); 2. Environment (external)
  b. Control Deficiency: 3. Absence of Controls; 4. Ineffectiveness of Controls
II. Threat
  a. Unintentional: 5. Acts of God; 6. Accidents; 7. Errors of Omission; 8. Errors of Commission
  b. Intentional: 9. Fraud; 10. Damage; 11. Sabotage
III. Impact
  a. Tangible: 12. Financial; 13. People
  b. Intangible: 14. Reputation; 15. Business Continuity; 16. Competitiveness
IT Risk Analysis = Threat Assessment + Vulnerability Assessment + Impact Assessment → RISK

Page 32 of 60: The right focus?
[Chart: Insiders 70 / Collusion 25 / Outsiders 5; based on combined sources from 2006: ISF, E&Y, CSI etc.]
Note: within the largest group, "Internal Errors & Omissions", there are significantly more errors of commission than of omission.
Page 33 of 60: The right focus?
1. Just over one third is theft, either
  ◦ in collusion with outsiders (22%)
  ◦ by insiders (10%)
  ◦ by outsiders (3%)
2. Just under one third is errors of commission
  ◦ no or bad instructions
  ◦ wrong instructions
  ◦ wrong examples
3. Well under one third is errors of omission
  ◦ awareness, training & education
  ◦ discipline & motivation
  ◦ remuneration & enforcement

Page 34 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
Page 35 of 60: Developing IT Risk Scenarios
Scenario template: <an important business impact caused by a significant threat exploiting an applicable vulnerability>

Nr | Description | Probability of Occurrence (H, M, L) | Impact (H, M, L)
-- | ----------- | ----------------------------------- | ----------------
1 | Vandalism to the production chain (V) by disgruntled employees (T) results in delivery of faulty products (I) | | 
2 | Faulty products delivered to customers (T) is followed by litigation (V) resulting in fines and lawyer fees (I) | | 

Page 36 of 60: Enterprise Governance of IT – How are we dealing with Risk and Value?
For both risk and value, accept uncertainty and deal with it!
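The threat / vulnerability / impact template from page 26 and the scenario table from page 35, as an added example of a small scenario register (this is not code from the deck). The taxonomy sets are copied from the "right terminology" slides; the ordinal scoring (H=3, M=2, L=1, score = probability × impact), the class assigned to each element of the two slide scenarios, their H/M/L ratings, and the `follows` link that records that the second scenario starts from the impact of the first are all assumptions of this example.

```python
"""Risk scenario register on the deck's threat / vulnerability / impact structure.

Added example, not from the slide deck. Scoring scale, class assignments and
the 'follows' chaining are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: H/M/L mapped to an ordinal scale, risk score = probability x impact
RATING = {"H": 3, "M": 2, "L": 1}

# Taxonomy as listed on the deck's "right terminology" slides
THREAT_CLASSES = {
    "Acts of God", "Accidents", "Errors of Omission", "Errors of Commission",  # unintentional
    "Fraud", "Damage", "Sabotage",                                             # intentional
}
VULNERABILITY_CLASSES = {
    "Type of Business", "Environment",                       # inherent susceptibility
    "Absence of Controls", "Ineffectiveness of Controls",     # control deficiency
}
IMPACT_CLASSES = {
    "Financial", "People",                                    # tangible
    "Reputation", "Business Continuity", "Competitiveness",   # intangible
}


@dataclass(frozen=True)
class Scenario:
    nr: int
    threat: str
    threat_class: str
    vulnerability: str
    vulnerability_class: str
    impact: str
    impact_class: str
    probability: str          # H / M / L
    impact_rating: str        # H / M / L
    follows: Optional[int] = None   # nr of the scenario whose impact is this one's threat

    def description(self) -> str:
        """Render the scenario in the deck's T / V / I sentence form."""
        return (f"{self.threat} (T) exploiting {self.vulnerability} (V) "
                f"results in {self.impact} (I)")

    def score(self) -> int:
        return RATING[self.probability] * RATING[self.impact_rating]


def validate(s: Scenario) -> List[str]:
    """List the ways one scenario departs from the template and taxonomy."""
    problems = []
    for label, value, allowed in (
        ("threat", s.threat_class, THREAT_CLASSES),
        ("vulnerability", s.vulnerability_class, VULNERABILITY_CLASSES),
        ("impact", s.impact_class, IMPACT_CLASSES),
    ):
        if value not in allowed:
            problems.append(f"{s.nr}: {label} class {value!r} is not in the taxonomy")
    for label, value in (("probability", s.probability), ("impact", s.impact_rating)):
        if value not in RATING:
            problems.append(f"{s.nr}: {label} rating {value!r} must be H, M or L")
    return problems


def validate_register(scenarios: List[Scenario]) -> List[str]:
    """Validate every scenario and check that chain links point at known scenarios."""
    known = {s.nr for s in scenarios}
    problems = [p for s in scenarios for p in validate(s)]
    problems += [f"{s.nr}: follows unknown scenario {s.follows}"
                 for s in scenarios if s.follows is not None and s.follows not in known]
    return problems


def ranked(scenarios: List[Scenario]) -> List[Scenario]:
    """Highest score first; ties broken by scenario number for a stable report."""
    return sorted(scenarios, key=lambda s: (-s.score(), s.nr))


def chain(scenarios: List[Scenario], nr: int) -> List[int]:
    """Walk 'follows' links back to the root, e.g. [1, 2]; stops on a cycle."""
    by_nr = {s.nr: s for s in scenarios}
    path, seen = [], set()
    cur: Optional[Scenario] = by_nr[nr]
    while cur is not None and cur.nr not in seen:
        seen.add(cur.nr)
        path.append(cur.nr)
        cur = by_nr.get(cur.follows) if cur.follows is not None else None
    return list(reversed(path))


# The two scenarios from the slide; class assignments and ratings are assumptions
REGISTER = [
    Scenario(1, "disgruntled employees", "Sabotage",
             "production chain open to vandalism", "Absence of Controls",
             "delivery of faulty products", "Financial", "M", "H"),
    Scenario(2, "faulty products delivered to customers", "Errors of Commission",
             "exposure to litigation", "Environment",
             "fines and lawyer fees", "Financial", "L", "H", follows=1),
]

if __name__ == "__main__":
    for problem in validate_register(REGISTER):
        print("PROBLEM:", problem)
    for s in ranked(REGISTER):
        print(f"{s.nr}  score={s.score()}  chain={chain(REGISTER, s.nr)}  {s.description()}")
```

The validation step is the point of the example: a scenario whose "threat" is really a control deficiency, or whose rating is left blank, is caught before it reaches the debate on relevance and mitigation that the deck says scenarios exist to support.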
Page 37 of 60: Enterprise Governance of IT – How should we be dealing with Risk and Value?
º Simple model
º Clear responsibilities and accountabilities
º Monitor, direct and evaluate
º Tools: Scorecards and Business Cases
º Structured interactions

Page 38 of 60: Enterprise Governance of IT – How should we be dealing with Risk and Value?
º Manage uncertainty
º Portfolio management of all major initiatives
º Business cases take into account past history, all activities needed to achieve the benefits, and the full economic lifecycle of the initiative
º Business cases assign clear accountabilities and are continuously kept up to date
º Focus on initiatives that fit with strategy, reuse resources and have top management's support
Page 39 of 60: Enterprise Governance of IT – How should we be dealing with Risk and Value?
º Accept and manage uncertainty
º Define risk tolerance at the top
º Continuous, pragmatic approach
º Identification, awareness, responsiveness
º Less focus on big risks and more on day-to-day value preservation
º Clarity of definitions and concepts, and the use of risk scenarios
º Awareness of bias (capability, subjectivity, sensationalism)