September 23, 2014 - To help executives understand IT-related risk, IT risk managers should develop and test risk scenarios. A new guide and tool kit from global IT association ISACA provide 60 risk scenario examples covering 20 categories of risk that organizations can customize for their own use.
Risk Scenarios Using COBIT 5 for Risk provides an understanding of risk assessment and risk management concepts in business terms, based on the principles of the globally recognized COBIT framework. It also outlines six key steps to effectively using risk scenarios to improve risk management:
1. Use generic risk scenarios, such as those presented in this publication, to define a set that is tailored to your organization.
2. Validate the risk scenarios against the business objectives of the organization, ensuring that the scenarios address business impacts.
3. Refine the selected scenarios based on this validation and ensure their level of detail is in line with their criticality to the business.
4. Reduce the number of scenarios to a manageable set.
5. Keep all scenarios in a list so they can be reevaluated.
6. Include in the scenarios an unspecified event (an incident not covered by other scenarios).
“The scenarios included in this guide help enterprises develop a tangible and assessable representation of risk to determine the business impact and the enterprise’s preparation levels,” said Steven Babb, chair of ISACA’s Knowledge Board and ISACA international vice president. “Well-developed risk scenarios that are linked to real business risk using these six steps help support risk management activities and make them realistic and relevant to the enterprise.”
Risk Scenarios provides scenario examples across categories such as IT investment decision making, staff operations, infrastructure, software, regulatory compliance, geopolitical, malware, acts of nature and innovation.
“Risk scenario analysis is a valuable technique that helps IT professionals understand and handle vulnerabilities, while helping businesses respond more effectively when implementing strategies that could affect IT-related risk,” said Robert E Stroud, CGEIT, CRISC, international president of ISACA. “The new Risk Scenarios publication provides key guidance based on the globally respected COBIT framework to help enterprises identify, analyze and respond to risk and understand its impact on the business.”
The publication also provides guidance on how to respond to risk that exceeds the organization’s tolerance level and how to use COBIT 5 to accomplish key risk management activities.
