
COBIT 5 for Risk

COBIT 5 Product Family

COBIT 5

COBIT 5 Enabler Guides
  COBIT 5: Enabling Processes
  COBIT 5: Enabling Information
  Other Enabler Guides

COBIT 5 Professional Guides
  COBIT 5 Implementation
  COBIT 5 for Information Security
  COBIT 5 for Assurance
  COBIT 5 for Risk
  Other Professional Guides

COBIT 5 Online Collaborative Environment

Source: COBIT 5 for Risk, figure 1

COBIT 5 Principles

1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-end
3. Applying a Single Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance From Management

Source: COBIT 5, figure 2

3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545  Fax: +1.847.253.1443  Email: info@isaca.org  Web site: www.isaca.org
© 2013 ISACA. All Rights Reserved.

COBIT 5 Goals Cascade Overview

Stakeholder Drivers (Environment, Technology Evolution, ...)
  influence
Stakeholder Needs: Benefits Realisation, Risk Optimisation, Resource Optimisation
  cascade to
Enterprise Goals
  cascade to
IT-related Goals
  cascade to
Enabler Goals

Source: COBIT 5, figure 4

Selected Guidance From the COBIT 5 Family


These charts and figures are elements of COBIT 5 and its supporting guides. This excerpt is available as a complimentary PDF (www.isaca.org/cobit) and for purchase in hard copy (www.isaca.org/bookstore). It provides an overview of the COBIT 5 guidance, its five principles and seven enablers. We encourage you to share this document with your enterprise leaders, team members, clients and/or consultants. COBIT enables enterprises to maximise the value and minimise the risk related to information, which has become the currency of the 21st century. COBIT 5 is a comprehensive framework of globally accepted principles, practices, analytical tools and models that can help any enterprise effectively address critical business issues related to the governance and management of information and technology. Additional information is available at www.isaca.org/cobit.

Governance and Management in COBIT 5

Governance Objective: Value Creation
  Benefits Realisation
  Risk Optimisation
  Resource Optimisation

Governance Enablers
Governance Scope
Roles, Activities and Relationships

Source: COBIT 5, figure 8

Key Roles, Activities and Relationships

Roles, Activities and Relationships

Owners and Stakeholders delegate to the Governing Body, which is accountable to them.
The Governing Body sets direction for Management and monitors it.
Management instructs and aligns Operations and Execution, which report back to Management.

Source: COBIT 5, figure 9

COBIT 5 Governance and Management Key Areas

Business Needs

Governance: Evaluate, Direct, Monitor
  (receives Management Feedback)

Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Source: COBIT 5, figure 15

Two Perspectives on Risk

Risk Function Perspective
The risk function perspective describes how to build and sustain a risk function in the enterprise by using the COBIT 5 enablers.

Risk Management Perspective
The risk management perspective looks at core risk governance and risk management processes and risk scenarios. This perspective describes how risk can be mitigated by using COBIT 5 enablers.

COBIT 5 Enablers (used by both perspectives)
  Processes
  Organisational Structures
  Culture, Ethics and Behaviour
  Principles, Policies and Frameworks
  Services, Infrastructure and Applications
  People, Skills and Competencies
  Information

Source: COBIT 5 for Risk, figure 8

Scope of COBIT 5 for Risk

COBIT 5 for Risk

Risk Function Perspective: COBIT 5 Enablers for the Risk Function
  Processes
  Organisational Structures
  Culture, Ethics and Behaviour
  Principles, Policies and Frameworks
  Services, Infrastructure and Applications
  People, Skills and Competencies
  Information

Risk Management Perspective
  Core Risk Processes
  Risk Scenarios
  Mapping Scenarios to COBIT 5 Enablers

COBIT 5 Framework; COBIT 5: Enabling Processes

Enterprise Risk Management Standards: COSO ERM, ISO 31000, ISO/IEC 27005, Others
IT Management Frameworks: ITIL, ISO/IEC 20000, ISO/IEC 27001/2, Others

Source: COBIT 5 for Risk, figure 10

Risk Scenario Overview

Top Down
  Business Goals: identify business objectives; identify scenarios with the highest impact on achievement of business objectives.
Bottom Up
  Generic Risk Scenarios: identify hypothetical scenarios; reduce through high-level analysis.

Risk Factors
  Internal Environmental Factors
  External Environmental Factors
  Risk Management Capabilities
  IT-related Capabilities

Risk Scenarios

The Risk Management Process (APO12)

All Related Enablers: Principles, Policies and Frameworks; Organisational Structures; Culture, Ethics and Behaviour; Information; Services, Infrastructure and Applications; People, Skills and Competencies

APO12.01 Collect Data
APO12.02 Analyse Risk
APO12.03 Maintain a Risk Profile
APO12.04 Articulate Risk
APO12.05 Define a Risk Management Action Portfolio
APO12.06 Respond to Risk

Source: COBIT 5 for Risk, figure 34

Risk Scenario Structure

Threat Type
  Malicious; Accidental; Error; Failure; Nature; External requirement

Event
  Disclosure; Interruption; Modification; Theft; Destruction; Ineffective design; Ineffective execution; Rules and regulations; Inappropriate use

Asset/Resource
  People and skills; Organisational structures; Process; Infrastructure (facilities); IT infrastructure; Information; Applications

Actor
  Internal (staff, contractor); External (competitor, outsider, business partner, regulator, market)

Time
  Duration; Timing of occurrence (critical or non-critical); Detection; Time lag

Together these elements make up a Risk Scenario.

Source: COBIT 5 for Risk, figure 36


Supporting Processes for the Risk Function

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
  EDM01 Ensure Governance Framework Setting and Maintenance
  EDM02 Ensure Benefits Delivery
  EDM03 Ensure Risk Optimisation
  EDM04 Ensure Resource Optimisation
  EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Align, Plan and Organise
  APO01 Manage the IT Management Framework
  APO02 Manage Strategy
  APO03 Manage Enterprise Architecture
  APO04 Manage Innovation
  APO05 Manage Portfolio
  APO06 Manage Budget and Costs
  APO07 Manage Human Resources
  APO08 Manage Relationships
  APO09 Manage Service Agreements
  APO10 Manage Suppliers
  APO11 Manage Quality
  APO12 Manage Risk
  APO13 Manage Security

Build, Acquire and Implement
  BAI01 Manage Programmes and Projects
  BAI02 Manage Requirements Definition
  BAI03 Manage Solutions Identification and Build
  BAI04 Manage Availability and Capacity
  BAI05 Manage Organisational Change Enablement
  BAI06 Manage Changes
  BAI07 Manage Change Acceptance and Transitioning
  BAI08 Manage Knowledge
  BAI09 Manage Assets
  BAI10 Manage Configuration

Deliver, Service and Support
  DSS01 Manage Operations
  DSS02 Manage Service Requests and Incidents
  DSS03 Manage Problems
  DSS04 Manage Continuity
  DSS05 Manage Security Services
  DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
  MEA01 Monitor, Evaluate and Assess Performance and Conformance
  MEA02 Monitor, Evaluate and Assess the System of Internal Control
  MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

This figure highlights the key supporting COBIT 5 processes (shown in dark pink), as well as the other supporting processes (shown in light pink). The core risk processes are shown in light blue. Source: COBIT 5 for Risk, figure 18

COBIT 5 Enterprise Enablers

1. Principles, Policies and Frameworks
2. Processes
3. Organisational Structures
4. Culture, Ethics and Behaviour
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

(Enablers 5 to 7 are Resources)

Source: COBIT 5, figure 12

COBIT 5 Enablers: Generic

Enabler Dimension
  Stakeholders: Internal Stakeholders; External Stakeholders
  Goals: Intrinsic Quality; Contextual Quality (Relevance, Effectiveness); Accessibility and Security
  Life Cycle: Plan; Design; Build/Acquire/Create/Implement; Use/Operate; Evaluate/Monitor; Update/Dispose
  Good Practices: Practices; Work Products (Inputs/Outputs)

Enabler Performance Management
  Are Stakeholders' Needs Addressed?
  Are Enabler Goals Achieved?
  Is Life Cycle Managed?
  Are Good Practices Applied?
  Metrics for Achievement of Goals (Lag Indicators)
  Metrics for Application of Practice (Lead Indicators)

Source: COBIT 5, figure 13

The Seven Phases of the Implementation Life Cycle

Phases (the question asked in each)
  1 What are the drivers?
  2 Where are we now?
  3 Where do we want to be?
  4 What needs to be done?
  5 How do we get there?
  6 Did we get there?
  7 How do we keep the momentum going?

Programme management (outer ring): Initiate programme; Define problems and opportunities; Define road map; Plan programme; Execute plan; Realise benefits; Review effectiveness

Change enablement (middle ring): Establish desire to change; Form implementation team; Communicate outcome; Identify role players; Operate and use; Embed new approaches; Sustain

Continual improvement life cycle (inner ring): Recognise need to act; Assess current state; Define target state; Build improvements; Implement improvements; Operate and measure; Monitor and evaluate

Source: COBIT 5, figure 17 and COBIT 5 Implementation, figure 6

Summary of the COBIT 5 Process Capability Model

Generic Process Capability Attributes

Incomplete Process
Performed Process: Performance Attribute (PA) 1.1 Process Performance
Managed Process: PA 2.1 Performance Management; PA 2.2 Work Product Management
Established Process: PA 3.1 Process Definition; PA 3.2 Process Deployment
Predictable Process: PA 4.1 Process Management; PA 4.2 Process Control
Optimising Process: PA 5.1 Process Innovation; PA 5.2 Process Optimisation

COBIT 5 Process Assessment Model: Performance Indicators
  Process Outcomes
  Base Practices (Management/Governance Practices)
  Work Products (Inputs/Outputs)

COBIT 5 Process Assessment Model: Capability Indicators
  Generic Practices
  Generic Resources
  Generic Work Products

Source: COBIT 5, figure 19
