Introduction
In 2012 the NZ public were once again exposed to the failure of IT-related internal controls within public sector organisations. This level of reputational damage shows, yet again, that IT-related risks, when not appropriately treated, have the potential to impact the performance of the whole organisation. There is a lot more that can be done to integrate risk information into the critical decision making of large and complex organisations. For the public sector in this region, this is a dire need.
Also in 2012, the mainstream adoption of IT rose to new heights. For instance, Cisco Systems' estimate of mobile connections this year exceeds the population of the world. This phenomenon has been heralded by business leaders as a new era of opportunity for business growth. Globally, mobile traffic doubled in 2011 and then again in 2012.
All this brings with it greater challenges for IT assurance professionals. There is a greater need to apply professional practice. For example, ISACA qualified practitioners can help organisations drive value from IT intensive investments and better protect business and the Public against loss through utilising their IT domain expertise. ISACA has had a long history of high quality professional guidance and standards to address such challenges.
However, as is customary in the assurance field, ISACA has always stated that its standards and guidance are designed as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics. Utilisation of ISACA guidance and standards does not in itself assure a successful outcome.
ISACA stipulates that practitioners need a solid understanding of the enterprise's business functions and industry risks in order to utilise its expert guidance. The code of audit practice limits, via the Independence requirements, the level of involvement in risk mitigation action. Therefore, in many ways, the responsibility for achieving improved outcomes rests on the relationship between the client and the practitioner, with success largely determined by the level of organisational commitment to professionally managed risk, demonstrated in both political and monetary terms.
ISACA's COBIT, once used largely by auditors, is now enjoying broader acceptance by IT line management, CIOs and some select business owners. This is a welcome development.
What is in this paper?
In this paper, I am going to examine systematically how ISACA's expert guidance, past and present, deals with risk management. In this context, I shall examine COBIT 5.0, a major refresh of ISACA's guidance. I also look at corresponding developments in the Enterprise Risk Management field relevant to ISACA practitioners.
Finally, I will provide a few suggestions for helping develop the integration of ERM into the mainstream of business and ICT management.
How do these multiple frameworks fit together?
Practitioners typically utilise many skills to be effective. Among these, one has become increasingly critical: the ability to utilise multiple frameworks, standards, practices and expert knowledge from a variety of dependable sources, both within ISACA's expert body of knowledge and externally. Business and IT practices are changing at a fast pace, and practitioners need to develop ways to apply what is relevant for clients.
Up to this point, ISACA's IT Assurance Framework had served as a single point of reference for practitioners who needed to find guidance, research policies, and obtain the audit and assurance programmes they need to develop effective reports and assurance advice. ISACA has provided specific guidance in this regard:
Standards Issued by other Standard Setting bodies
The IT audit and assurance professional may:
• Use ISACA Standards in conjunction with professional standards issued by other authoritative bodies
• Cite the use of other standards apart from ISACA Standards in their reports
When the IT audit and assurance professional is using standards other than the ISACA Standards, care should be taken to ensure conflicts do not arise between the standards.
- IT Assurance Framework, 2008
COBIT 5.0
ISACA has undertaken a major refresh of its professional guidance with the release of COBIT 5.0. This is a milestone release: it consolidates the previous development of COBIT 4.1, ValIT 2.0 and RiskIT, and draws on the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF).
In COBIT 5.0 the intent of integrating multiple sources of expert knowledge has been recognised from the top down. Its PRINCIPLE 3 is about "Applying a Single, Integrated Framework". The COBIT Framework Integrator is a standard process that defines how past ISACA expert knowledge, external expert knowledge and its current knowledge base will be integrated and maintained over time. This is a sincere attempt to bring a higher level of architectural maturity (rules governing the structure of components and evolution over time) to ISACA's already large knowledge base.
So, specifically, how has Enterprise Risk Management integrated into ISACA's body of knowledge? I am going to examine this question from the perspective of those in Australia/New Zealand who work closely with the Public Sector.
Evolution of ISACA COBIT and Risk Management
As the risk and assurance landscape has changed significantly over the past twenty years, it is worthwhile examining some of the key influences that have shaped the evolution of the COBIT 5.0 product family and, more generally, Enterprise Risk Management knowledge:
This list is certainly not exhaustive. Nor is the intent to present a comparison of features. However, it highlights that:
- ISACA, in large part, has responded to industry developments in internal control and risk management. It has been issuing risk-related guidance over and above what used to be the core COBIT framework; and
- Risk management professional frameworks have been, and are being, developed simultaneously across multiple professional groups; and ISO's ERM framework has built on the long history of AS/NZ 4360 adoption in this region.
Let us examine these aspects more closely:
How has Risk Management been incorporated into ISACA Guidance?
ISACA has structured its guidance to be modular. ISACA ITAF, COBIT 4, ValIT 2 and underlying guidance have never directly discussed the fundamental construct of Risk. To illustrate, the ITAF Practice Guidance mentions risk in 160 locations but does not define the core concept of risk per se. Derivative constructs of risk are however defined, such as Assurance risk.
The IS Auditing Guideline G13 - "Use of Risk Assessment in Audit Planning" did not define Risk. Instead, it called for the Selection of Risk Assessment Methodology (sec 2.1) and provided the linkages to COBIT 4.1 via COBIT 4.1's Control Objective PO9: Assess & Manage IT Risk - which discusses (at a very high level) the need to define and maintain a risk management framework.
These two examples show that the original intent of ISACA was to work with whatever formal risk management methodology was adopted by the practitioner or organisation.
ISACA provides an authoritative definition for risk for the first time in The RiskIT framework. The Appendix of the RiskIT Practitioner Guide contains key definitions and comparisons with other ERM frameworks: COSO ERM and ISO 31000:2009.
RiskIT's (Business) Risk definition: A probable situation with uncertain frequency and magnitude of loss (or gain)
The definition is comparable to the COSO ERM and ISO definitions of risk and importantly, incorporates both the upside and downside of risk effects.
RiskIT has been designed to complement authoritative, formal Enterprise Risk Management frameworks across all industries, globally. This includes COSO's ERM Integrated Framework, but is not limited to COSO; a comparative evaluation against ISO 31000:2009 is also provided. Whilst authoritative Enterprise Risk Management frameworks provide an over-arching framework for entity-level risk (and attempt to be relevant at many levels of the organisation), they do not address IT risks specifically. RiskIT therefore provides a foundation of IT risk management practices for those organisations committed to ISO 31000:2009, COSO ERM or others still.
A good example of providing this foundation is RiskIT's group of Risk Evaluation (RE) processes. This process family: (Collect Data, Analyse Risk, Maintain Risk Profile) cuts to the core of IT-specific risks that need to be better analysed and reported. This provides an opportunity of contributing to the wider Risk Management community in the area of IT-Risk management through the ability to share risk information more comprehensively.
This intent has been further supported by the 2012 exposure draft of the ITAF framework, in particular Standard 1202 "Use of Risk Assessment in Audit Planning". ITAF's Business Continuity Management Audit/Assurance programme is an example of detailed guidance that covers risk assessment. However, even this programme does not provide specific IT-related models, standards, metrics or analysis templates. It is hoped that COBIT 5.0's new product family will provide more prescriptive guidance on IT risk evaluation, requiring the capture and analysis of IT risk severity and frequency in a standardised way. If this is prescribed and adopted by practitioners, it could go some way towards providing Audit Committees in this region with useful risk information to help their decision making.
However, standards such as ISACA's will require industry support from the ICT sector for them to be truly effective. In the Finance sector for instance, Value at Risk (VaR) is a commonly adopted method to evaluate loss due to Market Risk. The ICT industry does not have a common approach for developing IT-related risk models - and hence their analysis, evaluation and communication is not mature.
Mapping ISACA guidance with the UK's Best Management Practice / OGC
ISACA has historically not focused on OGC Management of Risk (MoR) and to date, there is no direct cross-reference to MoR in COBIT 5.0. Whilst OGC's ITIL framework has featured in comparisons and mappings with COBIT literature, ISACA has not treated OGC's MoR with the same level of rigour.
Equally, OGC's MoR 2010 guidance provides "risk specialisms" in various categories of risk: such as Business Continuity Management, Security Risk Management, Financial Risk Management and so on - but it does not discuss IT Risk Management in any great length.
For public sector practitioners, particularly in New Zealand, UK Best Management Practice / OGC is being adopted for programmes (Managing Successful Programmes), projects (PRINCE2) and service management (ITIL). At the same time, AS/NZ 4360:2004 and ISO 31000:2009 are being increasingly utilised in this region. It will be useful to provide more detailed guidance tailored to these frameworks so that risk information is better integrated into decision making in major programme governance and Audit Committees, especially for IT-related matters.
Conclusions
There has been significant work done by ISACA to keep up with the pace of change in the risk and assurance services sector. However, practitioners will have to be alert to how professional frameworks from other sources are being adopted in this region and how they map into ISACA's body of work. ISACA practitioners in this region have the opportunity to leverage the long history of AS/NZ 4360 based risk management practices by adopting ISO 31000:2009 in their work. They can use the COBIT Framework Integrator to better link ISACA guidance with OGC's Managing Successful Programmes (MSP) and MoR frameworks, and vice versa. This will provide the benefits of closer integration of IT-related risk information within public sector environments.
There is a need for the ICT industry to invest in and provide standardised risk models and benchmarks, preferably in line with ISO 31000:2009, so that ISACA's standards and COBIT 5.0 best practices can be better applied.
The availability of better quality risk information, and a better informed practitioner base sharing common IT-specific risk analysis models, will help public sector decision makers make better informed ICT-related decisions. This is much needed to maintain public trust in major ICT investments and to leverage the emerging business opportunities arising from the rapid commoditisation of IT.
References
[1] Visual Networking Index (VNI) Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011–2016
[2] COBIT 5.0 Framework, ISACA
[3] COBIT 5.0 Enabling Processes, ISACA
[4] IT Assurance Framework, ISACA
[5] ValIT Framework, ISACA
[6] RiskIT Framework, ISACA
[7] RiskIT Framework Practitioner Guide, ISACA
[8] Risk and Value Management in Construction Projects, Achieving Excellence Series, OGC, UK Cabinet Office
[9] Management of Risk, Best Management Practice / OGC, UK Cabinet Office
[10] ISO 31000:2009, ISO
[11] COSO ERM - Integrated Framework, COSO
Author:
Nitish Verma
Member, NZ SRM, MInstD(NZ), CISA(ISACA), MSP-F, BSc.
Nitish Verma is a senior advisor who brings a design-led approach to planning for results. He has worked in Risk and Assurance, Programme Management and internal consulting roles for SOEs and Central Govt Agencies in NZ and for F500 and Hi-growth start-ups in the USA, Europe and Asia. He has also successfully led the design of large scale, high-risk ICT projects.
More information, visit: http://essencenetworks.com
