Information Risk
Management
Prof. Hernan Huwyler, MBA CPA
Risk governance covers
the culture of an
organization to be aware
of and tolerate risk as part
of the strategy
Objectives of IT risk governance
DECIDE
Make risk-aware
business decisions
INTEGRATE
Execute controls in
practices to address
IT risks
CONSOLIDATE
Maintain a common
view of risks
AWARENESS CULTURE
TOLERANCE
Risk management covers
the process and capability
to balance the costs of
risks and controls to meet
business objectives
Good risk
management saves
money and time by
improving
productivity
IT risk governance results in a policy
based on the chosen framework >
Accountabilities of senior
management
IT risk management results in
standard operating procedures based
on practices from the supplemental
materials of the chosen framework >
CIA responsibilities
Principles of IT Risk Management
INTEGRATED
IT risks to the
strategy
BALANCED
Exposures and costs
OBJECTIVES
Understand
assumptions
ACCOUNTABILITY
Assign personal
ownership from the
top to the bottom
MATURITY
Continuous
improvements
TRANSPARENT
Promote
communication
ISACA IT Risk Framework
ISACA Risk IT practitioner guide
TECHNIQUES
IMPLEMENTATION TOOLS
NIST 800-37 Risk Management Framework
COBIT 5 Implementation in IT governance
The cost of risk
mitigation options
affects the
tolerance
Appetite > Amount
Unwilling to accept
risks higher than 1M
USD in expected losses
Tolerance > Variance
Unwilling to accept risks
that reduce this objective
by more than 10%
Time
Output
Culture
Risk culture covers how
openly decision-makers
discuss the acceptable
levels of risks aligned
to the set direction for
tolerance and controls
Risk culture rewards
owning risks and
responding quickly to
emerging threats
How to
create risk
scenarios
Determine the
value of the IT
assets and services
at risk for the
business objectives
Identify
vulnerabilities of
the IT assets and
services at risks
Identify potential threat
vectors and actors as
factors capable to
exploit vulnerabilities
and generate losses
A list of generic risk
scenarios helps to
define a few
concrete risks for
decision-making
Analyze the impact
value of potential losses
that a threat vector can
produce in exploiting a
vulnerability
COBIT information criteria
Confidentiality
Integrity
Availability
Compliance
Efficiency
Effectiveness
Reliability
Risk scenario diagram: causes (a threat exploiting a vulnerability of the asset) > probability > CIA objective affected > consequences (primary loss and secondary losses) > impact
Quantitative model
For each asset at risk, record the loss range (Min, Max) of a single event, the confidence level of that estimate, the number of cases (event frequency) and the probability of the event, $P(A)$. The single loss is modelled with a lognormal distribution calibrated from the range:

$$\mu = \frac{\ln(\mathrm{Max}) + \ln(\mathrm{Min})}{2}, \qquad \sigma = \frac{\ln(\mathrm{Max}) - \ln(\mathrm{Min})}{k}$$

The divisor $k$ (labelled "Standard Error" on the slide) is twice the standard normal z-value of the confidence interval, so that Min and Max fall on its lower and upper bounds:

Confidence interval   k
80%                   2.56
90%                   3.29
95%                   3.92
99%                   5.15

A single simulated loss is a random draw from that distribution, $\mathrm{Single\ Loss} = \exp(\mu + \sigma Z)$ with $Z$ standard normal; in Excel:

=LOGNORM.INV(RAND(), (LN(Min)+LN(Max))/2, (LN(Max)-LN(Min))/k)
Loss Exceedance Curve (chart: probability of exceeding, from 100% down to 0, against accumulated loss)
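A worked version of the quantitative model above, added here as an example (it is not code from the slides or from the author). It calibrates the lognormal single-loss distribution from the Min/Max estimate and its confidence level with the same divisors as the table, uses Python's `random.lognormvariate` in place of Excel's `LOGNORM.INV(RAND(), ...)`, treats the "# cases" column as an expected annual event frequency sampled from a Poisson distribution (an assumption), and builds the loss exceedance curve and the appetite check (expected loss above 1M USD). The scenario register, frequencies and loss ranges are constructed for illustration.

```python
"""Quantitative IT risk model: calibrated lognormal losses, Monte Carlo
simulation, loss exceedance curve and appetite check (added example)."""
import math
import random
from dataclasses import dataclass

# Divisor k for sigma = (ln Max - ln Min) / k: twice the standard normal
# z-value of the two-sided confidence interval (same table as the slide).
CI_DIVISOR = {0.80: 2.56, 0.90: 3.29, 0.95: 3.92, 0.99: 5.15}


@dataclass
class Scenario:
    name: str
    cases_per_year: float  # expected event frequency (assumed Poisson)
    loss_min: float        # low end of the single-loss estimate, USD
    loss_max: float        # high end of the single-loss estimate, USD
    confidence: float      # confidence that a single loss lies in [min, max]


def lognormal_params(loss_min, loss_max, confidence):
    """Return (mu, sigma) of the lognormal whose `confidence` interval is [min, max]."""
    if not 0 < loss_min < loss_max:
        raise ValueError("need 0 < min < max")
    k = CI_DIVISOR[confidence]
    mu = (math.log(loss_max) + math.log(loss_min)) / 2
    sigma = (math.log(loss_max) - math.log(loss_min)) / k
    return mu, sigma


def expected_single_loss(mu, sigma):
    """Mean of the lognormal; it sits above the median exp(mu) because of the right tail."""
    return math.exp(mu + sigma ** 2 / 2)


def calibration_check(loss_min, loss_max, confidence, n=20000, seed=1):
    """Fraction of sampled single losses inside [min, max]; should be close to `confidence`."""
    mu, sigma = lognormal_params(loss_min, loss_max, confidence)
    rng = random.Random(seed)
    inside = sum(loss_min <= rng.lognormvariate(mu, sigma) <= loss_max for _ in range(n))
    return inside / n


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small frequencies used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scenarios, years=20000, seed=7):
    """Monte Carlo: total loss of each simulated year across all scenarios."""
    rng = random.Random(seed)
    params = [(s, *lognormal_params(s.loss_min, s.loss_max, s.confidence)) for s in scenarios]
    totals = []
    for _ in range(years):
        year_loss = 0.0
        for s, mu, sigma in params:
            for _ in range(poisson(rng, s.cases_per_year)):
                # Equivalent of the slide's LOGNORM.INV(RAND(), mu, sigma)
                year_loss += rng.lognormvariate(mu, sigma)
        totals.append(year_loss)
    return totals


def loss_exceedance_curve(annual_losses, thresholds):
    """P(annual loss > t) for each threshold t: the points of the loss exceedance curve."""
    n = len(annual_losses)
    return [(t, sum(1 for x in annual_losses if x > t) / n) for t in thresholds]


def exceeds_appetite(annual_losses, appetite_usd):
    """Appetite check from the slides: is the expected annual loss above the amount?"""
    return sum(annual_losses) / len(annual_losses) > appetite_usd


# Constructed sample register (illustrative figures, not real data).
SCENARIOS = [
    Scenario("Ransomware on ERP", 0.3, 200_000, 2_000_000, 0.90),
    Scenario("Phishing-enabled payment fraud", 2.0, 10_000, 100_000, 0.90),
    Scenario("Cloud provider outage", 1.0, 50_000, 500_000, 0.80),
]

if __name__ == "__main__":
    losses = simulate_annual_losses(SCENARIOS)
    print(f"expected annual loss: {sum(losses) / len(losses):,.0f} USD")
    for t, p in loss_exceedance_curve(losses, [250_000, 500_000, 1_000_000, 2_000_000]):
        print(f"P(annual loss > {t:>9,}) = {p:.1%}")
    print("over appetite (1M USD expected loss):", exceeds_appetite(losses, 1_000_000))
```

`calibration_check` is the sanity test a practitioner runs on the calibration: with the 90% divisor, about 90% of simulated single losses land between Min and Max, which is exactly what the estimator claimed. The curve points map directly onto the responses listed below: the loss level that is exceeded with, say, 5% probability is what reserves, insurance limits or a no-go decision have to cover.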
Reserves for IT incidents
Cost of IT controls
Cyber insurance policies
Outsourcing
Extra assurance costs
No-go decision
IT risks may create non-
IT losses such as
productivity issues, cost
overruns, fines, frauds and
wrong decision-making
• Internal loss data
• External statistics
• Simulations
• Decision trees
• Business impact analysis
Identify current
controls reducing
the impact or
probability of risks
Analyze the
probability of a
potential scenario to
materialize in an
event
Analyze scenarios
by decomposing
how CIA
components could
be degraded
Evaluate the
cascading effect of
a risk in other
scenarios in the
timeframe
• Cause/effect analysis
• Fault trees
• Sensitivity analysis
Systemic > industry-wide effects
Contagious > caused by a third party
Emerging > weak signals of a new, evolving risk (obscure)
External environment factors of IT
risks > not controllable
● Regulations for cyber compliance
● Technologies
● Locations with natural hazards
Internal environment factors of IT
risks > prevented by discipline
● Risk culture and incentives
● Organization of IT staff
● Operational fraud
● Change and complexity of IT operations
● Strategic priorities
IT Governance factors of IT risks
● Framework
● Tolerance communication
● Culture
● Management of IT investments
● IT risk evaluation and response
IT capability factors of IT risks
● Organization and definition of IT operations
● Acquisition and implementation
● Planning, delivery and support
● Monitoring of operations
● Evaluation of operations
IT-related business
capability factors of IT risks
● Business unit performance
● Operational plans
● Portfolio management
● Investment management
● Unit cost targets
● Customer satisfaction
How to
respond to
risk
Compare the risk
levels against the
tolerance in order
to prioritize risks
Identify available
response options
assessing costs,
feasibility and
effectiveness
Perform a
cost/benefit
analysis of the
response
Assess alternatives
to treat several
risks with a
response plan
Monitor the
execution of the
risk response plans
and communicate
deviations
Prepare incident
response plans
with recovery time
objectives and
escalations
Test how enhanced
controls are being
deployed
Reassess and
communicate the
risk when the
response plan is
executed
Monitor changes in
the environment
and lessons learnt
from events
CREDITS: This presentation template was
created by Slidesgo, including icons by Flaticon,
and infographics & images by Freepik.
How to
report and
monitor
risks
Provide good
advice to
decision makers
Key risk indicators
are early warnings
of trends in the
risk levels and
correlations
Key risk indicators
identify potential
changes in the
threat size and
intensity
Key risk indicators
have owners who
adjust priorities
and take corrective
actions
Key risk indicators
have targets
related to the
tolerance
Key risk indicators
• sensitivity
• scope
• time coverage
THANKS!
@Hewyler
/hernanwyler
Please keep this slide for attribution.

Information Risk Management - Cyber Risk Management - IT Risks