ENTERPRISE IT RISK MANAGEMENT
“EXPLORING THE RIGHT POSTURE”

PARAG DEODHAR
27 JULY 2012, BANGALORE
EVOLUTION OF IT WITHIN THE ORGANISATION

(Figure: IT's role evolving from SUPPORT TEAM to ENABLER to TRANSFORMER)

27 July 2012           ENTERPRISE IT RISK MANAGEMENT COLLOQUIUM   PARAG DEODHAR   2
ENTERPRISE RISK & IT
• IT is now CORE to Business
• Top 3 areas which Audit Committees want to spend more time on (Source: KPMG Survey)

IT RISK MANAGEMENT IS MUCH MORE THAN IT SECURITY
• Not limited to information security. It covers all IT‐related risks, including:
  – Late project delivery
  – Not achieving enough value from IT
  – Compliance
  – Misalignment
  – Obsolete or inflexible IT architecture
  – IT service delivery problems

IT RISK DOES NOT EMANATE FROM THE IT DEPARTMENT ALONE
• Mergers and Acquisitions
• Purchasing software as a service
• Investing in application enhancements
• Outsourcing and offshoring
• Integrating diverse applications
  – Business Partners, Suppliers, Banks, Customers…
• End Users
• Consultants and Auditors!!!

WHO OWNS IT RISK?
• IT Risk Management ‐ Organisation Structure & Reporting line
  – IT team
  – Risk Management Team
  – External Vendors
  – Group Team

WHOSE NECK IS ON THE LINE WHEN DISASTER STRIKES?

CIO REPORT TO THE AUDIT COMMITTEE
(Source: KPMG Survey)

IT RISK UNIVERSE

EMERGING IT RISKS IN THE BORDERLESS ENTERPRISE

MANAGING IT RISKS
• New threats are emerging every day
• Basic measures like Anti‐Virus and Firewalls are no longer enough
• Tools like SIEM, IPS, DLP, DRM… are now a standard requirement
• Tools alone are not enough; continuous updates, 24x7 monitoring and response are required
• Do you have the resources – money, time, human resources???
• What is your risk posture? What do you tell the Board?
• How do you manage compliance?
GUIDING PRINCIPLES
Source: ISACA




IT RISK MANAGEMENT FRAMEWORK
Source: ISACA

(Figure: framework diagram with the following elements)
• Responsibility and accountability for risk
• Risk appetite and tolerance
• Awareness and communication
• Risk culture
• Key risk indicators (KRIs)
• Risk response definition and prioritisation
• Risk scenarios
• Business impact descriptions

IT RISK – MATURITY MODEL TO ASSESS POSTURE
Source: ISACA

It’s not a Goal – But a journey…

THANK YOU

IT Risk Management - the right posture