If I had £1 for every time a client said “it won’t happen to us,” I would be a very rich man and probably would not be writing this blog!
Risk management is about minimizing the chance that it will happen to us: anticipating what might occur to affect the successful delivery of an enterprise’s business goals or objectives, and implementing an appropriate risk response to minimize the chance of an adverse business impact materializing.
This is how risk management is usually seen. However, a good risk management process can also be used to help achieve the successful delivery of a business goal or objective.
In life, we all make mistakes, but the important thing is to learn from the experience. Even better is to learn from the mistakes of others. The use of risk scenarios in an enterprise’s risk management process helps us do just that.
Building a library of risk scenarios will help an enterprise foresee potential risk and select suitable risk responses to reduce the impact to within its risk appetite and risk tolerance. The ISACA publications COBIT 5, COBIT 5 for Risk, and Risk Scenarios Using COBIT 5 for Risk provide some very helpful tools to the risk practitioner.
COBIT 5 defines two risk-related process enablers: EDM03, a governance process, and APO12, a management process.
COBIT 5 for Risk Expands on Process Enablers
A key tool in the risk management process is the use of risk scenarios. COBIT 5 for Risk, which expands upon the EDM03 and APO12 process enablers, also has a small section providing some generic risk scenarios. However, the risk professional should arm themselves with Risk Scenarios Using COBIT 5 for Risk for a comprehensive library of risk scenarios.
Risk Scenarios Using COBIT 5
But what is a risk scenario? A risk scenario is a description of a possible event that, if it occurs, will have an uncertain impact on the enterprise. The core of a risk management process requires risk to be identified and assessed and a suitable risk response to be implemented. Well-developed risk scenarios support these activities and make them realistic and relevant to the enterprise.
Source: ISACA, COBIT 5 for Risk, USA, 2013
Scenarios Inform on Suitable Risk Response
The risk scenario then provides some guidance on a suitable risk response. When a risk assessment identifies that risk is not within the risk appetite and tolerance of the enterprise, then one of four risk responses is required:
- Avoid: Stop doing that activity.
- Mitigate: Implement mitigation actions to reduce the inherent risk.
- Share/Transfer: Share or transfer the risk, for example by taking out insurance.
- Accept: Do nothing and live with the risk.
If the selected risk response is mitigate, then the risk scenario gives some pointers to the COBIT 5 process enablers that could be implemented to appropriately manage the risk.
Risk Mitigation in an Elevator
One final thought: even risk professionals get it wrong. Risk Scenarios Using COBIT 5 for Risk was developed by a group of nine risk professionals from around the world. Just imagine that these nine arrive at ISACA headquarters at 08.00 one Sunday morning and all step into the same elevator to go up to the 10th floor. No one else is expected in the building until 07.00 the following morning.
These nine highly experienced risk professionals failed to effectively assess the risk of all getting into the same elevator, and, yes, you’ve guessed it—the elevator jammed just past the 2nd floor. Fortunately, after only a few minutes (which seemed a lot longer) of panic, they were able to pry open the doors of the lift so that everyone was able to step out easily. But like all good risk professionals, they then learned from their experience, broke into two groups and took two separate lifts to continue their journey to the 10th floor.
How do I know? I was one of the nine! If only we had had a book of risk scenarios we could have consulted.
As part of your member benefits, Risk Scenarios Using COBIT 5 for Risk is available as a no-cost PDF download.
Editor’s Note: Risk Scenarios Using COBIT 5 for Risk is the ISACA Bookstore’s June Book of the Month.
Mike Hughes, CISA, CGEIT, CRISC, ISACA Central UK Immediate Past President, Principal Director, HWgrc
[ISACA Now Blog]