Week 4-Intro To IT Risk Management (Part 2)

The document outlines the objectives and content for Week 4 of an IT Risk Management course, focusing on frameworks and best practices for managing IT risks. It defines IT risks and risk management, emphasizes the importance of structured frameworks for consistent risk management, and discusses various risk management frameworks and standards. Additionally, it includes class activities aimed at understanding and applying the COSO ERM framework and conducting risk assessments.

Uploaded by aurelprambudi


ES234423 - IT Risk Management

Week 4: Understanding IT Risk Management (Part 2)

Information Systems Department


Institut Teknologi Sepuluh Nopember - 2024
Learning Objectives
By the end of this week, students will be able to understand the frameworks
for managing risks.

Course Content
• Frameworks in Managing Risks
• Best practices for managing IT risks
• Class Activity

IT Risks

IT Risks: Definition
• Any potential threats and vulnerabilities that can negatively impact an organization’s IT systems and data:
  • Financial losses
  • Business continuity, operational disruptions
  • Reputational damage
  • Legal consequences
  • Etc.

“Your business or your daily life relies on technology?” “Yes!” “Then be aware of any threats and vulnerabilities that make up those risks!”

Risk Management: Definition
• Risk management is “a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives” (ISO 31000).
• It helps businesses anticipate the impacts of potential risks that might occur.

IT Risk Management
• The process of identifying, assessing, and mitigating risks that may
impact an organization’s information technology systems.
• It includes potential threats to data, systems, and networks.
• The idea is that despite potential challenges that might occur, the
focus is to ensure that the organization’s objectives are met.

Importance
• Protecting organizational assets
• Ensuring business continuity
• Complying with regulations
• Enhancing trust and the organization’s reputation
• Adapting to a changing threat landscape

Frameworks for Managing Risks

What is a risk management framework?
• A structured set of guidelines, processes, and best practices that organizations use to identify, assess, manage, and mitigate risks.
• A framework provides a systematic approach to make sure that risks are managed consistently across all units in an organization.

Why need frameworks?
In an environment where there are many risks and uncertainties, frameworks are necessary because they:
• provide a structured and systematic approach to managing risks
• provide a more thorough risk response and recovery
• standardize risk analysis, communication, and monitoring
• ensure compliance with regulatory requirements

Standards
• A set of specific requirements or criteria that an organization must meet to achieve a certain level of compliance or certification.
• In some areas, compliance with a standard is mandated by industry, government, or regulatory bodies.
• Often used for certification or auditing purposes.
• Standards are more rigid than frameworks; a framework is a methodology and can be tailored to needs.
(Illustration: an SNI-certified helmet vs. a non-SNI helmet)

Frameworks for Managing Risks
• Enterprise Risks: COSO ERM, ISO 31000, OCTAVE
• IT-related Risks: ISO 27001, COBIT, NIST Risk Management Framework (RMF)
• Project-related Risks: PMP, PRINCE2

Enterprise Risks: ISO 31000 (2009)
Contains the principles, risk management framework, and processes for managing risks.

Enterprise Risks:
ERM COSO

Download the TEMPLATE
• Download the CA template on Classroom
• Your assignment won’t be graded if you do not use the template

Class Activity 01: Understanding COSO ERM

Objective: Students are able to comprehend the framework for managing enterprise risks
Submission format: Microsoft Word (refer to the template)
Type: Group activity
Tools: MS Office
Duration: 45 minutes

ERM COSO -- the newest version
• Go to: https://www.coso.org/_files/ugd/3059fc_5f9c50e005034badb07f94e9712d9a56.pdf
• Answer the questions (next slide).

Answer! Note: You can copy and paste any diagrams from the document.

1. Five interrelated components of the COSO ERM framework. Using a diagram, illustrate the five interrelated components of the COSO ERM framework and briefly explain the purpose of each component in managing risks within an organization.
2. Identifying risks
   1. Under which principle?
   2. What are the approaches for identifying risks? Explain!
3. Assessing the severity of risks
   1. Under which principle?
   2. How is the likelihood of occurrence assessed, as explained in the document?
   3. How is the impact of compliance risks assessed, as mentioned in the document?
4. Prioritizing risks
   1. What is meant by “prioritizing risks”?
   2. How are risks prioritized, as mentioned in the document?

Present your work & Q&A
• Your group will be randomly selected to present your work.

Stages in Managing IT Risks
• Risk Identification
  • Input: asset inventory, risk inventory, other documents
  • Output: risk register
• Risk Assessment
• Risk Treatment: the decision on how to respond to risks
• Risk Monitoring and Review

The decision to respond to risks

• AVOID: Take actions or change plans, systems or processes to completely eliminate the possibility of the risk occurring.
• REDUCE/MITIGATE: Mitigate through specific actions that reduce the risk’s impact. It doesn't eliminate the risk entirely but reduces the impact.
• TRANSFER: Shift the responsibility for managing the risk to another party (through contracts, insurance, or outsourcing).
• ACCEPT: Accept or take the risk (budget for contingency costs) to pursue an opportunity.

9/25/2024
Risk Acceptance-Examples
• An event planning company organizes outdoor festivals and accepts the risk of adverse weather conditions.
• A technology company introduces a new software product with known bugs, as they believe the advantages of launching it outweigh the downsides of a delayed launch. They accept the risk of potential user discontent.
• In software project management, a PM decided to accept the risk of not delivering the product on time because of changes in requirements. The PM decided not to allocate more resources to meet the original deadline.

Risk Avoidance-Examples
• A manufacturing company decides not to use specific hazardous materials or chemicals due to the dangers of handling and storing them.
• Event planners avoid the risk of adverse weather conditions by scheduling outdoor events during periods when, historically, weather conditions are favorable.
• People and organizations can stay out of legal liabilities by abstaining from things that are known to be against the law or could get them into big legal problems.
• And many other examples, such as extreme sports avoidance, health risk avoidance, etc.

Risk Reduction/Mitigation
• DPTSI ITS installs firewalls to reduce the risk of unauthorized access to its network and systems, and regularly patches and updates its information systems and software to mitigate the risk of cyberattacks.
• Project management requests a spare budget to mitigate other uncertainties/unforeseen risks so that the project schedule and scope can still be met.
• ITS gives comprehensive safety training to employees to reduce the risk of workplace accidents.
• ITS develops disaster preparedness plans to reduce the impact of hurricanes and other natural disasters.
• Taking supplements to reduce the risk of vitamin deficiency.

Risk Transfer-Examples
• People buy health insurance to shift the financial burden of medical bills and healthcare expenses to the insurance provider.
• A company leases desktop computers and laptops from a third-party provider, transferring the operational, maintenance, and security risks associated with managing the computers to the third party.
• A construction company subcontracts some tasks to other companies to transfer some of the risks involved in the project.
• Travelers purchase travel insurance that includes various coverages (trip cancellations, medical emergencies, lost luggage, etc.).

Class Activity 02: Simple Risk Assessment

Objective: Students are able to comprehend the framework for managing risks
Submission format: Microsoft Word (refer to the template)
Type: Group
Tools: MS Office
Duration: 30 minutes

Risk Assessment
• You are given a risk inventory. Go to: https://intip.in/H1PJ
• Your task is to do a risk assessment based on the probability and impact given in the Excel template.
• Complete the RBS (Risk Breakdown Structure)
• Conduct the risk assessment

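Added example (not part of the slides or the course's Excel template) that carries the stages listed under "Stages in Managing IT Risks" and the four response decisions through in Python: a constructed risk inventory is scored by likelihood x impact, ranked into a register for prioritisation, and each entry gets a proposed response. The ordinal scales, rating thresholds, RBS labels and response rules are assumptions to be replaced by the template's own.

```python
from dataclasses import dataclass, field

# Ordinal scales assumed for this example; the course's Excel template may define its own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    rid: str            # register identifier, e.g. "R-01"
    rbs: str            # Risk Breakdown Structure category (assumed labels)
    description: str
    likelihood: str     # a key of LIKELIHOOD
    impact: str         # a key of IMPACT
    score: int = field(init=False)

    def __post_init__(self):
        # Risk score = likelihood x impact on the 1..25 product scale.
        self.score = LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

def rating(score):
    # Assumed band thresholds; replace with the matrix used in the template.
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def suggest_response(risk):
    """Propose one of the four decisions from the slides (assumed rules of thumb)."""
    p, i = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if p >= 4 and i >= 4:
        return "avoid"      # likely and severe: change the plan or system
    if p <= 2 and i >= 4:
        return "transfer"   # rare but severe: insurance, contracts, outsourcing
    if rating(risk.score) == "low":
        return "accept"     # budget contingency and move on
    return "reduce"         # otherwise: controls that cut likelihood or impact

def build_register(inventory):
    """Turn a risk inventory (Risk Identification output) into a register ranked for prioritisation."""
    return sorted((Risk(*row) for row in inventory), key=lambda r: r.score, reverse=True)

# Constructed sample inventory: (id, RBS category, description, likelihood, impact).
INVENTORY = [
    ("R-01", "Technical/Security", "Unpatched web server exposed to the internet", "likely", "major"),
    ("R-02", "Technical/Availability", "Single ISP link for the campus network", "possible", "moderate"),
    ("R-03", "External/Environment", "Flooding of the data centre", "rare", "severe"),
    ("R-04", "Organisational/People", "Staff lose an unencrypted laptop", "possible", "major"),
    ("R-05", "Project/Schedule", "Vendor delivers the training module late", "unlikely", "minor"),
]

if __name__ == "__main__":
    for r in build_register(INVENTORY):
        print(f"{r.rid} score={r.score:2d} {rating(r.score):6s} {suggest_response(r):8s} {r.description}")
```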
Risk Inventory

Submit your work
• Submit your work to the file sharing provided by your lecturer.

Let us discuss your work!

Have a wonderful week!