This document discusses the key aspects of IT risk management and auditing including risk management planning, risk environment, identifying risks, performing qualitative analysis, and performing quantitative analysis. The learning outcomes are to describe the fundamental concepts of IT risk management and auditing frameworks and techniques, and to understand how each technique works. Risk management planning involves assessing risks systematically. Qualitative analysis involves organizing identified risks, rating their impact and probability, testing assumptions, and modeling risks.
The Risk Management Structure
Week 03- Session 03
IT Risk Management and Audit

Outline
• Risk Management Planning
• Risk Environment
• Identify Risks
• Perform Qualitative Analysis
• Perform Quantitative Analysis

Learning Outcome
• LO1: Describe the fundamental concepts of IT Risk Management and Auditing, and know the various frameworks and techniques used in them.
• LO2: Describe the characteristics of the various IT Risk Management and Auditing techniques and understand how each of them works.

Risk Management Planning
• Risk—present in some form and to some degree in most human activity—is characterized by the following principles:
  – Risk is usually (at least) partially unknown.
  – Risk changes with time.
  – Risk is manageable in the sense that the application of human action may change its form and degree of effect.

Risk Management Planning
• The purpose of risk management planning is simply to compel project managers to devote organized, purposeful thought to project risk management and to provide organizational infrastructure to aid them as they attempt to
  – Determine which risks are worth an investment of time and energy
  – Isolate and optimize risk
  – Eliminate negative risk and enhance positive risk where possible and practical
  – Develop alternative courses of action
  – Establish time and money reserves to cover threats that cannot be mitigated
  – Ensure that organizational and project cultural risk boundaries are not breached

Risk Management Planning
• As an integral part of normal project planning and management, risk planning is sensibly done and repeated and should occur at regular intervals. Some of the more obvious times for evaluating the risk management plan include
  – In preparation for major decision points and changes
  – In preparation for and immediately following evaluations
  – As significant unplanned change occurs that influences the project

Risk Management Planning
• Most major projects are guided by a series of plans that provide the rationale and intended processes through which projects will be executed.
  – A risk management plan is recommended as part of this suite of guiding documents. Such a plan would publish the results or the latest status of the risk management planning process.
• Compared to some other plans, risk planning has not been developed as much in terms of content and format, which allows project managers some latitude to establish documents that suit their situation. One approach to the content of a risk management plan is illustrated in Table 3.1, Risk Management Planning.

Risk Environment
• In every project, there is a risk environment. There are threats that must be faced and opportunities that may present themselves, and there are myriad different ways to deal with them.
• Risk management planning is the effort, organizationally, to draw together the risk policies, practices, and procedures of the organization into a cohesive whole that will address the nature of risk peculiar to the project.
• According to the Project Management Institute, the inputs to risk management planning are the scope statement; the cost, schedule, and communications management plans; organizational process assets; and environmental factors.
• The process assets can be reduced to the organizational risk management policy, stakeholder risk tolerances, and a template for the organization’s risk management plan. In many organizations, these conventions simply do not exist. They are essential to risk management success.
• Not only must the environment of the producing organization be considered; the client organization and its environment must also be taken into account. Their risk culture may, in some situations, supersede that of the producing organization.
• The levels of depth and detail and their effect on the project risk management effort should be communicated in the organizational risk management policies.
• In some organizations, such policies are scant, if they exist at all. Risk management policies will offer insight into the amount of information and risk reporting that is required on projects, as well as general guidance on risk qualification, quantification, and response development.
• Stakeholder risk tolerances are a vital input because different members of the customer, project, and management teams may have different perspectives on what constitutes “acceptable” risk. This is rarely preordained or predetermined.
• Project managers must gather this information by vigorously pursuing the key stakeholders to identify what they are and are not willing to accept.
• In some organizations, risk management is sufficiently well entrenched that there are standard forms and formats for risk management plans. This is more common in organizations where there is a project management office (PMO) or project support office (PSO).
• These formats encourage consistency and knowledge transfer as risk management history is

Identify Risks
• A critical step in the risk management process, risk identification is an organized, thorough approach to finding real risks associated with a project.
• It is not, however, a process of inventing highly improbable scenarios in an effort to cover every conceivable possibility.
• Risks cannot be assessed or managed until realistic possibilities are identified and described in an understandable way.
• The tools and techniques that are applied in risk identification are as varied as the projects they serve.
• However, some groups of tool and technique types are most commonly applied. According to PMI®, they include documentation reviews, information-gathering techniques (including SWOT analysis), checklists, assumptions analysis, and diagramming techniques.

Perform Qualitative Analysis
• The identification process produces a well-documented description of project risks.
• As analysis begins, it helps to organize and stratify the identified risks.
• By using the information gathered for conducting risk identification plus the outputs from risk identification, it is possible to begin a basic analysis of the risks identified.

Baselining Risk
• Risk exists only in relation to the two absolute states of uncertainty: total uncertainty (usually expressed as 0 percent probability) and total certainty (usually expressed as 100 percent probability).
• Risk will always fall somewhere within this range. Risk qualification is a first, best effort to sort risk in relation to its probabilities and impacts.
• The process is simplified significantly by defining total failure and total success so that the full range of possibilities can be understood.
• Defining one or both of the performance measurement baselines (cost and schedule) helps set a benchmark on the curves (see Figure 3.3).

Rating Schemes and Definitions
• The degree of risk assigned in a given situation reflects the personality of the risk analyst. Twenty people can look at the same situation, and each would come up with a different risk value.
• Consequently, a risk-rating scheme built against an agreed-to set of criteria helps minimize discrepancies.

Assumptions Testing
• During risk identification, assumptions are identified and validated.
• During qualification, assumptions are tested. Such testing is performed not to establish the validity of the assumption; presumably, that has already been done.
• Rather, the assumption tests evaluate stability and consequences.
  – Stability—This is the evaluation of the potential for change in a given assumption. Some assumptions, by their very nature, will change; they will not remain stable. This assessment should be used to determine the degree of stability for a given assumption.
  – Consequences—This is the evaluation of the potential impact to the project if the assumption proves invalid.

Risk Modeling
• The technique consists of constructing a set of questions that, when answered candidly, will provide a metric value for the overall risk and opportunity associated with a project.
• The questions should span the organization’s experiences and concerns and should reflect the organization’s risk tolerances.
• Because this involves a clear understanding of what risk tolerances exist within an organization, it is prudent to develop rating schemes prior to attempting to build an organizational risk model.

Using Analogies
• Analogy comparison is an attempt to learn from other projects or situations and is used for many actions, such as cost estimating and scheduling.
• It is important to distinguish between analogous projects and projects with analogous risks.

Conducting Data Quality Assessments
• Data quality assessments need to be done at some point during this process to ensure that the sources of data are sufficiently valid to warrant inclusion of the data in the process.
  – Bad data quality means weak qualification;
  – good data quality improves the chances that the risk qualification will be valid.

Risk Categorization
• In the PMBOK® Guide (2013), the risk breakdown structure is identified as a categorization tool.
• Other tools, such as the affinity diagram or the work breakdown structure, can also serve as structures against which to sort project risks. Sorting and categorizing risks during risk qualification can provide a sense of which areas of risk are driving the greatest concern and which (by sheer volume) warrant greater attention.

Perform Quantitative Analysis
• Quantitative risk analysis is the effort to examine risk and assign hard metric values both to the project risk as a whole and to the most significant risks (as established through risk qualification).
• Project managers conduct risk quantification to establish the odds of achieving project goals, to justify contingency reserves, to validate targets associated with the triple constraint, and to conduct in-depth “what-if” analyses.

Expert Interviews
• The interviews provide the basis for taking qualitative information and transforming it into quantitative risk estimates.
• Nearly all risk analysis techniques require some expert judgment.
• The expert interview technique is relatively simple.
  – Basically, it consists of identifying appropriate experts and then methodically questioning them about risks in their areas of expertise as related to the project.
• The technique can be used with individuals or groups of experts.
• The process normally obtains information on risk associated with all three facets of the classic triple constraint: schedule, cost, and performance.
• In addition, the process may identify risks associated with other environmental and organizational considerations.
Expected Monetary Value (EMV)
• Expected monetary value is a statistical concept that takes into account the probability and impact of risks by multiplying those values together to generate a numeric value to be applied in risk decision making.

Decision Tree Analysis
• Decision trees are classic project risk tools that provide a wealth of information in an easy-to-interpret format. They are particularly helpful in risk quantification as they provide information on the options, the probabilities of events associated with those options, the expected value of those options, and the potential impacts of all possible outcomes.

Program Evaluation and Review Technique
• The program evaluation and review technique takes the network analyses (briefly mentioned under risk identification) a step further by embedding multi-data-point duration estimates to establish risk values for schedules.

Sensitivity Analysis
• Sensitivity analysis examines risk from a one-at-a-time perspective. In a sensitivity analysis, individual variables are modified one by one to assess their relative impact on the project’s outcomes. Sensitivity analyses are normally conducted in the context of a risk simulation.

Simulations
• Both cost and schedule risks can be evaluated using risk simulation tools, the most popular of which is the Monte Carlo analysis.
• These tools provide ranges of possible outcomes and the likelihood of achieving these outcomes.

Thank You
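The quantitative techniques of the last section (EMV, a one-level decision tree, PERT three-point estimates and a Monte Carlo schedule simulation) worked through in Python as an added example; it is not part of the original slides or of any PMI material, and the control cost, loss probabilities and task estimates are constructed sample values.

```python
"""Quantitative risk analysis helpers: EMV, decision tree, PERT, Monte Carlo.
Added example with constructed sample values; not from the slides or PMI."""
import random
from statistics import mean

def emv(outcomes):
    """Expected monetary value: sum of probability * impact over all outcomes.
    outcomes is a list of (probability, value); negative values are losses."""
    total_p = sum(p for p, _ in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total_p}, not 1")
    return sum(p * v for p, v in outcomes)

def best_decision(options):
    """One-level decision tree: each option has an up-front cost and a set of
    chance branches; pick the option with the highest (EMV - cost)."""
    scored = {name: emv(branches) - cost
              for name, (cost, branches) in options.items()}
    return max(scored, key=scored.get), scored

def pert_duration(optimistic, likely, pessimistic):
    """PERT three-point estimate: mean (O + 4M + P) / 6 and std dev (P - O) / 6."""
    return ((optimistic + 4 * likely + pessimistic) / 6,
            (pessimistic - optimistic) / 6)

def monte_carlo_schedule(tasks, iterations=10000, seed=1):
    """Simulate a serial chain of tasks with (O, M, P) estimates, sampling each
    from a triangular distribution; returns (mean total, P80 total)."""
    rng = random.Random(seed)
    totals = sorted(sum(rng.triangular(o, p, m) for o, m, p in tasks)
                    for _ in range(iterations))
    return mean(totals), totals[int(0.8 * iterations) - 1]

# Constructed sample: spend 5000 on a control that removes a loss exposure, or
# accept a 30% chance of a 20000 loss. The tree shows the control is cheaper.
CONTROL_DECISION = {
    "implement control": (5000, [(1.0, 0)]),
    "accept risk": (0, [(0.3, -20000), (0.7, 0)]),
}
# Constructed sample schedule: three serial tasks with (O, M, P) day estimates.
SAMPLE_TASKS = [(4, 6, 14), (2, 3, 4), (5, 8, 10)]

if __name__ == "__main__":
    choice, scores = best_decision(CONTROL_DECISION)
    print("EMV per option:", scores, "-> choose:", choice)
    print("PERT for task 1 (mean, sd):", pert_duration(*SAMPLE_TASKS[0]))
    print("Monte Carlo (mean, P80) days:", monte_carlo_schedule(SAMPLE_TASKS))
```

The P80 figure from the simulation is the kind of value used to justify a schedule contingency reserve, and comparing EMVs across options is the decision-tree reading described on the slides.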