
IT Security Special

Cover Story | Community View: Julen C Mohanty

COSO ERM: An integrated framework supporting strategy, operational risk management, reporting and compliance with applicable laws. FAIR (Factor Analysis of Information Risk): A quantitative method for analysing IT-related risk in terms of its impact on productivity, response, legal and replacement costs, and an organisation's reputation.

One of the challenges in IT risk management is identifying the relevant risks. Given the pervasive presence of IT and a business's dependence upon it, the scope of the task is expansive. One technique for overcoming this challenge is the development and use of risk scenarios. It is a core approach for bringing reality, insight, organisational engagement, improved analysis and structure to the complex matter of IT risk. Once scenarios are developed, they are used during risk analysis to study risk frequency and business impact.

Risk scenarios can be derived via two approaches:

Top-down: Starting from the overall business objectives, analyse the most relevant and probable IT risk scenarios.

Bottom-up: Use a list of generic scenarios to define a set of concrete, customised scenarios.

These approaches should be used together: risk scenarios must be relevant to real business risks, and the generic scenarios help ensure that no risks are overlooked. Once the set of risk scenarios is defined, it can be used for analysis, during which each scenario's frequency and impact are assessed. An important component of this assessment is the set of risk factors that influence the frequency or the business impact of a risk scenario. They can be classified into two categories: environmental factors and capabilities.

A well-defined business impact analysis and scenario development not only helps resolve a risk, but also prevents it from recurring. The cost of putting in place the tools and methods to evaluate risks is around $1 million for a typical financial services company. Its benefits, however, are manifold.

Photography: S. Radhakrishna | Imaging: Binesh Sreedharan

Creating Risk Scenarios

Julen C Mohanty, Manager, Compliance & Legal Technology CoE, Citicorp Services

July 2011 | IT Next


IT NEXT Issue 2 Volume 6