Risk Scenario Development Template

Risk Scenario Title
Risk Scenario
Category
High-level description of the category of scenario /
☐ 01-Portfolio establishment and maintenance
☐ 02-Programme/projects lifecycle management
☐ 03-IT investment decision making
☐ 04-IT expertise and skills
☐ 05-Staff operations
☐ 06-Information
☐ 07-Architecture
☐ 08-Infrastructure
☐ 09-Software
☐ 10-Ineffective business ownership of IT
☐ 11-Selection/performance of third-party suppliers
☐ 12-Regulatory compliance
☐ 13-Geo-political
☐ 14-Infrastructure theft
☐ 15-Malware
☐ 16-Logical attacks
☐ 17-Industrial action
☐ 18-Environmental
☐ 19-Acts of nature
Threat Type
The nature of the event – Is it malicious? If not, is it accidental or is it a failure of a well-defined process? Is it a natural event or is it an external requirement? /
☐ Malicious
☐ Accidental
☐ Failure
☐ Natural
☐ External requirement
Actor
Who generates the threat that exploits a vulnerability. Actors can be internal or external, human or non-human /
☐ Internal – actors within the enterprise, e.g. staff, contractors
☐ External – actors outside the enterprise, e.g. outsiders, competitors, regulators and the market
Event
Is it disclosure (of confidential information), interruption (of a system, of a project), modification, theft or destruction? The event also includes ineffective design (of systems, processes, etc.), inappropriate use, changes in rules and regulations (that will materially impact a system) or ineffective execution of processes (e.g. change management procedures, acquisition procedures, project prioritisation processes) /
☐ Disclosure
☐ Interruption
☐ Modification
☐ Theft
☐ Destruction
☐ Ineffective design
☐ Ineffective execution
☐ Rules and regulations
☐ Inappropriate use
Asset
An asset is any item of value to the enterprise that can be affected and lead to business impact (Assets and resources can be identical, e.g. IT hardware is an important resource because all IT applications use it, and at the same time, it is an asset because it has a certain value to the enterprise). /
  1. Process, e.g. modelled as COBIT 5 processes, or business Processes
  2. People and organisation
  3. Physical Infrastructure (facilities, equipment, etc.)
  4. IT Infrastructure (including computing hardware, networks, middleware)
  5. Information
  6. Applications

Resource
A resource is anything that helps to achieve a goal (Assets and resources can be identical, e.g. IT hardware is an important resource because all IT applications use it, and at the same time, it is an asset because it has a certain value to the enterprise). /
  1. Process, e.g. modelled as COBIT 5 processes, or business Processes
  2. People and organisation
  3. Physical Infrastructure (facilities, equipment, etc.)
  4. IT Infrastructure (including computing hardware, networks, middleware)
  5. Information
  6. Applications

Time /
  1. Timing of occurrence (critical, non-critical – Does the event occur at a critical moment?)
  2. Duration (extended – The duration of the event, e.g. an extended outage of a service or data centre)
  3. Detection (slow, moderate, instant – How quickly is the event detected?)
  4. Time lag (immediate, delayed – The lag between the event and its consequence. Is the consequence immediate, e.g. a network failure causing immediate downtime, or delayed, e.g. a wrong IT architecture whose costs accumulate over a time span of several years?)

Risk scenario

Describe the risk/opportunity scenario, including a discussion of the negative and positive impact of the scenario. The description should clarify the threat/vulnerability type and include the actors, events, assets and time issues identified above.

Risk Type

Describe the risk type, and indicate whether the scenario's fit with that type is primary or secondary (i.e. a higher or lower degree of fit).

Risk Types:

  • IT Benefit/Value Enablement:
    Associated with [missed] opportunities to use technology to improve the efficiency or effectiveness of business processes, or as an enabler for new business initiatives
      • Technology enabler for new business initiatives
      • Technology enabler for efficient operations
  • IT Programme and Project Delivery:
    Associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes as part of investment portfolios
      • Project quality
      • Project relevance
      • Project overrun
  • IT Operations and Service Delivery:
    Associated with all aspects of the business-as-usual performance of IT systems and services, which can bring destruction or reduction of value to the enterprise
      • IT service interruptions
      • Security problems
      • Compliance issues

Risk Response

Describe how the enterprise will respond to the risk. The purpose of defining a risk response is to bring the risk in line with the enterprise's defined risk tolerance. Select one of:

  • Risk Acceptance
  • Risk Sharing/Transfer
  • Risk Mitigation
  • Risk Avoidance

Risk Mitigation using COBIT 5 Enablers (see Appendix 4 – page 219 in Final Dev Draft C5 for Risk)

Describe how the enterprise will work to prevent the risk from materialising. For risk mitigation possibilities, use COBIT 5 management practices (enablers). Please provide the following information:

  • Reference, title and description of one or more concrete enablers that can help to mitigate the risk
  • The estimated effect that implementing this enabler will have on the frequency and on the impact of the risk. Use Low, Medium or High for each.
  • Based on the two parameters, frequency and impact, indicate whether this enabler is ‘essential’ (a key management practice for mitigating the risk) or not. An enabler is considered essential if it has a High effect on reducing either the impact or the frequency of the scenario.

Process Reference / Title / Management Practice / Effect on Frequency / Effect on Impact / Essential