Project risk assessment presentation feb 2013
- 2. A Little Background – Tom Festing
• State of Ohio:
– Office of Budget & Management
– Internal Audit / IT General Controls
– Risk Assessments / Consulting support
• 10 Years Internal Audit/Risk Management:
– JP Morgan Chase & Prudential Home Mortgage
– Risk assessments, Privacy, ITGC reviews
– Infrastructure / Data Center Technology
• 1 Year CIO:
– Non-traditional Credit Card Industry
– “Owned” IT functions
• 10 Years Public Accounting:
– 7 years with Arthur Andersen
– IT audit and consulting support
– IT Risk Assessment & Governance
• 11 Years In The US Army - Captain:
– Communications & Automation
– Banking & Finance
– Have driven an Abrams M1 Tank (mighty fine)
• Things That, If I Told You, Someone “May Come And Take Us Both Away”!
• Education/Certifications:
– CISA/CRISC
– BSBA In Accounting (Back When Dirt Was New)
– Been Working On A Masters Since 1981
• 35 Years Married:
– Wife & Two Children
– Moved 17 times in 35 years
– Two Dogs
– 2 year old Grandson
© Thomas E. Festing – 2013 2
- 3. This is not a “technology” presentation …. It is from a “business risk” perspective!
Today’s objective is not to make you a “guru” … but to make you aware of a risk-based approach!
© Thomas E. Festing – 2013 3
- 4. Project Risk Assessment
• Why are we here?
• Definition – Risk Assessment
• The Business Problem
– Problem
– Solution
– Objective/Approach
• The Process
– Frame It
– Collect It
– Analyze It
– Tell All
• Life Cycle
• Questions/Comments
© Thomas E. Festing – 2013 4
- 5. Why Are We Here Today?
Risk professionals are confronted with developing processes that integrate with a
holistic risk management strategy, complementing Enterprise Risk Management, IT
risk, privacy, and NIST 800-30 risk assessments.
This session provides an example of a repeatable survey-based process that aids in
assessing the business risks associated with managing large/complex projects.
These risks transcend traditional functionality and code testing, expanding to
potential business weaknesses within the areas of project governance,
management, business requirements, design/architecture, implementation, and
security.
Review an approach that provides quantifiable results supporting stratification of
potential issues by organization demographics, including business functions,
position, experience, and participation at both business and IT levels.
Review deliverable examples that provide benchmark data that can be used by
senior management and project sponsors to support accountability and follow-on
assessments to evaluate changes in project communications and execution.
© Thomas E. Festing – 2013 5
- 6. The Business Solution
What do you really want!
• Proactively identify areas where large project management may be at risk.
• Stratify possible risk areas based on demographics – who is “in sync” and who is “out”.
• Identify areas that can be adjusted to help ensure success.
• Understand how to make it easy!
What will you get!
• Explanation/walkthrough of process.
• Copy of sample survey questions.
• Description of a “tool”.
• CPE credits … and ME!
© Thomas E. Festing – 2013 6
- 7. Extract - Holistic Risk Assessment Strategy
[Diagram; only the labels recoverable from the slide are kept, the matrix cell values are not reproduced.]
Panel – Enterprise Risk Management / IT Risk Assessment risk environment matrix. Column headings: Governance, Security Management, Monitoring, Data Management, Functionality, Recoverability/Availability, Redundant, Policies and Procedures, Performance, Transaction, Data Availability / BC/DR & Recovery, Personnel, Vendor Management, Control Capabilities, Ease of Use, Exposure Population, External Facing, User Security Adm., Security Monitoring, Data Privacy, Change Activity, Age/Release Level, Inventory, Importance, Architecture, Speed. Rating levels run from Optimized (Sufficient, Confident, No/Low Exposure, Strong, Expert, Technical Support, No External Facing, Centralized, In Place, Established, Tracks Detail Activity, Public Data, Current, Low, Low Impact) through a middle level (Exists, Limited Confidence, Moderate Exposure, Marginal, Some Experience, Departmental, Internal Exposure, Mixed Environment, Ad-Hoc, Powerful Users, Internal, Important, Medium, Partially, Customer Critical) to Deficient - None (No Confidence, High Exposure, Weak, General User “Everyone”, External Exposure, Decentralized, Does Not Exist, Private, Highly Important, High, Mission Critical).
Panel – NIST 800-30 process: Plan/Scope; Preparing For Risk Assessment (Understand); Identify Threat; Identify Vulnerabilities / Predisposing Conditions; Determine Likelihood of Occurrence; Determine Impact; Control Effectiveness; Determine Risk (Regulatory, Availability, Efficiency); Execute Audit; Communications & Information Sharing (Deliverables); Maintaining Risk Assessment (Life Cycle). Risk is plotted as Likelihood (Low to High) against Impact (Low to High).
IT Governance Focus:
• Assess IT technology risk – drives Strategy
• Creating A Multi-Year Audit Plan
• Technology device/process focus
• Regulatory requirements
Enterprise Risk Mgmt Focus:
• Regulatory requirement – Governance
• Identifying security threats / likelihood / impact
• Business focus
Project Risk Assessments Focus:
• Large/complex projects
• Provides quantifiable analysis stratifying key governance areas
Privacy Focus: Governance, Application, Storage/Transit, Removable Media, Reports
Managing Change: Common Linkage – Linkage to ERM
© Thomas E. Festing – 2013 7
- 8. Risk Assessment
A Risk Assessment is a logical first step in a methodical risk
management process ...
that provides a framework for creating a quantifiable or
qualitative value of the risk ...
linking to threat sources and vulnerabilities …
supporting determining the inherent likelihood and impact ….
that could hinder an organization from attaining its business
goals and objectives in an efficient, effective, and controlled
manner – be it process, technology, people, or vendor generated.
© Thomas E. Festing – 2013 8
- 11. Project Risk Assessment – New Agenda
Nope… I used to think that 90% was all about the journey – and thought everyone
was as excited about the trek as I was. The end was just the conclusion of the
“fun stuff”.
Well – it’s not.
You need to see what’s at the end so you can see if the 90% is worth the 10%.
It also allows you to see why the path is not “easy”.
So here’s the modified agenda.
© Thomas E. Festing – 2013 11
- 12. Project Risk Assessment – New Agenda
• A “Peek” To End Deliverables – What do I get!
• Definition – Risk Assessment
• The Business Problem – Why do I even want to take this trip!
– Problem
– Solution
– Objective/Approach – What will I take the trip in … is it sound!
• The Process
– Tell All – 10% - End Deliverable
– Frame It / Collect It / Analyze It – 90% - Fun Stuff
– Tell All – 10% - End Deliverable .. recap
• Life Cycle – Sustain … don’t make the same trip twice
• Questions/Comments – How many CPE did I get for this?
© Thomas E. Festing – 2013 12
- 14. The Peek
Wouldn’t it make more sense to be able to get a peek at what we will “get” … like:
• Define critical project risk and demographic areas!
• Strategy for collecting and analyzing data!
• Understanding what/how to communicate results!
• How you can track improvements.
• Understand how this links to ERM and other risk assessments!
May be handy – especially if we run out of time ……
© Thomas E. Festing – 2013 14
- 15. The Business Problem
Large projects tend to fail.
Need to find a way to identify potential risk areas.
Need to find a way to track improvements.
© Thomas E. Festing – 2013 15
- 16. Critical Risk Areas
• Management Governance
• Program Management
• Business Requirements
• Design & Development
• Implementation/Operations
• Information Security
Need a common language. Use a limited number of broad-based “business relevant” control areas.
They do need to link to standard control areas so they are “defendable” and tie to audit & ERM.
Build standard survey questions for each “Control Area”.
End results - 6 Categories / 22 Sub-areas / 47 Questions.
© Thomas E. Festing – 2013 16
- 17. Collect / Analyze Data By Demographics
Stratifying & consolidating data by
demographics provides a way to gauge
responses and provide different
perspectives.
Gaining input across different
“levels” and organizational groups
helps identify who is or is not ………
© Thomas E. Festing – 2013 17
- 18. Collect / Analyze Data By Demographics
Need to:
• Identify demographics
• Collect input with anonymity
• Keeps it relevant & limited
• Use On-Line Survey
Example demographics ….
Functional Area/Responsibility: Executive Leadership; Line Of Business; Information Technology; Vendor/Consultant
Position: Executive Management; Senior Managers/Directors; Supervisors; Staff
Project Involvement: Core Team Member; Subject Matter Expert; Tester; None
Years Experience: 1-3 Years; 3-6 Years; 6-9 Years; > 9 Years
© Thomas E. Festing – 2013 18
- 19. Collect & Analyze Data
Success is not driven by slogans, mandates, and t-shirts – but by the support of the diversified team.
© Thomas E. Festing – 2013 19
- 20. Collect & Analyze Data
Data Collection By Critical Risk Areas (6 Categories / 22 Sub-areas):
• Management Governance
• Program Management
• Business Requirements
• Design & Development
• Implementation/Operations
• Information Security
Use On-Line Survey (Survey Monkey).
Import To Core Risk Engine.
CORE RISK ENGINE: “Crunch” Data By Demographics & 47 specific Questions.
© Thomas E. Festing – 2013 20
- 21. Communicate To Management
A way to communicate so management can “size” and “track”.
[Chart residue; only the panel titles and axis labels are recoverable:]
• Overall Top / Bottom 5 areas
• Baseline; Future Point In Time
• Detail By Question
• Area/Demographics
• Risk Areas
• Heat Map – x-axis: Confidence Level (9 = Extremely Confident … 1 = Not Confident); y-axis: Impact Project Success (Low … High)
© Thomas E. Festing – 2013 21
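The “Core Risk Engine” step on the Collect & Analyze Data slides and the Top/Bottom 5, demographic and Baseline vs. later point-in-time views on this slide can be shown as a small aggregation script. This is an added example written for this page; it is not the presenter’s tool or code. The 1–9 confidence scale is taken from the heat-map axis labels as read from the slide (9 = Extremely Confident, 1 = Not Confident), and the survey responses, demographic values and function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Confidence scale as read from the slide's heat-map axis: 9 = Extremely
# Confident down to 1 = Not Confident. The numeric mapping is an assumption.
SCALE_MIN, SCALE_MAX = 1, 9

# Constructed sample data (not real survey results). For each assessment and
# critical risk area: (Executive Management rating, Staff rating). One rating
# stands in for each area's questions; a real run would carry ~47 questions.
_SAMPLE = {
    "Baseline": {
        "Management Governance": (8, 4),
        "Program Management": (7, 3),
        "Business Requirements": (9, 5),
        "Design & Development": (6, 6),
        "Implementation/Operations": (5, 3),
        "Information Security": (8, 8),
    },
    "Milestone 2": {
        "Management Governance": (7, 3),
        "Program Management": (6, 2),
        "Business Requirements": (8, 4),
        "Design & Development": (5, 5),
        "Implementation/Operations": (4, 2),
        "Information Security": (9, 9),
    },
}


def _expand(table):
    """Flatten the table into one record per anonymous survey response."""
    rows = []
    for assessment, areas in table.items():
        for area, (exec_rating, staff_rating) in areas.items():
            rows.append({"assessment": assessment, "area": area,
                         "position": "Executive Management", "rating": exec_rating})
            rows.append({"assessment": assessment, "area": area,
                         "position": "Staff", "rating": staff_rating})
    return rows


SAMPLE_RESPONSES = _expand(_SAMPLE)


def area_averages(responses, assessment):
    """Mean confidence per critical risk area for one assessment run.
    Out-of-scale ratings are rejected rather than silently skewing averages."""
    buckets = defaultdict(list)
    for r in responses:
        if r["assessment"] != assessment:
            continue
        if not SCALE_MIN <= r["rating"] <= SCALE_MAX:
            raise ValueError(f"rating {r['rating']} outside {SCALE_MIN}-{SCALE_MAX}")
        buckets[r["area"]].append(r["rating"])
    return {area: round(mean(vals), 2) for area, vals in buckets.items()}


def stratified_averages(responses, assessment, demographic):
    """Mean confidence per (demographic value, area): who is 'in sync' and who is 'out'."""
    buckets = defaultdict(list)
    for r in responses:
        if r["assessment"] == assessment:
            buckets[(r[demographic], r["area"])].append(r["rating"])
    return {key: round(mean(vals), 2) for key, vals in buckets.items()}


def demographic_gap(strat, area, group_a, group_b):
    """Spread between two demographic groups on one area (positive: group_a more confident)."""
    return round(strat[(group_a, area)] - strat[(group_b, area)], 2)


def top_bottom(averages, n=5):
    """Top-n (most confident) and bottom-n (least confident) areas, ties broken by name."""
    ranked = sorted(averages.items(), key=lambda kv: (-kv[1], kv[0]))
    top = ranked[:n]
    bottom = sorted(ranked[-n:], key=lambda kv: (kv[1], kv[0]))
    return top, bottom


def change_since(responses, baseline, later):
    """Per-area change in mean confidence between a baseline and a later point in time."""
    before = area_averages(responses, baseline)
    after = area_averages(responses, later)
    return {area: round(after[area] - before[area], 2) for area in before if area in after}


def lowered_areas(responses, baseline, later):
    """Areas whose confidence fell since the baseline (the slide's 'track' view)."""
    return sorted(area for area, delta in change_since(responses, baseline, later).items()
                  if delta < 0)


if __name__ == "__main__":
    base = area_averages(SAMPLE_RESPONSES, "Baseline")
    top, bottom = top_bottom(base, n=5)
    print("Baseline top areas:", top)
    print("Baseline bottom areas:", bottom)
    strat = stratified_averages(SAMPLE_RESPONSES, "Baseline", "position")
    print("Exec vs Staff gap on Program Management:",
          demographic_gap(strat, "Program Management", "Executive Management", "Staff"))
    print("Change at Milestone 2:", change_since(SAMPLE_RESPONSES, "Baseline", "Milestone 2"))
    print("Areas lower than baseline:", lowered_areas(SAMPLE_RESPONSES, "Baseline", "Milestone 2"))
```

The stratified view is where the “who is in sync and who is out” question gets answered: a large gap between Executive Management and Staff on an area is itself a finding, even when the overall average looks acceptable. Keeping responses anonymous, as the slides require, means the records carry only demographic values, never respondent identities.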
- 22. Communicate To Management
GOAL: CONCLUSION - RECOMMENDATION - PRIORITIZATION
Significant areas indicated a protracted lack of confidence. Area averages – except
Information Security – were lower at this milestone than in the previous two assessments.
© Thomas E. Festing – 2013 22
- 23. Coordinated ERM and Risk Assessments
[Diagram residue; only the labels recoverable from the slide are kept:]
• CORE RISK ENGINE feeding Enterprise Risk Management (ERM) and “What If” analysis
• Audit Plan; IT Business Plan
• Technology Change; Risk Tolerance; Technology Areas
• Common Risk Drivers: Governance/Process, Preventative/Logical, Detective/Monitoring, Change Management, Availability/Data Management, Business Process, Technology Device
• Prioritization – Residual/Inherent Risk; Life Cycle
• Other Risk Assessments / Business Areas, each producing Various Risk Reports: Legal/Regulatory Risk Assessment, DR/BC Business Impact Assessment, Business Process Assessment, Privacy Risk Assessment, Threat Assessment, IT Risk Assessment (NIST 800-30), Project Risk Assessment
© Thomas E. Festing – 2013 23
- 24. Now the detailed, fun journey for the “why” and “how”!
PEEK END
© Thomas E. Festing – 2013 24
- 26. Risk Assessments
For years we have convinced ourselves that all we needed to do was carry forward
our audit approach and strategy from year to year – or just focus on NIST.
We acknowledged that there was always “change”, and some
level of “business risk” that management would accept.
After all, what you didn’t know couldn’t hurt you! …or is
it “If it doesn’t kill you – it makes you stronger”?
No one disputes that project risk increases based on
the project size and duration.
Today – we have traditionally built structured risk-based
approaches based on a combination of financial risk
management, technology risk assessment framework, and
risk-based audit scoping that works in concert with the
overall enterprise risk management model to guide audit’s
assurance of “reasonable” levels of residual risk.
© Thomas E. Festing – 2013 26
- 27. The Business Problem
Organizations are confronted with having to develop efficient, effective,
and repeatable assessment tools to aid in assessing the business risks
associated with managing large enterprise projects.
Pressure is placed on more than just functionality and code testing, but
now expands to where to focus limited resources to target potential
weaknesses within the areas of project:
• Governance,
• Project Management,
• Business Requirements,
• Design/Architecture,
• Implementation, and
• Security.
Pressures are being applied by Audit Committees and Boards to
understand cost / benefits and what proactive steps are being taken to
reduce industry “failure” rates!
© Thomas E. Festing – 2013 27
- 28. The Business Problem
2012 Gartner – Survey:
“.. While larger projects are more likely to fail than smaller projects, around half of all project failures, irrespective of project size, were put down to functionality issues and substantial delays.”
“.. Failure rate of IT projects with budgets exceeding $1 million was found to be almost 50% higher than for projects … below $350,000.”
“.. Smaller projects experienced a one-third lower failure rate than large projects … keep small … not exceeding six months in duration …”
Specifically identified:
Cost:
• Not identifying budget variances/overruns early.
• Changes in scope – with related impact to cost vs. budget.
Functionality:
• Not capturing business functionality expectations.
Quality:
• Infrequent project status meetings.
• Misalignment with business strategy.
Late!
Sounds like project management & Governance to me!
© Thomas E. Festing – 2013 28
- 29. The Real Business Solution
This session provides an example approach of a repeatable
survey-based process that:
Provides quantifiable analysis techniques gained by evaluating
input across demographic cross sections by:
• Functions,
• Position,
• Experience, and
• Participation at both business and IT levels.
Provides quantifiable results supporting stratification of potential
issues both by project area and organization layer.
Delivers benchmark data to support:
• Audit focus during the project.
• Follow-on assessments to evaluate if changes in project
communications and execution are achieving the desired results.
© Thomas E. Festing – 2013 29