
CHAPTER 5

COBIT 5 PROCESS REFERENCE GUIDE CONTENTS

APO12 Manage Risk
Area: Management
Domain: Align, Plan and Organise
Process Description
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Process Purpose Statement
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing
IT-related enterprise risk.
The process supports the achievement of a set of primary IT-related goals:

IT-related Goal: 02 IT compliance and support for business compliance with external laws and regulations
Related Metrics:
• Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• Number of non-compliance issues relating to contractual agreements with IT service providers
• Coverage of compliance assessments

IT-related Goal: 04 Managed IT-related business risk
Related Metrics:
• Percent of critical business processes, IT services and IT-enabled business programmes covered by risk assessment
• Number of significant IT-related incidents that were not identified in risk assessment
• Percent of enterprise risk assessments including IT-related risk
• Frequency of update of risk profile

IT-related Goal: 06 Transparency of IT costs, benefits and risk
Related Metrics:
• Percent of investment business cases with clearly defined and approved expected IT-related costs and benefits
• Percent of IT services with clearly defined and approved operational costs and expected benefits
• Satisfaction survey of key stakeholders regarding the level of transparency, understanding and accuracy of IT financial information

IT-related Goal: 10 Security of information, processing infrastructure and applications
Related Metrics:
• Number of security incidents causing financial loss, business disruption or public embarrassment
• Number of IT services with outstanding security requirements
• Time to grant, change and remove access privileges, compared to agreed-on service levels
• Frequency of security assessment against latest standards and guidelines

IT-related Goal: 13 Delivery of programmes delivering benefits, on time, on budget, and meeting requirements and quality standards
Related Metrics:
• Number of programmes/projects on time and within budget
• Percent of stakeholders satisfied with programme/project quality
• Number of programmes needing significant rework due to quality defects
• Cost of application maintenance vs. overall IT cost

Process Goals and Metrics

Process Goal: 1. IT-related risk is identified, analysed, managed and reported.
Related Metrics:
• Degree of visibility and recognition in the current environment
• Number of loss events with key characteristics captured in repositories
• Percent of audits, events and trends captured in repositories

Process Goal: 2. A current and complete risk profile exists.
Related Metrics:
• Percent of key business processes included in the risk profile
• Completeness of attributes and values in the risk profile

Process Goal: 3. All significant risk management actions are managed and under control.
Related Metrics:
• Percent of risk management proposals rejected due to lack of consideration of other related risk
• Number of significant incidents not identified and included in the risk management portfolio

Process Goal: 4. Risk management actions are implemented effectively.
Related Metrics:
• Percent of IT risk action plans executed as designed
• Number of measures not reducing residual risk

107
COBIT 5: ENABLING PROCESSES

APO12 RACI Chart

Roles (chart columns): Board; Chief Executive Officer; Chief Financial Officer; Chief Operating Officer; Business Executives; Business Process Owners; Strategy Executive Committee; Steering (Programmes/Projects) Committee; Project Management Office; Value Management Office; Chief Risk Officer; Chief Information Security Officer; Architecture Board; Enterprise Risk Committee; Head Human Resources; Compliance; Audit; Chief Information Officer; Head Architect; Head Development; Head IT Operations; Head IT Administration; Service Manager; Information Security Manager; Business Continuity Manager; Privacy Officer.

Key Management Practice                                R/A/C/I entries (left to right, as they appear in the chart)
APO12.01 Collect data.                                 I R R R R I C C A R R R R R R R R
APO12.02 Analyse risk.                                 I R C R C I R R A C C C C C C C C
APO12.03 Maintain a risk profile.                      I R C A C I R R R C C C C C C C C
APO12.04 Articulate risk.                              I R C R C I C C A C C C C C C C C
APO12.05 Define a risk management action portfolio.    I R C A C I C C R C C C C C C C C
APO12.06 Respond to risk.                              I R R R R I C C A R R R R R R R R

APO12 Process Practices, Inputs/Outputs and Activities

Management Practice: APO12.01 Collect data.
Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

Inputs (From: Description)
EDM03.01: Evaluation of risk management activities
EDM03.02: • Approved process for measuring risk management • Key objectives to be monitored for risk management • Risk management policies
APO02.02: Gaps and risk related to current capabilities
APO02.05: Risk assessment
APO10.04: Identified supplier delivery risk
DSS02.07: Incident status and trends report

Outputs (Description: To)
Data on the operating environment relating to risk: Internal
Data on risk events and contributing factors: Internal
Emerging risk issues and factors: EDM03.01, APO01.03, APO02.02

APO12.01 Activities
1. Establish and maintain a method for the collection, classification and analysis of IT risk-related data, accommodating multiple types of events, multiple categories of IT risk and multiple risk factors.
2. Record relevant data on the enterprise's internal and external operating environment that could play a significant role in the management of IT risk.
3. Survey and analyse the historical IT risk data and loss experience from externally available data and trends, industry peers through industry-based event logs, databases, and industry agreements for common event disclosure.
4. Record data on risk events that have caused or may cause impacts to IT benefit/value enablement, IT programme and project delivery, and/or IT operations and service delivery. Capture relevant data from related issues, incidents, problems and investigations.
5. For similar classes of events, organise the collected data and highlight contributing factors. Determine common contributing factors across multiple events.
6. Determine the specific conditions that existed or were absent when risk events occurred and the way the conditions affected event frequency and loss magnitude.
7. Perform periodic event and risk factor analysis to identify new or emerging risk issues and to gain an understanding of the associated internal and external risk factors.
Management Practice: APO12.02 Analyse risk.
Develop useful information to support risk decisions that take into account the business relevance of risk factors.

Inputs (From: Description)
DSS04.02: Business impact analyses
DSS05.01: Evaluations of potential threats
Outside COBIT: Threat advisories

Outputs (Description: To)
Scope of risk analysis efforts: Internal
IT risk scenarios: Internal
Risk analysis results: EDM03.03, APO01.03, APO02.02, BAI01.10
Activities
1. Define the appropriate breadth and depth of risk analysis efforts, considering all risk factors and the business criticality of assets. Set the risk analysis scope after performing a cost-benefit analysis.
2. Build and regularly update IT risk scenarios, including compound scenarios of cascading and/or coincidental threat types, and develop expectations for specific control activities, capabilities to detect and other response measures.
3. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios. Take into account all applicable risk factors, evaluate known operational controls and estimate residual risk levels.
4. Compare residual risk to acceptable risk tolerance and identify exposures that may require a risk response.
5. Analyse the cost/benefit of potential risk response options such as avoid, reduce/mitigate, transfer/share, and accept and exploit/seize. Propose the optimal risk response.
6. Specify high-level requirements for projects or programmes that will implement the selected risk responses. Identify requirements and expectations for appropriate key controls for risk mitigation responses.
7. Validate the risk analysis results before using them in decision making, confirming that the analysis aligns with enterprise requirements and verifying that estimations were properly calibrated and scrutinised for bias.
Management Practice: APO12.03 Maintain a risk profile.
Maintain an inventory of known risk and risk attributes (including expected frequency, potential impact and responses) and of related resources, capabilities and current control activities.

Inputs (From: Description)
EDM03.01: • Approved risk tolerance levels • Risk appetite guidance
APO10.04: Identified supplier delivery risk
DSS05.01: Evaluations of potential threats

Outputs (Description: To)
Documented risk scenarios by line of business and function: Internal
Aggregated risk profile, including status of risk management actions: EDM03.02, APO02.02
Activities
1. Inventory business processes, including supporting personnel, applications, infrastructure, facilities, critical manual records, vendors, suppliers and outsourcers, and document the dependency on IT service management processes and IT infrastructure resources.
2. Determine and agree on which IT services and IT infrastructure resources are essential to sustain the operation of business processes. Analyse
dependencies and identify weak links.
3. Aggregate current risk scenarios by category, business line and functional area.
4. On a regular basis, capture all risk profile information and consolidate it into an aggregated risk profile.
5. Based on all risk profile data, define a set of risk indicators that allow the quick identification and monitoring of current risk and risk trends.
6. Capture information on IT risk events that have materialised, for inclusion in the IT risk profile of the enterprise.
7. Capture information on the status of the risk action plan, for inclusion in the IT risk profile of the enterprise.
Management Practice: APO12.04 Articulate risk.
Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.

Inputs: (none)

Outputs (Description: To)
Risk analysis and risk profile reports for stakeholders: EDM03.03, EDM05.02, APO10.04, MEA02.08
Review results of third-party risk assessments: EDM03.03, APO10.04, MEA02.01
Opportunities for acceptance of greater risk: EDM03.03
Activities
1. Report the results of risk analysis to all affected stakeholders in terms and formats useful to support enterprise decisions. Wherever possible, include
probabilities and ranges of loss or gain along with confidence levels that enable management to balance risk-return.
2. Provide decision makers with an understanding of worst-case and most-probable scenarios, due diligence exposures, and significant reputation, legal
or regulatory considerations.
3. Report the current risk profile to all stakeholders, including effectiveness of the risk management process, control effectiveness, gaps, inconsistencies, redundancies, remediation status, and their impacts on the risk profile.
4. Review the results of objective third-party assessments, internal audit and quality assurance reviews, and map them to the risk profile. Review identified gaps and exposures to determine the need for additional risk analysis.
5. On a periodic basis, for areas with relative risk and risk capacity parity, identify IT-related opportunities that would allow the acceptance of greater risk
and enhanced growth and return.
Management Practice: APO12.05 Define a risk management action portfolio.
Manage opportunities to reduce risk to an acceptable level as a portfolio.

Inputs: (none)

Outputs (Description: To)
Project proposals for reducing risk: APO02.02, APO13.02
Activities
1. Maintain an inventory of control activities that are in place to manage risk and that enable risk to be taken in line with risk appetite and tolerance.
Classify control activities and map them to specific IT risk statements and aggregations of IT risk.
2. Determine whether each organisational entity monitors risk and accepts accountability for operating within its individual and portfolio tolerance levels.
3. Define a balanced set of project proposals designed to reduce risk and/or projects that enable strategic enterprise opportunities, considering cost/benefits, effect on the current risk profile, and regulations.

Management Practice: APO12.06 Respond to risk.
Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

Inputs (From: Description)
EDM03.03: Remedial actions to address risk management deviations

Outputs (Description: To)
Risk-related incident response plans: DSS02.05
Risk impact communications: APO01.04, APO08.04, DSS04.02
Risk-related root causes: DSS02.03, DSS03.01, DSS03.02, DSS04.02, MEA02.04, MEA02.07, MEA02.08
Activities
1. Prepare, maintain and test plans that document the specific steps to take when a risk event may cause a significant operational or development
incident with serious business impact. Ensure that plans include pathways of escalation across the enterprise.
2. Categorise incidents, and compare actual exposures against risk tolerance thresholds. Communicate business impacts to decision makers as part of
reporting, and update the risk profile.
3. Apply the appropriate response plan to minimise the impact when risk incidents occur.
4. Examine past adverse events/losses and missed opportunities and determine root causes. Communicate root cause, additional risk response requirements and process improvements to appropriate decision makers and ensure that the cause, response requirements and process improvement are included in risk governance processes.

APO12 Related Guidance

Related Standard: Detailed Reference
ISO/IEC 27001: Information security management systems—Requirements, Section 4
ISO/IEC [standard number missing from this copy]
ISO/IEC [standard number missing from this copy]: 6. Processes for Managing Risk