Recreating Cybercloud Safeguarding Today



How to manage an IT / cyber risk using the COSO-ERM framework

Here is an example of how to manage an IT risk using the COSO-ERM framework.

Suppose a company wants to implement a new CRM system. For this example, the system spans both on-prem and cloud platforms and will process sensitive customer data. The company's IT department identifies a risk associated with the new system: it may be vulnerable to cyber attacks that could compromise customer data.

To manage this IT risk using the COSO-ERM framework, the following steps could be taken:

  • Establish risk appetite and tolerance: The company CISO, together with the business governance staff, should define the risk appetite and tolerance for IT risks. This determines the level of risk the company is willing to accept.
  • Identify the risk: The IT department or a project manager should identify the risk associated with the new IT system, which here is its vulnerability to cyber attacks.
  • Assess the risk: The IT/cyber security risk assessment team should assess the likelihood and impact of the risk occurring. For example, they may determine that there is a high likelihood of a cyber attack and that the impact would be significant if customer data were compromised.
  • Develop the risk response / risk reduction tasks: Develop the response and/or reduction tasks needed to manage the risk. In this case, the response might include implementing security controls to prevent cyber attacks, such as firewalls, encryption, and access controls.
  • Implement the risk response: Put in place the security controls identified in step 4.
  • Monitor and review the risk: Monitor and review the risk on an ongoing basis to confirm that the response is effectively managing it. The team may need to adjust the response if the risk changes or if the controls prove to be ineffective.

By following these six steps of the COSO-ERM framework, the company can effectively manage the IT / cyber risk associated with the new system.
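The six steps can be carried through as a small risk register, which makes the "assess", "implement" and "monitor" steps concrete. The following is an added example written for this post, not code from the original page and not part of COSO-ERM itself; the 1-5 likelihood/impact scale, the tolerance value of 6, and the effectiveness figures given to the firewall, access-control and encryption controls are constructed assumptions chosen only to illustrate the CRM scenario above.

```python
"""Toy COSO-ERM style risk register for the CRM example.

All scales, scores, the tolerance threshold and the control effectiveness
values below are constructed for illustration (assumptions, not COSO-ERM).
"""
from dataclasses import dataclass, field
from typing import Optional

# Step 1: a qualitative scale the CISO and governance staff agree on (assumed).
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass
class Control:
    name: str
    reduces: str          # "likelihood" or "impact"
    effectiveness: float  # fraction of that score the control removes (assumed)
    implemented: bool = False


@dataclass
class Risk:
    name: str
    likelihood: int       # 1-5 on LEVELS
    impact: int           # 1-5 on LEVELS
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Step 3: score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Score after every *implemented* control; neither factor drops below 1."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            if not c.implemented:
                continue
            if c.reduces == "likelihood":
                lik *= 1 - c.effectiveness
            else:
                imp *= 1 - c.effectiveness
        return round(max(lik, 1.0) * max(imp, 1.0), 2)


# Step 1: the highest residual score the company is willing to accept (assumed).
TOLERANCE = 6


def crm_risk() -> Risk:
    """Steps 2-4: identify the risk, assess it, and plan the response."""
    risk = Risk(
        name="CRM customer data compromised by cyber attack",
        likelihood=LEVELS["high"],       # "high likelihood" from the post
        impact=LEVELS["very high"],      # "significant" impact on customer data
    )
    # Step 4: the controls named in the post, with assumed effectiveness values.
    risk.controls = [
        Control("firewall", "likelihood", 0.4),
        Control("access controls", "likelihood", 0.5),
        Control("encryption", "impact", 0.6),
    ]
    return risk


def implement(risk: Risk) -> None:
    """Step 5: mark every planned control as in place."""
    for c in risk.controls:
        c.implemented = True


def within_tolerance(risk: Risk, tolerance: float = TOLERANCE) -> bool:
    return risk.residual() <= tolerance


def monitor(risk: Risk, new_likelihood: Optional[int] = None,
            failed_controls: frozenset = frozenset(),
            tolerance: float = TOLERANCE) -> dict:
    """Step 6: re-score after the threat level changes or a control is found ineffective."""
    if new_likelihood is not None:
        risk.likelihood = new_likelihood
    for c in risk.controls:
        if c.name in failed_controls:
            c.implemented = False
    ok = within_tolerance(risk, tolerance)
    return {
        "residual": risk.residual(),
        "within_tolerance": ok,
        "action": "accept" if ok else "adjust risk response",
    }


if __name__ == "__main__":
    risk = crm_risk()
    print("inherent:", risk.inherent())          # 20 on the 1-25 scale
    implement(risk)
    print("residual:", risk.residual(), "within tolerance:", within_tolerance(risk))
    # A later review: attackers are now targeting CRM platforms more often and the
    # encryption control is found to be misconfigured, so it no longer counts.
    print(monitor(risk, new_likelihood=LEVELS["very high"],
                  failed_controls=frozenset({"encryption"})))
```

The register is deliberately simple, but it shows the point of step 6: a control that is planned but not actually working contributes nothing to the residual score, and once the score exceeds the tolerance set in step 1, the response has to be revisited rather than left as documented.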
