What are the drivers, benefits and target audience for COBIT5 for risk?

Fathi,You can simply refer to the following litterature with common definitions:http://www.isaca.org/Education/Conferences/Documents/NAISRM-2013-Presentations/123.pdfBut I prefer to be much more interactive with you...

Think about the following and try to answser to my asks before reading the answers...

What is the concept of an IT system for you?

- From a computer scientist and academic perspective:“Information systems are implemented within an organization for the purpose of improving the effectiveness and efficiency of that organization. Capabilities of the information system and characteristics of the organization, its work systems, its people, and its development and implementation methodologies together determine the extent to which that purpose is achieved”

For the rest of the population:

- CEO and board => A post of expenses we’d love to reduce.

- Managers => A “thing” for which we paid a fortune, but delivers some reports we may use for driving the company.

- “Standard” end-users => A recurrent, strong and annoying pain in the neck…

=>What’s the problem then ?

Maybe because the definition of an IT system is a non-definition ?

It tells us what it does, but not how it’s done !And also, possibly because it’s done by computer scientists …Literally trained to compute data, but not necessarily to valorise information.

=>Ok, but do we care ?

You might do, knowing that:

- IT projects are seriously expensive

-3/4 of computer scientists are working in maintenance

- Most IT systems are targeted for end-users but designed without them !

-90% of end-users are unsatisfied with their IT experience.

Hence, “Informatization” is an utter failure !

=> Is it that bad ?

AT Kearney Management Survey (May2007) on IT project success:

50% of all projects never produce a single deliverable

25% don’t bring any added value to their end-users

90% run beyond scheduleLarge projects run between25 and50% beyond schedule

=>Look at this hall of shame:

Project: Optimia Cible (1994 -2000)

Client: EDF - GDF (FR)

Vendor: Andersen Consulting, Cap Gemini, Bull and ultimately IBM

Reason for failure: nothing concrete, never passed the scope statements milestone !

Cost: $260m written off ($326M current)

Project: ARIANE5 (1987 -1996)

Client: European Spatial Agency

Vendor: Arianespace

Reason for failure: conversion from floating to integer

Cost: $350m (loss of satellites ($483M current)

Project: Warehouse Automation (2003 -2005)

Client: Sainsbury’s plc (UK)

Vendor: Unclear, internal or Accenture Reason for failure: bar-code reading errors

Cost: $265m  written off ($294M current)

Project: ASPIRE (2004 -2005)

Client: HRH Inland Revenue (UK)

Vendor: Electronic Data Systems (now HP Enterprise Services)

Reason for failure: “software error” (sic)

Cost: $3.45 bn of tax-credit overpayment($3.8 BN current)

So... Where are we missing the point?

The biggest share (≈90%) of IT activity lies in “management IT”: CRM, ERP, Account Receivables, etc.

Question: for these systems, where does the complexity lie ?

a. Basic mathematical operations: + - x ÷ average stddev, etc.

b. The underlying business organisation and concepts behind the system.

Should you answer b, would you suspect an IT consultant who:

a. can design a highly complex algorithm for very rare academic scenario but can’t quickly get his/her head round the simplest double-entry bookkeeping paradigm without two weeks solid of training.b. can’t design that complex algorithm but readily understands the double-entry bookkeeping paradigm.

If, just like me, you’d answer b and a, welcome to the Entreprise and Risk Management !

Cobit will help you to structure and improve your organization and the controls of your finance and your production but this is not the only answer to the risk management and IT Gouvernance, you can have look on other referentials and methods such as: Coso, ITIL, Agile, Prince2 and so on...

The study of the convergence and the comprehension of each of them is interesting but shouldn't be the target, you should just think that Risk Management is inherent in all activities.

- Risk is composed of knowledge of two characteristics of a possible negative future event: probability of occurrence and consequences of occurrence.

- Risk management is associated with a clear understanding of probability.

- Risk management is an essential and integral part of technical program management (systems engineering).

- Risks and uncertainties must be identified, analyzed, handled, and tracked.

- There are four basic ways of handling risk: avoidance, transfer, acceptance, and control.

- Program risks are classified as low, moderate, or high depending on consequences and probability of occurrence.

- Risk classification should be based on quantified data to the extent possible...

=> Finally never forget that the main subject which is to rule the cost of the risk, the cost of the answer to limitate it and how to drive your company the best way to reach your business goals!