Question:
CASE STUDY
As a regional chain based in the Caribbean, Blue Food had experienced rapid growth through new store openings and acquisitions. With a focus on supply-chain efficiencies, Blue Food distributes most products to its stores through a warehouse facility that also houses key offices and IT resources. In light of the risk associated with such a consolidated operation, the IT organization received a mandate from its board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk.
The IT organization held a membership with the TechHub Research group, giving it access to TechHub's best-practices research and vendor-selection guidance. Engaging TechHub to conduct a COBIT-based operations workshop on risk management was therefore a natural next step.
TechHub based the workshop on COBIT 2019 because of COBIT 2019's clear and concise framework for capturing key IT processes (along with process interplay and documentation requirements). COBIT is a trusted framework used by IT auditors and other IT professionals, particularly in the strategy, security and risk areas of practice.
Throughout the week-long workshop, key members of the IT management team, as well as the chief information officer (CIO), worked with the facilitator to document their insights and understanding, using COBIT to draw out their knowledge of IT risk and arrange it in a manner suitable for analysis.
The risk assessment began by examining COBIT 2019's management practices from the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) domains, and conducting a simple self-assessment to ascertain process capability. The IT organization identified that it had no functioning IT risk management processes in place and, thus, assigned level zero to its process capability. The team set a goal of achieving level two (managed process) capability, with the performance-management and work-product-management attributes achieved. The IT organization leveraged the TechHub facilitator and methodology to conduct high-level brainstorming with key team members, aimed at identifying IT risk factors relevant to the client organization.
The team then worked to brainstorm and document risk events, identifying actors and threat types. A prioritization rubric was developed and applied to sort the risk events. The team documented (where programs were in progress) or identified (net-new programs) the resources/time needed to mitigate the priority risk factors.
Finally, the team made critical decisions to determine the shape of the IT organization's ongoing risk management. These included definitions of roles and responsibilities, management activities, information-gathering activities, and communication plans.
As the decisions were achieved, each was codified in the relevant program manuals, standard operating procedures, assessment tools, project requests, and templates for policies and communication.
One of the key outputs from this workshop was a presentation to the firm's board on the IT risk management assessment and program. This presentation described the progress made during the workshop, highlighted key risk factors and remediation, requested additional budget, and summarized the ongoing risk management program for the board.
Blue Food emerged from the workshop with all of the process documentation required to begin executing the process the following Monday, along with the relevant to-do items needed to mitigate the identified technology, people and process gaps. The following week, the CIO presented the workshop summary to the board, which noted the thoroughness of the initial IT risk assessment and the ongoing risk management program that was designed during the workshop. Two months later, progress toward risk remediation remains strong, and IT leaders remain committed to the ongoing risk management program.
Deliverable:
Assume the role of the CIO and prepare a PowerPoint presentation to the firm's Board of Directors on the IT risk management assessment program. A presentation of 10 slides must be compiled; address the following points on each slide.
Slide 1: Introduction
Brief overview of Blue Food's growth and focus on supply-chain efficiencies
Mention of the IT organization receiving a mandate to manage IT-related risk from the board of directors
Slide 2: Purpose of the presentation
Highlight the purpose of the presentation, which is to present the results of the IT risk management assessment program to the board of directors
Slide 3: Approach to risk management
Discuss the use of COBIT 2019 as a framework for the workshop
Explain the process of conducting a self-assessment, brainstorming risk events, prioritizing risks, and determining the shape of the IT organization's ongoing risk management program
Slide 4: Results of the risk assessment
Present the key findings from the risk assessment
Mention the lack of functioning IT risk management processes in place and the goal of achieving level two (managed process) capability
Slide 5: Priority risk factors
Highlight the priority risk factors that were identified during the workshop
Discuss the resources/time needed to mitigate the priority risk factors
Slide 6: Ongoing risk management program
Explain the ongoing risk management program that was designed during the workshop
Discuss the definition of roles and responsibilities, management activities, information-gathering activities, and communication plans
Slide 7: Progress towards risk remediation
Update the board on the progress towards risk remediation
Highlight the commitment of IT leaders to the ongoing risk management program
Slide 8: Additional budget
Request additional budget for the ongoing risk management program
Explain why additional budget is necessary for the program to be successful
Slide 9: Next steps
Outline the next steps for the IT organization in executing the ongoing risk management program
Emphasize the importance of continued commitment to the program for the success of Blue Food
Slide 10: Conclusion
Summarize the results of the IT risk management assessment program
Express gratitude to the board of directors for their support and the opportunity to present the results.