Question
CASE STUDY
As a regional chain based in the Caribbean, Blue Food had experienced rapid growth through new store openings and acquisitions. With a focus on supply-chain efficiencies, Blue Food distributes most products to its stores through a warehouse facility that also houses key offices and IT resources. In light of the risk associated with such a consolidated operation, the IT organization received a mandate from its board of directors to formally manage IT-related risk. The mandate specifically called for an initial high-level assessment of IT organizational risk, drawing largely from internal expertise. The board also requested that the IT organization demonstrate an ongoing program to manage risk.
The IT organization held a membership with the TechHub Research group, giving it access to TechHub's best-practices research and vendor-selection guidance. Engaging TechHub to conduct a COBIT-based operations workshop on risk management was therefore a natural next step.
TechHub based the workshop on COBIT 2019 because of COBIT 2019's clear and concise framework for capturing key IT processes (along with process interplay and documentation requirements). COBIT is a trusted framework used by IT auditors and other IT professionals, particularly in the strategy, security and risk areas of practice.
Throughout the week-long workshop, key members of the IT management team, as well as the chief information officer (CIO), worked with the facilitator to document their insights and understanding, using COBIT to draw out their knowledge of IT risk and arrange it in a manner suitable for analysis.
The risk assessment began by examining COBIT 2019's management practices from the Evaluate, Direct and Monitor (EDM) and Align, Plan and Organize (APO) COBIT domains, and conducting a simple self-assessment to ascertain process capability. The IT organization identified that it had no functioning IT risk management processes in place and, thus, assigned level zero to its process capability. The team set a goal to achieve level two (managed process) capability, with the performance-management and work-product-management attributes achieved. The IT organization leveraged the TechHub facilitator and methodology to conduct high-level brainstorming with key team members, aimed at identifying IT risk factors relevant to the client organization.
The team then worked to brainstorm and document risk events, identifying actors and threat types. A prioritization rubric was developed and applied to sort the risk events. The team documented (where programs were in progress) or identified (net-new programs) the resources/time needed to mitigate the priority risk factors.
Finally, the team made critical decisions to determine the shape of the IT organization's ongoing risk management. These included definitions of roles and responsibilities, management activities, information-gathering activities, and communication plans.
As the decisions were achieved, each was codified in the relevant program manuals, standard operating procedures, assessment tools, project requests, and templates for policies and communication.
One of the key outputs from this workshop included:
A presentation to the firm's board on the IT risk management assessment and program. This presentation described the progress made during the workshop, highlighted key risk factors and remediation, requested additional budget, and summarized the ongoing risk management program for the board.
Blue Food emerged from the workshop with all of the process documentation required to begin executing the process the following Monday, along with the relevant to-do items needed to mitigate the identified technology, people and process gaps. The following week, the CIO presented the workshop summary to the board, which noted the thoroughness of the initial IT risk assessment and the ongoing risk management program that was designed during the workshop. Two months later, progress toward risk remediation remains strong, and IT leaders remain committed to the ongoing risk management program.
Deliverable:
Assume the role of the CIO and prepare a PowerPoint presentation to the firm's Board of Directors on the IT risk management assessment program. The presentation should be ten (10) slides.