Managing Risks with an IT GRC Management Program

You can manage risks with an IT GRC program using the IT GRC Process Management Pack. You can create a new IT GRC management program to manage risks or you can add risks to an existing program. IT GRC control management and risk management can be performed in separate programs or in the same program. This scenario provides a simple example of how to manage the risks for a new e-commerce application that is being deployed into the production environment.

To add risks to your IT GRC program in the IT GRC Process Management Pack, complete the steps in the following list. Detailed information about each step is provided in the subsections that follow the list.

Create risks for the IT GRC management program.
Publish the new risks.
Add the risks to the risk management program.

Step 1: Create Risks for IT GRC Management Program

After you identify the risks you want to manage, you are ready to create risks for the IT GRC management program. Each risk has calculated values that help identify the inherent risk and any residual risk that has not been mitigated. The following table lists the risk configuration settings and their relationship to each other.

Setting	Description
Impact	Indicates the impact that the risk has on the success of the program and is measured on a scale from 1 to 5, where 1 represents the least impact and 5 represents the greatest impact.
Likelihood	Indicates the likelihood that the risk will occur and is measured on a scale from 1 to 5, where 1 represents the least likelihood and 5 represents the greatest likelihood.
Control Level	Indicates the level of control over the risk and is measured on a scale from 1 to 5, where 1 represents the least level of control and 5 represents the greatest level of control.
Inherent Risk	A calculated value that indicates the value of the risk without any account for the control of the risk. The value is calculated by multiplying the value in Impact by the value in Likelihood. For example, if the value in Impact is 2 and the value in Likelihood is 4, then Inherent Risk will be 8.
Residual Risk	A calculated value that indicates the residual value of the risk after factoring in the control of the risk. The value is calculated by multiplying the value in Impact by the value in Likelihood and dividing by the value in Control Level. For example, if the value in Impact is 2, the value in Likelihood is 4, and the value in Control Level is 4, then Residual Risk will be 2.
Risk Response	Specify what action to take regarding the risk based on the value in Residual Risk. The possible values are: · Accept, when both of the following are true: · Impact is greater than 1 but less than 3. · Likelihood is greater than 1 but less than 3. · Optimize, when both of the following are true: · Impact is greater than 1 but less than 3. · Likelihood is greater than 3 but less than 5. · Improve, when both of the following are true: · Impact is greater than 3 but less than 5. · Likelihood is greater than 1 but less than 3. · Monitor, when both of the following are true: · Impact is greater than 3 but less than 5. · Likelihood is greater than 3 but less than 5.

Create a risk using the following table and instructions.

Information needed	Value
<risk_title>	Servers are ready for deployment in production environment.
<risk_description>	Purchase, deliver, and burn-in of server computers must be completed in time to meet deployment schedule for new e-commerce application.
<risk_owner>	User account that is to be the owner of the new risk
<risk_assigned_to>	User account that is assigned the new risk
<risk_impact>	5
<risk_likelihood>	2
<risk_control_level>	5
<risk_response>	Reduce

To create a new risk

Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

The System Center Service Manager Console starts.
In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.
In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Risk Management/All Risks location.
In the Tasks pane, click Create Risk.

The Risk <RID> – New dialog box appears (where RID is the identifier of the new risk).

Complete the tabs on the Risk <RID>– New dialog box, and then click OK.

Tab

Description

General

Contains basic information about the risk, including:

Title of the risk.
Description of the risk.
Owner of the risk.
User who the risk is assigned to.
Impact of the risk, which can be a value from 1 to 5, where 1 represents the least impact and 5 represents the greatest risk.
Likelihood of the risk, which can be a value from 1 to 5, where 1 represents the least likelihood and 5 represents the greatest likelihood.
Control level of the risk, which can be a value from 1 to 5, where 1 represents the least control and 5 represents the greatest control.
Risk Response, which can be a value of Accept, Avoid, Reduce, or Share.
Response plan for mitigating the risk.
Associated activities.
Due date.

Framework

Contains a hierarchy of items within the program and buttons for adding the items, including program categories, risks, control objectives, and control activities.

Step 2: Publish the New Risks

After you create the new risk, you are ready to publish the risk. Publish the risk using the following table and instructions.

Information needed	Value
<risk_title>	Servers are ready for deployment in production environment.

To publish an existing risk

Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

The System Center Service Manager Console starts.
In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.
In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Risk Management/All Risks location.
In the Results pane, click <risk> (where risk is the name of the risk that you want to publish).
In the Tasks pane, click Publish Risk.

The Results pane in the All Risks <number> view refreshes to display the list of all risks (where number is the total number of risks). The status of a risk just after you create it is set to Draft. The status of risk after you publish it is set to Pending, and this action also initiates a Service Manager review activity. After the review activity is approved, the status of the risk is set to Published. After it is approved, the risk appears in the Risks: Published view.

Step 3: Add the Risks to the IT GRC Management Program

After you create the risks for the IT GRC management program you created, you are ready to add the risks to the program.

Add a risk to the program using the following table and instructions.

Information needed	Value
<program>	Credit Card Processing Compliance Program
<risk_title>	Servers are ready for deployment in production environment.

To add a risk to an existing program

Click Start, click All Programs, click Microsoft System Center, click Service Manager 2010, and then click Service Manager Console.

The System Center Service Manager Console starts.
In the Service Manager Console, in the Navigation pane, click Compliance and Risk Items.
In the Compliance and Risk Items pane, go to the All Compliance and Risk Items/Program Management/All Programs location.
In the Results pane, click <program> (where program is the name of the program that you want to modify).
In the Tasks pane, click Edit.

The Program Management property dialog box appears.
In the Program Management dialog box, on the Framework tab, click the arrow beside <program_name> to expand the program framework hierarchy.
In the Framework list box, select a category and then click Add Risk.

The Select objects dialog box appears and the list of existing risks is displayed.
On the Select objects dialog box, click <risk_title>, click Add, and then click OK (where risk_title is the title of the risk).

The risk appears in the Framework list box in the Program Management.
In the Program Management dialog box, click OK.

The results pane in the All Programs view refreshes to display the list of programs.