Add References to the COBIT Framework in the Risk Catalog

[MKQuantum]

Contact Details

markjpaulsen@gmail.com

What is the idea

The Risk Catalog currently references OWASP, NIST, EA AI Act, and others - and it might be a good idea to include references to the COBIT Framework as well. Many Banks (especially Canadian Banks) leverage COBIT for their control environments, risk management, and internal audit scope.

KPMG has done a similar exercise in their AI Risk and Controls Matrix, and I have done a similar exercise with the Vector Institute for AI. The Vector tool we created as part of the exercise is here and a risk and controls matrix can be downloaded here - which includes references to the MIT A Risk Repository as well as COBIT.

Why is it a good idea

The Banking industry would benefit from this because COBIT is used by many banks for their existing control frameworks and environments. Having a mapping between risk catalog items and their control frameworks would help highlight gaps, potential risks, and mitigation steps. As well as ensure Internal Audits are planned and executed wit the right scope and context.

How does it work?

The 3 Lines of Defence - including Risk Management groups, Control testers/managers/ and Internal Audit would probably be the main users.

primer

artificial intelligence

Any other key information

Code of Conduct

• I agree to follow the FINOS Code of Conduct

[alvin-c-shih]

I did a bit of searching around, but didn't get the sense that COBIT is down at the risks/mitigations level.
Seemed like guidance on how to do governance.

Not sure if that's in scope or how that would fit into the existing document structure.

Hopefully someone with more familiarity with it can talk through on a future call.

[MKQuantum]

I didn't have a chance to bring this up today, but here are some details that I hope will help.

• As I mentioned in the start of issue, COBIT is referenced in KPMG's AI Risk and Controls Matrix and we are referencing it, as well as NIST and the MIT AI Risk Repository, as part of the Vector Institute for AI tool which can be found here.
• In Canadian Banks (as well as some US Banks I've collaborated with), COBIT is used in several ways: 1. As a reference in the creation of controls and internal control frameworks. 2. To help plan Audits and understand the current control landscape as well as highlight any potential gaps. 3. As a guide for risk mitigations and audit deficiency action plans. Note: I'm an ex Internal Auditor so I have first-hand experience in this area.
• Other Frameworks (such as the NIST Cybersecurity Framework) usually have references to COBIT.

Happy to discuss this further in a future AI Governance weekly meeting or asynch as well.