IT Governance, Risk, and Compliance


August 12, 2010  6:40 PM

Compliance through Automation: Decision Support Systems – Part V

Robert Davis

There are many types of detail variables that may be associated with a mathematical model. Binary variables are employed for “go” and “no-go” decisions. Discrete variables are utilized for any of a finite number of values; questions of “which” and “when” are represented as specific discrete values, and such data need not be continuous. Continuous variables, by contrast, present an infinite number of possible values, all of which lie within a specific range. Among the other characteristics of variables, they can be random variables that model uncertainty and are expressed as probabilities. They can also be exogenous variables, ones that are external to the model and cannot be influenced by decision makers.

August 9, 2010  6:31 PM

Compliance through Automation: Decision Support Systems – Part IV

Robert Davis

At a minimum, compliance decision support systems should include word processing, database, spreadsheet, and modeling capabilities. Of these capabilities, modeling is crucial to reducing response uncertainty regarding circumstances that require a compliance decision. Rudimentarily, a model is composed of variables and objectives, and its structure must reflect the purpose for which it is constructed. The variables in a quantitative model constitute a mathematical description of the relation between elements, and they can be classified as decision, intermediate, or output variables. Decision variables are controlled by the decision maker and vary in accordance with the alternative selected. Intermediate variables link decisions to outcomes, thus functioning as consolidation variables. Lastly, output variables measure decision performance and are referred to as ‘attributes’.


August 5, 2010  4:13 PM

Compliance through Automation: Decision Support Systems – Part III

Robert Davis

Generally, supporting decisions with software and hardware is wholly inadequate if there is no specific idea about the kinds of decisions to be made. There are different types of decisions regarding compliance. The first type, routine decisions, is commonly treated within the entity’s framework of policies and procedures. The second type, non-routine decisions, typically requires one-time or non-repetitive solutions based on environmental considerations. The third type, non-routine motley decisions, generally consists of ill-structured, complex, one-of-a-kind situations that rely on optimal responses through scientific assessments. Nevertheless, decision techniques have become largely synonymous with quantitative approaches or mathematical analysis, which are well suited to IT processes. Among the latter are financial and statistical analyses that, depending on the circumstances, may be addressed through game theory, linear programming, simulation, and operations research.


August 2, 2010  3:22 PM

Compliance through Automation: Decision Support Systems – Part II

Robert Davis

Reliable decision support systems should provide accurate and complete disclosure of available options, while maintaining required confidentiality and integrity to enable effective responses. The ‘quality of management’ depends heavily upon having managers evaluate alternatives and select (from the available options) as many correct responses as possible. To ensure managerial quality, most managers are under observation for situational responses impacting the entity. Thus, the ratio of decisional hits to misses must weigh favorably in the direction of hits to retain management status within most organizational formations. In other words, a regular pattern of failure in making appropriate decisions usually disqualifies an employee from retaining directional authority within an entity.


July 29, 2010  6:33 PM

Compliance through Automation: Decision Support Systems – Part I

Robert Davis

Control systems can be categorized as being either decision systems or technical systems. Nonetheless, decision-making process assistance may be contained in an IT decision support system (DSS). Classically, a DSS represents an information system, or analytic model, designed to aid managers and professionals in effective decision-making processes. Interpretively, a technology-based information system represents an architectural component that collects data, processes transactions, and communicates operational results, while an analytical model is a set of relationships spanning a continuum of complexity (from one variable to many), uncertainty (from deterministic to probabilistic), and time (from static to dynamic). Thus, through proper system or model construction, an entity-centric compliance DSS can enable evaluating alternative courses of action and efficiently choosing from among the presented options to achieve the defined objective.


July 27, 2010  3:28 PM

Not-for-profit Risk Management – Part VIII

Robert Davis

Deploying Enterprise Governance bilaterally connected to IT Governance enables management to focus on value creation drivers that move an entity forward and sustain proper as well as adequate controls. IT risk management is important to delivering an entity’s strategic plan. In totality, the adopted IT risk management framework can provide structures, methodologies, procedures, and definitions that an entity has chosen to utilize for deploying risk management processes. At the detail level, process models can be adopted by IT to support risk management, thus providing a powerful tool for appropriate IT service management consistent with the entity’s strategic plan. Process and service management are certainly closely related to IT governance. Yet, without adequate risk management, IT governance is in jeopardy of not meeting expected value delivery benefits.


July 23, 2010  6:25 PM

Not-for-profit Risk Management – Part VII

Robert Davis

Utilizing a maturity model can aid management in identifying risk issues. Procedurally, a maturity model provides a standard means to document and evaluate the state of controls. Collectively, the entity’s not-for-profit managers can contribute to identifying risk issues as well as rate controls — such as policies, procedures, standards, and rules. As for managing risks, it usually is prohibitively expensive to reduce risks to a tolerable level for all potential control weaknesses or deficiencies simultaneously. Therefore, a risk grading system should exist to assist in the evaluation and prioritization of control deployments consistent with the entity’s risk tolerance levels.


July 20, 2010  5:10 PM

Not-for-profit Risk Management – Part VI

Robert Davis

An IT risk assessment consists of risk identification and risk analysis. For not-for-profit entities, risk identification includes examining external factors such as technological developments and economic changes, while considering internal factors such as personnel quality, the nature of the entity’s activities, and the characteristics of information processing. Risk analysis, in turn, involves estimating the significance of risks, assessing the likelihood of risks occurring, and considering how to manage the risks. To this end, documenting overall and detail control perimeters aids in assessing risk analysis process data and decisions.


July 16, 2010  5:16 PM

Not-for-profit Risk Management – Part V

Robert Davis

Adequate risk management provides processes whereby the entity methodically addresses risks impacting the IT architecture with the goal of achieving sustained benefit from each IT configuration and across the portfolio of IT configurations. Typical risks to IT configurations include illegal acts, errors, business interruptions, as well as ineffective and/or inefficient utilization of resources. Adoption of an appropriate risk process model can aid in defining how management will conduct risk assessments. In particular, through establishing IT value delivery monitoring, management can reduce risks to accomplishing information effectiveness, efficiency, confidentiality, integrity, availability, reliability, and/or compliance.


July 13, 2010  5:25 PM

Not-for-profit Risk Management – Part IV

Robert Davis

Management should monitor and evaluate the entity’s control system by reviewing the results generated through cyclical control activities and special evaluations. Cyclical control activities occur at regular intervals, yet they can vary in ambit. Cyclical control activities encompass comparing physical assets with recorded data, conducting training seminars, and examinations by internal and external auditors. Special evaluations can be of varying frequency and ambit. Special evaluations encompass investigating the impact of an irregularity or illegal act. Deficiencies discovered during cyclical control activities are typically reported to the operational manager as well as senior and executive management, while deficiencies found during special evaluations are usually communicated to senior and executive management as well as the entity’s oversight committee (if one exists).