IT Governance, Risk, and Compliance » Enterprise Governance

Risk Management: Is it just another set of business buzzwords? – Part VIII

Robert Davis — Thu, 21 Mar 2013 01:02:03 +0000

IT policies, directives, standards, procedures, and rules should be deployed based on assessed effectiveness and efficiency in addressing managements risk appetite. Deployed controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. IT control policies and directives can be considered high-level governance documentation while standards, procedures, and rules can be considered detail-level governance documentation. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction. Whereby, lower-level management converts high-level governance documents into detail-level IT governance documents assisting in ensuring control objective achievement. Developing and implementing IT governance design effectiveness and efficiency can be a multidirectional, interactive, iterative, and adaptive process.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VII

Robert Davis — Sat, 16 Mar 2013 15:40:08 +0000

Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality. Standards can be considered specific goals or objectives against which performance is compared. Selection of points where performance will be measured is critical to effective standards. Employee accountability affects responsibility for meeting standards. Consequently, responsibility for a standard should be directly correlated to activity responsibility. Without accountability, standards become ineffective measurement tools.

Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.

Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VI

Robert Davis — Thu, 14 Mar 2013 01:10:44 +0000

Controlling and monitoring activities attempting to ensure acceptable risk responses include:

Policies
Directives
Standards
Procedures
Rules

Strategically; policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance related policy may require IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve or intend to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Internal or external central authorities may issue directives as well as individuals. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part V

Robert Davis — Fri, 08 Mar 2013 22:41:01 +0000

Usually, IT risk analysis has four primary goals:

Identifying assets and their associated values
Identifying vulnerabilities and threats
Quantifying the probability and business impact of potential threats
Providing an economic balance between threat impact and countermeasure cost

Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part IV

Robert Davis — Thu, 07 Mar 2013 01:54:36 +0000

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality. Quantitative risk calculations include:

Exposure Factor = Percentage of asset lost caused by identified risk
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE) = SLE X ARO
Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part III

Robert Davis — Sat, 02 Mar 2013 16:38:44 +0000

Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity. IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price. Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.

Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated. Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement. Depending on the circumstances, entity and IT governance domain characteristics may overlap or have distinctiveness, yet IT controls continuity and stability can be sustained even when governance domain characteristics are mutually inclusive.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part II

Robert Davis — Thu, 28 Feb 2013 02:50:25 +0000

An entity’s business risk management framework should be a strategic axial enabled to accept diverse strategy spokes. Proactively, business risk management should represent the process whereby an entity methodically addresses risks attached to activities with the objective of achieving sustained benefit within each activity and across the activities portfolio.

Through project collaboration the Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management promote the following risk management process:

1. Identify Strategic Objectives

2. Perform Risk Assessment

2.1 Risk Analysis

2.1.1 Risk Identification

2.1.2 Risk Description

2.1.3 Risk Estimation

2.2 Risk Evaluation

3. Provide Risk Reporting

4. Decision (determine risk appetite)

5. Document Risk Treatment

6. Provide Residual Risk Reporting

7. Perform Monitoring

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part I

Robert Davis — Sat, 23 Feb 2013 18:44:08 +0000

Risk management is not an issue any ‘going concern’ should consider a platitude used to demonstrate effective leadership. Those responsible for governance within an enterprise must be, without reservation, administrators dedicated to appropriately handling the risks that their organization encounters. In particular, the risks associated with information and related technology must be comprehensively identified and appropriately managed based on careful consideration of the impact and likelihood of the projected occurrence of detrimental events. It is in this arena that organizational risk management commonly fails to accurately portray the environmental landscape enabling resource optimization of initial investments and operational maintenance for IT.

Are Organizations Potentially Falling Short?

Robert Davis — Tue, 07 Aug 2012 17:48:35 +0000

Current events posted by various news outlets, including Fox News, the Wall Street Journal, Forbes and Yahoo.com, concerning Knight Capital’s financial debacle, present some very serious allegations regarding managerial due diligence during system development lifecycles. In this case, the cost to the already troubled firm is an estimated $440,000,000.00 USD. An amount no financial-based institution can classify as immaterial.

Undoubtedly, an individual and/or group authorized activation of this critical new application. Yet, it appears adequate precautions, such as application processing testing, were not performed either prior to deployment, during implementation, or after installation by the project team.

Considering, as computing power has advanced, entities have become increasingly dependent on technology to carry out their operational requirements and to collect, process, maintain, and report essential data. This reliance on electronically encoded data and on the systems that affect managerial decisions are a major concern of audit professionals. Consequently, Information Technology (IT) auditors examine the adequacy of controls in information systems and related operations to assure effectiveness and efficiency in business processes. In addition, among other assurance services, IT auditors evaluate the reliability of computer generated data supporting financial statements and analyze specific programs and their processing results. Thus, my question regarding the circumstances that produced this extraordinary financial loss is: Did management assign an IT auditor to the software project team?

Not-for-profit Risk Management – Part VIII

Robert Davis — Tue, 27 Jul 2010 15:28:43 +0000

Deploying Enterprise Governance bilaterally connected to IT Governance enables management to focus on value creation drivers that move an entity forward and sustain proper as well as adequate controls. IT risk management is important to delivering an entity’s strategic plan. In totality, the adopted IT risk management framework can provide structures, methodologies, procedures, and definitions that an entity has chosen to utilize for deploying risk management processes. At the detail level, process models can be adopted by IT to support risk management, thus providing a powerful tool for appropriate IT service management consistent with the entity’s strategic plan. Process and service management are certainly closely related to IT governance. Yet, without adequate risk management, IT governance is in jeopardy of not meeting expected value delivery benefits.

“View Part I of the Not-for-profit Risk Management series here“