IT Governance, Risk, and Compliance » Information Technology

Risk Management: Is it just another set of business buzzwords? – Part VIII

Robert Davis — Thu, 21 Mar 2013 01:02:03 +0000

IT policies, directives, standards, procedures, and rules should be deployed based on assessed effectiveness and efficiency in addressing managements risk appetite. Deployed controlling and monitoring activities should reflect management’s strategy for ensuring an adequate IT control system. IT control policies and directives can be considered high-level governance documentation while standards, procedures, and rules can be considered detail-level governance documentation. Normally, oversight committees and executive management utilize high-level governance documents to provide general control direction. Whereby, lower-level management converts high-level governance documents into detail-level IT governance documents assisting in ensuring control objective achievement. Developing and implementing IT governance design effectiveness and efficiency can be a multidirectional, interactive, iterative, and adaptive process.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VII

Robert Davis — Sat, 16 Mar 2013 15:40:08 +0000

Management should establish standards as baselines for measuring quantity, weight, extent, value, or quality. Standards can be considered specific goals or objectives against which performance is compared. Selection of points where performance will be measured is critical to effective standards. Employee accountability affects responsibility for meeting standards. Consequently, responsibility for a standard should be directly correlated to activity responsibility. Without accountability, standards become ineffective measurement tools.

Procedures establish methods for accomplishing an activity, through specific performance, while simultaneously complying with prescribed policies. Prior to determining procedures, processes should be identified and classified to determine control objective impact. In order to create an adequate IT governance framework, management must understand and document operational procedures.

Rules are specific and detailed guides that confine and restrict behavior. Comparatively, rules are the simplest operational plan. A rule requires a specific action to be taken regarding a given situation. For example, “This building is a smoke free environment. Violators will be dismissed without exception.”

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part VI

Robert Davis — Thu, 14 Mar 2013 01:10:44 +0000

Controlling and monitoring activities attempting to ensure acceptable risk responses include:

Policies
Directives
Standards
Procedures
Rules

Strategically; policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance related policy may require IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve or intend to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Internal or external central authorities may issue directives as well as individuals. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part V

Robert Davis — Fri, 08 Mar 2013 22:41:01 +0000

Usually, IT risk analysis has four primary goals:

Identifying assets and their associated values
Identifying vulnerabilities and threats
Quantifying the probability and business impact of potential threats
Providing an economic balance between threat impact and countermeasure cost

Normally, the IT Threat Assessment precedes the IT Vulnerability Assessment. However, Vulnerability Analysis results can identify relevant threats and Threat or Opportunity Analysis results can identify relevant vulnerabilities. The Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management business risk model categories can be mapped into IT risk analysis. For example, usually risk identification, description, and estimation are respectively included as asset valuation, action plan, and risk evaluation sub-processes.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part IV

Robert Davis — Thu, 07 Mar 2013 01:54:36 +0000

The risk management process introduces a systematic approach for identifying, assessing, and reducing risks as well as maintaining defined acceptable risk levels. An IT risk assessment should be considered a key risk management practice area. When management institutionalizes an IT governance risk assessment methodology, quantitative and/or qualitative factors effecting business processes should be considered, evaluated, and documented to enable suitable event responses. Management’s IT processes risk assessment determines IT potential opportunity cost and control implementation criticality. Quantitative risk calculations include:

Exposure Factor = Percentage of asset lost caused by identified risk
Single Loss Expectancy (SLE) = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO) = Estimated frequency a threat will occur within a year
Annualized Loss Expectancy (ALE) = SLE X ARO
Safeguard Cost/Benefit Analysis = (ALE before implementing safeguard) – (ALE after implementing safeguard) – (annual cost of safeguard)

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part III

Robert Davis — Sat, 02 Mar 2013 16:38:44 +0000

Similar to business risk management, IT risk management is a continuous process that should be interlaced into the fabric of an entity. IT risks directly impact an entity’s ability to provide goods and/or services at an acceptable price. Inherently, computer hardware and software as well as personnel present potential risks to an entity achieving business objectives.

Through appropriate management, risks can be accepted, reduced, or transferred; however, IT related risk can never be completely eliminated. Minimally, IT governance risk management should address strategic alignment, value delivery, resource management, and performance measurement. Depending on the circumstances, entity and IT governance domain characteristics may overlap or have distinctiveness, yet IT controls continuity and stability can be sustained even when governance domain characteristics are mutually inclusive.

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part II

Robert Davis — Thu, 28 Feb 2013 02:50:25 +0000

An entity’s business risk management framework should be a strategic axial enabled to accept diverse strategy spokes. Proactively, business risk management should represent the process whereby an entity methodically addresses risks attached to activities with the objective of achieving sustained benefit within each activity and across the activities portfolio.

Through project collaboration the Association of Insurance and Risk Managers, the Association of Local Authority Risk Managers, and the Institute of Risk Management promote the following risk management process:

1. Identify Strategic Objectives

2. Perform Risk Assessment

2.1 Risk Analysis

2.1.1 Risk Identification

2.1.2 Risk Description

2.1.3 Risk Estimation

2.2 Risk Evaluation

3. Provide Risk Reporting

4. Decision (determine risk appetite)

5. Document Risk Treatment

6. Provide Residual Risk Reporting

7. Perform Monitoring

Source

Davis, Robert E. (2011). Assuring IT Governance. Available from http://www.amazon.com/Assuring-Governance-Assurance-Services-ebook/dp/B0058P58E0 and http://www.smashwords.com/books/view/70359

Davis, Robert E. (2006). IT Auditing: IT Governance. Mission Viejo: Pleier. CD-ROM.

Risk Management: Is it just another set of business buzzwords? – Part I

Robert Davis — Sat, 23 Feb 2013 18:44:08 +0000

Risk management is not an issue any ‘going concern’ should consider a platitude used to demonstrate effective leadership. Those responsible for governance within an enterprise must be, without reservation, administrators dedicated to appropriately handling the risks that their organization encounters. In particular, the risks associated with information and related technology must be comprehensively identified and appropriately managed based on careful consideration of the impact and likelihood of the projected occurrence of detrimental events. It is in this arena that organizational risk management commonly fails to accurately portray the environmental landscape enabling resource optimization of initial investments and operational maintenance for IT.

IT Audit Follow-up: Assessing Recommendation Resolution – Part IV

Robert Davis — Mon, 22 Mar 2010 18:29:47 +0000

Depending on the ambit and terms of the engagement, external IT auditors may rely on an entity’s internal IT audit function to follow-up on their agreed-upon recommendations. Hence, a follow-up process should be established by the entity’s internal IT audit function to monitor, and ensure, managerial actions have been effectively implemented or senior management has accepted the risk of not taking action. Responsibility for these follow-up activities should be defined in the audit charter and/or engagement letter to enable proper consideration by clients.

“View Part I of the IT Audit Follow-up: Assessing Recommendation Resolution series here“

IT Audit Reporting: Communicating Results – Part VI

Robert Davis — Mon, 01 Mar 2010 18:41:35 +0000

The final audit report should clearly identify ‘gaps’ in controls and the source of the vulnerabilities. Of the potential vulnerabilities documented in the audit report, it is importance to identify any significant, or material, risks. It must also include recommendations to address the issues identified. Lastly, the executive summary of the final audit report must elaborate on the ‘state of controls’ within the audit area. In particular, weaknesses need to be clearly communicated to enable management by exception.

“View Part I of the IT Audit Reporting: Communicating Results series here“