IT Governance, Risk, and Compliance » Strategic Planning

Not-for-profit Risk Management – Part VIII

Robert Davis — Tue, 27 Jul 2010 15:28:43 +0000

Deploying Enterprise Governance bilaterally connected to IT Governance enables management to focus on value creation drivers that move an entity forward and sustain proper as well as adequate controls. IT risk management is important to delivering an entity’s strategic plan. In totality, the adopted IT risk management framework can provide structures, methodologies, procedures, and definitions that an entity has chosen to utilize for deploying risk management processes. At the detail level, process models can be adopted by IT to support risk management, thus providing a powerful tool for appropriate IT service management consistent with the entity’s strategic plan. Process and service management are certainly closely related to IT governance. Yet, without adequate risk management, IT governance is in jeopardy of not meeting expected value delivery benefits.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part VII

Robert Davis — Fri, 23 Jul 2010 18:25:44 +0000

Utilizing a maturity model can aid management in identifying risk issues. Procedurally, a maturity model provides a standard means to document and evaluate the state of controls. Collectively, the entity’s not-for-profit managers can contribute to identifying risk issues as well as rate controls — such as policies, procedures, standards, and rules. As for managing risks, it usually is prohibitively expensive to reduce risks to a tolerable level for all potential control weaknesses or deficiencies simultaneously. Therefore, a risk grading system should exist to assist in the evaluation and prioritization of control deployments consistent with the entity’s risk tolerance levels.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part VI

Robert Davis — Tue, 20 Jul 2010 17:10:13 +0000

An IT risk assessment consists of risk identification and risk analysis. For not-for-profit entities, risk identification includes examining external factors such as technological developments and economic changes; while considering internal factors such as personnel quality, the nature of the entity’s activities, and the characteristics of information processing. Wherefore, risk analysis involves estimating the significance of risks, assessing the likelihood of risks occurring, and considering how to manage the risks. To this end, documenting overall and detail control perimeters aids in assessing risk analysis process datum and decisions.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part V

Robert Davis — Fri, 16 Jul 2010 17:16:03 +0000

Adequate risk management provides processes whereby the entity methodically addresses risks impacting the IT architecture with the goal of achieving sustained benefit from each IT configuration and across the portfolio of IT configurations. Typical risks to IT configurations include illegal acts, errors, business interruptions, as well as ineffective and/or inefficient utilization of resources. Adoption of an appropriate risk process model can aid in defining how management will conduct risk assessments. In particular, through establishing IT value delivery monitoring, management can reduce risks to accomplishing information: effectiveness, efficiency, confidentiality, integrity, availability, reliability, and/or compliance.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part IV

Robert Davis — Tue, 13 Jul 2010 17:25:55 +0000

Management should monitor and evaluate the entity’s control system by reviewing the results generated through cyclical control activities and special evaluations. Cyclical control activities occur at regular intervals, yet they can vary in ambit. Cyclical control activities encompass comparing physical assets with recorded datum, conducting training seminars, as well as examinations by internal and external auditors. Special evaluations can be of varying frequency and ambit. Special evaluations encompass investigating the impact of an irregularity or illegal act. Deficiencies discovered during cyclical control activities are typically reported to the operational manager as well as senior and executive management; while deficiencies found during special evaluations are usually communicated to senior and executive management as well as the entity’s oversight committee (if one exists).

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part III

Robert Davis — Fri, 09 Jul 2010 17:28:36 +0000

To adequately govern not-for-profit IT, risk management must be addressed at multiple levels; including entity, project, and service layers. Those responsible for governance must understand the ubiquitous nature of technical and operational risks that each approved project presents and progressively meld initial assessments into an entity-wide, portfolio-focused and strategically driven comprehensive risk assessment. An entities managerial philosophy and operating style can be assessed by examining the nature of IT risks management accepts, the frequency of managements’ interaction with IT subordinates, and managements’ attitude toward monitoring IT processes; leading to designing and deploying specific compensating, mitigating, and/or enhancing activities.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part II

Robert Davis — Tue, 06 Jul 2010 18:10:38 +0000

By definition, strategy is the skill in managing or planning an approach to achieving an end. It is crucial to accomplishing an entity’s long range plans. Strategy is concerned with controlling the entity’s destiny and achieving stated goals; while planning is a formalized procedure to produce an articulated expected outcome, in the form of an integrated system of decisions. However, as with most decisions there are risks. IT strategic risk is the current and prospective affect on value delivery arising from adverse decisions, improper deployment decisions, or lack of responsiveness to environment changes; whereas IT planning risk is the current and prospective affect on the control environment arising from incorrect identification, improper design decisions, or lack of reliable information. Thus, the prerequisite to sustaining a holistic strategy is adequate risk management planning.

“View Part I of the Not-for-profit Risk Management series here“

Not-for-profit Risk Management – Part I

Robert Davis — Thu, 01 Jul 2010 18:00:03 +0000

Crucial to achieving appropriate not-for-profit performance and conformance equilibrium is consideration of the entity’s strategic mission as well as risk management system. To empower performance and conformance through entity-centric risk management, not-for-profit’s must: establish a common definition of control that serves all organizational units, provide standards against which organizational units can assess their control systems and determine what improvements are necessary. Cascading from these requirements, not-for-profit entities that execute a strong balance between performance and conformance through appropriate value delivery risk management have the best long term prospects for thriving in their particular regulatory environment.

Not-for-profit Value Delivery – Part VIII

Robert Davis — Mon, 28 Jun 2010 18:32:28 +0000

Inasmuch as the cost of maintaining effective and efficient IT and the ability of IT to create strategic advantage when appropriately developed and deployed; having a sound entity IT architecture is vital to effective and efficient not-for-profit IT service delivery. Management’s dedication to a set of principles and practices applicable to value delivery processes such as configuration and application management, are critical. Consistent with adopting IT Governance principles and practices, once there is an understanding of strategic alignment requirements, management can take the value creation approach and identify what needs to be done to make things happen as conceived.

“View Part I of the Not-for-profit Value Delivery series here”

Not-for-profit Value Delivery – Part VII

Robert Davis — Thu, 24 Jun 2010 18:04:56 +0000

There are many components that are required to integrate and deploy effective and efficient IT service delivery. To reduce the possibility of misalignment, management must ensure that there is a clear understanding that value is derived from IT only when IT-enabled investments are managed as a portfolio of services that include the full cost of changes that the entity may have to make to optimize the benefit from IT capabilities in delivering the defined strategy. For IT service delivery, judgment is typically based on timely receipt and expected functionality. Thus, among other COBIT objectives, establishing configuration procedures to support management and logging of all changes to the configuration repository as well as integrating these procedures with change management and problem management activities enhances the potential for effective and efficient IT service delivery.

“View Part I of the Not-for-profit Value Delivery series here”