IT Governance, Risk, and Compliance

Mar 14 2013   1:10AM GMT

Risk Management: Is it just another set of business buzzwords? – Part VI

Robert Davis

Controlling and monitoring activities that attempt to ensure acceptable risk responses include:

  • Policies
  • Directives
  • Standards
  • Procedures
  • Rules

Strategically, policies are definite courses or methods of action selected by management from alternatives, considering the environment, to guide as well as determine present and future decisions. For example, an entity’s IT governance related policy may require that IT management obtain signed Service Level Agreements (SLAs) for all deployed systems.

Directives serve, or are intended, to guide, govern, or influence actions or goals. Furthermore, directives should be considered orders or instructions. When activated, entity proxy directives can be interpreted as conveying fiduciary requirements to the assignee. Directives may be issued by internal or external central authorities as well as by individuals. For example, an external aviation agency may direct aircraft operators to carefully inspect a particular airplane wing. Internally, directives are usually documented in memorandums and reflect matters requiring immediate attention. Directives should receive the same due diligence as policies and procedures.
