IT Governance and Risk Management

Upload: meijae-fuller

Post on 10-Apr-2018


TRANSCRIPT

  • 8/8/2019 IT Governance and Risk Management

    1/23


    3/23

    IT is essential to manage transactions, information and knowledge

    IT has become an integral part of business, fundamental to support, sustain and grow the business

    Successful enterprises understand and manage the risks and constraints of IT

    Source: Board Briefing on IT Governance

    4/23

    Take advantage of IT's enabling capacity for new business models

    Balance IT's increasing costs and information's increasing value to obtain an appropriate return

    Manage the risks of doing business in an interconnected world

    Manage IT's ability to build and maintain the knowledge essential to sustain the business

    Avoid the failures of IT

    5/23

    A subset of corporate governance focused on information technology systems and their performance and risk

    Implies a system in which all stakeholders (board, internal customers, finance, etc.) have a say in the decision-making process

    Specifying the decision rights and accountability framework to encourage the desirable use of IT

    Source: www.wikipedia.org

    6/23

    "...the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."

    (IT Governance Institute)


    8/23

    Responsibility of executives and board members; governance must flow through the various levels of the enterprise


    10/23

    Strategic alignment: focus on aligning IT with the business and on collaborative solutions

    Value delivery: concentrating on optimising expenses and proving the value of IT

    Risk management: addresses safeguarding IT assets, disaster recovery and continuity of operations

    Resource management: optimising knowledge and IT infrastructure

    Performance management: tracking project delivery and monitoring IT services


    12/23

    Sarbanes-Oxley Act of 2002

    Basel II

    Regulatory policies of the country

    13/23

    Enacted as a reaction to a number of major corporate scandals

    Also known as the Public Company Accounting Reform and Investor Protection Act

    Applies to all U.S. public company boards, management and public accounting firms

    Contains 11 titles, or sections, ranging from additional board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements

    14/23

    Key Sections:

    Section 302: Disclosure of Internal Controls. Mandates a set of internal procedures designed to ensure accurate financial disclosure.

    Section 401: Disclosures in Periodic Reports. Financial statements published by issuers are required to be accurate and presented in a manner that does not contain incorrect information.

    Section 404: Assessment of Internal Control. Requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting.

    Section 409: Real-Time Disclosures. Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.

    Section 802: Criminal Penalties for Altering Documents. Penalties of up to 20 years' imprisonment.

    15/23

    Recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (initially published June 2004)

    A more comprehensive framework, measure and minimum standard for capital adequacy

    The objectives are the following:

    Ensuring that capital allocation is more risk-sensitive

    Separating operational risk from credit risk, and quantifying both

    Attempting to align economic and regulatory capital more closely, to reduce the scope for regulatory arbitrage (where a regulated institution takes advantage of the difference between its real or economic risk and its regulatory position)

    16/23

    Control Objectives for Information and Related Technology (COBIT): set of best practices for information technology created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute, first released in 1996

    Provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices for maximizing the benefits of IT and establishing appropriate controls

    IT Infrastructure Library (ITIL): detailed framework for achieving successful operational service management of IT

    Developed and maintained by the UK's Office of Government Commerce with the IT Service Management Forum (itSMF)

    17/23

    ISO/IEC 27001: standard specifying the requirements for an information security management system (ISMS), widely used as the set of best practices for implementing a security program

    IT Baseline Protection Catalogs (IT-Grundschutz): collection of documents from the German Federal Office for Information Security (BSI), used especially for detecting and combating security-relevant weak points in IT

    Information Security Management Maturity Model (ISM3): process-based approach built on a maturity model for information security management

    ISO/IEC 38500:2008: provides a framework for effective governance of IT to assist those at the highest level of organisations in fulfilling their legal, regulatory and ethical obligations

    18/23

    ISO/IEC 27001: focus on IT security

    CMM: the Capability Maturity Model

    Six Sigma: focus on quality assurance

    19/23

    Risk: the effect of uncertainty on objectives, whether positive or negative (ISO 31000)

    Risk management: the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events (Douglas Hubbard)

    20/23

    Common examples of risk:

    Requirements may be unstable, immature, unrealistic or excessive

    Little or no user involvement during the early development stages

    If the project involves different or complex domains, the spread of application knowledge across the team may be an issue

    Violation of IT governance and regulatory standards

    21/23

    A risk management strategy involves the following:

    1. Identify the risks.

    2. Determine the risk exposure: the probability P that the risk will actually occur and its effect E if it does. Risk exposure is P × E.

    3. Develop strategies to mitigate the risks.

    4. Handle the risks.
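    Worked example of the four steps on a small risk register, added here as an illustration; it is not part of the slides. The risk names mirror the deck's top-ten list, while every probability, effect, mitigation and cost is a constructed sample value. The "leverage" figure (exposure removed per unit of mitigation cost) is an assumption added beyond the P × E rule on the slide, included because it is how step 3 is usually prioritised when the mitigation budget is limited; the accept / mitigate / escalate decision rule for step 4 is likewise this example's own choice.

```python
# Added illustration of the slide's risk management strategy: identify
# risks, compute exposure P x E, attach mitigations, decide how to handle
# each risk. Not from the original deck; all figures are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    probability: float                 # P: chance the risk materialises, 0..1
    effect: float                      # E: loss if it does (person-days here)
    mitigation: Optional[str] = None   # strategy developed in step 3, if any
    mitigated_probability: Optional[float] = None  # P after mitigation
    mitigated_effect: Optional[float] = None       # E after mitigation
    mitigation_cost: float = 0.0       # cost of the mitigation, same unit as E

    def __post_init__(self) -> None:
        # Guard the inputs: a probability outside 0..1 or a negative effect
        # silently corrupts every ranking built on the register.
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be within 0..1")
        if self.effect < 0:
            raise ValueError(f"{self.name}: effect must be non-negative")

    def exposure(self) -> float:
        """Step 2: risk exposure = P x E."""
        return self.probability * self.effect

    def residual_exposure(self) -> float:
        """Exposure left after the step-3 mitigation is applied.
        Fields left as None keep their unmitigated value."""
        p = self.probability if self.mitigated_probability is None else self.mitigated_probability
        e = self.effect if self.mitigated_effect is None else self.mitigated_effect
        return p * e

    def leverage(self) -> Optional[float]:
        """Exposure removed per unit of mitigation cost (risk reduction
        leverage, an assumption added beyond the slide). None when the
        risk has no costed mitigation."""
        if self.mitigation is None or self.mitigation_cost <= 0:
            return None
        return (self.exposure() - self.residual_exposure()) / self.mitigation_cost


def rank_by_exposure(register: List[Risk]) -> List[Risk]:
    """Prioritise: highest exposure first (sort is stable for ties)."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def handle(risk: Risk, tolerance: float) -> str:
    """Step 4: decide how each risk is handled against an exposure tolerance.
    'accept'   - exposure already within tolerance, no action
    'mitigate' - apply the planned mitigation; residual exposure is tolerable
    'escalate' - no mitigation, or residual still above tolerance, so the
                 decision goes back to governance (change scope, add budget,
                 or consciously accept the larger exposure)."""
    if risk.exposure() <= tolerance:
        return "accept"
    if risk.mitigation is not None and risk.residual_exposure() <= tolerance:
        return "mitigate"
    return "escalate"


# Step 1: identify. Constructed sample register; the names follow the deck's
# top-ten list, the numbers are invented for this example.
SAMPLE_REGISTER = [
    Risk("Unrealistic schedule/budget", 0.6, 40.0,
         "re-estimate against historical project data", 0.3, 40.0, 4.0),
    Risk("Bad external components", 0.25, 60.0,
         "benchmark components before adoption", 0.1, 60.0, 6.0),
    Risk("Personnel shortfall", 0.4, 30.0,
         "pair newcomers with a domain expert", 0.2, 15.0, 5.0),
    Risk("Requirements volatility", 0.5, 20.0),
    Risk("Gold plating", 0.3, 10.0,
         "scope review at each iteration", 0.1, 10.0, 2.0),
]


def risk_report(register: List[Risk], tolerance: float) -> List[dict]:
    """Run steps 2 to 4 over the register and return one row per risk,
    ordered by exposure, ready for the governance review."""
    rows = []
    for r in rank_by_exposure(register):
        rows.append({
            "risk": r.name,
            "exposure": r.exposure(),
            "residual": r.residual_exposure(),
            "leverage": r.leverage(),
            "decision": handle(r, tolerance),
        })
    return rows


if __name__ == "__main__":
    for row in risk_report(SAMPLE_REGISTER, tolerance=5.0):
        print(f"{row['risk']:<30} exposure={row['exposure']:5.1f} "
              f"residual={row['residual']:5.1f} decision={row['decision']}")
```

    With a tolerance of 5 person-days the schedule risk ranks first (exposure 24) yet still escalates, because its mitigation only halves the probability and leaves a residual of 12; the personnel shortfall is the one risk whose mitigation brings it within tolerance, and the unmitigated requirements volatility goes back to governance rather than being quietly accepted.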

    22/23

    Risk / Description

    1. Personnel shortfall: Inexperience in the domain, tools or development techniques

    2. Unrealistic schedule/budget: Estimates may be unrealistic with respect to the requirements

    3. Wrong functionality: Imperfect understanding of the customer's needs, complexity of communication with the client, insufficient domain knowledge in the development team

    4. Wrong user interface: User-friendliness of the interface is crucial to the success of the system

    5. Gold plating: Developers may build 'nice features' not needed by the customers

    23/23

    Risk / Description

    6. Requirements volatility: Many requirements change during development, so the amount of rework increases

    7. Bad external components: The quality or functionality of externally supplied components may be below what is required

    8. Bad external tasks: Subcontractors may deliver inadequate products, or the skills obtained from outside the team may be inadequate

    9. Real-time shortfalls: The real-time performance of the system may be inadequate

    10. Capability shortfalls: An unstable environment, or new or untried technology, poses a risk to the development schedule