IT Governance and Risk Management
TRANSCRIPT
-
8/8/2019 IT Governance and Risk Management
-
IT is essential to manage transactions, information and knowledge
IT has become an integral part of business, fundamental to support, sustain and grow the business
Successful enterprises understand and manage the risks and constraints of IT
Source: Board Briefing on IT Governance
-
Take advantage of IT's enabling capacity for new business models
Balance IT's increasing costs and information's increasing value to obtain an appropriate return
Manage the risks of doing business in an interconnected world
Manage IT's ability to build and maintain the knowledge essential to sustain the business
Avoid the failures of IT
-
A subset of corporate governance focused on information technology systems and their performance and risk
Implies a system in which all stakeholders (board, internal customers, finance, etc.) have a say in the decision-making process
Specifying the decision rights and accountability framework to encourage the desirable use of IT
Source: www.wikipedia.org
-
"...the leadership and organisational structures and processes that ensure that the organisation's IT sustains and extends the organisation's strategies and objectives."
(IT Governance Institute)
-
The responsibility of executives and board members; governance must flow through the various levels of the enterprise
-
Strategic alignment: focus on aligning IT with the business and on collaborative solutions
Value delivery: concentrating on optimising expenses and proving the value of IT
Risk management: addresses the safeguarding of IT assets, disaster recovery and continuity of operations
Resource management: optimising knowledge and IT infrastructure
Performance management: tracking project delivery and monitoring IT services
-
Sarbanes-Oxley Act of 2002
Basel II
Regulatory policies of the country
-
Enacted as a reaction to a number of major corporate scandals
Also known as the Public Company Accounting Reform and Investor Protection Act
Applies to all U.S. public company boards, management and public accounting firms
Contains 11 titles or sections, ranging from additional board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on the requirements
-
Key sections:
Section 302, Disclosure of Internal Controls: mandates a set of internal procedures designed to ensure accurate financial disclosure
Section 401, Disclosures in Periodic Reports: financial statements published by issuers are required to be accurate and presented in a manner that does not contain incorrect information
Section 404, Assessment of Internal Control: requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting
Section 409, Real Time Disclosures: issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations
Section 802, Criminal Penalties for Altering Documents: penalties of up to 20 years' imprisonment for altering, destroying or falsifying records
-
Recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision (initially published June 2004)
A more comprehensive framework, measure and minimum standard for capital adequacy
The objectives are:
Ensuring that capital allocation is more risk-sensitive
Separating operational risk from credit risk, and quantifying both
Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage (where a regulated institution takes advantage of the difference between its real or economic risk and the regulatory position)
-
Control Objectives for Information and Related Technology (COBIT): a set of best practices for information technology created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute in 1996
Provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices for maximizing the benefits of IT and establishing controls
IT Infrastructure Library (ITIL): a detailed framework for achieving successful operational service management of IT
Developed and maintained by the UK's Office of Government Commerce (OGC) together with the IT Service Management Forum (itSMF)
-
ISO/IEC 27001: the international standard specifying the requirements for an information security management system (ISMS); a set of best practices for implementing a security programme
IT Baseline Protection Catalogs (IT-Grundschutz): a collection of documents from the German Federal Office for Information Security (BSI), used especially for detecting and combating security-relevant weak points in IT
Information Security Management Maturity Model (ISM3): a process-based approach to information security management built on a maturity model
ISO/IEC 38500:2008: provides a framework for effective governance of IT to assist those at the highest level of organizations in fulfilling their legal, regulatory and ethical obligations
-
ISO/IEC 27000 series: focus on IT security
CMM, the Capability Maturity Model: focus on software process maturity
Six Sigma: focus on quality assurance
-
Risk: the effect of uncertainty on objectives, whether positive or negative (ISO 31000)
Risk management: the identification, assessment and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events (Douglas Hubbard)
-
Common examples of risk:
Requirements may be unstable, immature, unrealistic or excessive
Little or no user involvement during the early development stages
If the project involves different or complex domains, the spread of application knowledge across the team may be an issue
Violation of IT governance and regulatory standards
-
A risk management strategy involves the following:
1. Identify the risks.
2. Determine the risk exposure: the probability P that the risk will actually occur and the effect (loss) E if it does. Risk exposure is P x E.
3. Develop strategies to mitigate the risks.
4. Handle the risks.
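The four steps above as a small risk register, an added example written for this transcript rather than code from the original slides. It computes exposure P x E for each identified risk, ranks the register, picks a mitigation per risk and reports the residual exposure. The risk names are taken from the risk list on the following slides; every probability, impact (counted here in person-weeks of rework) and mitigation cost is a constructed estimate, and the selection rule (apply a mitigation only when it removes more exposure than it costs, preferring the option with the largest reduction per unit of cost) is an assumption of this example, not something the slides state.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Mitigation:
    """A candidate way of handling a risk (step 3)."""
    action: str
    cost: float              # effort to carry it out (person-weeks, constructed)
    new_probability: float   # P after the mitigation
    new_impact: float        # E after the mitigation


@dataclass
class Risk:
    name: str
    probability: float       # P: chance the risk materialises, 0.0 .. 1.0
    impact: float            # E: loss if it does (person-weeks of rework here)
    options: List[Mitigation] = field(default_factory=list)
    chosen: Optional[Mitigation] = None

    def exposure(self) -> float:
        """Step 2: risk exposure RE = P x E."""
        return self.probability * self.impact

    def residual_exposure(self) -> float:
        """Exposure left after the chosen mitigation (unchanged if none chosen)."""
        if self.chosen is None:
            return self.exposure()
        return self.chosen.new_probability * self.chosen.new_impact


def validate(risk: Risk) -> None:
    """Reject estimates that would make P x E meaningless before ranking on it."""
    probs = [risk.probability] + [m.new_probability for m in risk.options]
    if any(not 0.0 <= p <= 1.0 for p in probs):
        raise ValueError(f"{risk.name}: probabilities must lie in [0, 1]")
    if risk.impact < 0 or any(m.new_impact < 0 for m in risk.options):
        raise ValueError(f"{risk.name}: impact must be non-negative")


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank the register by exposure, highest first (ties keep input order)."""
    for r in risks:
        validate(r)
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)


def best_mitigation(risk: Risk) -> Optional[Mitigation]:
    """Step 3 (assumed rule): consider only options that remove more exposure
    than they cost, and take the one with the largest reduction per unit of cost."""
    best, best_leverage = None, 0.0
    for m in risk.options:
        reduction = risk.exposure() - m.new_probability * m.new_impact
        if m.cost <= 0 or reduction <= m.cost:
            continue                       # not worth doing: accept the risk instead
        leverage = reduction / m.cost
        if leverage > best_leverage:
            best, best_leverage = m, leverage
    return best


def handle(risks: List[Risk]) -> List[Risk]:
    """Step 4: record the chosen mitigation on every risk and return the register
    re-ranked by residual exposure, so the next review starts from the new top."""
    for r in prioritize(risks):
        r.chosen = best_mitigation(r)
    return sorted(risks, key=lambda r: r.residual_exposure(), reverse=True)


def total_exposure(risks: List[Risk], residual: bool = False) -> float:
    return sum(r.residual_exposure() if residual else r.exposure() for r in risks)


# Step 1: identify.  Names come from the risk list on this page; the numbers are constructed.
REGISTER = [
    Risk("Personnel shortfall", 0.4, 20.0, [
        Mitigation("Staff with domain experts; cross-train the team", 3.0, 0.1, 10.0)]),
    Risk("Unrealistic schedule/budget", 0.6, 30.0, [
        Mitigation("Re-estimate against the requirements; cut scope", 2.0, 0.3, 15.0)]),
    Risk("Requirement volatility", 0.5, 16.0, [
        Mitigation("Incremental delivery with a change-control board", 4.0, 0.5, 4.0),
        Mitigation("Freeze requirements early", 1.0, 0.5, 14.0)]),   # cheap, barely helps
    Risk("Bad external components", 0.2, 12.0, [
        Mitigation("Benchmark and inspect components before adoption", 5.0, 0.1, 6.0)]),  # costs more than it saves
    Risk("Gold plating", 0.3, 3.0),        # no option listed: the risk is simply accepted
]

if __name__ == "__main__":
    print(f"{'Risk':30} {'P':>4} {'E':>6} {'RE':>6}  handling")
    for r in handle(REGISTER):
        what = r.chosen.action if r.chosen else "accept"
        print(f"{r.name:30} {r.probability:4.1f} {r.impact:6.1f} {r.residual_exposure():6.1f}  {what}")
    print(f"total exposure {total_exposure(REGISTER):.1f} -> "
          f"{total_exposure(REGISTER, residual=True):.1f} after handling")
```

With the constructed numbers the register ranks "Unrealistic schedule/budget" first (RE 18), the two mitigations that pay for themselves are applied, the benchmarking option for external components is rejected because its cost exceeds the exposure it removes, and the total exposure falls from 37.3 to 10.8 person-weeks; the risk that then heads the list is the one nobody treated, which is exactly the item the next review should look at.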
-
Risk / Description
1. Personnel shortfall: inexperience in the domain, tools or development techniques
2. Unrealistic schedule/budget: estimates may be unrealistic with respect to the requirements
3. Wrong functionality: imperfect understanding of the customer's needs, complexity of communication with the client, insufficient domain knowledge of the development team
4. Wrong user interface: the user-friendliness of the interface is crucial to success
5. Gold plating: developers may build 'nice' features not needed by the customers
-
Risk / Description
6. Requirement volatility: many requirements change during development, and the amount of rework increases
7. Bad external components: the quality or functionality of externally supplied components may be below what is required
8. Bad external tasks: subcontractors may deliver inadequate products, or the skills obtained from outside the team may be inadequate
9. Real-time shortfalls: the real-time performance of the system may be inadequate
10. Capability shortfalls: an unstable environment, or new or untried technology, poses a risk to the development schedule