Risk and Controls Management
In a 2004 survey of 200 IT professionals from 14 countries in the Americas, Asia/Pacific and Europe, the IT Governance Institute (ITGI) found that in 80% of organizations, IT management is solely responsible for defining and addressing IT risk impact. This widespread lack of involvement by business unit managers demonstrates a consistent—and alarming—gap in mapping technology risk to the business. Additionally, this gap also shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, the consumers themselves—those people that require and use technology services—must share ownership of business-related IT risks with IT management and executive management.
Content extracted from the document:
Written and provided by
Expert Reference Series of White Papers
1-800-COURSES www.globalknowledge.com

White Paper
Controlling the Beast: Risk and Controls Management in Financial Services
Margaret Brooks, VP Strategic Solutions
October 2006

Executive Summary

With regulatory responsibility falling on executives throughout the value chain and the danger of stringent and varied sanctions, enterprise risk management continues to grow in importance within the financial industry. Accordingly, controls for mitigation of regulatory, operational and reputational risks are now garnering the same kind of attention and resources as an organization's more traditional market, liquidity and credit risk management efforts.

Why the newfound emphasis on enterprise risk management? Internal controls, which are essential to good risk management, now have a direct impact on the solvency and longevity of financial enterprises (due to increased public scrutiny). Further, the requirements for strong internal controls are unprecedented in their level of senior management awareness and accountability (which include personal fines and even imprisonment). Thus, we are in a new era of risk management: one where “controls” are the remedy for risk and the term is applied to any and all of a company’s risk mitigation processes, procedures, applications and data.

Thus, John Flaherty, a former Committee of Sponsoring Organizations (COSO) Chairman (whose framework was recognized by the SEC as the official one for establishing internal controls over financial reporting in a June 2003 announcement) and former Vice President and General Auditor for PepsiCo, says “every division in a company needs to have a documented set of internal rules that control how data is generated, manipulated, recorded and reported.”

For financial institutions and their partners, that’s both a good rule of thumb and a very tall order. However, executives are now on the hook for everything from the authenticity of their financial statements to “the quality of information reporting and systems, the manner in which business risks and activities are aggregated and management’s record in responding to emerging or ...

Introduction

In a 2004 survey of 200 IT professionals from 14 countries in the Americas, Asia/Pacific and Europe, the IT Governance Institute (ITGI) found that in 80% of organizations, IT management is solely responsible for defining and addressing IT risk impact. This widespread lack of involvement by business unit managers demonstrates a consistent—and alarming—gap in mapping technology risk to the business. Additionally, this gap also shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, the consumers themselves—those people that require and use technology services—must share ownership of business-related IT risks with IT management and executive management.

In only about one-third of the organizations surveyed, however, does the CEO or board sign off on an organization’s IT risk management plan. Yet without senior management’s review and approval of the risk action plan and agreement to priorities and commitment of the necessary resources to effectively execute it, the plan itself is not worth the paper it is printed on. That’s why ITGI recommends that boards oversee a consistent approach to the ownership of IT risk management by business and IT management, and ensure that all stakeholders are properly involved in the process.

ITGI identifies five focus areas for IT governance:
1. Strategic alignment
2. Resource management
3. Performance measurement
4. Value delivery
5. Risk management

[Figure: diagram of the IT governance focus areas; surviving labels include Strategic Alignment and Value Delivery]