BT Technology Journal, Volume 25, Issue 1, pp 19–29

Information risk management and compliance — expect the unexpected



This paper sets out to demonstrate that an effective information risk management programme is a key element of an enterprise's overall operational risk and governance programme. Establishing such a programme is also an opportunity to rationalise a number of separate processes and disciplines and align them into a single, effective risk and compliance programme. The paper sets out the opening steps for establishing such a programme so that this opportunity can be realised. The business need has been created by legislation and regulation, accounting standards, best practice and contractual commitments that demand effective governance and appropriate risk management, all while the enterprise still has to generate profit and remain cost effective. Aspects of financial risk, such as credit risk, are supported by mature processes, and there is wide commercial experience in many of these finance-related areas; other risks, however, occur so infrequently that little or no experience has been accumulated in managing them. For some risks no management process has been developed at all, and where one is present it is often either immature or ineffective.







Copyright information

© Springer Science+Business Media, Inc. 2007

Authors and Affiliations

  • M. Drew

