Information risk management and compliance — expect the unexpected
This paper sets out to demonstrate that an effective information risk management programme is a key element of an enterprise’s overall operational risk and governance programme. Establishing such a programme offers a golden opportunity to rationalise and align a number of processes and disciplines into a single, effective risk and compliance programme, and this paper sets out the opening steps for doing so. The business need has been created by legislation and regulation, accounting standards, best practice and contractual commitments that demand effective governance and appropriate risk management, while the enterprise must still generate profit and remain cost effective. Aspects of financial risk, e.g. credit risk, are supported by mature processes, and there is wide commercial experience in many of these finance-related areas; other risks, however, may occur so rarely that little or no experience has been accumulated. For some of these risks no process has been developed to manage them at all; where a risk management process is present, it is often immature or ineffective.
Keywords: Risk Management; Business Process; Executive Management; Risk Management Process; Internal Audit Function