Risk management

June 24, 2008

Provide information systems audit services in accordance with IS audit standards, guidelines and best practices, to assist the organization in knowing that its IT and business systems are protected and controlled.

Risk Management

A risk can be said to be the potential that a given threat will exploit vulnerabilities of a given asset to cause loss or damage. It can also be described as “uncertainty that surrounds future events and outcomes”. Risk is anything that can impact the interests of stakeholders or the achievement of the organization’s objectives. The impact of risk is based on the probability of threats (their likelihood and frequency of occurrence). Threats can take the form of errors, malicious damage, malicious attack, fraud, theft, equipment failure or software failure.

Vulnerabilities can include lack of user knowledge, use of untested technology, weak passwords and transmission over unprotected communication channels.

Risk management therefore entails identifying risks to information resources and deciding on appropriate controls to reduce risk to an acceptable level, based on the value of the information resources to the organization. There is also the management problem, i.e. that of achieving an effective balance between risks and controls.

The risk management process involves three steps: identifying risks, evaluating controls, and managing risks, i.e. reducing the likelihood or impact of a risk, transferring it, avoiding it, or accepting it and living with it. Risk management is a systematic, logical process that allows the organization to take advantage of opportunities and minimize losses.

The steps involved in the risk management process include:

  • Identify information resources.

  • Identify threats.

  • Evaluate vulnerabilities.

  • Identify consequential impacts.

  • Identify controls to prevent or reduce the likelihood of problems, detect problems and report their occurrence, or minimize impact.

  • Evaluate controls.

  • Determine and evaluate new or additional controls to further minimize risk.

  • Prioritize risks.

  • Identify and implement controls that are most effective and efficient.
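As an added worked example (not part of the original post), the steps above can be expressed as a small risk register: each entry names an asset, threat and vulnerability, scores likelihood and impact, lists the controls in place, and from those derives inherent and residual risk, a priority order and one of the four responses named earlier (reduce, transfer, avoid, accept). The 1 to 5 scales, the risk appetite threshold of 6, the response rules, and every asset, control and score are constructed assumptions for illustration, not figures from the post.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed 1..5 ordinal scales (an assumption of this example, not from the post):
# likelihood 1 = rare .. 5 = almost certain; impact 1 = negligible .. 5 = severe.
RISK_APPETITE = 6   # assumed: a residual score at or below this is accepted


@dataclass
class Control:
    """A control and how many scale points it removes from likelihood or impact."""
    name: str
    likelihood_reduction: int = 0   # preventive controls lower likelihood
    impact_reduction: int = 0       # detective/corrective controls lower impact


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Risk score before any control is applied."""
        return self.likelihood * self.impact

    def residual_factors(self) -> Tuple[int, int]:
        """Likelihood and impact after the listed controls, floored at 1."""
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1), max(imp, 1)

    def residual(self) -> int:
        """Risk score that remains once the controls are evaluated."""
        lik, imp = self.residual_factors()
        return lik * imp

    def response(self) -> str:
        """Pick one of the four responses from the post, using constructed rules."""
        lik, imp = self.residual_factors()
        if self.residual() <= RISK_APPETITE:
            return "accept"     # within appetite: live with it
        if self.residual() >= 20:
            return "avoid"      # too risky to proceed even with controls
        if imp >= 4 and lik <= 2:
            return "transfer"   # rare but severe: insure or outsource
        return "reduce"         # add or strengthen controls


def prioritize(register: List[Risk]) -> List[Tuple[str, str, int, int, str]]:
    """Order risks by residual score (then inherent) so the largest gaps come first."""
    ranked = sorted(register, key=lambda r: (r.residual(), r.inherent()), reverse=True)
    return [(r.asset, r.threat, r.inherent(), r.residual(), r.response()) for r in ranked]


def build_register() -> List[Risk]:
    """Constructed sample register; assets, scores and controls are illustrative only."""
    return [
        Risk("customer database", "theft", "weak passwords", 4, 5,
             [Control("password policy", likelihood_reduction=2),
              Control("encryption at rest", impact_reduction=1)]),
        Risk("payment server", "equipment failure", "no redundancy", 3, 4),
        Risk("intranet wiki", "errors", "lack of user knowledge", 3, 2),
        Risk("new trading platform", "software failure", "untested technology", 5, 5),
    ]


if __name__ == "__main__":
    for asset, threat, inh, res, resp in prioritize(build_register()):
        print(f"{asset:22} {threat:18} inherent={inh:2} residual={res:2} -> {resp}")
```

Running the register prints the entries in priority order; the untested platform scores 25 and is avoided, the payment server (12, no controls) needs further controls, the customer database drops from 20 to 8 after its two controls and is a transfer candidate, and the wiki sits within appetite and is accepted. Tuning the reduction values of each control is the "evaluate controls" step: if a control turns out not to lower the score below appetite, that is the signal to determine additional controls.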


 

When doing risk management one should also consider risk in the audit process itself; thus one should have a planning guide that assesses risk so as to:

  • Provide reasonable assurance that material items will be adequately covered during the audit work.

  • Identify areas with a relatively high risk of material problems existing.

Components of enterprise risk management (ERM):

  • Internal environment, i.e. the tone, philosophy and risk appetite of the organization, meaning the risk it is willing to accept and live with.

  • Objective setting, i.e. the objectives of the ERM.

  • Event identification, i.e. internal and external events.

  • Risk assessment, i.e. the likelihood and the impact of the risk.

  • Risk response, i.e. reduce likelihood, transfer, avoid, treat.

  • Control activities, i.e. policies and procedures to carry out risk responses.

  • Information and communication: identifying the flow of information downwards, upwards and across the organization.

  • Monitoring: ongoing management activities and modifications.

IT Governance

June 24, 2008

Corporate Governance can be defined as ethical corporate behavior by directors or others charged with governance in the creation and presentation of wealth.

Corporate governance spells out the rules and procedures for making decisions on corporate affairs. This provides a structure through which company objectives are set, along with the means of attaining those objectives and monitoring performance.

IT governance tries to ensure that the organization and its related technology are supported, i.e. that IT resources are used responsibly and IT risks are managed.

IT has long been considered as an integral part of the overall organization’s strategy. IT helps achieve this overall strategy by efficiently and effectively deploying secure and reliable technology. The intent of IT Governance is to ensure:

  • Integrity of IT systems.

  • Inclusion of independent audit.

  • Inclusion of appropriate controls for monitoring IT risks, controlling IT assets, compliance with laws and regulations and record management.

  • Enable the enterprise by exploiting opportunities and maximizing the benefits of IT.

  • Ensure IT resources are used responsibly.

Factors driving IT Governance are:

  • Expanding role of IT into corporate/enterprise governance support, strategy initiative, knowledge management, privacy/security/continuity.

  • Proliferation of technology solutions.

  • Increased emphasis on accountability.

  • Need to manage the management process.

  • Focus on organizational capital, value and balance.

  • Rapid advance of technology.
The key elements driving IT Governance are:

  • IT strategic planning

  • IT control performance

  • IT project management

  • IT asset management

  • IT policies/standards/processes, i.e. corporate, business unit and information services.

IT governance is concerned with two issues: that IT delivers value to the business and that IT risks are mitigated. The first is driven by strategic alignment of IT with the business; the second is driven by embedding accountability into the enterprise.

IT governance is the responsibility of the board and executive management. It is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategy and objectives.

A key goal of IT governance is the alignment of business and IT to achieve business value.

This key goal is achieved by aligning IT governance frameworks with best practices. Such a framework should be composed of IT governance structures, processes and relational mechanisms.

The key governance practices are:

  • IT strategy committee.

  • Risk management.

  • Standard IT balanced scorecard.

BEST PRACTICES FOR IT GOVERNANCE:

Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction, thereby ensuring that goals are achievable, risks are properly addressed and the organization’s resources are properly utilized. IT governance is a structure of relationships and processes used to direct and control the enterprise towards the achievement of its goals by adding value while balancing risk versus return over IT and its processes.