Enterprise Risk Management

Enterprise risk management is a fundamental governance responsibility. This site provides information, advice and guidance on risk management, and you can browse our extensive online shop of risk assessment books and tools.

The board has, depending on jurisdiction, either a fiduciary duty or both a fiduciary and a statutory duty to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner has three specific contributions to make to the risk management activity and, for that reason, needs a practical, high-level understanding of the key risk management issues and concepts.

The Enterprise Risk Management chapter of IT Governance Today: a Practitioner's Handbook provides a comprehensive introduction to, and overview of, the subject. Risk Management: A Management Guide is a quick yet thorough approach to best practice risk management.

Enterprise Risk Assessment and Business Impact Analysis is a key operational responsibility for all practitioners, and the OGC's guidance on Management of Risk is particularly useful to any organization. Information security risk assessment is another key area.

Combined Code and Turnbull Report

The UK’s revised Combined Code, for instance, is now explicit in saying that all directors are required to ‘provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enable risk to be assessed and managed.’

Sarbanes-Oxley

The US Sarbanes-Oxley Act mandates the adoption, by US listed companies, of an appropriate system of internal control and, in parallel, requires directors to monitor and report operational risk.

COSO ERM framework

COSO, whose internal control framework has become the de facto standard for companies complying with SOX, started work on developing a separate risk management framework in 2001. This framework, the Enterprise Risk Management – Integrated Framework, was designed to provide a common framework, ‘key principles and concepts, a common language, and clear direction and guidance.’ It expands on the internal control framework, providing a broader and more robust focus on enterprise risk management. Because it incorporates the internal control framework, organizations could (as COSO suggests) move toward implementing an ERM framework to satisfy their internal control needs as well as their broader business risk management needs.

Basel 2

Financial sector corporate governance means that organizations have to comply with the operational risk management guidance of the Basel Committee. The 10 principles set out in the Basel Committee's Risk Management Group's paper on the management and supervision of operational risk are best addressed from within an IT governance framework that ensures that measures taken to assess, control and monitor operational risk are integrated with the firm's overall risk and information management strategy.

Basel 2 has raised operational risk management right up the agenda of financial institutions around the world. Operational risk (see Sound Practices for the Management and Supervision of Operational Risk) is defined as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’ Risk categories include systems risks, such as hardware or software failure, issues over availability and integrity of data, and utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).

IT Risk Management

IT risk management has become a hot IT topic over the last few years. As organizations become increasingly dependent on information technology and intellectual capital assets, the key areas of IT risk are usually seen as:

  • IT infrastructure and network security – rising from concerns about hackers, terrorists, cyber-criminals, insiders, outsiders, viruses, and so on
  • Data integrity, confidentiality and privacy – rising from regulatory and market pressure around protecting personal (e.g. data protection legislation), and corporate data (e.g. fair disclosure regulations), as well as financial and operational data (e.g. Sarbanes Oxley)
  • Business continuity – rising from concerns about the capability to continue in business after a natural or man-made disaster
  • IT management – rising from concerns about project failure, poor IT operational performance, inadequate IT infrastructure, etc.

Information Risk and ISO 27001

The information security standard, ISO/IEC 27001:2005, is specifically risk-based. It recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify. While OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is a clear risk assessment methodology, information security risk assessment can also now follow the guidelines contained in BS7799-3:2006.

Information Security Risk Management for ISO27001/ISO17799 provides the most comprehensive guidance on the subject.

Risk assessment is an asset-level activity that is virtually impossible, for any but the smallest of organizations, without a risk assessment database and a specialist tool such as vsRisk™.

Management of Risk (M_o_R®)

Management of Risk (M_o_R) is the OGC Best Practice Methodology for managing risk.

Critical Risk Management Books and Tools

IT Governance Today: a Practitioner's Handbook

vsRisk™

BS7799-3:2006

Management of Risk (MoR) -2007 Edition

Enterprise Risk Assessment

© 2003 - 2008 IT Governance Ltd. | Website by Xanthos