
Enterprise Risk Management

Enterprise risk management, which can be defined as the approach used to identify, assess and respond to internal and external risks and opportunities, is a fundamental governance responsibility.

Depending on jurisdiction, the corporate board has either a fiduciary, or both a fiduciary and a statutory, duty to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner needs to have a practical, high-level understanding of the key risk management issues and concepts.

On this page:

Operational Risk Management
Sarbanes-Oxley
Basel II / Basel III
Risk Management Standards
Management of Risk (M_o_R®)
Risk Management Resources

“Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. Major projects fail; customer shifts make our offers irrelevant; billion-dollar brands erode, then collapse; entire industries stop making money; technology shifts or unique competitors kill dozens of companies in one stroke; companies stagnate needlessly. When these risk events happen, thousands of jobs get lost, brilliant organizations are disassembled, expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses.”

from The Upside, Adrian J. Slywotzky.

Operational Risk Management

Operational risk management, particularly in the financial sector, is essential. Operational risk management deals with the cyclical application of a process of risk assessment, decision making, and the implementation of controls to manage and mitigate risk.

Sarbanes-Oxley

The Sarbanes-Oxley Act (SOX) mandates the adoption by US-listed companies of an appropriate system of internal controls, and requires directors to monitor and report operational risk.

Under SOX, management is required to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.

See our Sarbanes-Oxley information page for further guidance on the Act and links to resources that will help you comply with the Act’s requirements.

Basel II / Basel III

The Basel Accords (Basel I, II and III) are a series of banking regulations agreed (in 1988, 2004 and 2013 respectively) by the Basel Committee on Banking Supervision (BCBS), a group comprising representatives from 27 major financial centers. The purpose of the Accords is to regulate financial and banking practices at an international level, with a focus on ensuring effective operational risk practices.

Basel II raised operational risk management up the agenda of financial institutions around the world by stipulating the minimal levels of capital they needed to put aside to offset potential losses from investment and lending.

Basel II defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events’.

Risk categories include systems risks, such as hardware or software failure, issues over the availability and integrity of data, utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).

Basel III, a stronger version of the original accord requiring increased levels of offset capital, is due to supersede Basel II between 2012 and 2018.

See our Basel Accords information page for further guidance.

Risk Management Standards

  • BS31100:2008 is the British Code of Practice for Risk Management, and provides advice and guidance on developing, implementing and maintaining proportionate and effective risk management fully aligned with ISO31000.
  • BS7799-3:2006 gives guidance to support the requirements given in BS ISO/IEC 27001:2005 regarding all aspects of an information security management system (ISMS) risk management cycle. This includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls. The focus of this standard is effective information security through an ongoing program of risk management activities. This focus is targeted at information security in the context of an organization’s business risks.
  • ISO22301 is the international standard for Business Continuity, and specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS).
  • The information security standard ISO/IEC 27001:2013 is specifically risk-based. It recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify.
  • OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation) is one well-defined information security risk assessment methodology; information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2008.

All of these standards can be purchased through our Web Store.

Management of Risk (M_o_R®)

Management of Risk (M_o_R) is the UK Cabinet Office's route map for risk management, bringing together principles, interrelated processes and pointers to more detailed sources of advice on risk management techniques and specialisms.

M_o_R covers four key concepts:

  • M_o_R Principles: Seen as essential for the development of best practice risk management, all principles are derived from corporate governance principles in the recognition that risk management is a subset of any organization’s internal controls.
  • M_o_R Approach: These principles need to be adapted to suit each individual organization. Accordingly, an organization’s approach to these principles needs to be agreed and defined within a risk management policy, process guide and plans, and supported by the use of risk registers and issue logs.
  • M_o_R Processes: These six process steps describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled.
  • Embedding and Reviewing M_o_R: Having put in place these principles, approaches and processes, for them to be effective an organization needs to ensure that they are consistently applied and that their application undergoes continual improvement.

Risk Management Resources

IT Governance supplies a wide range of Risk Management products, including standards, books, toolkits, training courses and software. We recommend the following:

  • Enterprise Risk Assessment and Business Impact Analysis is a comprehensive guide to risk management which illustrates issues, approaches and requirements from various countries, and focuses particularly on risk areas which are of generic value to the reader, while providing references and case studies relevant to specific market sectors.
  • The Information Security Risk Assessment Toolkit gives you the tools and skills you need to carry out quick, reliable and thorough risk assessments that provide dependable information and analysis upon which you can weigh your risk treatment options.
  • Information Security Risk Management for ISO27001/ISO17799 draws on international best practice, including ISO/IEC 27005, NIST SP800-30 and BS7799-3, to explain in practical detail how to carry out an information security risk assessment. It covers key topics such as risk scales, threats and vulnerabilities, selection of controls, and roles and responsibilities, and includes advice on choosing risk assessment software.
  • Risk assessment is an asset-level activity that is virtually impossible for any but the smallest of organizations without a risk assessment database and a specialist tool such as vsRisk™. The new vsRisk™ 2 Standalone version automates and delivers an ISO/IEC 27001-compliant, asset-based risk assessment in a few simple steps.
