Enterprise Risk Management
Enterprise risk management, which can be defined as the approach used to identify, assess, and respond to internal and external risks and opportunities, is a fundamental governance responsibility.
Depending on jurisdiction, the corporate board has either a fiduciary duty, or both a fiduciary and a statutory duty, to identify and manage enterprise risk. While enterprise risk management ought to be the responsibility of a corporate risk management team, the IT governance practitioner needs a practical, high-level understanding of the key risk management issues and concepts.
Operational Risk Management
Operational risk management, particularly in the financial sector, is essential. Operational risk management deals with the cyclical application of a process of risk assessment, decision-making, and the implementation of controls to manage and mitigate risk.
The Sarbanes–Oxley Act (SOX) mandates the adoption by US-listed companies of an appropriate system of internal controls and requires directors to monitor and report operational risk.
Under SOX, management is required to certify the company’s financial reports, and both management and an independent accountant are required to certify the organization’s internal controls. In almost every organization, financial reporting depends on the IT infrastructure, whether for the rendering of an invoice, the effective operation of an ERP system, or an integrated, organization-wide management information and control system.
See our Sarbanes–Oxley information page for further guidance on the Act and links to resources that will help you comply with the Act’s requirements.
Basel II / Basel III
The Basel Accords (Basel I, II and III) are a series of banking regulations agreed (in 1988, 2004, and 2013, respectively) by The Basel Committee on Banking Supervision (BCBS), a group comprising representatives from 27 major financial centers. The purpose of the Accords is to regulate financial and banking practices on an international level, focusing on ensuring effective operational risk practices.
Basel II raised operational risk management up the agenda of financial institutions around the world by stipulating the minimal levels of capital they needed to put aside to offset potential losses from investment and lending.
Basel II defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events."
Risk categories include systems risks, such as hardware or software failure, issues over the availability and integrity of data, utility failures, and external events (e.g. malware or hacker attack, terrorist attack, vandalism or supplier failure).
Basel III, a stronger version of the original accord requiring increased levels of offset capital, is due to supersede Basel II between 2012 and 2018.
See our Basel Accords information page for further guidance.
Risk Management Standards
- BS31100:2008 is the British Code of Practice for Risk Management and provides advice and guidance on developing, implementing, and maintaining proportionate and effective risk management fully aligned with ISO31000.
- ISO27005:2011 gives guidance to support the requirements given in ISO/IEC 27001:2013 and ISO27002:2013 regarding all aspects of information security management system (ISMS) risk assessment. This includes assessing and evaluating the risks, implementing controls to treat the risks, monitoring and reviewing the risks, and maintaining and improving the system of risk controls. The standard is fully aligned with the International Standard for risk management, ISO 31000.
- ISO22301 is the international standard for Business Continuity and specifies the requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a business continuity management system (BCMS).
- The information security standard ISO/IEC 27001:2013 is specifically risk-based. It recommends, in effect, that organizations implement information security controls prioritized by, and in proportion to, the business and information risks they identify.
- OCTAVE (Operationally Critical Threat, Asset & Vulnerability Evaluation), for instance, is a well-defined risk assessment methodology; information security risk assessment can also now follow the guidelines contained in ISO/IEC 27005:2008.
All of these standards can be purchased through our store.
Management of Risk (M_o_R®)
Management of Risk (M_o_R) is the UK Cabinet Office's route map for risk management, bringing together principles, interrelated processes, and pointers to more detailed sources of advice on risk management techniques and specialisms.
M_o_R covers four key concepts:
- M_o_R Principles: Seen as essential for the development of best practice risk management, all principles are derived from corporate governance principles in the recognition that risk management is a subset of any organization’s internal controls.
- M_o_R Approach: These principles need to be adapted to suit each individual organization. Accordingly, an organization’s approach to these principles needs to be agreed and defined within a risk management policy, process guide and plans, and be supported by the use of risk registers and issue logs.
- M_o_R Processes: These six process steps describe the inputs, outputs, and activities involved in ensuring that risks are identified, assessed, and controlled.
- Embedding and Reviewing M_o_R: Having put in place these principles, approaches, and processes, for them to be effective, an organization needs to ensure that they are consistently applied and that their application undergoes continual improvement.