IT Governance and the Maturity of IT Risk Management Practices

2015 ◽  
Vol 31 (1) ◽  
pp. 59-77 ◽  
Author(s):  
Nishani Edirisinghe Vincent ◽  
Julia L. Higgs ◽  
Robert E. Pinsker

ABSTRACT The Securities and Exchange Commission's enhanced disclosure rule on risk oversight, state laws requiring public disclosure of compromised customer information, and high-profile customer information breaches have caused Information Technology (IT) risk management practices to be a major concern for boards of directors and management. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Enterprise Risk Management (ERM) framework emphasizes the importance of the board's oversight role while also bringing attention to the firm's reporting structure. Consequently, our study examines whether the maturity of IT risk management practices depends on Chief Information Officer (CIO) reporting structure and Chief Executive Officer (CEO)/Chairman duality. We develop a scale to measure strategic and operational maturity under the larger auspice of IT risk management and distribute a survey to high-level IT professionals. Our survey also captures the reporting structure of their firms. Consistent with our hypothesis, we find that the maturity of strategic IT risk management practices is higher when the CIO reports directly to the CEO. However, contrary to expectations, we do not find that operational risk management is more mature when the CIO reports to the Chief Financial Officer (CFO). Instead, operational risk management is more mature when the CIO reports to the CEO. For public firms, the maturity of IT risk management practices is higher when the CEO is also the chairman of the board of directors. As C-level officers may have asymmetric access to the board, understanding reporting structures may inform firms, regulators, and interested stakeholders on how well IT risk is managed and on the factors that affect IT governance.

2017 ◽  
Vol 25 (2) ◽  
pp. 176-195 ◽  
Author(s):  
Semir Ibrahimovic ◽  
Ulrik Franke

Purpose: This paper aims to examine the connection between information system (IS) availability, operational risk losses and capital requirements. As most businesses today become increasingly dependent on information technology (IT) services for continuous operations, IS availability is becoming more important for most industries. However, the banking sector has particular sector-specific concerns that go beyond the direct and indirect losses resulting from unavailability. According to the first pillar of the Basel II accord, IT outages in the banking sector lead to increased capital requirements and thus create an additional regulatory cost, over and above the direct and indirect costs of an outage.
Design/methodology/approach: A Bayesian belief network (BBN) with nodes representing causal factors has been used to identify the factors with the greatest influence on IS availability, thus helping in investment decisions.
Findings: By using the BBN model to make IS availability-related decisions (e.g. bringing a causal factor up to the best-practice level), an organization would, according to the presented mapping table, have fewer operational risk events related to IS availability. This would directly decrease the losses related to those events, as well as the capital requirements prescribed by the Basel II accord for covering operational risk losses.
Practical implications: An institution using the proposed framework can use the mapping table to see which measures for improving IS availability will have a direct impact on operational risk events, thus improving operational risk management.
Originality/value: The authors mapped the factors causing unavailability of IS to the rudimentary IT risk management framework implied by the Basel II regulations and thus established an otherwise absent link from IT availability management to operational risk management under the Basel II framework.


2017 ◽  
Vol 18 (3) ◽  
pp. 795-810 ◽  
Author(s):  
Deepak Tandon ◽  
Yogieta S. Mehra

The financial crisis and the resulting failure of large banks worldwide has shaken the entire world. Improper management of operational risk has been touted as one of the reasons for this failure. In light of the rising importance of operational risk management (ORM) in banks, the study explores the range of ORM practices followed by a cross section of Indian banks and compares them with banks worldwide. The study also analyses the impact of the size and ownership of banks on these practices. Reliability analysis using the Cronbach alpha model, the Kaiser–Meyer–Olkin (KMO) measure of sampling adequacy and Bartlett's test of sphericity was used to test the reliability of the questionnaire and to justify the use of factor analysis. Factor analysis was performed to extract the most important variables in ORM. Small bank size was observed to be a deterrent to deep involvement of operational risk functionaries, to the collection and usage of external loss data, and to data collection and analysis. Further, the performance/preparedness of public sector and old private sector banks lagged behind peers in the usage of key reporting components, such as risk and control self-assessment (RCSA), key risk indicators (KRI), scenarios, collection and usage of external loss data, data collection and analysis, and quantification and modelling of operational risk.


2018 ◽  
Vol 33 (3) ◽  
pp. 117-135
Author(s):  
Nishani Edirisinghe Vincent ◽  
Julia L. Higgs ◽  
Robert E. Pinsker

ABSTRACT The Securities and Exchange Commission's 2009 enhanced proxy disclosure requirements and the updated Committee of Sponsoring Organizations' (COSO) Internal Control Framework have caused organizations to increase their focus on risk management and consider the impact of information technology (IT) in enterprise risk management. Our study examines whether board involvement, board expertise, and top management's risk culture affect the maturity of IT risk management practices (maturity) in firms. We find that board involvement positively influences maturity while top managers' risk-taking behavior is associated with lower maturity. Even though board expertise influences maturity, board involvement is more important in explaining maturity. Maturity is higher in firms where risk oversight lies with a board-level, rather than a management, committee. However, the maturity of ITRM practices does not differ among firms whether risk oversight lies with the overall board, or any other board committee. The findings contribute to an under-researched area in IT governance.


2016 ◽  
Vol 1 (1) ◽  
pp. 29
Author(s):  
Kerongo Maatwa Meshack ◽  
Rose Wairimu Mwaura

Purpose: The purpose of the study was to determine the effect of operational risk management practices on the financial performance of commercial banks in Tanzania.
Methodology: The research problem was studied by use of a descriptive research design. The population of the study consisted of all commercial banks in Tanzania. The study used a sample size of 34 commercial banks in Tanzania; therefore all the commercial banks participated equally. Questionnaires were the primary data collection tool in this study. The data gathered from the respondents were analyzed and presented using descriptive statistics.
Results: The study found that the three independent variables in the study, credit risk, insolvency risk and operational efficiency, influenced the financial performance of commercial banks for the period under study.
Unique contribution to theory, practice and policy: This study therefore recommends that commercial banks handle their operations appropriately, as changes in factors like insolvency and credit risk bring about an effect on the profitability of commercial banks and hence affect their financial performance.


Author(s):  
Mario Spremic

Most organizations in all sectors of industry, commerce, and government are fundamentally dependent on their information systems (IS) and would quickly cease to function should the technology (primarily information technology, IT) that underpins their activities ever come to a halt. The development and governance of proper IT infrastructure may have enormous implications for the operation, structure, and strategy of organizations. IT and IS may contribute towards efficiency, productivity, and competitiveness improvements of both interorganizational and intraorganizational systems. On the other hand, successful organizations manage the IT function in much the same way that they manage their other strategic functions and processes. This, in particular, means that they understand and manage the risks associated with growing IT opportunities, as well as the critical dependence of many business processes on IT and vice versa. IT risk management issues are not only marginal or 'technical' problems but become more and more a 'business problem.' Therefore, in this chapter, a corporate IT risk management model is proposed and contemporary frameworks of IT governance and IT audit are explained. The chapter also depicts how to model information systems and supporting IT procedures to meet the 'always-on' requirements that come from the business. In fact, a number of IT metrics proposed in the chapter support the alignment of IT governance activities with business requirements towards IT.


Author(s):  
Emmanuel Byamungu ◽  
Irechukwu Eugenia Nkechi ◽  
Henry Jefferson Ogoi

Risk management practices are currently a subject of interest and a novel area of research and application by diverse organizations. Nevertheless, much remains to be debated on this subject in terms of a general statement of strategic risk management practices: there is uncertainty about whether there should be a declaration for each principal risk category the organization experiences, or whether a general set of risk management practices should exist for the organization. A risk management practice is about achieving corporate goals. For many financial institutions (FIs), dual goals exist, such as the social and economic perspectives. This study sought to analyze the effect of strategic risk management practices on corporate investment of selected financial institutions in Rwanda. The study aimed at establishing the effect of operational risk management practices, market risk management practices, compliance risk management practices and governance risk management practices on corporate investment in selected commercial banks in Rwanda. The study adopted a descriptive research design. The study targeted 95 managers from finance, internal audit, risk compliance and operations departments. The sample size was 77 respondents. The research was conducted using primary and secondary data, which included survey forms (questionnaires), interviews, and reports of the targeted institutions. Information for the research was gathered using structured survey forms that were distributed to the targeted respondents. Narrative information obtained from interviews and open-ended questions in the questionnaire was analyzed using qualitative approaches. Validity and reliability of the instruments were tested using the Cronbach alpha and test-retest methods. With the aid of Statistical Package for Social Science version 21.0, both descriptive statistics, such as means, modes, standard deviations and variances, and inferential statistics were analyzed.
The research revealed that management of operational risk has a constructive effect on the financial performance of financial institutions in Rwanda. The study found that there is a correlation between both operational risk management and market risk management and the performance of the financial institutions. The research findings reported correlations with corporate investment for operational risk management (r=0.096, p<0.01), market risk management (r=0.506, p<0.01) and compliance risk management (r=0.612, p<0.01).


2020 ◽  
Vol 11 (1) ◽  
Author(s):  
Yeni Erlika ◽  
Muhammad Izman Herdiansyah ◽  
A. Haidar Mirza

Abstract

The application of IT management needs to be evaluated to measure the level of IT risk management that occurs. This study aims to analyze and understand the IT risk management process adopted at the University of Bina Darma Palembang using the ISO 31000 approach, and focuses on evaluating IT management practices covering three stages: identification, analysis, and risk treatment. Bina Darma University is a university that has applied information technology to support its business processes, in accordance with its vision and mission. The whole system can be used to support the performance of employees and lecturers and to provide services to students; the system manager is the Directorate of Technology Systems, hereinafter referred to as DSTI. Risks that have occurred at the University of Bina Darma concern security standards and disaster recovery: problems that occurred were previously handled, but without a standard and manually, for example backing up data to a hard disk. Using the risk assessment stage of the ISO 31000 framework, the researchers found that Bina Darma University currently has not implemented ISO standards in dealing with its IT risk management. University management is in the process of designing the implementation of ISO. From interviews with IT staff and observations, the researchers found that Bina Darma University has the ability to apply ISO 31000 in managing its risk. This research produces IT risk reports on current system applications.

Keywords: IT Risk Management, ISO 31000, Assessment, Mitigation

Abstract (translated from Indonesian)

The application of IT management needs to be evaluated to measure the level of handling of IT risks that occur. This study aims to analyze and understand the IT risk management process adopted at Universitas Bina Darma Palembang using the ISO 31000 approach, and focuses on evaluating IT management practices covering three stages: identification, analysis, and risk treatment. Universitas Bina Darma is a university that has applied information technology to support its business processes, in line with its vision and mission. All existing systems can be used to support the performance of staff and lecturers as well as services to students; the system manager is the Directorate of Technology Systems, hereinafter referred to as DSTI. Risks that have occurred at Universitas Bina Darma concern security standards and disaster recovery: problems that arose were previously handled, but without a standard and manually, for example backing up data using a hard disk. Using the risk assessment stage of the ISO 31000 framework, the researchers found that Universitas Bina Darma currently has not yet applied ISO standards in handling its IT risk management. University management is in the process of designing the implementation of ISO. From interviews with IT staff and observations, the researchers found that Universitas Bina Darma has the capability to apply ISO 31000 in managing its risks. This research produces an IT risk report on current system applications.

Keywords: IT Risk Management, ISO 31000, Assessment, Mitigation

