IT Governance, Risk, and Compliance (ITGRC)

Businesses rely on their IT departments and resources for competitive advantages and business to business transactions and cannot afford to apply to IT anything less than the same level of commitment they devote company assets. IT offers extraordinary opportunities to transform the business; however IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, Information Security, and Risk Management encompasses several initiatives for executive management. At a glance, they must be aware of the role and impact of IT on the enterprise, define constraints within which IT professionals should operate and measure performance, understand risk and obtain assurance.

Corporate Governance:

Before discussing Information Technology and Security Governance, one must look at that broader issue of Corporate Governance in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco, and is becoming increasing popular today in the wake of TJX credit card breach case. Companies generating interest in corporate governance is not new, but the severity of the financial impacts of the many scandals undermined the confidence of the investment community and corporate stakeholders.

Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validates and ranks the company’s corporate governance on par with its financial indicators. As a matter of fact, some investment firms are prepared to pay large premiums for investments in companies with high governance standards.

Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.

IT Governance Role:

IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership and organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. Also, IT governance is the term used to describe how those persons responsible for governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business will have an immense impact on whether the business will attain its vision, mission or strategic goals. In today’s economy, and with most businesses reliance on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.

Who is Responsible for IT Governance and Risk Management:

Board of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases and for many it guarantees competitive advantage. Additionally BODs and management must accept the responsibility of ensuring that:

• IT Governance is aligned with the overall Corporate Governance structure within the enterprise.
• IT Governance includes an alignment with the Enterprise Risk Management Program, which is a responsibility of the BODs and Management
• There is a balance of the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their enterprise’s business strategy and objectives.
• Risks and threats are identified, categorized and mitigated to acceptable levels.
• IT Governance obtains coordinated and integrated action from the top down.
• IT investments are not mismanaged or misdirected.
• IT Governance rules and priorities are established and enforced.
• Trust is demonstrated toward trading partners while exchanging electronic transactions.

In Closing:

IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.
IT Governance is focuses two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. In order to have an effective IT and Security Governance strategy businesses must address the following questions:

• What decisions must be made to ensure effective management and use of IT?
• Who should make these decisions?
• How will these decisions be made and monitored?

Always remember that managing information security risks as part of operational risk involves establishing an effective IT governance and control architecture.


Thank you

James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions

Enterprise Risk Management Framework

Two important ERM frameworks are COSO and RIMS. Each describes an approach for identifying, analyzing, responding to, and monitoring risks or opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

1. Avoidance: exiting the activities giving rise to risk
2. Reduction: taking action to reduce the likelihood or impact related to the risk
3. Share or insure: transferring or sharing a portion of the risk, to reduce it
4. Accept: no action is taken, due to a cost/benefit decision

Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

COSO ERM framework:

The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control -Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:

• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

The four objectives categories - additional components highlighted - are:

• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations

RIMS risk maturity model for enterprise risk management:

Enterprise risk management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.

According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute and ERM maturity is determined by the weakest link.

1. ERM-based approach - Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.

2. ERM process management - Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools.

3. Risk appetite management – Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.

4. Root cause discipline - Degree of discipline applied to measuring a problem’s root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls’ effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.

5. Uncovering risks - Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft® Word, Excel®, etc) to uncover dependencies and correlation across the enterprise.

6. Performance management - Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.

7. Business resiliency and sustainability – Extent to which the ERM Process’s sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.