<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-6100458435584048013</id><updated>2012-02-16T05:10:43.444-08:00</updated><category term='Complinace Software'/><category term='Compliance Software'/><category term='SaaS'/><category term='Aligning Risk Assessment'/><category term='Quality Control'/><category term='On Demand'/><category term='ERM Software'/><category term='IT Governance'/><category term='IT governance and internal audit'/><category term='Compliance Management'/><category term='controls'/><category term='GRC Software'/><category term='Enterprise Risk Management components'/><category term='Risk management software'/><category term='erm components'/><category term='compliance'/><category term='Financial risk'/><category term='control procedures'/><category term='Enterprise Risk Management'/><category term='regulatory compliance'/><category term='erm framework'/><category term='Compliance Solutions'/><category term='Risk'/><category term='Governance Risk and Compliance'/><title type='text'>Governance Risk and Compliance Solutions</title><subtitle type='html'>HighPoint™ Enterprise from Favored Solutions, the next generation web based GRC software solution. 
HighPoint™ Enterprise offers a comprehensive approach to addressing governance risk &amp; compliance by strategically managing business &amp; information risks &amp; internal controls.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>9</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-5958275015462811096</id><published>2009-04-30T00:04:00.000-07:00</published><updated>2009-04-30T00:26:15.840-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='regulatory compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='IT governance and internal audit'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Solutions'/><category scheme='http://www.blogger.com/atom/ns#' term='Quality Control'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Software'/><category scheme='http://www.blogger.com/atom/ns#' term='control procedures'/><title type='text'>Quality Control with Compliance Software</title><content type='html'>&lt;span style="font-weight: bold;"&gt;Quality Control with Compliance Software:&lt;/span&gt;&lt;br /&gt;You are probably well 
aware that compliance software was an idea worth rejoicing over. However, though the idea itself is worthy of eureka-praises, the problem with compliance software is that there are so many varied solutions it is hard to know where to start. It’s like choosing a personal chef. Just getting up one morning and hiring someone with the title “chef” will never work. You have to take the time to find who (or what) works for your unique taste buds. With &lt;a href="http://www.highpointgrc.com/"&gt;compliance software&lt;/a&gt;, the process is similar. You have to take the time to find a flexible solution that fits the needs of your company. However, before you run off to start reading compliance software reviews, let this article provide you with a simple suggestion:&lt;br /&gt;&lt;br /&gt;Start by finding compliance software that simultaneously manages your quality control processes.&lt;br /&gt;&lt;br /&gt;Sound impossible? It’s not.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Quality Control and Compliance Solutions: A “One-Two” Punch to the Regulatory Gut&lt;/span&gt;&lt;br /&gt;You may not have realized it, but there are &lt;a href="http://www.mastercontrol.com/solutions/quality_management_fb.html"&gt;quality control software solutions&lt;/a&gt; that allow you to manage both quality-control-related processes and regulatory compliance. For instance, when you look for compliance software, look for a solution that will manage your regulatory compliance requirements and quality factors such as documents (quality control and other document types), change control procedures, CAPA procedures, customer complaints, CAPA-related training, additional training, audits, and submissions to regulatory bodies such as the FDA. If you don’t want to invest in all of the solutions named, find a software solution that will allow you to mix and match the quality control applications that you need.
With this type of flexible software, the weight of the quality control and regulatory compliance burdens will thankfully (and metaphorically) be akin to feathers, butterflies, or objects equally sylphlike!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Quality Control and the Internal Audit&lt;/span&gt;&lt;br /&gt;Once you have a quality control/compliance software solution, audits will be far easier to manage. However, audits can still be exasperatingly stressful, since the behavior of employees and the speed and productivity of a workflow still depend to some extent on the efficiency of people, who are of course prone to mistakes. So, another way to gain control and make the audit giant cower is simply to practice internal audits on a regular basis. After all, audits are not clandestine efforts that you couldn’t plan and conduct yourself. An &lt;a href="http://www.highpointgrc.com/HighPoint-Audits.html"&gt;internal audit&lt;/a&gt; is simply the process of repeatedly observing a system or process and determining whether or not it meets regulatory standards and the prioritized goals of your company.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Quality Control: Put the Internal Audit into Practice&lt;/span&gt;&lt;br /&gt;Have a capable member of your staff devise an internal audit process. Research exactly what the FDA, ISO, and SOX require and beat them to the punch! That way, when it’s time for second- and third-party audits, you and your employees will breeze through the process as if you were born for it.&lt;br /&gt;&lt;br /&gt;Remember!
Effective quality control and compliance software research will help your company take the next few steps towards easier compliance and more effective productivity.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;About the Author, &lt;a href="http://www.streetdirectory.com/travel_guide/author/details/Marci+Lynn+Crane/" target="_blank"&gt;Marci Lynn Crane&lt;/a&gt;&lt;/b&gt;&lt;br /&gt;&lt;em&gt;Marci Crane&lt;/em&gt; is a copywriter for &lt;a href="http://www.mastercontrol.com/index.html" target="_blank"&gt;MasterControl&lt;/a&gt; in Salt Lake City, Utah. For more information regarding &lt;a href="http://www.mastercontrol.com/industries/general_man.html" target="_blank"&gt;quality control&lt;/a&gt; or audits management software, please feel free to &lt;a href="http://www.mastercontrol.com/company/contact.html" target="_blank"&gt;contact&lt;/a&gt; a MasterControl representative.</content><link rel='related' href='http://www.highpointgrc.com' title='Quality Control with Compliance Software'/><link rel='enclosure' type='' href='http://www.highpointgrc.com' length='0'/><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/5958275015462811096/comments/default' title='Post Comments'/><link rel='replies' type='text/html'
href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=5958275015462811096' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/5958275015462811096'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/5958275015462811096'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2009/04/quality-control-with-compliance.html' title='Quality Control with Compliance Software'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-6880577609266390024</id><published>2009-01-30T03:10:00.000-08:00</published><updated>2009-01-30T03:20:01.231-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management components'/><category scheme='http://www.blogger.com/atom/ns#' term='Governance Risk and Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Aligning Risk Assessment'/><title type='text'>Critical Role for the Chief Audit Executive: Aligning Risk Assessment</title><content type='html'>When it comes to aligning risk assessment,   the "risk intelligent" chief audit executive provides reassurance that management's   reports are reliable, offers advice on improving risk mitigation, and implements   value-added risk-management activities.&lt;br /&gt;&lt;p&gt;Risk permeates virtually every aspect of our personal and professional lives.   
Yet people and organizations are slow to acknowledge potential calamity and   quick to believe that bad things always happen to the other guy.&lt;/p&gt;  &lt;p&gt;For businesses, this flawed perception can be quite dangerous. In today's   environment, which is marked by intensifying competition, increasing scrutiny,   and growing threats, a frank and realistic assessment of the true risks a company   faces is more important than ever.&lt;/p&gt;  &lt;p&gt;Enter the chief audit executive (CAE). CAEs have a unique opportunity to   make significant improvements in the efficiency and effectiveness of their organizations'   risk-management initiatives. In previous columns, we've discussed the various   roles of the Risk Intelligent CAE, such as keeping the organization's  &lt;span class="EmphasisItalic"&gt;risk/reward picture&lt;/span&gt; in balance, incorporating   risk-management activities into the &lt;span class="EmphasisItalic"&gt;internal audit   function&lt;/span&gt;, and &lt;span class="EmphasisItalic"&gt;bridging silos&lt;/span&gt; to promote   the sharing of information across organizational boundaries. All of which, in   combination, can boost a company's risk-management capabilities.&lt;/p&gt;  &lt;p&gt;This column addresses yet another critical role for the CAE: aligning risk   assessment.&lt;/p&gt;  &lt;h2&gt;Aligning Risk Assessment&lt;/h2&gt;  &lt;p&gt;The traditional internal audit risk assessment starts with a blank sheet   of paper as processes, systems, and individual entities are evaluated. In keeping   with this typical approach, internal auditors audit those risks with the highest   impact and probability of occurrence. 
Often, no distinction is made between   inherent risk (the risk that exists before mitigation and controls are introduced)   and residual risk (the risk that remains after mitigation and controls are implemented).&lt;/p&gt;  &lt;p&gt;Furthermore, while vulnerability is certainly considered, too much weight   is usually given to probability. Probability models work well when dealing with   events that regularly occur, and for which reams of data have been compiled.   But when dealing with more uncertain events—situations that have never occurred   or perhaps can't even be imagined—probability should be subordinate to the notion   of vulnerability.&lt;/p&gt;  &lt;p&gt;Therefore, the risk intelligent enterprise adopts a different tack. In a   risk intelligent organization, management also takes responsibility for:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Assessing inherent risk—even those that are high impact, yet low probability.&lt;/li&gt;&lt;li&gt;Evaluating the effectiveness of existing risk mitigation and controls.   &lt;/li&gt;&lt;li&gt;Determining residual risk.&lt;/li&gt;&lt;li&gt;Deciding whether the risk exposure is within the appetite of the enterprise    and further mitigating the risk, if necessary.&lt;/li&gt;&lt;li&gt;Providing reasonable assurance to the board that the controls are both    effective and efficient.&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;If the risk exposure is not within the corporate appetite, it's internal   audit's responsibility to advise management on how risk mitigation and control   might be improved.&lt;/p&gt;  &lt;h2&gt;Value-Added Risk-Assessment Activities&lt;/h2&gt;  &lt;p&gt;In addition, the risk intelligent CAE can lead a number of value-added risk   assessment activities. 
These include providing reassurance to management and   the board that:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Key risks that affect both value preservation and value creation have    been identified.&lt;/li&gt;&lt;li&gt;Different scenarios have been assessed and stress-tested.&lt;/li&gt;&lt;li&gt;Inherent versus residual risk has been reliably assessed.&lt;/li&gt;&lt;li&gt;Residual risk appears to be within the risk appetite of the company.&lt;/li&gt;&lt;li&gt;Controls are both effective and efficient.&lt;/li&gt;&lt;li&gt;Management's reports can be relied on.&lt;/li&gt;&lt;/ul&gt;  &lt;h2&gt;What's Your Risk Intelligence Quotient?&lt;/h2&gt;  &lt;p&gt;To determine if their current risk-assessment models are risk intelligent,   CAEs should ask themselves the following questions:&lt;/p&gt;  &lt;ul&gt;&lt;li&gt;Are we speaking the language of management?&lt;/li&gt;&lt;li&gt;Are we assessing risks to future growth or are we focused exclusively    on the protection of existing assets?&lt;/li&gt;&lt;li&gt;Are we assessing risks in isolation or are we looking at how these risks    may interact and cascade?&lt;/li&gt;&lt;li&gt;Is there a uniform framework to align the various risk specializations    regarding governance, risk, and compliance assessments, which will allow    us to reduce the cost burden on the business?&lt;/li&gt;&lt;li&gt;Do existing risk assessments reliably and adequately assess inherent    and residual risk exposures?&lt;/li&gt;&lt;li&gt;Do we have the means to assess whether residual exposures are within    the risk appetite of the company?&lt;/li&gt;&lt;li&gt;Is there a robust risk-mitigation process?&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;CAEs can play a unique and important role in the risk intelligent enterprise.   
While recognizing that management and the board are responsible and accountable for risk, CAEs should provide both guidance and reassurance that risk is being properly and efficiently managed.&lt;/p&gt;&lt;p&gt;The authors of this article are Mark Layton and Neil M. Brown.&lt;/p&gt;&lt;p&gt;To view the original article, &lt;a href="http://www.irmi.com/Expert/Articles/2008/Deloitte10-enterprise-risk-management-erm.aspx" target="_blank"&gt;click here&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/6880577609266390024/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=6880577609266390024' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/6880577609266390024'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/6880577609266390024'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2009/01/critical-role-for-chief-audit-executive.html' title='Critical Role for the Chief Audit Executive: Aligning Risk Assessment'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-2425169478078652523</id><published>2008-12-19T04:51:00.000-08:00</published><updated>2008-12-19T05:31:27.283-08:00</updated><category
scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management components'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM Software'/><category scheme='http://www.blogger.com/atom/ns#' term='erm framework'/><category scheme='http://www.blogger.com/atom/ns#' term='erm components'/><title type='text'>Enterprise Risk Management's Components</title><content type='html'>Enterprise risk management has eight interrelated components, derived from the way management runs an enterprise and integrated with the management process. These components are:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Internal Environment&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Objective Setting&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Event Identification&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities.
Opportunities are channeled back to management’s strategy or objective-setting processes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Risk Assessment&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on both an inherent and a residual basis.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Risk Response&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Control Activities&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Information &amp;amp; Communication&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Monitoring&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The entirety of enterprise risk management is monitored and modifications made as necessary.
Monitoring is accomplished through ongoing management activities, separate evaluations, or both.</content><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/2425169478078652523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=2425169478078652523' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/2425169478078652523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/2425169478078652523'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/12/enterprise-risk-managements-components.html' title='Enterprise Risk Management&apos;s Components'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-2294210283396652539</id><published>2008-10-20T21:34:00.000-07:00</published><updated>2008-10-20T21:59:10.257-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IT governance and internal audit'/><category scheme='http://www.blogger.com/atom/ns#' term='compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='On Demand'/><category scheme='http://www.blogger.com/atom/ns#' term='SaaS'/><category scheme='http://www.blogger.com/atom/ns#' term='Financial risk'/><category scheme='http://www.blogger.com/atom/ns#'
term='GRC Software'/><category scheme='http://www.blogger.com/atom/ns#' term='controls'/><title type='text'>Integrated GRC Software – Regulatory Requirement &amp; Business Benefits</title><content type='html'>&lt;!--[if gte mso 9]&gt;&lt;xml&gt;  &lt;w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"&gt;   &lt;w:lsdexception locked="false" priority="39"
name="toc 7"&gt;   &lt;w:lsdexception locked="false"
priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"&gt;   
&lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"&gt;   &lt;w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"&gt;   &lt;w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" 
name="Subtle Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"&gt;   &lt;w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"&gt;   &lt;w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"&gt;   &lt;w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"&gt;   &lt;w:lsdexception locked="false" priority="37" name="Bibliography"&gt;   &lt;w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"&gt;  &lt;/w:LatentStyles&gt; &lt;/xml&gt;&lt;![endif]--&gt;&lt;style&gt; &lt;!--  /* Font Definitions */  @font-face 	{font-family:Helvetica; 	panose-1:0 11 5 0 0 0 0 0 0 0; 	mso-font-charset:0; 	mso-generic-font-family:swiss; 	mso-font-pitch:variable; 	mso-font-signature:536881799 0 0 0 511 0;} @font-face 	{font-family:"Cambria Math"; 	panose-1:2 4 5 3 5 4 6 3 2 4; 	mso-font-charset:1; 	mso-generic-font-family:roman; 	mso-font-format:other; 	mso-font-pitch:variable; 	mso-font-signature:0 0 0 0 0 0;} @font-face 	{font-family:Calibri; 	panose-1:2 15 5 2 2 2 4 3 2 4; 	mso-font-charset:0; 	mso-generic-font-family:swiss; 	mso-font-pitch:variable; 	mso-font-signature:-1610611985 1073750139 0 0 159 0;}  /* Style Definitions */  p.MsoNormal, li.MsoNormal, div.MsoNormal 	{mso-style-unhide:no; 	mso-style-qformat:yes; 	mso-style-parent:""; 	margin-top:0in; 	margin-right:0in; 	margin-bottom:10.0pt; 	margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	
mso-bidi-theme-font:minor-bidi;} .MsoChpDefault 	{mso-style-type:export-only; 	mso-default-props:yes; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:Calibri; 	mso-fareast-theme-font:minor-latin; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin; 	mso-bidi-font-family:"Times New Roman"; 	mso-bidi-theme-font:minor-bidi;} .MsoPapDefault 	{mso-style-type:export-only; 	margin-bottom:10.0pt; 	line-height:115%;} @page Section1 	{size:8.5in 11.0in; 	margin:1.0in 1.0in 1.0in 1.0in; 	mso-header-margin:.5in; 	mso-footer-margin:.5in; 	mso-paper-source:0;} div.Section1 	{page:Section1;} --&gt; &lt;/style&gt;&lt;!--[if gte mso 10]&gt; &lt;style&gt;  /* Style Definitions */  table.MsoNormalTable 	{mso-style-name:"Table Normal"; 	mso-tstyle-rowband-size:0; 	mso-tstyle-colband-size:0; 	mso-style-noshow:yes; 	mso-style-priority:99; 	mso-style-qformat:yes; 	mso-style-parent:""; 	mso-padding-alt:0in 5.4pt 0in 5.4pt; 	mso-para-margin-top:0in; 	mso-para-margin-right:0in; 	mso-para-margin-bottom:10.0pt; 	mso-para-margin-left:0in; 	line-height:115%; 	mso-pagination:widow-orphan; 	font-size:11.0pt; 	font-family:"Calibri","sans-serif"; 	mso-ascii-font-family:Calibri; 	mso-ascii-theme-font:minor-latin; 	mso-fareast-font-family:"Times New Roman"; 	mso-fareast-theme-font:minor-fareast; 	mso-hansi-font-family:Calibri; 	mso-hansi-theme-font:minor-latin;} &lt;/style&gt; &lt;![endif]--&gt;  &lt;p class="MsoNormal"&gt;Hi All,&lt;/p&gt;&lt;p class="MsoNormal"&gt;In today's blog, we are going to discuss about Intergrated GRC Software – Regulatory Requirement &amp;amp; its Business Benefits and i appreciate if anybody gets some time to comments over this blog. Thanks and cheers.&lt;/p&gt;&lt;p class="MsoNormal"&gt; The increased regulations and past experiences of share and stakeholders require organizations to keep special attention on Enterprise, Operational, Technological and Financial risks and to manage them properly. 
Since technology now plays a pivotal role in every field, it is inevitable that technology is used in the management of risk, compliance, &lt;span style=""&gt;&lt;a href="http://www.favoredsolutions.net/GRCProducts/HighPointControls.aspx"&gt;controls management&lt;/a&gt;, IT governance and &lt;a href="http://www.favoredsolutions.net/GRCProducts/HighPointAudits.aspx"&gt;internal audit&lt;/a&gt;. The features offered in these GRC solutions include alerts and notifications, management of compliance and controls documentation, a business workflow and notification engine, and reports and analytics.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;Leading &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCProducts.aspx"&gt;GRC solutions&lt;/a&gt; in the market deliver many business benefits that provide a return on investment (ROI), such as fulfilling recurring reporting requirements, managing large volumes of data, monitoring and testing of controls for compliance, customizable executive dashboards, flexible searching, business process workflows and performance management.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;Multinational organizations, or companies with several branches, can benefit greatly from these GRC solutions: risks can be both general and branch-specific, so each branch of the business can subscribe to the general risks defined as benchmarks, frameworks or best practices in a central GRC library/repository and define its own risks as well, which eliminates duplication of effort, miscommunication and inconsistent processes.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;There are various Continuous Controls Monitoring (CCM) solutions which monitor financial transactions, filter data and provide notifications on transactional issues. 
These CCM solutions can integrate with the financial systems already running in an organization, but they do not replace GRC, because they do not offer the core GRC features such as compliance documentation management, business process workflows, and controls and risk management.&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span style=""&gt;Because these GRC solutions automate business workflows, they save time and cost, and they provide report templates for the recurring reports required by different regulations. Many GRC vendors offer their solution in a SaaS (software as a service) / &lt;a href="http://ondemand.favoredsolutions.net/index.html"&gt;on demand subscription based model&lt;/a&gt;, which removes the extra burden of application deployment and management. Note that a hosted model also moves the organization's risk, control and evidence data into the vendor's environment, so the vendor's own security and availability controls become part of the organization's compliance scope and should be assessed before subscribing.&lt;/span&gt;&lt;/p&gt;  &lt;span style="line-height: 115%;font-family:&amp;quot;;font-size:11;"  &gt;The very first step in implementing a GRC solution is to identify the regulatory and compliance requirements to be met, and then to evaluate candidate solutions against those requirements. 
Most organizations require Sarbanes-Oxley (SOX) compliance, but they should look for a solution that can adapt to their future requirements and support multiple compliance regimes.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6100458435584048013-2294210283396652539?l=grcsolution.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://ondemand.favoredsolutions.net/index.html' title='Intergrated GRC Software – Regulatory Requirement &amp; Business Benefits'/><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/2294210283396652539/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=2294210283396652539' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/2294210283396652539'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/2294210283396652539'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/10/intergrated-grc-software-regulatory.html' title='Intergrated GRC Software – Regulatory Requirement &amp; Business Benefits'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-6462822924039437070</id><published>2008-06-30T03:25:00.001-07:00</published><updated>2008-06-30T03:25:56.678-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Governance Risk and Compliance'/><category 
scheme='http://www.blogger.com/atom/ns#' term='IT Governance'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Management'/><title type='text'>Understanding Enterprise Risk Management In-Depth</title><content type='html'>&lt;span style="font-weight: bold; font-style: italic;"&gt;In today’s blog, we will discuss “Understanding ERM In-Depth; Using the Right ERM Strategy as A Catalyst for Addressing Risk, While Improving Audit Outcome”.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Companies are under significant pressure to stay abreast of a wide array of business risks that may impact their organization’s success and sustainability. The risk oversight role of Boards of Directors (BODs) and senior management is becoming increasingly critical to the sound running of an organization, especially for companies with significant market risk exposures. This has caused BODs and corporate officers to become more involved in strategic ERM planning at early stages, rather than just reviewing and signing off on an ERM strategy after it has been fully developed by management. Furthermore, the increasing demands and high expectations from the BOD level have caused a major shift in how audit committees and chief audit executives approach their internal audit programs. Internal auditors are encouraged to incorporate a risk-based approach to internal controls auditing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM Framework and Strategy:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I’ve seen many clients undergo major efforts in developing an &lt;a style="color: rgb(204, 0, 0);" href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;ERM framework&lt;/a&gt; that works for their business. Most of these frameworks, in my opinion, appear to be nothing more than an over-engineered process that could have been completed with a COSO-based or NIST-based ERM framework. 
The bottom line here is to take advantage of frameworks that have already been established so that you are not “re-inventing” the wheel. Your ERM framework should capture ALL key and critical business areas within your organization. Your framework should also account for both business and information risks. Key word here….ENTERPRISE!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM and Internal Audit:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The role of the internal auditor and the internal audit process is quickly changing. Today, internal auditors are encouraged to take a risk-based approach to their audit programs. I am working with a particular client where they are using risk composites to drive or “trigger” their audits. The way it works is that when both the likelihood and the MOI (magnitude of impact) of the threat are equally high, the audit department is notified to audit the control(s) that are supposed to mitigate the risks or threats. As an auditor, I strongly encourage your audit team to employ a risk-based approach to your audit strategy. Additionally, getting integrated with your ERM division offers great rewards in this process. This strategy will also improve your audit outcome. Know the risk….employ the effective control(s)….mitigate the risk….you get the idea!&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;ERM and GRC (Governance, Risk, and Compliance):&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I had a customer ask me, “What is the most critical component of the GRC process?” Although this is a tough question and every component of the &lt;a style="color: rgb(204, 0, 0);" href="http://www.favoredsolutions.net/"&gt;GRC process&lt;/a&gt; is important, it is my opinion that the cornerstone of GRC is risk (R). 
Without knowing and understanding the risks that businesses face today, it would be difficult to provide BODs with risk oversight, identify controls that need continuous monitoring, and achieve a risk-based approach to compliance management. Once your risk appetite has been determined and your business risks have been identified, you can perform risk analytics and modeling to further enhance your &lt;a href="http://enterprise-risk-management.blogspot.com/2008/03/coso-enterprise-risk-management.html"&gt;ERM&lt;/a&gt; program and provide BODs and corporate officers with oversight of their enterprise risks. All in all you can see the importance and significance of ERM within a GRC or corporate governance strategy. I’m curious to hear other approaches to this thought.&lt;br /&gt;&lt;br /&gt;I would like to hear your views on the following:&lt;br /&gt;&lt;br /&gt;&lt;ol&gt;&lt;li&gt;What is your approach to Enterprise Risk Management?&lt;/li&gt;&lt;li&gt;How do you incorporate risk into your GRC or Corporate Governance Strategy?&lt;/li&gt;&lt;li&gt;What ERM framework works best for your organization?&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;Thank you&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;James Sayles&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;MBA, BS, CISSP, CISA, CISM&lt;/span&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255);"&gt;Vice President, Chief Risk and Compliance Officer&lt;br /&gt;&lt;/span&gt;&lt;a href="http://www.favoredsolutions.net/"&gt;Favored Solutions&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/"&gt;&lt;span style="color: rgb(51, 51, 255);"&gt; &lt;/span&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6100458435584048013-6462822924039437070?l=grcsolution.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='related' href='http://www.favoredsolutions.net' title='Understanding Enterprise Risk Management In-Depth'/><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/6462822924039437070/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=6462822924039437070' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/6462822924039437070'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/6462822924039437070'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/06/understanding-enterprise-risk.html' title='Understanding Enterprise Risk Management In-Depth'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-4959688272163490923</id><published>2008-05-22T23:33:00.000-07:00</published><updated>2008-06-30T03:21:49.338-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Complinace Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Governance Risk and Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk'/><category scheme='http://www.blogger.com/atom/ns#' term='IT Governance'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Management'/><title type='text'>IT Governance, Risk, and Compliance (ITGRC)</title><content type='html'>Businesses rely on their IT departments and resources for competitive advantages and business to business transactions 
and cannot afford to apply to IT anything less than the same level of commitment they devote to other company assets. IT offers extraordinary opportunities to transform the business; however, IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, Information Security, and &lt;a href="http://erm-software-solutions.blogspot.com/"&gt;Risk Management&lt;/a&gt; encompasses several initiatives for executive management. At a glance, they must be aware of the role and impact of IT on the enterprise, define the constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;Corporate Governance:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Before discussing Information Technology and Security Governance, one must look at the broader issue of &lt;a href="http://www.favoredsolutions.net/"&gt;Corporate Governance&lt;/a&gt; in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals such as Enron, WorldCom and Tyco, and is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impact of the many scandals undermined the confidence of the investment community and corporate stakeholders.&lt;br /&gt;&lt;br /&gt;Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank a company’s corporate governance on par with its financial indicators. 
Indeed, some investment firms are prepared to pay large premiums for investments in companies with high governance standards.&lt;br /&gt;&lt;br /&gt;Whilst there is no single model of good corporate governance, in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(51, 51, 255); font-weight: bold;"&gt;IT Governance Role:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership and organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. Also, &lt;a href="http://favoredsolutions.blogspot.com/"&gt;IT governance &lt;/a&gt;is the term used to describe how those persons responsible for governance of an entity will consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business will have an immense impact on whether the business will attain its vision, mission or strategic goals. In today’s economy, with most businesses relying on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;Who is Responsible for IT Governance and Risk Management:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Board of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. 
This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases and for many it provides a competitive advantage. Additionally, BODs and management must accept the responsibility of ensuring that:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;IT Governance is aligned with the overall Corporate Governance structure within the enterprise.&lt;/li&gt;&lt;li&gt;IT Governance is aligned with the &lt;a href="http://enterprise-risk-management.blogspot.com/"&gt;Enterprise Risk Management Program&lt;/a&gt;, which is a responsibility of the BODs and management.&lt;/li&gt;&lt;li&gt;The operational and economic costs of protective measures are balanced against the gains in mission capability achieved by protecting the IT systems and data that support the enterprise’s business strategy and objectives.&lt;/li&gt;&lt;li&gt;Risks and threats are identified, categorized and mitigated to acceptable levels.&lt;/li&gt;&lt;li&gt;IT Governance obtains coordinated and integrated action from the top down.&lt;/li&gt;&lt;li&gt;IT investments are not mismanaged or misdirected.&lt;/li&gt;&lt;li&gt;IT Governance rules and priorities are established and enforced.&lt;/li&gt;&lt;li&gt;Trust is demonstrated toward trading partners while exchanging electronic transactions. 
&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(51, 51, 255);"&gt;In Closing:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.&lt;br /&gt;IT Governance focuses on two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. In order to have an effective IT and Security Governance strategy, businesses must address the following questions:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;What decisions must be made to ensure effective management and use of IT?&lt;/li&gt;&lt;li&gt;Who should make these decisions?&lt;/li&gt;&lt;li&gt;How will these decisions be made and monitored?&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Always remember that managing information security risks as part of &lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;operational risk&lt;/a&gt; involves establishing an effective IT governance and control architecture.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Thank you&lt;br /&gt;&lt;br /&gt;&lt;a href="http://jamessayles.blogspot.com/"&gt;&lt;span style="font-weight: bold;"&gt;James Sayles&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;MBA, BS, CISSP, CISA, CISM&lt;br /&gt;Vice President, Chief Risk and Compliance Officer&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/" target="_blank"&gt;Favored Solutions&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6100458435584048013-4959688272163490923?l=grcsolution.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://grcsolution.blogspot.com/feeds/4959688272163490923/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=4959688272163490923' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/4959688272163490923'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/4959688272163490923'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/05/it-governance-risk-and-compliance-itgrc.html' title='IT Governance, Risk, and Compliance (ITGRC)'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-3718380422889079658</id><published>2008-05-15T01:59:00.000-07:00</published><updated>2008-05-26T03:42:43.283-07:00</updated><title type='text'>Concept of Governance, Risk, and Compliance (GRC) and its impact on your business</title><content type='html'>In today’s blog, we will discuss the concept of Governance, Risk, and Compliance (GRC) and its impact on your business&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Corporate Governance:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Before discussing &lt;a href="http://www.favoredsolutions.net/Images/blogs/GRC-Concept.pdf"&gt;Governance, Risk and Compliance&lt;/a&gt;, one must look at that broader term of GRC – Corporate Governance. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. 
Corporate Governance became a dominant business topic in the wake of many corporate scandals such as Enron, WorldCom and Tyco, and is becoming increasingly prominent today in the wake of the TJX credit card breach. Corporate interest in governance is not new, but the severity of the financial impacts of the many scandals undermined the confidence of the investment community and corporate stakeholders.&lt;br /&gt;&lt;br /&gt;Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Some investment firms are even prepared to pay large premiums for investments in companies with high governance standards.&lt;br /&gt;&lt;br /&gt;Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;My definition of GRC:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;As it relates to GRC, industry professionals and organizations have defined GRC in many ways. That is not to say that they are wrong in defining the GRC concept, but GRC in itself means different things to different people. 
As such, to minimize the ambiguity of the process, I have defined it as follows:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic; color: rgb(51, 51, 255);"&gt;A common business management framework that requires strategic collaboration and architecture to bring an enterprise view across governance, risk, and compliance initiatives within a company.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Let’s break out each letter of the process and I will share some insight into each. You really need all three to achieve good corporate governance.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Governance:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;Corporate governance requires processes for providing Boards of Directors, Audit Committees, and Corporate Management with oversight of business culture, enterprise risks, policies, processes, laws, and regulations.&lt;/blockquote&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Risk:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;Businesses should identify, analyze, assess, mitigate, and manage business and information risks and incorporate them in their business processes.&lt;/blockquote&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;Compliance:&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;Compliance is about adhering to external laws, corporate policies and procedures, and regulations while providing a comprehensive framework that handles virtually all compliance regimes and control frameworks.&lt;/blockquote&gt;&lt;span style="font-weight: bold; color: rgb(204, 0, 0);"&gt;GRC Collaboration:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It has been a common myth that only BODs and senior-level managers are responsible for implementing GRC. I won’t get into the roles and responsibilities of GRC participants, but rather articulate the effectiveness of an integrated GRC strategy. 
For GRC to be effective in today’s complex business environments, organizations must involve all business process areas in order to achieve an effective integrated GRC strategy. Based on experience, an effective GRC strategy includes business unit representation from BODs, Audit Committees, Internal Audit, Legal, Risk Management, Compliance, Human Capital, Information Technology, Sales, Marketing and Strategy… you get the picture. In short, you need to include all key and critical business units in your GRC strategy. GRC is about the whole organization and not just a few parts of it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight: bold;"&gt;James Sayles,&lt;/span&gt;&lt;br /&gt;MBA, BS, CISSP, CISA, CISM&lt;br /&gt;Vice President, Chief Risk and Compliance Officer&lt;br /&gt;&lt;a href="http://www.favoredsolutions.net/" target="_blank"&gt;Favored Solutions&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6100458435584048013-3718380422889079658?l=grcsolution.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.favoredsolutions.net' title='Concept of Governance, Risk, and Compliance (GRC) and its impact on your business'/><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/3718380422889079658/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=3718380422889079658' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/3718380422889079658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/3718380422889079658'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/05/concept-of-governance-risk-and.html' 
title='Concept of Governance, Risk, and Compliance (GRC) and its impact on your business'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-5928229730644439896</id><published>2008-03-25T00:19:00.000-07:00</published><updated>2008-06-30T03:17:43.411-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Complinace Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Governance Risk and Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance Management'/><title type='text'>IT GOVERNANCE FRAMEWORK</title><content type='html'>&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;WHAT IS GOOD IT GOVERNANCE?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Forrester’s Business Technographics® November 2004 United States SMB Benchmark Study found that enterprises spend an average of 4.9% of revenues on IT. In 2005, we expect IT budgets to grow 7% over last year. IT is now at the core of most organizations’ ability to execute strategy. Recent legislation, such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), has elevated demands for improved compliance and risk management across the enterprise, and on IT organizations specifically. The result is a “perfect storm” of pressure on CIOs and their IT organizations for better IT governance.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;IT Governance Defined:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;At its most basic definition, IT governance is the process by which decisions are made around IT investments. 
How decisions are made, who makes the decisions, who is held accountable, and how the results of decisions are measured and monitored are all parts of IT governance. Based on this definition, everyone has some form of IT governance. Unfortunately for many firms, the governance process is ad hoc and informal. There is no consistency across the enterprise, accountability is weak — if present at all — and there are no formal mechanisms to measure and monitor the outcomes of the decisions.&lt;br /&gt;&lt;br /&gt;There is just too much at stake today for organizations to leave IT governance to chance or legacy processes. Optimizing IT investments must become a priority. There is a growing trend on the part of large organizations to elevate IT performance to the board of directors level. In addition to the traditional audit committee and compensation committee, boards are adding an IT oversight committee to become more involved in the role that IT plays in enabling and executing the enterprise’s strategy. For example, FedEx has established the Information Technology Oversight Committee to oversee major IT-related projects and technology architecture decisions.&lt;br /&gt;&lt;br /&gt;Such executive commitments are only natural. IT governance cannot exist in isolation but must be a subset of enterprise governance. It is the responsibility not just of IT management but of the board of directors and executive management. According to the IT Governance Institute, IT governance “is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”&lt;br /&gt;&lt;br /&gt;Implementing good IT governance requires a framework based on three major elements:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Structure. Who makes the decisions? 
What structural organizations will be created, who will take part in these organizations, and what responsibilities will they assume?&lt;/li&gt;&lt;li&gt;Process. How are IT investment decisions made? What are the decision-making processes for proposing investments, reviewing investments, approving investments, and prioritizing investments?&lt;/li&gt;&lt;li&gt;Communication. How will the results of these processes and decisions be monitored, measured, and communicated? What mechanisms will be used to communicate IT investment decisions to the board of directors, executive management, business management, IT management, employees, and shareholders?&lt;/li&gt;&lt;/ul&gt;&lt;span style="font-size:130%;"&gt;&lt;span style="color: rgb(204, 0, 0);"&gt;ESTABLISHING A FOUNDATION:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With a working definition of good IT governance at hand, the next step is to establish a foundation on which to build an IT governance framework. The foundation consists of three parts: understanding the governance maturity, knowing how structural issues impact governance, and understanding the four objectives of IT governance.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;IT Governance Maturity:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Forrester recommends that organizations in the process of developing or evolving their current IT governance framework conduct an IT governance maturity assessment. Understanding where you are is extremely helpful in trying to formulate an IT governance strategy. Forrester’s IT Governance Maturity Model comprises four stages:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Stage 1: Ad hoc. There are no formal IT governance processes, and IT governance is not recognized by management as a necessity. IT investments are made on a completely ad hoc basis. 
This scenario is almost always found in highly decentralized organizations, but it is not limited to them.&lt;/li&gt;&lt;li&gt;Stage 2: Fragmented. Here there is an attempt to formalize IT governance processes, but on a fragmented basis. These formalized processes may exist in one or more business units, and IT decisions within those business units may be optimized, but there is no enterprisewide effort to coordinate investment decisions or examine tradeoffs between business units, or between enterprisewide investments and BU investments.&lt;/li&gt;&lt;li&gt;Stage 3: Consistent. At the third level of maturity, IT governance processes have been consistently applied across the enterprise. All business units/entities conform to the same set of IT governance processes. IT investment decisions are based on the enterprise view.&lt;/li&gt;&lt;li&gt;Stage 4: Best practices. At the fourth level of maturity, IT governance processes are fully evolved and optimized across the enterprise. A strong IT portfolio management process is in place to ensure that all IT investment decisions are themselves optimized, the CEO and executive team are active participants in the governance process, and IT strategy is part of the enterprise strategy.&lt;/li&gt;&lt;/ul&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;Structural Issues In IT Governance:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Any attempt at developing and enforcing IT governance requires an understanding of the structural, or organizational, pieces of the framework. Forrester has identified four major types of IT organizational structures: centralized, decentralized, federated, and project-based organizations. 
Each organizational structure presents a different challenge in implementing IT governance, as characterized by its decision-making process.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Centralized. In a centralized IT organization, all IT decision-making and the IT budget are in one place, so governance is much easier to manage and requires much less effort to organize. The CIO can take the lead in developing the governance processes and work directly with the CEO and executive team. The challenge for centralized IT organizations is to refrain from becoming a monarchy and to ensure that business units and operating groups have a voice in the process.&lt;/li&gt;&lt;li&gt;Decentralized. Decentralized organizations most often reach the fragmented stage because each decentralized IT function has developed its own IT governance processes, but there are no formal processes across business units or between business units and corporate. IT investment decisions may be optimized at the business unit level, but they are not optimized across the enterprise. This often results in duplicated infrastructure and applications, and little sharing of systems or expertise, if any. The challenge is to develop an enterprisewide IT governance process that enables the organization to make tradeoffs.&lt;/li&gt;&lt;li&gt;Federated. These are hybrid organizations that have both centralized and decentralized components. Most infrastructure and enterprisewide applications are centralized in a corporate IT organization and operated as a shared service with chargebacks, while business units retain control over BU-specific applications and development resources. This attempts to create the best of both worlds: centralized control for reduced costs, with applications development left with the business units where it can be more responsive. 
The challenge for federated IT organizations is to balance the needs of the business units for infrastructure investments and to conform to an enterprise architecture and standards.&lt;/li&gt;&lt;li&gt;Project-based. Project-based IT organizations are a relatively new phenomenon and take their lead from professional services firms. They are a form of centralized IT in that all IT resources are centrally located and report into a corporate CIO, but they differ mostly in the applications development area. Rather than the traditional applications development group, an organizational structure is built around resource pools, often called competence centers, consisting of like resources. Also, the traditional line manager is replaced by a resource manager or competence center manager who heads up each resource pool. This new role’s performance is measured on resource utilization and the ability to loan out qualified staff in sufficient quantity as required by the project portfolio and pipeline. For project-based IT organizations to be effective, they need a strong governance mechanism in place to ensure that the right projects are selected and funded. The challenge in project-based organizations, then, is the project selection, funding, and prioritization process.&lt;/li&gt;&lt;/ul&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;The Four Objectives Of IT Governance:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;There are four objectives that drive IT governance: IT value and alignment, accountability, performance measurement, and risk management. 
Each of these objectives must be addressed as part of the IT governance process.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp0.blogger.com/_loYVSk5Eh68/R-iqKEC69fI/AAAAAAAAAAM/BnCi2cyC5Ok/s1600-h/figure3.gif"&gt;&lt;img style="cursor: pointer;" src="http://bp0.blogger.com/_loYVSk5Eh68/R-iqKEC69fI/AAAAAAAAAAM/BnCi2cyC5Ok/s320/figure3.gif" alt="Figure 3" id="BLOGGER_PHOTO_ID_5181578461151163890" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;IT value and alignment. One of the primary goals of IT governance is to ensure alignment between the business units and IT. By creating the necessary structures and processes around IT investments, management can ensure that only those IT projects that are aligned with strategic business objectives are approved, funded, and prioritized. Alignment also deals with the balance between investments that run the current business, grow existing businesses, and have the potential to transform the business, while delivering IT value by managing projects that are on time, on budget, and deliver expected results. Delivering value to the business typically means things like growing revenues, improving customer satisfaction, increasing market share, reducing costs, and enabling new products and/or services.&lt;/li&gt;&lt;li&gt;Risk management. With more of an organization’s value proposition built on IT, risks associated with IT are often the same as risks to the business. Therefore, managing IT risk is paramount. IT risks include security risks arising from hackers and denial-of-service attacks, privacy risks arising from identity theft, recovery from disasters, resiliency of systems against outages, and the risks associated with project failures.&lt;/li&gt;&lt;li&gt;Accountability. At the end of the day, governance is about accountability. 
The Sarbanes-Oxley legislation is intended to hold senior executives accountable for the integrity and credibility of their financial information and controls. IT governance holds IT management accountable for the return on its investment in IT, as well as the credibility of IT’s own information and controls.&lt;/li&gt;&lt;li&gt;Performance measurement. Accountability in IT governance requires that you keep score, typically by implementing a form of balanced scorecard. The IT Balanced Scorecard consists of four perspectives: IT Value, User, Operational Excellence, and Future Orientation. Two of these perspectives contain measures for the two key governance objectives: IT value and risk management. The IT value perspective contains specific measures for IT/business alignment and IT value, while the operational excellence perspective contains specific measures for managing IT risk.&lt;/li&gt;&lt;/ul&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;EXISTING FRAMEWORKS:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;While there is no single, complete, off-the-shelf IT governance framework, there are a number of frameworks available that can serve as useful starting points for developing a governance model. As a result, most IT organizations today are “rolling their own” models, but borrowing heavily from existing frameworks. Most of the existing frameworks are complementary, with strengths in different areas, and so a mix-and-match approach is often taken. 
Three of those frameworks are discussed in more depth below.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;COBIT:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Control Objectives for Information and related Technologies (COBIT) was developed in 1996 by the Information Systems Audit and Control Association (ISACA) and is now issued and maintained by the IT Governance Institute (ITGI) as a framework for providing control mechanisms over the information technology domain. Now in its third edition, COBIT has been extended to serve as an IT governance framework by providing maturity models, critical success factors, key goal indicators, and key performance indicators for the management of IT.&lt;br /&gt;&lt;br /&gt;At the heart of COBIT are 34 high-level control objectives. These control objectives are grouped into four main domains: planning and organization, acquisition and implementation, delivery and support, and monitoring. The 34 high-level control objectives are broken down into 318 detailed control objectives (see Figure 4).&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Planning and organization. This domain covers a whole range of topics. Included are the strategy and tactics used by IT to achieve business objectives, strategy planning, strategy communication, strategy management, risk management, and resource management, which ensures that the required technology infrastructure and human capital are in place.&lt;/li&gt;&lt;li&gt;Acquisition and implementation. For IT to realize its strategy, it must identify, develop or acquire, and implement solutions to business processes. Additionally, it must manage the life cycle of existing systems through maintenance, enhancements, and retirements.&lt;/li&gt;&lt;li&gt;Delivery and support. On its most basic level, IT delivers services to its customers (users). 
This domain concerns service and support issues including performance and security, and it also includes training.&lt;/li&gt;&lt;li&gt;Monitoring. All IT processes need to be regularly assessed for their quality and compliance with control requirements. The monitoring domain addresses management’s oversight of the organization’s control processes.&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp3.blogger.com/_loYVSk5Eh68/R-irs0C69gI/AAAAAAAAAAU/IE00qHGY5-0/s1600-h/figure4.gif"&gt;&lt;img style="cursor: pointer;" src="http://bp3.blogger.com/_loYVSk5Eh68/R-irs0C69gI/AAAAAAAAAAU/IE00qHGY5-0/s320/figure4.gif" alt="Figure 4" id="BLOGGER_PHOTO_ID_5181580157663245826" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More recently, COBIT added a set of action-oriented management guidelines to provide management direction for monitoring achievement of organizational goals, for monitoring performance within each IT process, and for benchmarking organizational achievement.&lt;br /&gt;&lt;br /&gt;Overall, COBIT represents a comprehensive framework for implementing IT governance with a very strong auditing and controls perspective, which has increasing resonance in the era of Sarbanes-Oxley and other compliance-related regulations and legislation.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;ITIL:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The IT Infrastructure Library (ITIL), initially developed in the UK by the Office of Government Commerce (OGC), is gaining traction in the global IT community as a framework for IT governance. The library currently consists of eight books: “Software Asset Management,” “Service Support,” “Service Delivery,” “Security Management,” “Application Management,” “ICT Infrastructure Management,” “The Business Perspective,” and “Planning to Implement Service Management” (see Figure 5). 
ITIL is focused on identifying best practices with regard to managing IT service levels and is particularly process-oriented.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;“Planning to Implement Service Management.” This book deals explicitly with the question of where to start with ITIL. It outlines the steps necessary to identify how the organization would benefit from ITIL. It helps identify current strengths and weaknesses and gives practical guidance on the evaluation of the current maturity levels of service management within the organization.&lt;/li&gt;&lt;li&gt;“The Business Perspective.” “The Business Perspective” is designed to familiarize business management with the architecture and components of the information and communications technology (ICT) infrastructure required to support the business processes. The book helps business leaders better understand the benefits of best practices in IT service management.&lt;/li&gt;&lt;li&gt;“Software Asset Management.” This book encompasses the entire infrastructure and processes necessary for the effective management, control, and protection of the software assets within an organization, throughout all stages of their life cycle.&lt;/li&gt;&lt;li&gt;“Service Support.” “Service Support” focuses on ensuring that the customer has access to appropriate services to support their business functions. It covers configuration management and other support management issues including incident, problem, change, and release management.&lt;/li&gt;&lt;li&gt;“Service Delivery.” “Service Delivery” covers the service the business requires of IT to enable adequate support to the business users. 
This includes processes for service-level management, availability management, capacity management, financial management for IT services, and continuity management.&lt;/li&gt;&lt;li&gt;“Security Management.” The security management book of ITIL looks at security from the service provider perspective, identifying the relationship between security management and the IT security officer, as well as outlining how it provides the level of security necessary for the entire organization. It further focuses on the process of implementing security requirements identified in the IT service level agreement.&lt;/li&gt;&lt;li&gt;“ICT Infrastructure Management.” This covers all aspects of infrastructure management from identification of business requirements to acquiring, testing, installation, and deployment of infrastructure components. It includes the design and planning processes, deployment processes, operations processes, and technical support processes.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://bp1.blogger.com/_loYVSk5Eh68/R-ispUC69hI/AAAAAAAAAAc/9OaDh2Ju6DE/s1600-h/figure5.gif"&gt;&lt;img style="cursor: pointer;" src="http://bp1.blogger.com/_loYVSk5Eh68/R-ispUC69hI/AAAAAAAAAAc/9OaDh2Ju6DE/s320/figure5.gif" alt="" id="BLOGGER_PHOTO_ID_5181581197045331474" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;“Application Management.” “Application Management” addresses the complex subject of managing applications from initial business requirements through the application management lifecycle, up to and including retirement. A strong emphasis is placed on ensuring that IT projects and strategies are tightly aligned with those of the business throughout the applications life cycle. 
Once an application is approved and funded, it is tracked throughout its life cycle by the software asset management function of ITIL.&lt;/li&gt;&lt;/ul&gt;While COBIT takes the perspective of audit and control, ITIL takes the perspective of service management. The two frameworks are more complementary than competitive, and components of both can be taken to build a governance framework.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;ISO 17799:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The International Organization for Standardization has developed the third major governance framework, ISO 17799, titled “Information Technology — Code of Practice for Information Security Management.” It was first released by the ISO in December 2000; however, it is based on British Standard 7799, which was finalized in 1999. The intent of the standard is to focus on security and aid an organization in the creation of an effective IT security plan.&lt;br /&gt;&lt;br /&gt;The standard has the following high-level groupings: security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance. 
The standard is very thorough and covers a great deal of material in a concise manner.&lt;br /&gt;&lt;br /&gt;ISO 17799’s relatively narrow focus on security makes it unsuitable as the sole basis for an IT governance framework, but since risk management is a component of IT governance, ISO 17799 is relevant, and parts of it can be adopted in building an overall IT governance framework.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;CONSTRUCTING YOUR FRAMEWORK:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The first three sections of this report laid the groundwork for developing an IT governance framework. There is not necessarily one right IT governance framework. Governance frameworks must work within the context of an organization’s structure, culture, and strategy. Every IT governance framework must address three things: governance structures (the who of IT governance), governance processes (the how of IT governance), and governance communications to measure and communicate performance of the overall IT governance effort. Each of these is described in more detail below.&lt;br /&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;Governance Structures:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Governance structures relate to the organizational mechanisms created around the IT investment process. They include reporting relationships, governance-specific positions, and committees either created especially for or repurposed to execute the governance processes. Examples of governance structures include the following:&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Reporting relationships. One of the more effective IT governance structures consists of the CIO reporting to the CEO. This ensures that IT is part of the executive team where most strategy discussions begin and end. 
Without this seat at the table, IT will almost always be limited to a support organization as opposed to an enabling organization.&lt;/li&gt;&lt;li&gt;Governance-specific positions. Some large IT organizations are actually creating the position of IT governance officer reporting to the CIO. This sends a strong message that IT governance is important and it provides a continual focus on the issue. It prevents IT governance from becoming the flavor of the month by dedicating a resource and holding a senior manager accountable for IT governance initiatives.&lt;/li&gt;&lt;/ul&gt;A second position that plays an important role in IT governance is the IT relationship manager. The IT relationship manager acts as a go-between, communicating the implications of IT governance to the business units while articulating the needs of the business units back to IT. He is most successful when he can translate the benefits of IT governance into business terms and demonstrate that while at times it may be inconvenient, governance delivers value to the enterprise.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Committees. The bulk of IT governance work is carried out by committees, and for many organizations, multiple committees work at different levels to carry out IT governance processes. As mentioned earlier, sometimes these committees are already in existence and add IT governance responsibilities to their list of activities, while other times new committees are formed specifically to address IT governance issues. These committees include executive or senior management, IT investment, IT architecture and standards, and IT/business councils. 
The actual committees you use depend on organizational structure, culture, and other issues, and not all organizations will employ all of these committees at the same time.&lt;/li&gt;&lt;li&gt;IT governance is a collaborative process, so IT governance committees should be as inclusive as possible. There must be a healthy mix of business unit membership, corporate membership, and IT membership.&lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;Governance Processes:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The governance structures above are tasked with enforcing the governance processes articulated below. They include IT portfolio management, service-level agreements, chargeback mechanisms, and IT demand management.&lt;br /&gt;&lt;br /&gt;&lt;ul&gt;&lt;li&gt;IT portfolio management. IT portfolio management comprises a number of subdisciplines, including IT asset management, application portfolio management, and project portfolio management. By rolling up all of these components, a complete and comprehensive view of the entire IT portfolio emerges, enabling better strategic decision-making.&lt;br /&gt;&lt;br /&gt;IT portfolio management is the proactive management of the collection of projects, applications, systems, etc., which are evaluated as a group against criteria like balance, flexibility, risk, and their ability to drive value, in order to make future investment decisions.&lt;/li&gt;&lt;li&gt;Service-level agreements. Service-level agreements (SLAs) list available services, alternative quality levels, and related costs provided by IT. SLAs are governance processes because they articulate what service(s) IT is providing to the user, at what service level, and at what cost. Users can negotiate with IT and trade service levels for cost. 
Once IT exposes service levels and costs in this way, it often opens the door to competition from outside service providers (outsourcers), which typically introduces market conditions and results in more efficient IT services. At the same time, SLAs often result in improved behavior from the business units. By exposing costs, the business units have a much better understanding of the implications of their requests for IT services. Ultimately, SLAs should help both IT and business units make better decisions about IT services.&lt;/li&gt;&lt;li&gt;Chargeback mechanisms. Chargeback mechanisms can work in tandem with SLAs or by themselves. The objective is to charge back the costs of shared services to the business units that consume them. With a better understanding of its costs, IT can demonstrate the savings and efficiencies that result from shared services. At the same time, the business units can better rationalize their behavior with respect to their requirements for IT. With full cost transparency, better decisions can be made by both IT and business units with respect to the acquisition and deployment of IT assets.&lt;/li&gt;&lt;li&gt;Demand management. Demands for IT resources come from all directions and in all forms. Some demand is routine, such as help desk requests and new employee provisioning, while other demand is strategic and complex, such as requests for new applications to support new business opportunities. Demand management forces all IT demand through a single point, where it can be consolidated, prioritized, and fulfilled. Demand management works hand in hand with IT portfolio management to manage current and future IT investments.&lt;/li&gt;&lt;/ul&gt;&lt;span style="color: rgb(204, 0, 0);font-size:130%;" &gt;Governance Communications:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;For IT governance to be effective, it has to be measured and communicated throughout the&lt;br /&gt;enterprise. Communicating about IT governance takes on a number of objectives. 
At the beginning, all employees need to be educated about what IT governance actually does, its importance, and how it’s implemented across the enterprise. This communication needs to be continually reinforced.&lt;br /&gt;&lt;br /&gt;Measurement is equally important, and a key piece of the communications strategy. The primary objective of IT governance is to optimize the investment in information technology through strong IT/business alignment, ensuring that these investments return value to the enterprise within an acceptable risk envelope.&lt;br /&gt;· IT Balanced Scorecard. Once an IT governance model is developed for an organization, it&lt;br /&gt;needs to be implemented and then measured. The IT Balanced Scorecard has proven to be an&lt;br /&gt;effective tool with respect to IT governance, and consists of four perspectives: IT Value, User,&lt;br /&gt;Operational Excellence, and Future Orientation. Two of the Scorecard perspectives contain&lt;br /&gt;measures for the two key governance objectives: IT value and risk management. The IT value&lt;br /&gt;perspective contains specific measures for IT/business alignment and IT value, while the&lt;br /&gt;operational excellence perspective contains specific measures for managing IT risk.&lt;br /&gt;· IT portal. Portals have become the method of choice for communicating company&lt;br /&gt;information. The IT organization should create an IT governance Web site. This site can then be&lt;br /&gt;used to communicate information about IT governance. 
It can also contain performance reports&lt;br /&gt;and information about project status, as well as serving as a repository for governance-related&lt;br /&gt;documents including architecture and standards documents, business case templates, and ROI&lt;br /&gt;models.</content><link rel='related' href='http://www.favoredsolutions.net' title='IT GOVERNANCE FRAMWORK'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/5928229730644439896'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/5928229730644439896'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/03/it-governance-framwork.html' title='IT GOVERNANCE FRAMWORK'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_loYVSk5Eh68/R-iqKEC69fI/AAAAAAAAAAM/BnCi2cyC5Ok/s72-c/figure3.gif' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-6100458435584048013.post-7139517320416103298</id><published>2008-03-18T03:29:00.000-07:00</published><updated>2008-06-30T03:13:06.491-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Enterprise Risk Management'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM Software'/><category scheme='http://www.blogger.com/atom/ns#' term='Risk management software'/><title type='text'>Enterprise Risk Management Framework</title><content type='html'>&lt;p&gt;Two important 
&lt;a href="http://enterpriseriskmanagementsoftwares.blogspot.com/"&gt;ERM frameworks &lt;/a&gt;are COSO and RIMS. Each describes an approach for identifying, analyzing, responding to, and monitoring risks or opportunities, within the internal and external environment facing the &lt;a href="http://favoredsolutions.blogspot.com/"&gt;enterprise&lt;/a&gt;. Management selects a &lt;i&gt;risk response strategy&lt;/i&gt; for specific risks identified and analyzed, which may include:&lt;/p&gt; &lt;ol&gt;&lt;li&gt;Avoidance: exiting the activities giving rise to risk&lt;/li&gt;&lt;li&gt;Reduction: taking action to reduce the likelihood or impact related to the risk&lt;/li&gt;&lt;li&gt;Share or insure: transferring or sharing a portion of the risk, to reduce it&lt;/li&gt;&lt;li&gt;Accept: no action is taken, due to a cost/benefit decision&lt;/li&gt;&lt;/ol&gt; &lt;p&gt;Monitoring is typically performed by management as part of its internal control activities, such as review of &lt;a href="http://governance-risk-compliance.blogspot.com/"&gt;analytical reports&lt;/a&gt; or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt;&lt;h3 style="color: rgb(204, 0, 0);"&gt;&lt;span class="mw-headline"&gt;COSO ERM framework:&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;The &lt;span style="text-decoration: underline;"&gt;COSO&lt;/span&gt; "&lt;a href="http://www.favoredsolutions.net/GRCProducts/GRCEnterpriseRiskManagement.aspx"&gt;Enterprise Risk Management-Integrated Framework&lt;/a&gt;" published in 2004 defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its &lt;a href="http://enterprise-risk-management.blogspot.com/"&gt;risk &lt;/a&gt;appetite, to provide 
reasonable assurance regarding the achievement of entity objectives."&lt;/p&gt; &lt;p&gt;The COSO &lt;a href="http://erm-software-solutions.blogspot.com/"&gt;ERM Framework&lt;/a&gt; has eight components and four objectives categories. It is an expansion of the COSO &lt;span style="text-decoration: underline;"&gt;Internal Control&lt;/span&gt;-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;Internal&lt;/b&gt; Environment&lt;/li&gt;&lt;li&gt;&lt;b&gt;Objective Setting&lt;/b&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Event Identification&lt;/b&gt;&lt;/li&gt;&lt;li&gt;Risk Assessment&lt;/li&gt;&lt;li&gt;&lt;b&gt;Risk Response&lt;/b&gt;&lt;/li&gt;&lt;li&gt;Control Activities&lt;/li&gt;&lt;li&gt;Information and Communication&lt;/li&gt;&lt;li&gt;Monitoring&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The four objectives categories - additional categories highlighted - are:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;b&gt;Strategy&lt;/b&gt; - high-level goals, aligned with and supporting the organization's mission&lt;/li&gt;&lt;li&gt;Operations - effective and efficient use of resources&lt;/li&gt;&lt;li&gt;Financial Reporting - reliability of operational and financial reporting&lt;/li&gt;&lt;li&gt;Compliance - compliance with applicable laws and regulations&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;a name="RIMS_risk_maturity_model_for_enterprise_risk_management" id="RIMS_risk_maturity_model_for_enterprise_risk_management"&gt;&lt;/a&gt;&lt;/p&gt; &lt;h3 style="color: rgb(204, 0, 0);"&gt;&lt;span class="mw-headline"&gt;RIMS risk maturity model for enterprise risk management:&lt;/span&gt;&lt;/h3&gt; &lt;p&gt;Enterprise risk management (ERM) as defined by the Risk and Insurance Management Society (&lt;span style="text-decoration: underline;"&gt;RIMS&lt;/span&gt;) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. 
ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.&lt;/p&gt; &lt;p&gt;According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute and ERM maturity is determined by the weakest link.&lt;/p&gt; &lt;p&gt;&lt;b&gt;1. ERM-based approach&lt;/b&gt; - Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.&lt;/p&gt; &lt;p&gt;&lt;b&gt;2. ERM process management&lt;/b&gt; - Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools.&lt;/p&gt; &lt;p&gt;&lt;b&gt;3. Risk appetite management&lt;/b&gt; – Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.&lt;/p&gt; &lt;p&gt;&lt;b&gt;4. Root cause discipline&lt;/b&gt; - Degree of discipline applied to measuring a problem’s root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls’ effectiveness. 
The degree of risk from people, external environment, systems, processes and relationships is explored.&lt;/p&gt; &lt;p&gt;&lt;b&gt;5. Uncovering risks&lt;/b&gt; - Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft® Word, Excel®, etc.) to uncover dependencies and correlation across the enterprise.&lt;/p&gt; &lt;p&gt;&lt;b&gt;6. Performance management&lt;/b&gt; - Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or a similar approach. &lt;a href="http://jamessayles.blogspot.com/"&gt;Degree of exposure&lt;/a&gt; to uncertainty, or potential deviations from plans or expectations.&lt;/p&gt; &lt;p&gt;&lt;b&gt;7. Business resiliency and sustainability&lt;/b&gt; – Extent to which the ERM Process’s sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. 
Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://grcsolution.blogspot.com/feeds/7139517320416103298/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=6100458435584048013&amp;postID=7139517320416103298' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/7139517320416103298'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/6100458435584048013/posts/default/7139517320416103298'/><link rel='alternate' type='text/html' href='http://grcsolution.blogspot.com/2008/03/enterprise-risk-management-framework.html' title='Enterprise Risk Management Framework'/><author><name>Syed Salman Chishti</name><uri>http://www.blogger.com/profile/02117252451540569231</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry></feed>
