Abstract
This paper sets out to demonstrate how establishing an effective information risk management programme is a key element in an enterprise's overall operational risk and governance programme. Establishing such a programme provides a golden opportunity to rationalise and align a number of processes and disciplines into a single effective risk and compliance programme. This paper sets out the opening steps for establishing such a programme and so for realising that opportunity. The business need has been created by legislation and regulation, accounting standards, best practice and contractual commitments for effective governance and appropriate risk management, while still meeting the need to generate profit and be cost effective. Aspects of financial risk, e.g. credit risk, are supported by mature processes, and there is wide commercial experience in many of these finance-related areas; other aspects of risk, however, may occur so rarely that little or no experience has been accumulated. For some risks no process has been developed to manage them, and where a risk management process is present it is often either immature or ineffective.
About this article
Cite this article
Drew, M. Information risk management and compliance — expect the unexpected. BT Technol J 25, 19–29 (2007). https://doi.org/10.1007/s10550-007-0004-x