IT & Business Risk
Alignment Guide
BENEFITS OF IT AND BUSINESS RISK ALIGNMENT
• Technology risks are identified and understood.
• The business impact of technology risks is easily quantified.
• Operational risk management is more effective.
• Preventive capabilities are stronger.
• Collaboration between IT and business is healthier and practiced more.
• IT investment decision making is better and prioritized.
• Approaches to risk and control solutions are less tactical and reactive, enabling a more strategic approach.
• Funding battles over IT investments occur less.
• Capital use is more effective.
KEY CHALLENGES OF ALIGNING IT SERVICES WITH BUSINESS SERVICES
• IT operations are traditionally calibrated to IT components.
• Existing environments are complex for the following reasons:
− Decades of mergers and acquisitions activity
− Layers upon layers of technology “plaque” accumulating over time
− Duplicative, fragmented and overlapping solutions built in through line-of-business, product or departmental “silos.”
• Change pace is accelerated, and outsourcing is common. Emerging and disruptive technologies are explosively adopted.
• Rising technology investments are conducted outside the IT function.
SIGNS OF MISALIGNMENT
• Technology risk reporting occurs “just because” or is seen as a compliance exercise.
• The volume of technology risk data is overwhelming, but the amount of technology risk information is underwhelming.
• Technology risk metrics are expressed solely in IT terms (e.g., server or network availability, number of incidents, etc.).
• Business support is lacking for critical technology investments focused on risk management or control.
• IT investment prioritization is undefined and confusing.
• IT infrastructure leaks are plugged instead of investments being made in more strategic, comprehensive improvements.
• A widening wedge exists between IT and the business.
TYPES OF MISALIGNMENT
• Complete disconnection: The technology risk approach exists without any meaningful links to an enterprise risk framework. The risk
appetite and risk language used in the enterprise risk framework are absent from the technology risk framework.
• Misalignment: Attempts to map technology risks to business risks have been made, but they are off the mark. For example, the links
may reflect lack of context and prioritization (e.g., treating technology risks that underpin an employee application with the same urgency
as the technology risks lurking in a proprietary trading system).
• Technology-heavy measures: Some technology and business risk alignment exists, but the management of those risks lacks precision
because it remains too technology-focused. Measures of root-cause technology risk predominate over business measures, and this
imprecision clouds risk decision-making and slows technology funding decisions.
ALIGNMENT IN PRACTICE: TWO CASE STUDIES (1/3)
1) Top 10 U.S. Retail and Commercial Bank
• Problem Statement: IT metrics were not aligned to critical business outcomes.
− Implement mature Level 2 IT risk management processes.
− Focus was on reducing the number and duration of critical incidents.
− Declare IT success and ensure that it resonates with business stakeholders.
• Approach: Advance to Level 3 maturity.
− Map IT services to critical business services.
− Align metrics and IT reporting to business services expressed in business terms.
• Benefits
− Communications between IT and business stakeholders are improved.
− IT investment priorities are better aligned.
− IT service management priorities and architectural patterns change – shift in focus from reduction in number and duration of incidents
to reductions in planned maintenance windows.
ALIGNMENT IN PRACTICE: TWO CASE STUDIES (2/3)
2) Top 10 Global Retail and Commercial Bank
• Problem Statement: The volume of risk and control data is high, but no real understanding of risk exists.
− Spend a significant amount of time documenting and testing controls.
− Provide long lists of potential control issues with real understanding of business consequences.
• Approach
− Adopt a service model to establish a link between IT risks and business functions/processes.
− Develop a reporting tool, which consolidates all relevant risks to an aggregated level and classifies the potential business impact in
terms of availability, confidentiality, integrity or compliance for each system or service.
− Establish a process and structure to enable both IT and business partners to interpret IT risk and control information and to quantify
the potential impact of the risk on the business.
− Establish a communication channel into the impacted business areas to enable everyone to understand, interpret and provide a
judgment back to IT on risk appetites and priorities.
• Benefits
− The significance of the IT risks is vastly understood.
− The cost of risk and compliance activities is reduced by over XX%.
− Strategic investment in core IT processes is better prioritized and supported by the business.
ALIGNMENT IN PRACTICE: TWO CASE STUDIES (3/3)
Lessons Learned/Project Challenges
• Define reporting requirements upfront and design processes to deliver against these requirements.
• Analyze risk and control data in aggregate to understand risk. Avoid information overload. Develop transparency reporting to aggregate
control issues affecting services managed by IT, enabling the business impact of IT issues to be assessed and quantified.
• Design the risk assessment methodology to facilitate the identification of duplicate controls. Linking common controls is key to avoid
information overload and to fully understand control failure implications.
• Utilize standardized risk and control assessment templates if quality and consistency are to be achieved globally and reliance is placed on
process owners to support the risk assessment process.
• Structure risk assessment around entities to significantly reduce duplication efforts. Service and entity models reduce the time to
complete assessments and the associated costs by over XX%.
• IT control/process owners are good at assessing the impact of individual IT control failures. The business is much better at assessing
the true business impact of control failures if it is given information that it understands.
• Analyze actual incidents to significantly improve the quality of the risk assessment process. Analyze the root cause of all significant
incidents, and establish a process to update risk and control data based on actual findings. Transparency reporting enabled risk
assessment benchmarking against actual incidents.
• Ensure full integration with other assurance activities to maintain buy-in from IT and the business. The IT departments believe they are
over-audited.
• Utilize training processes and control owners since risk and control concepts are not well understood by IT professionals.
KEEP IN MIND THREE IMPORTANT QUALITATIVE ASPECTS
• Readiness and maturity vary.
− A “one-size-fits-all” approach does not exist, but basic underlying principles are consistent.
• It may take time.
− Processes require time, patience and an organization’s fortitude.
• Companies can begin anywhere and/or go as deep as they like.
− Small successes can help sway skeptics and encourage buy-in for expanding the effort.
AND REMEMBER: NEAR MISSES WILL ADD VALUE
• The most telling sign of alignment success is that things previously qualified as near misses are spotted and responded to in a way that
adds value.
• By elevating technology risk management to a Level 4 maturity stage, organizations achieve the following:
− Better overall risk management and better alignment to operational risk management
− Better IT and business alignment
− A nimbler IT organization that is better positioned to address the ever-increasing pace of change, the risk-sensitive introduction of
emerging technologies and greater support for innovation
  • 4. SIGNS OF MISALIGNMENT • Technology risk reporting occurs just because or is seen as a compliance exercise. • Technology risk data is overwhelmingly high, but underwhelming amounts of technology risk information exist. • Technology risk metrics are expressed solely in IT terms (e.g., server or network availability, number of incidents, etc.). • Business support is lacking for critical technology investments focused on risk management or control. • IT investment prioritization is undefined and confusing. • IT infrastructure leaks are plugged rather than invested in more strategic, comprehensive improvements. • A widening wedge exists between IT and the business. 4
  • 5. TYPES OF MISALIGNMENT • Complete disconnection: The technology risk approach exists without any meaningful links to an enterprise risk framework. The risk appetite and risk language used in the enterprise risk framework are absent from the technology risk framework. • Misalignment: Attempts to map technology risks to business risks have been made, but they are off the mark. For example, the links may reflect lack of context and prioritization (e.g., treating technology risks that underpin an employee application with the same urgency as the technology risks lurking in a proprietary trading system). • Technology-heavy measures: Some technology and business risk alignment exists, but the management of those risks lacks precision because it remains too technology-focused. Measures of root-cause technology risk predominate over business measures, and this imprecision clouds risk decision-making and slows technology funding decisions. 5
  • 6. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (1/3) 1) Top 10 U.S. Retail and Commercial Bank • Problem Statement: IT metrics were not aligned to critical business outcomes. − Implement mature Level 2 IT risk management processes. − Focus was on reducing the number and duration of critical incidents. − Declare IT success and ensure that it resonates with business stakeholders. • Approach: Advance to Level 3 maturity. − Map IT services to critical business services. − Align metrics and IT reporting to business services expressed in business terms. • Benefits − Communications between IT and business stakeholders are improved. − IT investment priorities are better aligned. − IT service management priorities and architectural patterns change – shift in focus from reduction in number and duration of incidents to reductions in planned maintenance windows. 6
  • 7. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (2/3) 2) Top 10 Global Retail and Commercial Bank • Problem Statement: Risk and control data is high, but no real understanding of risk exists. − Spend a significant amount of time documenting and testing controls. − Provide long lists of potential control issues with real understanding of business consequences. • Approach − Adopt a service model to establish a link between IT risks and business functions/processes. − Develop a reporting tool, which consolidates all relevant risks to an aggregated level and classifies the potential business impact in terms of availability, confidentiality, integrity or compliance for each system or service. − Establish a process and structure to enable both IT and business partners to interpret IT risk and control information and to quantify the potential impact of the risk on the business. − Establish a communication channel into the impacted business areas to enable everyone to understand, interpret and provide a judgment back to IT on risk appetites and priorities. • Benefits − The significance of the IT risks is vastly understood. − The cost of risk and compliance activities is reduced by over XX%. − Strategic investment in core IT processes is better prioritized and supported by the business. 7
  • 8. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (3/3) Lessons Learned/Project Challenges • Define reporting requirements upfront and design processes to deliver against these requirements. • Analyze risk and control data in aggregate to understand risk. Avoid information overload. Develop transparency reporting to aggregate control issues affecting services managed by IT, enabling the business impact of IT issues to be assessed and quantified. • Design the risk assessment methodology to facilitate the identification of duplicate controls. Linking common controls is key to avoid information overload and to fully understand control failure implications. • Utilize standardized risk and control assessment templates if quality and consistency is achieved globally and reliance is placed on process owners to support the risk assessment process. • Structure risk assessment around entities to significantly reduce duplication efforts. Service and entity models reduce the time to complete assessments and the associated costs by over XX%. • IT control/process owners are good at assessing the impact on individual IT control failures. The business is much better at assessing the true business impact of control failures if information is provided that they understand. • Analyze actual incidents to significantly improve the quality of the risk assessment process. Analyze the root cause of all significant incidents, and establish a process to update risk and control data based on actual findings. Transparency reporting enabled risk assessment benchmarking against actual incidents. • Ensure full integration with other assurance activities to maintain buy-in from IT and the business. The IT departments believe they are over audited. • Utilize training processes and control owners since risk and control concepts are not well understood by IT professionals. 8
  • 9. KEEP IN MIND THREE IMPORTANT QUALITATIVE ASPECTS • Readiness and maturity vary. − A “one-size-fits-all” approach does not exist, but basic underlying principles are consistent. • It may take time. − Processes require time, patience and an organization’s fortitude. • Companies can begin anywhere and/or go as deep as they like. − Small successes can help sway skeptics and encourage buy-in for expanding the effort. 9
  • 10. AND REMEMBER: NEAR MISSES WILL ADD VALUE • The most telling sign of alignment success is that things previously qualified as near misses are spotted and responded to in a way that adds value. • By elevating technology risk management to a Level 4 maturity stage, organizations achieve the following: − Better overall risk management and better alignment to operational risk management − Better IT and business alignment − A nimbler IT organization that is better positioned to address the ever-increasing pace of change, the risk-sensitive introduction of emerging technologies and greater support for innovation 10