IT governance is the process of establishing visible, positive oversight over the management of IT practices. The components of IT governance set the discipline and determine the resources required to demonstrate that risks are managed and corporate objectives are achieved.

Technology is a key element of any GRC strategy, and IT governance is an integrated part of technology. The two are vital elements of the enterprise's total GRC initiative.

  • IT governance practices help standardize company practices, map them to best practices, and look for gaps and efficiencies.
  • IT governance does not prevent IT failures, but it ensures that the risk of failure is addressed in the Business Continuity plan.
  • IT governance makes sure that IT risks are carefully considered, weighed and documented.
  • IT governance makes sure that appropriate measures are in place to protect the company's assets and information.
  • IT governance ensures that mitigation measures are proportional to risks and that continuous development can eliminate redundant or inefficient controls.
  • IT governance should be documented and evidenced so that the governance process is visible and transparent.

Effective IT governance requires good risk management. When the above IT governance items are addressed and implemented, the next step is to focus on the disciplines involved in risk management.

The enterprise's value proposition is often built on IT. However, the risks associated with IT are not always evident. Managing IT risks means not accepting denial of service attacks, security risks arising from access by hackers, compliance risks arising from identity theft, or risks from possible catastrophic disasters resulting in service outages.

Enterprises must incorporate a proven risk-based approach to ensure that risks are identified, managed, prioritized and linked to controls.

The elements in the discipline of risk management are:

  • Identify, step by step, the risks that threaten the IT processes, such as human error and system malfunction.
  • Assess each risk for significance and likelihood from both an inherent risk and a residual risk perspective.
  • Use a structured approach based on existing risk frameworks to identify risks, and use a standard risk table to assess risk levels.
  • Where risks are significant, describe and document the controls, or identify and remediate the control gaps.
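As an added illustration of the four steps above (not code from the original newsletter), the following Python register scores each risk inherently and residually against a constructed "standard risk table", flags residual risk above the stated appetite as a control gap to remediate, and marks controls on risks that were already within appetite as candidates for the redundant-control review mentioned earlier. The 1-5 scales, score bands, appetite level and sample risks are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed "standard risk table": likelihood and significance are rated 1-5,
# the score is their product, and score bands map to a risk level.
LEVEL_ORDER = ["low", "medium", "high", "critical"]
SCORE_BANDS = [(4, "low"), (9, "medium"), (14, "high"), (25, "critical")]

def risk_level(likelihood: int, significance: int) -> str:
    """Look up the level for a likelihood x significance score in the risk table."""
    if not (1 <= likelihood <= 5 and 1 <= significance <= 5):
        raise ValueError("ratings must be on the 1-5 scale of the table")
    score = likelihood * significance
    return next(name for upper, name in SCORE_BANDS if score <= upper)

@dataclass
class Risk:
    name: str
    threat: str                 # e.g. human error, system malfunction
    inherent: tuple             # (likelihood, significance) before controls
    residual: tuple             # (likelihood, significance) after controls
    controls: list = field(default_factory=list)

def assess(register: list, appetite: str = "medium") -> list:
    """Score each risk inherently and residually; flag gaps and redundant controls."""
    limit = LEVEL_ORDER.index(appetite)
    rows = []
    for r in register:
        inh, res = risk_level(*r.inherent), risk_level(*r.residual)
        rows.append({
            "risk": r.name,
            "inherent": inh,
            "residual": res,
            # residual risk still above appetite: a control gap to remediate
            "control_gap": LEVEL_ORDER.index(res) > limit,
            # inherent risk already within appetite but controls exist:
            # candidate for the redundant/inefficient control review
            "review_controls": LEVEL_ORDER.index(inh) <= limit and bool(r.controls),
        })
    return rows

# Constructed sample register (illustrative values, not from any real assessment)
SAMPLE_REGISTER = [
    Risk("Admin deletes production database", "human error", (4, 5), (2, 3),
         ["change peer review", "nightly backups"]),
    Risk("Storage array failure", "system malfunction", (2, 5), (1, 5),
         ["redundant controllers"]),
    Risk("Web server not patched", "system malfunction", (4, 4), (4, 4)),
    Risk("Office printer outage", "system malfunction", (3, 1), (2, 1),
         ["spare printer"]),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```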

The goal is that management can see the big picture and distinguish where the big risks are. This provides the basis for allocating resources to documentation and tests. Technology then helps manage the IT governance data collection effort and provides visible oversight of major IT risks, processes, controls and issues.

These 'simple' steps give management the tools to identify and address IT governance as a single context.

See part II of 5 in the next newsletter.