Riskand Controls Management

Chia sẻ: Duy Pha | Ngày: | Loại File: PDF | Số trang:9

Thêm vào BST

Báo xấu

137
lượt xem 24
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

In a 2004 survey of 200 IT professionals from 14 countries in the Americas, Asia/Pacific and Europe, the IT Governance Institute (ITGI) found that in 80% of organizations, IT management is solely responsible for defining and addressing IT risk impact. This widespread lack of involvement by business unit managers demon- strates a consistent—and alarming—gap in mapping technology risk to the business. Additionally, this gap als shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, the consumers themselves—those people that require and use technology services—must share ownership of business-related IT risks with IT management and executive management....

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Riskand Controls Management

Written and provided by Expert Reference Series of White Papers Controlling the Beast: Risk and Controls Management in Financial Services 1-800-COURSES www.globalknowledge.com
White Paper Controlling the Beast: Risk and Controls Management in Financial Services Margaret Brooks, VP Strategic Solutions October 2006
Executive Summary Introduction With regulatory responsibility falling on executives In a 2004 survey of 200 IT professionals from 14 throughout the value chain and the danger of stringent countries in the Americas, Asia/Pacific and Europe, the and varied sanctions, enterprise risk management IT Governance Institute (ITGI) found that in 80% of continues to grow in importance within the financial organizations, IT management is solely responsible for industry. Accordingly, controls for mitigation of regulatory, defining and addressing IT risk impact. This widespread operational and reputational risks are now garnering the lack of involvement by business unit managers demon- same kind of attention and resources as an organization's strates a consistent—and alarming—gap in mapping more traditional market, liquidity and credit risk manage- technology risk to the business. Additionally, this gap also ment efforts. shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, Why the new found emphasis on enterprise risk the consumers themselves—those people that require management? Internal controls, which are essential and use technology services—must share ownership to good risk management, now have a direct impact on of business-related IT risks with IT management and the solvency and longevity of financial enterprises (due executive management. to increased public scrutiny). Further, the requirements for strong internal controls are unprecedented in their In only about one-third of the organizations surveyed, how- level of senior management awareness and accountability ever, does the CEO or board sign off on an organization’s IT (which include personal fines and even imprisonment). risk management plan. Yet without senior management’s Thus, we are in a new era of risk management: one where review and approval of the risk action plan and agreement “controls” are the remedy for risk and the term is applied to priorities and commitment of the necessary resources to to any and all of a company’s risk mitigation processes, effectively execute it, the plan itself is not worth the paper procedures, applications and data. it is printed on. That’s why ITGI recommends that boards oversee a consistent approach to the ownership of IT risk Thus, John Flaherty, a former Committee of Sponsoring management by business and IT management, and ensure Organizations (COSO) Chairman (whose framework was that all stakeholders are properly involved in the process. recognized by the SEC as the official one for establishing internal controls over financial reporting in a June 2003 ITGI identifies five focus areas for IT governance: announcement) and former Vice President and General 1. Strategic alignment Auditor for PepsiCo, says “every division in a company 2. Resource management needs to have a documented set of internal rules that 3. Performance measurement control how data is generated, manipulated, recorded 4. Value delivery and reported.” 5. Risk management For financial institutions and their partners, that’s both a good rule of thumb and a very tall order. However, executives are now on the hook for everything from the ic V De alu authenticity of their financial statements to “the quality rateg ent liv e of information reporting and systems, the manner in St ignm er y which business risks and activities are aggregated and management’s record in responding to emerging or Al changing risks.” IT Governance Perf sureme ent Mea But, how do you get started? Better yet, how do you Domains agem Man Risk monitor and maintain your controls program across the orm enterprise to achieve optimal value and risk mitigation? ance t In other words, how do you control the beast? n Resource Management ITGI’s five IT governance focus areas. 2
Governance starts with establishing objectives for an enterprise’s IT and continues with a closed loop of An Integrated Approach Can measuring and comparing results and refining activities Pay High Dividends and goals as necessary and appropriate. In that vein, Financial institutions minimize their risk exposures risk management’s specific function as it relates to IT through design and implementation of automated controls. governance is in protecting the strategic objectives of To achieve the necessary risk mitigation and return on the business against technology failures. And because a investment, however, individual controls should be inte- successful governance program is a continuous process, grated as part of an overall, enterprise controls framework. organizations must implement a sufficient controls Such an approach starts with achieving a high-level under- program, complete with testing, repeatability, visibility standing of comprehensive risks and risk requirements. and automation. And, it ensures that an organization’s controls strategy is constantly evolving along with its business risk Thus, risk and control go hand and hand and must be environment, which is often a complex combination of addressed together—and in a comprehensive and proac- regulatory, operational and reputational concerns. tive way. That means abandoning ad-hoc, point-product approaches in favor of a holistic approach that identifies processes and determines their associated risk, then: “A dynamic, enterprise-wide, risk-based • Ties the applicable controls to the risk(s) and controls framework is the foundation for a documents them successful institutionalized IT governance • Automates the most important controls program.” —Dan Trieschmann, Senior Managing • Develops ongoing monitoring capabilities for all controls Director, PricewaterhouseCoopers • Connects controls to any and all applicable and specific regulations Finally, this strategy lays the foundation for governance, • Ensures reporting provides the type and presentation of risk and compliance with continuous, proactive monitoring information necessary for compliance and audit of any and reporting, independent of any specific need, require- and all applicable and specific regulations ment or regulatory driver, allowing financial organizations to effectively: “CA's new Risk and Controls solution is a • Track and measure IT risk as a broader component of giant leap forward for banks of all sizes and business risk their executives who are responsible for • Monitor IT risk mitigation at every level within the organization managing risk. After almost 40 years in the • Provide information before a regulatory audit and/or banking industry, I understand the daily outside of it challenges of providing accurate and current • React to and grow with changes in the risk landscape data about risk and compliance. Today, Tactically speaking, it translates into implementation controls are far more important than ever as of a comprehensive system that includes elements for more information needs to be reported to identification, assessment, mitigation and ongoing control management, directors and regulators. of technology risk. And at minimum, that system must: The automated processes contained in 1. Identify all processes 2. Determine their associated risk(s) CA's latest software solution empower an 3. Tie applicable controls to the risk(s) executive to accurately report, as well as 4. Document the controls manage, a company's operational and 5. Automate the most important controls business IT risks company-wide.” 6. Develop ongoing monitoring capabilities for all controls 7. Connect specific regulations to applicable controls —Mr. Ronald Menaker, Retired President and Director 8. Ensure reporting provides the type of information of J.P. Morgan Services Inc. necessary for compliance and audit of specific regulations 3
Increased Global Emphasis on of Basel II call for the assessment of the control Internal Controls environment, including the quality of information reporting and systems, the manner in which business To ensure organizational responsibility and restore risks and activities are aggregated, and management’s investor confidence, various financial governing bodies record in responding to emerging or changing risks. around the world are focusing on developing rules that create transparency for internal controls and reporting • Canada’s Ontario Securities Commission, Multi- of publicly traded companies. Lateral Instrument 52-109 and Multi-Lateral Instrument 52-111, the so-called “J-SOX” require- In the US, the Sarbanes-Oxley (SOX) Act of 2002, ments to be incorporated into Japanese Securities which requires senior executives to personally attest to Exchange Law entitled, Financial Instruments and the accuracy of an organization’s financial measure- Exchange Law and—The rules require companies in ments and the controls that were implemented to these to file internal control reports along with their ensure this accuracy, is certainly the most famous. annual reports. That is because the requirement was instituted in response to such corporate scandals as Enron and • The EU’s Principles of Corporate Governance Global Crossings, and it sets a precedent for the level issued by the OECD (Organisation for Economic of personal responsibility and accountability it places Co-operation and Development)—Because it on a company’s management team to ensure ethical believes a mandatory standard for all of its 30 and sound reporting in the public interest. member countries is unrealistic, the EU has instituted a principles-based approach to internal controls. However, the SOX language is similar to—and heavily Many obligations and definitions mirror those of SOX influenced by—that of the UK’s Internal Control: and the framework specifically focuses on the rights, Guidance for Directors on the Combined Code roles and equitable treatment of shareholders; (The Turnbull Report) of 1999, which calls on boards disclosure and transparency; and the responsibilities of directors to regularly review reports on the effective- of the board. ness of their system of internal controls in managing key risks, and to undertake an annual assessment for Common elements among these documents include: the purpose of making statements on internal control • Identification of risks to financial reporting and in their annual reports. development of risk mitigation strategies on both the business and IT sides Other financial industry regulations that demonstrate • Linking significant risks to manual and automated a global emphasis on risk mitigation through internal controls controls include: • Testing of all key manual and automatic controls and revisions based on their operational effectiveness • The Group of Ten (G10) countries’ New Basel Capital • Identification of any new business and IT control Accord (Basel II)—In June, 2004, the G10 published gaps arising from a quality assessment review and a new framework for capital adequacy known as operational effectiveness testing, as well as institution Basel II. Sections 744 and 745 of Basel II call for an of applicable remediation action plans independent review of financial organizations’ internal • A complete and detailed quality assessment of all control structures, including risk management, business and IT controls documentation aimed at establishing a method for monitoring compliance with verifying that no key controls are missing internal policies, and verifying the adequacy of their • Documentation of all embedded system application systems of internal controls to ensure well-ordered controls and prudent business conduct. Sections 751 and 752 4
Automation Is Key Privacy Controls In their development of controls, however, most organiza- While the Internet has revolutionized the way tions have recently focused on passing audits and financial companies deliver services, the potential achieving compliance for specific guidelines and governing for abuse and fraud is high. As such, consumers are bodies. While this approach addresses immediate needs, demanding assurances that their personal data is it lacks any real long-term strategy, duplicates effort protected and secure—and government at all levels and usually misses the correlation between good risk has responded with a plethora of privacy laws. These management and good organizational control. Moreover, guidelines, aimed at protecting the confidentiality, it essentially communicates results of a controls program integrity and accessibility (CIA) of consumers’ based on a specific moment (the result of the assess- personal data, require board oversight and periodic ment/test), and forces a situation where cyclical and audit of the safeguards that institutions implement. manual maintenance are the norm. They include: • The European Union Data Protection Directive, In that “tactical“ mode, enterprises are constantly “rein- Directive 95/46/EC, 1995 venting the wheel“ because there is little or no automation, • Health Insurance Portability & Accountability Act and therefore, no mechanism by which they can easily (HIPAA), 1996 identify and address new and applicable risks, regulations • Section 501 of the Gramm-Leach-Bliley Financial or requirements. What’s more, testing, repeatability, Services Modernization Act (GLB or GLBA), 1999 visibility and remediation are costly or nonexistent. • US Department of Commerce’s Safe Harbor Framework, 2000 When it utilizes an integrated, strategic approach, however, • Personal Information Protection and Electronic automation of controls testing is both seamless and Documents Act (PIPEDA), Canada 2000 transparent and based on technologies that facilitate rapid • Various state consumer information protection reporting of operational activities against regulatory and/or “like“ rules, including California Civil Code 1798.80, business drivers. And, it also optimally includes federated AB 2246 and California SB 1386 monitoring and reporting of objectives among entities, • Self-regulating industry guideline, Payment Card partners and regulatory bodies, as well as applicable Industry (PCI) Data Security Standard between maintenance and repair. Visa and MasterCard to create common industry security requirement, 2004 “IT risks and business operational risks can no longer be kept in different silos given Financial institutions and credit card companies are aware that they are within the purview of GLBA. But, today's increasingly stringent regulatory real estate agents, appraisers, insurance companies environment. In my view, public companies and small financial planning and securities firms may should strongly consider CA's new software not know that they are, as well. And because it aims solution because of the unique way it to secure any record containing nonpublic, personal information about a customer, in paper, electronic, integrates IT and business risks through a or other form, that is maintained by or behalf of an centralized, highly visible repository, which financial organization, GLBA also applies to any and should enable corporate managers to more all third-party vendors and service providers that easily manage both the risks and the costs maintain, transact in or process financial companies’ customer data. associated with mitigating those risks.” —Rick Roberts, independent consultant and former commissioner of the Securities and Exchange Commission. 5
How CA Clarity™ Risk and Controls As such, the comprehensive CA Clarity Risk and Controls Manager solution helps organizations make decisions Manager Can Help that will drive efficiencies by establishing visibility into the CA Clarity Risk and Controls Manager provides a global quality of their existing controls while also helping them repository that easily maps new requirements to existing identify their requirements and corresponding operational controls, the ability to improve the overall quality of impacts. More to the point, CA Clarity Risk and Controls controls and the capabilities for continuous monitoring, Manage helps enterprises proactively manage, monitor managing and reporting of all risks and controls. and report on their internal and external controls, which helps manage the entire control landscape, including And in recognition of the fact that many enterprises have outsource relationships. already documented their business and IT processes and controls on their journeys toward a compliance program, CA Clarity Risk and Controls Manager allows them to retain and leverage their good work to build context around CA Clarity Risk and Controls Manager how their controls are used within their environments and Makes Spreadsheets Obsolete carry that information forward. Because of the advanced sorting and computational functionality the applications offer, spreadsheets Specifically, CA Clarity Risk and Controls Manager enables organizations to effectively integrate and automate their remain a staple of control information capture and enterprise risk and controls management programs by: maintenance. But CA Clarity Risk and Controls • Continuously optimizing processes for identifying risks Manager has rendered them obsolete, offering and implementing controls across business units, those features, in addition to innovative functionality geographies, and/or business processes that Excel and other spreadsheet software packages • Customizing the system configuration to address specific cannot. risk management methodologies • Utilizing industry-standard control frameworks that support COSO, CobiT, ISO:17799:2005 and NIST For example, role-based views can be used to lock standards down access to control information and offer the • Aligning policies, procedures, contracts, service level ability to capture additional qualitative information agreements (SLAs) and other internal requirements about the maturity of controls. And while it is with legislative and regulatory requirements, as well as difficult to ensure the integrity of documented associating with and reporting on the specific controls activities related to each controls that are created in other products once • Tracking specific control activity test results and storing they are distributed across the organization, CA the evidence of specific tests Clarity Risk and Controls Manager includes auditing • Tracking control activities related to outsourced IT or and workflow capabilities that facilitate change business processes tracking and alerts. • Monitoring the results of control testing and control failures, in addition to tracking controls maturity and graphically presenting the results through web-based Moreover, the combination of Clarity’s qualitative dashboards and quantitative data and sophisticated information • Facilitating root-cause analysis of control failures and presentation, allows management to create identifying other areas within an organization where powerful business intelligence that can be leveraged similar breakdowns may occur to make educated investment decisions about its • Offering continuous monitoring capabilities that include controls portfolio. repeatable alerts and escalations • Allowing implementation of a system based on the risk and control maturity of an organization • Tracking costs associated with sustaining the control environment 6
The CA Advantage CA is one of the world’s largest IT management software providers, delivering software and expertise to unify and simplify complex IT environments in a secure way across the enterprise for greater business results. Enterprise IT Management (EITM) is CA’s clear vision for the future of IT. It’s about how financial institutions can manage systems, networks, security, storage, applications and databases securely and dynamically. They can build on their IT investments, rather than replacing them, and do so at their own pace. Leveraging an architectural foundation that promotes the integration and sharing of management processes, data and user interfaces, EITM provides a path for proactive, enterprise-wide IT management that enables organizations to optimize resource allocation in anticipation of business needs. It ties together management of the entire enterprise IT environment—including end users, infrastructure, data, applications, IT services and business processes. In addition to streamlining core IT disciplines, such as fault and change management, EITM’s service-oriented approach eliminates the “silos” that historically have limited an IT organization’s ability to effectively manage disparate technologies. This makes it easier to enhance and monitor the end-to-end impact of IT on the business. As the world’s leading independent provider of IT management solutions, CA is uniquely able to provide customers with this consistent, integrated approach for managing their multi-vendor, multi-generation enterprise IT environments. CA has more than 5,300 developers worldwide who create and deliver IT management software that keeps the CA vision real. And CA has taken decades of experience solving complicated IT problems and developed practical paths for organizations to get from where they are today to where they want to be. For more information, visit www.ca.com/clarity. 7
Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised of such damages. MP308571006