IS/IT Risk Assessment in the Implementation of a Business Continuity Plan : An integrated approach based on Enterprise Risk Management and Governance of Enterprise IT

Hidalgo Valdez, Cristina Cecilia

January 1900

Business continuity is an area of research that ensure continuity of enterprise operations. Business continuity requires knowledge and input from business and IT leaders to assess and manage risks associated with critical business processes to develop a plan that can allow the organization to resume operations. Organizations that have a holistic enterprise risk management approach can better manage business and technology risks. The increasing dependency on technological resources asserts the need to assess business and technology risks to develop business continuity. Nevertheless, governance and enterprise leaders find difficult to determine the scope and impact of risks associated with enterprise operations. In organizational contexts, business continuity planning is perceived as an element of contingency instead of an opportunity for improvement. In addition, there is a lack of academic literature related to the organizational implementation of a business continuity plan. For this reason, there is a need to merge enterprise risk management and governance of enterprise IT views to provide an integrated perspective of business and technological risk in the im-plementation of a business continuity plan.The objective of the study relies on assessing how the implementation of a business continuity plan is conducted, together with its challenges and benefits, to provide insights on the elements that facilitates a business continuity plan implementation. The study focuses on the preparation phase of a business continuity plan, where enterprise risks are identified, evalu-ated and mitigated. The study results are based on a case study performed at a multination retail and manufacturing enterprise in Spain. The results indicates that awareness from the higher governance body and senior management on the dependency that enterprises have developed on IS/IT key resources is a factor that influence how risk management and technology risk is perceived in organizations. This influence how the higher governance body views the need to implement enterprise risk management, governance of enterprise IT and business continuity initiatives. Likewise, the elements facilitating a business continuity imple-mentation are associated with the sponsorship and leadership from organizational actors, the involvement of an external organizational agent that can bring expertise and methodology related to business continuity planning, identification of enterprise critical areas and processes and the creation of business and IT risk scenarios to depict threats to the organization operations and processes. This internal reflection brings challenges and benefits to the or-ganization and both are addressed in the study.The study concludes with the presentation of two high level frameworks that can aid enter-prise leaders to visualize and understand the influence that enterprise risk management and governance of enterprise IT has on the implementation of a business continuity plan and the underlying elements that facilitate a business continuity plan implementation in organizations.

Enterprise Risk Management

Governance of Enterprise IT

Business Continuity Plan

Risk Assessment

IS Risk

IT Risk.

Application of enterprise risk management models during new business development / P.E. Heyneke

Heyneke, Petrus Erasmus

January 2010

Enterprise is often described as risk for reward, but it may be possible to reduce the risk while improving returns. According to SEDA, failure rates of SMMEs in South Africa range from 70 to 80 percent. The need for this study arose when it was found that most SMMEs did not have a formal system in place to mitigate their risks right from the outset in the feasibility study, the business plan design and the start–up of the business. This lack of mitigation controls could be a result of a lack of understanding of the enterprise risk management (ERM) methodology or an inappropriate ERM decision–making model to assist them in a way that would mitigate their risk and minimise financial losses. The ERM approach can anticipate unplanned occurrences and is a systematic way of foreseeing the future. Entrepreneurs and business owners take on risks to pursue new business objectives within their respective risk appetites. This study also evaluated several models of risk identification and the ERM methodology. In this study an ERM model, ISO 31000, was applied in a business case and a comparison was made between the risks identified in the business plan and the ERM approach. / Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2011.

Enterprise risk management

ERM

Risk identification

Strategic risk management

Enterprise development

Business development

Icke-finansiell riskhantering inom offentlig sjukvård : En fallstudie på Hudkliniken vid Universitetssjukhuset i Örebro / Non-financial risk management in public health care

Ardermark, Pontus, Carlsson, Andreas

January 2014

Offentliga organisationer har de senaste åren implementerat styrsystem från privata organisationer för att förbättra organisationerna. Dessa styrsystem har både påvisat för- och nackdelar för de offentliga organisationerna vilket även har ökat de icke-finansiella riskerna för dessa. Vi ställer då oss frågan om ett riskhanteringsramverk som är skapat främst för privata organisationer kan förbättra riskhanteringsarbetet för Hudkliniken på Örebro Universitetssjukhus (USÖ). Syftet med vår fallstudie är att förklara hur Hudkliniken på USÖ arbetar med riskhantering och om det där finns förbättringsmöjligheter. Vi vill också studera om COSOs ramverk för riskhantering kan vara till nytta för kliniken och hjälpa dem i deras arbete. Studien har använt en kvalitativ forskningsansats. Datan har bestått av intervjuer samt Hudklinikens dokumentation kring riskhantering. Studien visade att Hudkliniken på flera områden utför ett adekvat arbete gällande riskhantering med vår teoretiska referensram som mall. Då teorins alla områden inte täcks i verksamhetensnuvarande arbete skulle dock COSOs ramverk kunna vara till hjälp för organisationen.

Health care

COSO

enterprise risk management

public organizations

Sjukvård

COSO

riskhantering

offentliga organisationer

Application of enterprise risk management models during new business development / P.E. Heyneke

Heyneke, Petrus Erasmus

January 2010

Enterprise is often described as risk for reward, but it may be possible to reduce the risk while improving returns. According to SEDA, failure rates of SMMEs in South Africa range from 70 to 80 percent. The need for this study arose when it was found that most SMMEs did not have a formal system in place to mitigate their risks right from the outset in the feasibility study, the business plan design and the start–up of the business. This lack of mitigation controls could be a result of a lack of understanding of the enterprise risk management (ERM) methodology or an inappropriate ERM decision–making model to assist them in a way that would mitigate their risk and minimise financial losses. The ERM approach can anticipate unplanned occurrences and is a systematic way of foreseeing the future. Entrepreneurs and business owners take on risks to pursue new business objectives within their respective risk appetites. This study also evaluated several models of risk identification and the ERM methodology. In this study an ERM model, ISO 31000, was applied in a business case and a comparison was made between the risks identified in the business plan and the ERM approach. / Thesis (M.B.A.)--North-West University, Potchefstroom Campus, 2011.

Enterprise risk management

ERM

Risk identification

Strategic risk management

Enterprise development

Business development

Ο σύγχρονος εσωτερικός έλεγχος και η διαχείριση των κινδύνων (enterprise risk management, ERM) : ο κλάδος των τραπεζών

Παππάς, Γεώργιος

19 January 2011

Στην παρούσα εργασία περιλαμβάνονται: η θεωρητική προσέγγιση του εσωτερικού ελέγχου (internal audit) στην οποία αναλύονται ο ορισμός του εσωτερικού ελέγχου και το πλαίσιο επαγγελματικής εφαρμογής. Τα ελεγκτικά πρότυπα και οι κανόνες συμπεριφοράς. Επίσης αναλύεται το σύστημα εσωτερικού ελέγχου και η επιτροπή ελέγχου, καθώς και η οργάνωση της διεύθυνσης εσωτερικού ελέγχου και η μεθοδολογία που ακολουθείται για τη διεξαγωγή των ελέγχων. Στο δεύτερο μέρος αναλύουμε το πλαίσιο διαχείρισης κινδύνων (Enterprise risk management) και περιγράφουμε πως διεξάγεται ο έλεγχος στις τράπεζες. Στο τρίτο μέρος παρουσιάζουμε ένα εξειδικευμένο πρόγραμμα ελέγχου σε κάποιο τραπεζικό ίδρυμα με επισυναπτόμενα φύλλα εργασίας και εργαλεία που χρησιμοποιούν οι ελεγκτές και τη μεθοδολογία κατάρτισης εκθέσεων εσωτερικού ελέγχου. Παραθέτουμε συμπεράσματα από την ανάλυση των πορισμάτων της διεύθυνσης εσωτερικού ελέγχου. Στο παράρτημα αναφέρουμε τα διεθνή πρότυπα εσωτερικού ελέγχου και παρουσιάζουμε υπόδειγμα φύλλου αυτοαξιολόγησης καταστήματος μιας τράπεζας. / Included in this work: a theoretical approach of internal audit explaining definition of internal audit and professional practice framework (PPF) and auditing standards and rules of conduct. We also analyzed the internal audit and audit committee, and the organization of internal audit and the methodology used for the audits. In the second part we analyse the risk management (enterprise risk management) and we describe how the audit is being conducted in the banks. In the third part we present in any bank foundation a specialized inspection program with attached work sheets and tools using the controllers and methods of preparation internal audit report. We set conclusions from the analysis of the findings of the internal audit manager. The annex lists international standards of internal audit and presents a model of self-assessment package for one bank.

Εσωτερικός έλεγχος

Έλεγχος

Τράπεζες

658.155

Internal audit

Enterprise risk management

Control

Banks

A systematic approach to enterprise risk management

Benjamin, Nicolas James

03 1900

Thesis (MEng)--Stellenbosch University, 2015. / ENGLISH ABSTRACT: In the current economic climate where credit crises, fluctuating commodity prices, poor governance, rising unemployment and declining consumer spending exist, risk management is of utmost importance. Proclaiming the existence of a risk management strategy is not enough to ensure that an enterprise achieves its objectives. The implementation of a holistic enterprise-wide risk management framework is required in order to execute strategies and achieve objectives effectively and efficiently Two types of risk management have emerged in industry, namely quantitative and qualitative risk management. On the one hand, qualitative analysis of risk can be done quickly and with minimal effort. However, these methods rely on the opinion of an individual or group of individuals to analyse the risks. The process may be highly subjective and does not fully consider the characteristics of the enterprise. This renders qualitative risk analysis as an ineffective singular strategy although it has been shown to be effective when the risks are well understood. Quantitative analysis, on the other hand, is particularly effective when the risks are not well understood. These methods have been shown to provide substantially more information regarding risks compared to qualitative analysis. However, many quantitative risk management methods presented in literature are studied in isolation and not within the context of a holistic risk management process. Furthermore, quantitative methods tend to be complex in nature and require a reasonable understanding of mathematical and statistical concepts in order to be used effectively. In view of this, there is a need for an enterprise risk management framework that emphasises the use of qualitative methods when the risks are well understood and quantitative methods when in-depth analyses of the risks are required. In this study, a systematic enterprise-wide risk management framework that incorporates both quantitative and qualitative methods was developed. The framework integrates these methods in a logical and holistic manner. The quantitative methods were found be to be largely practical while the qualitative methods presented are simple and easy to understand. / AFRIKAANSE OPSOMMING: In die huidige ekonomiese klimaat waar krediet krisisse, wisselende kommoditeitspryse, swak bestuur, stygende werkloosheid en dalende verbruikersbesteding bestaan, is risikobestuur van die uiterste belang. Die verkondiging van die bestaan van 'n risiko bestuurstrategie is nie genoeg om te verseker dat 'n onderneming sy doelwitte bereik nie. Die implementering van 'n holistiese ondernemings- breë risikobestuursraamwerk is nodig om strategieë en doelwitte doeltreffend en effektief te bereik. Twee tipe risikobestuur het na vore gekom in die bedryf, naamlik kwantitatiewe en kwalitatiewe risikobestuur. Aan die een kant , kan kwalitatiewe ontleding van risiko vinnig en met minimale inspanning gedoen word. Hierdie metode is gewoontlik die mening van 'n individu of 'n groep individue wat die risiko ontleed. Die proses kan hoogs subjektief wees en nie ten volle die eienskappe van die onderneming in ag neem nie. Kwalitatiewe risiko-analise kan dan gesien word as 'n ondoeltreffende enkelvoud strategie maar dit is wel doeltreffend wanneer daar verstaan word wat die onderneming se risiko is. Kwantitatiewe analise, aan die ander kant, is veral effektief wanneer die risiko's nie goed verstaanbaar is nie. Hierdie metode het getoon dat daar aansienlik meer inligting oor die risiko's, in vergelyking met kwalitatiewe ontleding, verskaf word. Daar is egter baie kwantitatiewe risikobestuur metodes wat in literatuur verskaf word, wat in isolasie bestudeer word en nie binne die konteks van 'n holistiese risikobestuur proses nie. Verder is, kwantitatiewe metodes geneig om kompleks van aard te wees en vereis 'n redelike begrip van wiskundige en statistiese konsepte sodat kwantitatiewe analise effektief kan wees. In lig hiervan, is daar 'n sterk behoefte vir 'n onderneming om 'n risikobestuursraamwerk in plek te het. Die risikobestuursraamwerk sal beide die gebruik van kwalitatiewe metodes, wanneer die risiko goed verstaan word, en kwantitatiewe metodes, wanneer daar in diepte-ontledings van die risiko is, beklemtoon. In hierdie studie was 'n sistematiese onderneming-breë risikobestuursraamwerk ontwikkel wat beide kwantitatiewe en kwalitatiewe metodes insluit. Die raamwerk integreer hierdie metodes in 'n logiese en holistiese wyse. Die kwantitatiewe metodes is gevind om grootliks prakties te wees, terwyl die kwalitatiewe metodes wat aangebied word, eenvoudig en maklik is om te verstaan.

Enterprise risk management framework

Quantitative risk management

Qualitative risk management

UCTD

The Impact of Enterprise Risk Management on the Performance of Chinese Commercial Banks

January 2018

abstract: Chinese commercial banks have experienced a period of fast and stable development since 2007. The adoption of a comprehensive enterprise risk management (ERM) system based on the Basel Accords was a significant event for the banking supervisory authority and the commercial banks during this period. This study investigates the impact of ERM adoption on the financial performance of the commercial banks as well as the underlying mechanisms using longitudinal data of 96 commercial banks from 2007 to 2016. Results from quantitative analyses suggest the following findings. First, ERM adoption had a positive impact on commercial banks’ financial performance after controlling for the negative impacts of factors such as macro economic conditions and fiscal and monetary policies. Second, although this positive impact was partially attributed to increased risk appetite after the adoption of ERM, results show that ERM adoption also increased risk-adjusted financial performance. Lastly, ERM adoption improved commercial banks’ competence in risk management, as indicated by their sensitivity of financial returns to risk exposures. The above findings also received support from interviews and surveys of senior executives of commercial banks and officials of the banking supervisory authorities. This study contributes to the understanding of how the adoption of ERM influences the financial performance of Chinese commercial banks, and has important practical implications. Based on the empirical findings, I recommend all commercial banks in China to adopt and implement ERM so that they can better cope with the challenges presented by macroeconomic uncertainty, marketization, and internationalization. In the process, it is critical for them to understand the mechanisms through which ERM influences their performance. Meanwhile, they shall be aware of the operational costs associated with the initial adoption of ERM, learn from the experiences of those that have already adopted ERM, and have a long-term orientation about performance effect of ERM adoption. Supervisory authorities can also play a key role in guiding commercial banks to be more effective and efficient in the adoption of ERM. / Dissertation/Thesis / Doctoral Dissertation Business Administration 2018

Business administration

China

commercial bank

enterprise risk management (ERM)

financial performance

risk management

Comunicação nos processos de gestão de risco corporativo na BM&FBOVESPA / Communication in corporate risk management process in BM&FBOVESPA

Flavio de Moraes

24 October 2012

Este trabalho aborda como é estruturada a comunicação nos processos de gestão de risco corporativo para identificar como é realizado o alinhamento das informações e percepções sobre riscos entre a gestão, conselho de administração e demais públicos interessados. Foi realizada revisão da literatura sobre Governança Corporativa, Gestão de Riscos, Gestão de Riscos Corporativos e Comunicação sobre riscos. Devido à escassez de estudos relacionados ao tema esta pesquisa possui caráter exploratório e foi utilizado o método de estudo de caso. Devido às limitações do método utilizado, as principais contribuições da pesquisa são evidências que apontam para o papel da gestão de risco corporativo como complementar à gestão de risco em silos, para a parceria entre especialistas e não especialistas em gestão de risco como fator que influencia na qualidade dos processos e da comunicação sobre riscos, bem como possíveis fatores que influenciam na formação e manutenção desta relação de parceria, além de evidências da presença de pessoas com experiência em gestão de riscos e nas atividades da empresa como possível fator que afetar a relação entre especialistas e não especialistas em gestão de riscos e a qualidade dos processos de gestão de risco. / This paper discusses how communication in enterprise risk management is structured to identify how managers, board member and other stakeholders align information and perceptions about risks. The literature review covers Corporate Governance, Risk Management, Enterprise Risk Management and Communication about risks. Due to the limitations of the method used in this research the main contributions are evidences pointing to the role of corporate risk management as complementary to the risk management silo approach, the partnership between specialists and non specialists in risk management as a factor that influences quality of processes and communication about risks and factors that might influence the formation and maintenance of this partnership relationship as well evidences of the presence of people with experience in risk management and the company\'s activities as a possible factor affecting the relationship between experts and nonexperts in risk management and the quality of risk management processes.

Comunicação

Governança corporativa

Risco

Corporate governance

Enterprise risk management

Risk communication

Enterprise risk management as a business enabler

Du Plessis, Julian Lesley Nebreska

05 June 2012

M.Phil. / The premise of this research study was to study the phenomenon of Enterprise Risk Management (ERM) in order to understand the processes and practices of risk management within First National Bank (FNB). Risk management became a favourite topic for discussion in the aftermath of the Global Financial Crisis (GFC). Some analysts, chief financial officers and observers have noted that risk management is to blame for the economic recession and myriad of bank failures that ensue. However, the intention of this research study was not to analyse the GFC or to devote itself entirely to defend risk management and risk managers.

Enterprise risk management

Risk management

First National Bank of Southern Africa

Financial risk management

Tillverkningsföretagens kunskaper kring riskidentifieringstekniker

Gerner, Mikael

January 2014

I företag och organisationer är det vanligt att riskanalyser genomförs som ett led i arbetet med att hantera de risker och hot som verksamheten kan möta. En viktig del i en riskanalys är det första steget som går ut på att identifiera risker och hot, så kallad riskidentifiering. En brasiliansk studie pekar på att kunskapen kring riskidentiferingstekniker i brasilianska företag generellt sett är låg. Eftersom det förefaller finnas ingen eller mycket lite forskning i ämnet applicerat på svenska företag valde jag att undersöka hur stor kunskap som svenska tillverkningsföretag med huvudkontor i Göteborgsregionen har kring riskidentiferingstekniker. Tanken är dels att resultatet av undersökningen dels ska kunna utvecklas och användas som underlag i andra vetenskapliga studier, men också att det ska kunna vara möjligt att användas till en mer praktisk tillämpning. Undersökningen genomfördes med en kvantitativ enkätundersökning där jag så långt som möjligt försökte utforma frågor och svarsalternativ utifrån de regler och standarder som finns inom metodiklitteraturen. Frågorna rörde huruvida företaget tidigare hade gjort en riskanalys tidigare, hur stor kunskap de hade kring ett antal nämnda tekniker för riskidentifiering och om de hade använt några av dessa tidigare. Populationen avgränsades till att bara omfatta företag som låg innanför vissa kriterier. Enkäten skickades sedan till populationens samtliga 134 företag, varav 34 (25%) fullföljde och skickade in sina svar. Det är för få företag för att resultatet ska kunna generaliseras, men utifrån de förutsättningar och begränsningar som har funnits anser författaren att undersökningen har en god validitet och reliabilitet. Resultatet av undersökningen visar till att börja med att det 41% av företagen har genomfört en riskanalys tidigare. Brist på tid och kunskap är två faktorer som är bidragande till att vissa företag inte har valt att genomföra en riskanalys. Undersökningen visar också att majoriteten av företagen har tillräckligt stor kunskap för att använda 3-6 olika tekniker på ett bra sätt eller fullt ut. Det är tydligt att företagens kunskaper kring respektive teknik tenderar att öka benägenheten att använda densamma. Brainstorming, checklistor och SWOT-analys är alla populära tekniker att använda vid riskidentifiering. Samma tekniker är de som rankas högt när företagen listar vilka tekniker de kan använda bäst. Det finns ett antal olika vägar för den som vill forska vidare inom ämnet. En av dem är att göra en till studie som genomförs i syfte dels att bekräfta den undersökning som jag har gjort, men som också är större och inkluderar fler företag över en större area. Det skulle också vara möjligt att titta på riskidentifieringsteknikerna mer noggrant för att titta på vilken av dem som är bäst i vilken situation, fördelar och nackdelar, etcetera. / Risk assessments are a common way for organizations to address the risks and threats that the business may face. A vital part in a risk assessment is the first step which is to identify risks and threats, so-called risk identification. A Brazilian study indicates that knowledge about risk identification methods in Brazilian companies is generally low. Since there appears to be no or very little research on the subject applied to Swedish companies, I decided to investigate how much knowledge Swedish manufacturing companies headquartered in the Gothenburg region has regarding risk identification methods. The idea is that the outcome of the study could be used as a base in other scientific studies, but also that it should be possible to use a more practical application. The study was conducted with a quantitative survey in which I, as far as possible, tried to formulate questions and response options based on the standards that exist within the methodology literature. The questions covered whether the company in question had done a risk assessment before, how much knowledge they had about a number of mentioned methods for risk identification and if they had used any of these before. The population was restricted to only include companies that were within certain criteria’s. The questionnaire was then sent to the population of all 134 companies, of which 34 (25%) completed and submitted their answers. There were too few answers for the results to be generalized, but based on the conditions and limitations that have been presented the author believes that the study has good validity and reliability. The results of the survey show that 41% of the companies have undertaken a risk assessment in the past. However, lack of time and knowledge are two contributing factors to that some companies have chosen not to undertake a risk assessment. The results also shows that the majority of the companies have sufficient knowledge to use 3-6 different methods in either a sufficient way or to a full extent. It is clear that the usage of each method is aligned with the level of knowledge for that method – a method where the companies have a high average knowledge is likely to be more frequently used. Three examples are the use of brainstorming, checklists and SWOT-analysis which are all popular methods to use in the risk identification. The same methods are also those that rank high when companies list the methods they can use best. There are a number of different avenues for those wishing to do further research in this subject. One of them is to do the same kind of study, but to include more companies over a larger area. It would also be possible to look at the risk identification methods more closely to investigate which of them is best in which situation, with their respective advantages and disadvantages.

riskanalys

riskidentifiering

riskidentifieringsmetoder

riskidentifieringstekniker

risk management

enterprise risk management

risk identification

Information Systems