Enterprise Risk Management : insights on emerging risks from the German banking sector

Nöth-Zahn, Stephanie

January 2017

IT innovations have reshaped banking and will continue to do so. They are a manifestation of indispensable progress, yet risks emerge from IT innovations. Historic data and accounts of emerging risk experiences are rather scarce. Hence, they present a special challenge to risk management as they are hard to identify. Moreover, traditional risk management practices, relying on historic data, may not be fully adequate. What solutions can be offered by risk management to manage these risks? When is an uncertainty understood as an emerging risk? Who needs to be involved in the risk management process?The research asks the seemingly obvious question, yet this important topic has been regularly neglected in academics as well as in practice. Both literature and theoretical basis have only recently developed so as of yet there is little availability of varying viewpoints and reliable theories. 70% of the banks interviewed do notactively consider emerging risks in their risk management process. The banks take a reluctant position in general, waiting to see how things develop. Only three banks have a proactive approach and manage emerging risks from IT innovation in using an enterprise-wide approach such as Enterprise Risk Management (ERM).Therefore, this work develops a conceptual framework which aims to fill the research gap between ERM as an approach to holistic portfolio risk management and the lack of academic and practical work on emerging risks. The conceptual framework explores how banks can apply ERM to manage emerging risks in the future. Researching this topical phenomenon, extending today's common application and understanding of emerging risks and ERM in practice and academia is one of the most challenging tasks confronting future risk management (Bromiley et al., 2015).To the author's knowledge, this project is one of the first to take this challenge.

658

Avaliação do impacto do gerenciamento de riscos de TI no desempenho financeiro das empresas : uma análise empírica entre empresas abertas brasileiras

Eichler, Flavio Alberto V.

January 2017

Considerando a importância da TI no ambiente de negócios e os riscos inerentes ao emprego dessa tecnologia, este estudo visa buscar evidências de melhoria de desempenho de empresas com a realização de gerenciamento de riscos de TI (GRTI). A pesquisa em curso seguiu a metodologia da Hipótese de Eficiência de Mercado, na sua forma semiforte, isto é, utilizando o método de janela de eventos. Com essa metodologia estimaram-se os retornos anormais na valorização das ações de empresas, oriundos da publicação de eventos de GRTI pelas empresas de capital aberto brasileiras, obtidos a partir do site da BMF&BOVESPA. Foram analisadas todas as empresas listadas em todo o período disponível no site, isto é, de 2003 até 2016, perfazendo um total aproximado de 400 empresas em cada ano. Essa análise utilizou ferramentas de busca do próprio site para encontrar anualmente todos os documentos que contivessem menção à palavra risco. Todos os documentos públicos obtidos com essa filtragem foram examinados detalhadamente para identificar evidências de que a empresa realizou, pela primeira vez, ações de GRTI, isto é, de que a empresa anunciou ao mercado que o GRTI passou a fazer parte de suas rotinas operacionais e administrativas. Depois dessa análise pormenorizada de todos os documentos publicados por essas empresas no site da BMF&BOVESPA, chegou-se a 22 empresas que evidenciaram ao mercado que fazem GRTI. Essas 22 empresas foram examinadas à luz da metodologia de janela de eventos. Os resultados obtidos indicam que, no cenário brasileiro, não é possível afirmar que o GRTI traz uma melhora no desempenho financeiro das empresas, uma vez que a hipótese nula de alteração do valor do retorno das ações não foi invalidada. Infere-se que o mercado não percebe uma diferença de valor nas ações dessas empresas, em função dos eventos de GRTI. Com intuito de suportar teoricamente esta pesquisa, foram reunidas as principais pesquisas em governança de TI e GRTI e relacionando-as a um desempenho financeiro empresarial. / Considering the importance of IT in the business environment and the risks inherent in the use of this technology, this study aims to seek evidence of improved performance of companies with IT Risk Management (ITRM). The research followed the methodology of the Market Efficiency Hypothesis, in its semi-strong-form, that is, using the event window method. This methodology was used to estimate the abnormal returns on the valuation of companies' shares, resulting from the publication of ITRM events by Brazilian publicly traded companies, obtained from the BMF&BOVESPA website. All listed companies were analyzed throughout the period available on the site, that is, from 2003 to 2016, approximately 400 companies in each year. This analysis used search tools from the site itself to find annually all documents that contained mention to the word risk. All public documents obtained by this filtering were examined in detail to identify evidence that the company held, for the first time, ITRM actions. That is, the company announced that ITRM became part of their administrative and operational routines. After this detailed analysis of all documents published by these companies from Brazilian stock exchange, 22 companies evidenced to the market that do ITRM. These 22 companies were examined under the event window methodology. The results indicate that, in the Brazilian scenario, it is not possible to affirm that the ITRM brings an improvement in companies’ financial performance, since the null hypothesis of change shares’ return values was not negated. It is inferred that the market does not notice a difference in these companies’ share values due to ITRM events. In order to theoretically support this research, the main studies in IT governance and ITRM were gathered and related to a business financial performance.

Tecnologia da informação

Gestão de riscos

Risks

Risk management

IT risk management

IT governance

IT market value

Success

Performance and IT projects

Avaliação do impacto do gerenciamento de riscos de TI no desempenho financeiro das empresas : uma análise empírica entre empresas abertas brasileiras

Eichler, Flavio Alberto V.

January 2017

Considerando a importância da TI no ambiente de negócios e os riscos inerentes ao emprego dessa tecnologia, este estudo visa buscar evidências de melhoria de desempenho de empresas com a realização de gerenciamento de riscos de TI (GRTI). A pesquisa em curso seguiu a metodologia da Hipótese de Eficiência de Mercado, na sua forma semiforte, isto é, utilizando o método de janela de eventos. Com essa metodologia estimaram-se os retornos anormais na valorização das ações de empresas, oriundos da publicação de eventos de GRTI pelas empresas de capital aberto brasileiras, obtidos a partir do site da BMF&BOVESPA. Foram analisadas todas as empresas listadas em todo o período disponível no site, isto é, de 2003 até 2016, perfazendo um total aproximado de 400 empresas em cada ano. Essa análise utilizou ferramentas de busca do próprio site para encontrar anualmente todos os documentos que contivessem menção à palavra risco. Todos os documentos públicos obtidos com essa filtragem foram examinados detalhadamente para identificar evidências de que a empresa realizou, pela primeira vez, ações de GRTI, isto é, de que a empresa anunciou ao mercado que o GRTI passou a fazer parte de suas rotinas operacionais e administrativas. Depois dessa análise pormenorizada de todos os documentos publicados por essas empresas no site da BMF&BOVESPA, chegou-se a 22 empresas que evidenciaram ao mercado que fazem GRTI. Essas 22 empresas foram examinadas à luz da metodologia de janela de eventos. Os resultados obtidos indicam que, no cenário brasileiro, não é possível afirmar que o GRTI traz uma melhora no desempenho financeiro das empresas, uma vez que a hipótese nula de alteração do valor do retorno das ações não foi invalidada. Infere-se que o mercado não percebe uma diferença de valor nas ações dessas empresas, em função dos eventos de GRTI. Com intuito de suportar teoricamente esta pesquisa, foram reunidas as principais pesquisas em governança de TI e GRTI e relacionando-as a um desempenho financeiro empresarial. / Considering the importance of IT in the business environment and the risks inherent in the use of this technology, this study aims to seek evidence of improved performance of companies with IT Risk Management (ITRM). The research followed the methodology of the Market Efficiency Hypothesis, in its semi-strong-form, that is, using the event window method. This methodology was used to estimate the abnormal returns on the valuation of companies' shares, resulting from the publication of ITRM events by Brazilian publicly traded companies, obtained from the BMF&BOVESPA website. All listed companies were analyzed throughout the period available on the site, that is, from 2003 to 2016, approximately 400 companies in each year. This analysis used search tools from the site itself to find annually all documents that contained mention to the word risk. All public documents obtained by this filtering were examined in detail to identify evidence that the company held, for the first time, ITRM actions. That is, the company announced that ITRM became part of their administrative and operational routines. After this detailed analysis of all documents published by these companies from Brazilian stock exchange, 22 companies evidenced to the market that do ITRM. These 22 companies were examined under the event window methodology. The results indicate that, in the Brazilian scenario, it is not possible to affirm that the ITRM brings an improvement in companies’ financial performance, since the null hypothesis of change shares’ return values was not negated. It is inferred that the market does not notice a difference in these companies’ share values due to ITRM events. In order to theoretically support this research, the main studies in IT governance and ITRM were gathered and related to a business financial performance.

Tecnologia da informação

Gestão de riscos

Risks

Risk management

IT risk management

IT governance

IT market value

Success

Performance and IT projects

IT Risk register / Registr IT rizik

Kohout, Karel

January 2011

The theoretical part of the thesis analyzes several selected methodologies and best-practices related to information technology risks management, with focus on documents and guidance developed by ISACA. It builds a set of ideas and basic requirements for effective model of an IT risk register. Strong emphasis is placed on mapping CobiT 4.1 based Risk IT to COBIT 5. The practical part describes implementation of an exploratory web-based IT risk register in Python programming language utilizing the Django framework and employs concepts from the analysis.

IT Security Risk Management of Cloud Computing Services in Critical Infrastructures

Adelmeyer, Michael

27 February 2020

Due to the considerable advantages of cloud computing, such as cost efficiency, flexibility, and scalability, the technology has transformed the means of IT service provisioning. To realize the proclaimed benefits, critical infrastructure providers, as the backbone of societal life, increasingly deploy their IT services, processes, and functions in cloud environments. However, as the control over the underlying cloud infrastructure and the corresponding security measures is delegated to the cloud provider, the outsourcing to cloud environments exposes critical infrastructures to security risks. This is especially crucial since critical infrastructures highly rely on IT systems for dependable service provisioning. In addition, each cloud deployment is afflicted with individual risks depending on the selected cloud service and deployment model. Due to the strict requirements and regulations regarding the IT security of their landscapes, the management of IT security risks related to the adoption of cloud services is of significant importance for critical infrastructures. Thus, the objective of this thesis is to examine the IT security risk management of cloud services in critical infrastructures. For this purpose, frameworks, conceptual models, prototypical tools, action recommendations, and implications are developed. Besides the investigation of the status quo of cloud computing service adoption in German critical infrastructures, implications and methods for an adequate management of IT security and the corresponding risks resulting from the adoption of cloud computing services are derived. Further, in the context of the interaction between critical infrastructure and cloud computing service providers, the role of trust is examined. In addition, frameworks and prototypes for a tool support for the IT security risk management of cloud services in critical infrastructures are developed. As an underlying analytical framework, a multi-method approach is chosen to examine the field from a behavioral- as well as a design-oriented perspective by applying various qualitative and quantitative research methods. The results of this dissertation can support decision makers and researchers in the field of the IT security risk management of cloud computing services in critical infrastructures.

IT Security

IT Risk Management

Cloud Computing

Critical Infrastructures

Trust

Privacy

K.6.5 - Security and Protection

ddc:000

Effects of Information Technology Risk Management and Institution Size on Financial Performance

Barrett, Shaun D'olene Kecia

01 January 2016

A negative relationship exists between unmanaged IT risk and financial performance of institutions of varying sizes. The purpose for this quantitative correlation study was to examine the relationship between IT risk management, institution size, and the financial performance of credit unions in Jamaica. Information Systems Audit and Control Association (ISACA) risk IT model provided the theoretical framework for the study. Audited financial statements and a web-based survey provided data for this study. One hundred and thirty employees from 13 credit unions in Jamaica participated in the study. Results of the multiple regression tests confirmed a statistically significant relationship between IT risk management, institution size, and the financial performance of Jamaican credit unions, F (2, 99) = 46.861, p = 0.000, R2 = .486. Institution size was a statistically significant predictor of financial performance (beta = -.637, p = .000). IT risk management initiatives did not provide any significant variation (beta = .139, p = .074) in financial performance. Research findings may lead to more effective and efficient operations of Jamaican credit unions and improvement in their financial performance, which could result in positive social change through the increases in corporate social contributions, the payment of dividends, and the offer of affordable product and services for over 1 million Jamaican credit union members.

credit unions

credit unions in Jamaica

Information systems risk management

IT risk management

jamaica

Databases and Information Systems

Challenges and Opportunities of Having an IT Disaster Recovery Plan

Ghannam, Mohamed Ziyad

January 2017

There are various types of disasters and no one can expect when they will occur. IT disaster recovery plan (ITDRP) became one of the most important contingency plans for organizations in the event of disasters. Organizations started realizing the importance of having IT Disaster recovery plan but many hesitate to apply this plan before a disaster occurs. However, even when the importance of ITDRP is acknowledged in the IS field, most scholarly work has focused on the process and strategies while briefly looking at the challenges and benefits of the DRP. This paper aims to investigate the most common challenges associated with having an effective ITDRP and the opportunities associated with this plan. A qualitative study was conducted which consists 6 interviews within several organizations which have developed an ITDRP. The results show that top management support, staff issues, maintenance, and disaster recovery sites are the main challenges organizations face during DRP. While the benefits were data protection, reducing the interruption for business functions, enhancing the reliability for staff and IT services and speeding up the decision-making process.

IT Disaster recovery plan

IT Risk management

Business continuity

Business impact analyzez

Disaster recovery site

Disaster

Information Systems, Social aspects

Analýza hrozieb a rizík súvisiacich so správou dokumentov v telekomunikačnej spoločnosti / Analysis of threats and risks related with document management in the telecommunications company

Legát, Tomáš

January 2012

Diploma thesis is dedicated to the analysis of threats and risks related with document management in a real enterprise -- big telco company. For document management company utilizes a complex solution called application DMS which is implemented on IBM FileNet P8 platform. In my work I will concentrate on risks linked with operation of DMS application. Along with the description of DMS application and document management I will mention problems perceived from the external supplier's point of view. These problems will be the basis for identification of the risks for the company emerging from the operation of DMS application. Subsequently I will evaluate risks and propose solutions to handle or avoid these risks. I will put proposed solutions into the sequence, in which they should be implemented while considering nature of the risk and financial demands of the proposed solution. Contributions of my work are list of identified risks and list of solutions which both can be used for assigning priorities of the change requests carried out in 2013 and possibly during discussions about budget increase for the DMS application operation.

Modelo de gestión de riesgos de tecnología de información para garantizar la continuidad del servicio en los procesos organizacionales en los institutos de educación superior tecnológicos públicos

Milian Saavedra, Jefferson James

January 2024

This research has public technological higher education institutes as a case study, which proposes an IT risk management model to guarantee the continuity of the service in its main processes, where 3 public institutes were analyzed to determine the current state of the processes of those institutes, obtaining as results that the IT areas have not identified the risks to which the institutions are exposed and they do not have a strategic IT plan, which generates that within the institutes there is no improvement in their organizational processes. The model is based on the harmonization of standards or frameworks that refer to risk management, which were analyzed in a general way to determine the impact on IT risk management to guarantee the service continuity in the organizational processes, of which only 3 were selected from a list of 6. The model was validated through expert judgment, which was based on the indicators of sufficiency, clarity, coherence and relevance to give the validity and acceptance of the proposed model. Finally, the model was applied in an institute which allowed it to improve IT risk management and guarantee the continuity of the service of its organizational processes, through compliance with the CBC licensing requirements.

Gestión de riesgos de TI

Continuidad del servicio

Procesos organizacionales

IT Risk Management

Service Continuity

Organizational processes

Management informační bezpečnosti ve zdravotnickém zařízení / Information Security Management in Healthcare Organization

Mikulová, Aneta

January 2011

The topic of my thesis is "Information security management in healthcare organization." Medical facilities are generally the ones who should put emphasis on information security. For my thesis I chose aesthetic private clinic called Visage, I underwent safety analysis. The analysis showed that only a small part of the security process is documented in the clinic. This is particularly deficient in terms of business. There may be a leak of sensitive information on the health status of individual patients. It is necessary to better treat the handling of these data. The aim of this thesis is a security manual that will describe the personal, physical and IT security.