Operational Risk Management (ORM) – and especially IT risk management – is a specific discipline that aims to improve the resilience of the organization against potential disasters related to the use of technology in business processes. ORM and Enterprise Risk Management (ERM) must work together to enable the organization to monitor and manage the evolution of its risk profile. However, traditional risk management (ERM) and IT risk management often struggle to agree on the understanding of real risks to the business.
In this context, the internal IT control system (SCI-IT) must serve as a control environment enabling the IT department to monitor operational risks and treatment measures, supporting decision-makers in their risk management process. By doing so, compliance of the IT organization with external requirements (laws, regulations, industry standards, best practices, etc.) and internal requirements (company policies, standards and procedures) makes it possible to set up a continual improvement program, for the IT department as well as for the whole organization.
Implementation of good operational risk management practices and development of an internal IT control system (SCI-IT), adapted to the organization’ specific situation, must make it possible to manage the operational risks and the compliance of the IT organization according to business requirements.
Key questions for decision makers:
- How to ensure that the IT organization meets the requirements of the business, in terms of risk management and compliance?
- Can the risk profile be measured and the performance of risk management measures monitored?
- Which risk profiles present the portfolios of services and IT and business projects?
- How to measure and ensure compliance of my IT organization with multiple international, national and internal laws and standards?
- Has my company incorporated the necessary controls into processes to reduce the risk of fraud or loss of sensitive data?
Our services in the area of ORM & SCI-IT aim to create a virtuous circle for taking advantage of the standards imposed in order to continuously improve the risk management and compliance of the IT organization:
- Implementation of the Operational Risk Management (ORM) processes:
- Definition of the ORM process based on a standard methodology adapted to your organization. Examples: MEHARI, EBIOS, ISO 27’005
- Integration of the ORM process with ERM (Corporate Risk Management, based on the COSO model)
- Definition of a viable modus operandi between business and IT
- Execution of ORM process and identification of operational risks
- Definition of a continuous improvement program for compliance within the IT organization
- IT organization compliance improvement:
- Evaluation of the IT organization and identification of the potential for improvement in terms of compliance
- Review of current processes and identification of improvement points
- Review and redistribution of stakeholder responsibilities, including Segregation of Duties (SoD) and compensating measures
- Optimization of IT human resources management according to roles and responsibilities in the organization
- Definition of an internal control system for the IT organization (SCI-IT)
- Definition of a roadmap based on the priorities of the organization and identified operational risks
- Definition of ICS-IT controls based on operational risks that may impact the business
- Implementation of a continuous improvement program for risk management and compliance
- Preparatory audits related to compliance and risk management:
- Execution of ITGC (IT General Controls) audits or preparatory audits to facilitate internal audits
- Control Design Test (ToD: Test of Design)
- Operational Effectiveness Test (ToOE): Creating and Running Compliance Test Plans
- Revenue Assurance:
- Assessment of value chains, inherent operational risks and compliance requirements
- Definition and design of revenue assurance controls
- Test of design and operational effectiveness of controls