Risk management framework to complement COBIT

The industry association behind a popular management framework for IT governance is working on an update that addresses potential technology-related risks in the enterprise.

Scheduled for completion later this year, the risk management framework will be offered free of charge through the Rolling Meadows, Ill.-based IT Governance Institute (ITGI). The documents explaining the framework will include a glossary of risk-related terms and a “risk register” that defines dangers to the enterprise according to IT activities and process levels. The framework will then outline consequences and best practices for each risk on the register.

ITGI is best known for developing Control Objectives for Information and related Technology, also known as COBIT, which was last updated in 2005. COBIT offers guidance and best practices to manage 34 different processes, including planning, acquisition, delivery and monitoring. The first edition was published in 1994. More recently, ITGI has published a framework called Val IT, which focuses on ways for technology professionals to achieve greater return on investment, or value, from their IT investments.

Urs Fischer, head of IT and risk management at SwissLife Group, is leading a steering committee that is developing the framework. While COBIT does contain some discussion of risk management, he said ITGI realized that it needed to provide more depth and guidance as technology professionals struggle with issues around compliance with regulations such as Basel II. That said, those who are already in the process of adopting COBIT should not see the risk management framework as another big project to take on.

“It’s more of an add-on (to COBIT) than a new one,” he said, adding that the risk register is only one element of a more comprehensive education about risk. “It’s not a checklist. It’s more about the way you should do risk management.”

Fischer said the framework will revolve around identification, assessment and mitigation of risk. It will not be tied to a particular vendor’s products or common technology platforms. The task force will include experts from Carnegie-Mellon University in the United States as well as those from Australia and other countries. The process kicked off in January and a first draft has already been written, he said.

“Now we’re at the point where we have to discuss how to go on, look at where we are satisfied, where we want to have something different,” he said.

Earlier this year ITGI published the results of a survey by PricewaterhouseCoopers which tried to gauge the awareness and adoption of its frameworks. The survey showed awareness of COBIT and Val IT has doubled since the study was done in 2005, but there was also a 23 per cent jump in the number who cited insufficient staff to manage IT effectively. Fariba Anderson, a former CIO who now works as a consultant with Toronto-based Manta Group, said these kinds of frameworks need to be more deeply integrated into the kind of postsecondary education provided to future IT professionals.

“Governance in some respects is common sense. It’s just not commonly applied,” she said. “Governance is doing the right things the right way, and doing them well.”

Fischer said the risk management framework would not merely address issues of concern to CIOs but those of middle IT management as well. Besides COBIT, ITGI said the framework could also be mapped to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) standard.