Steven Minsky
New Era of Risk Management
Steven Minsky, a risk expert, highlights the differences between traditional Risk Management and true Enterprise Risk Management, which most importantly is about helping something happen, not preventing something from happening. Steven's blog helps you think about risk in a new way and shows how to benefit practically from this rapidly evolving field.


July 18, 2006
NYSE CEO speaks out on IT risk, Part II with Opinion Poll

Based on the opinion poll in my last blog, interest was highest for the question: How do you surface "common knowledge" security issues that management doesn't know about?

You are in good company. At the SIA risk conference I had the opportunity to meet with Richard G. Ketchum, Chief Executive Officer of New York Stock Exchange Regulation. One of the major themes he spoke about was the need for Technology Assessments that review governance, risk and compliance issues. He commented that the adoption of new technology, combined with changes due to mergers and acquisitions, has left corporate systems frail and patched together. These conditions sit three or four levels below senior management, where they are "common knowledge" to operational staff. He noted, however, that these high-risk field issues are frequently not known or understood by leadership and audit committees, and he spoke of the need to implement best practices that identify reporting and control gaps.

When asked about methods for approaching this problem, Mr. Ketchum commented "Precision in an imprecise area is dangerous" and suggested looking at the qualitative risk assessment approach of Enterprise Risk Management tools. He further commented that high-risk subjects include processes with known deficiencies that have been triaged rather than fixed, areas that are not well connected, and legacy systems. The issues to focus on are operations and control practices.

COBIT 4.0 is just such a set of operational and control best practices and can help in this endeavor. According to ISACA, its publisher, COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. Craig Symons of Forrester Research comments that "COBIT 4.0 Is A Strong Governance Platform".

You can download a complimentary copy of the new COBIT 4.0 best practices document on my website. To best understand how to use the COBIT 4.0 framework, I also recommend reading my article on Risk Maturity Models, "The Elephant at the Enterprise Risk Management Party".

My next blog will address the issue voted number two in the opinion poll of my last blog: "How to draw the line between acceptable and unacceptable risks?"

Posted by stevenminsky on ebizQ in Enterprise Risk Management, Methodology, Risk Identification, Risk Maturity Model


Comments

Risk issues are also compounded if your organization is of a smaller size; neither the SEC nor SOX differentiates between companies of 100 or 1,000. Financial services and public companies still have to be accountable for these issues as they relate to their business and clientele. http://www.essentialsecurity.com/Documents/article16.htm

Staying compliant can put smaller organizations in paralysis, as some officers wear multiple hats, like a CEO who must also make the IT decisions.

Posted by: Marilee Veniegas at July 21, 2006 09:05 PM
