Taking Stock of Risk

Arthur Cole

Arthur Cole spoke with Faith Boechter, senior consultant, BITS Shared Assessment Program.

Cole: Many people view enterprise risk management as strictly a network security issue. While that is certainly part of the equation, what are some of the other kinds of risks that IT managers should be concerned about?
Boechter: From a financial services perspective, we look largely at how government regulations define risk. We look primarily at risk to reputation, strategic risk, client/legal risk and interest rate liquidity. We look at risk areas that impact service to clients, disrupt operations or damage earnings or an organization's reputation. It's also important to evaluate the strategic importance of investments and the level of expertise required to manage them. It's important that as an organization looks at internal or external management, the assessment has a cost/risk approach. Make sure that when you're deploying processes, you understand the cost of exposure and ensure that it doesn't exceed the value of the investment.

Cole: What are the key considerations when evaluating risk management software or solutions?
Boechter: Let me be clear up front that we have not done any evaluations of individual solutions. Our program is designed to establish the criteria on which to base decisions. But one of the key considerations is to understand the components of any given solution. What does it manage, and what does it not manage? Is it just a document repository, or does it include policy and risk management oversight? How far does it go in managing information? What can be reported and analyzed? It's also important to know the expertise of the provider. Does the company incorporate within its tools the regulatory requirements, compliance risk management and operational risk management that will be needed? Also, what is the maturity of the organization's product? Where has it been deployed, and how? What is the financial stability of the company, and will there be a financial liability to provide service on an ongoing basis?

Cole: The BITS Shared Assessment Program is designed for financial institutions. Can it be applied to other industries?
Boechter: Absolutely. Unlike other industries, the financial services industry looks at third-party providers in terms of regulatory requirements. We can outsource the process, but not the risk. But we also need to comply with our own individual processes, so we're very much focused on developing voluntary guidelines and success strategies. We've made our program available to the public because we want other industries to benefit from these strategies as well. Our feedback is that it's been helpful for managing risk in other industries, whose risks are not much different than the ones we face. It provides a uniform questionnaire and assessment testing to assess reputation risk, transaction risk, customer risk. ... It has applications for any industry looking at shared service providers.
