jump to navigation

Technology Risk Management February 25, 2011

Posted by Ishmael Chibvuri in Uncategorized.
trackback

Objective

The objective of a technology risk management initiative for an Information Technology department is to identify applications that carry the highest technology risk, quantify it and provide necessary inputs into the operational risk management, business continuity, audit and architecture design processes within an organization. This will enable Technology Risk Managers (TRM) to define and implement plans to mitigate identified risk and provide visibility to senior namagement of identified risks, mitigations recommendations and remediation efforts.

Scope

The scope of applications selected for an initiative can be based on a number of selection criterias e.g. importance to the business, previous fraud incidents, outsourced components etc. This selection criteria can be decided by the Technology Risk Managers along with the Technology and Operating heads of the respective business lines.

Process

* Different Forms are filled out by Application Managers of selected applications. The different forms are the Application Cataloging Form, Inherent Risk Form and the related Business Forms. A high level business process flow is shown here :Application Risk Management Process

* Scoring Results are collected and analyzed by the TRM and also forwarded over to other Process owners and Subject Matter Experts. (eg: BCP process owners, Information Security process owners) who requires the data for their processes.

* Mitigation areas and remediation efforts are agreed, planned and implemented by the Subject Matter Experts and or the Application Managers. The scores and remediation plans are updated in the Application Catalog.

Forms

Cataloging Forms – Applications in an organization have to be catalogued. These forms will help capture general information about and around applications. These form are usually filled by an application manager or someone he delegates to. A screen shot of the Application catalogue form is shown below. The list of forms will be available soon here.

Application Catalog Form

You can use the fields here to design your own internal database for cataloging applications which is highly recommended unless you have a vendor who provides this capability.

click here to download the application catalog form for free

Inherent Risk Forms – These forms capture Inherent Risk information for a given application. The information captured are aound an application’s availability, scale and volume, interfaces used, dependencies, etc. All this information is used to calculate the Inherent Risk of an application using a scorecard whose algorithm can be modified by the person maintaining the scorecard.

Advertisements

Comments»

No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: