Technology Risk Management
February 25, 2011. Posted by Ishmael Chibvuri in Uncategorized.
The objective of a technology risk management initiative for an Information Technology department is to identify the applications that carry the highest technology risk, quantify that risk, and provide the necessary inputs into the operational risk management, business continuity, audit and architecture design processes within an organization. This enables Technology Risk Managers (TRM) to define and implement plans to mitigate identified risks and to give senior management visibility of identified risks, mitigation recommendations and remediation efforts.
The scope of applications selected for an initiative can be based on a number of selection criteria, e.g. importance to the business, previous fraud incidents, outsourced components, etc. These selection criteria can be decided by the Technology Risk Managers along with the Technology and Operating heads of the respective business lines.
* Different forms are filled out by the Application Managers of the selected applications. The forms are the Application Cataloging Form, the Inherent Risk Form and the related Business Forms. A high-level business process flow is shown in the Application Risk Management Process diagram.
* Scoring results are collected and analyzed by the TRM and also forwarded to other process owners and Subject Matter Experts (e.g. BCP process owners, Information Security process owners) who require the data for their processes.
* Mitigation areas and remediation efforts are agreed, planned and implemented by the Subject Matter Experts and/or the Application Managers. The scores and remediation plans are updated in the Application Catalog.
Cataloging Forms – Applications in an organization have to be catalogued. These forms help capture general information about and around applications. They are usually filled in by an application manager or someone he delegates to. A screenshot of the Application Catalog Form is shown below. The list of forms will be available soon here.
Application Catalog Form
You can use the fields here to design your own internal database for cataloging applications, which is highly recommended unless you have a vendor who provides this capability.
Inherent Risk Forms – These forms capture inherent risk information for a given application. The information captured is around an application's availability, scale and volume, interfaces used, dependencies, etc. All of this information is used to calculate the Inherent Risk of an application using a scorecard whose algorithm can be modified by the person maintaining the scorecard.
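As an added example (not part of the original post or any vendor's tool), a small Python scorecard in the shape the text describes: each Inherent Risk Form answer maps to a factor score, and the weights and rating bands are the part the scorecard maintainer can modify. The factor names, thresholds, weights and sample answers are assumptions.

```python
"""Added example: a configurable inherent-risk scorecard. Factor names, band
thresholds, weights and the sample form are constructed, not from the post."""
from dataclasses import dataclass, field

# Each factor maps a raw answer from the Inherent Risk Form to a 1-5 score.
# These band thresholds are constructed for illustration.
def score_availability(required_uptime_pct: float) -> int:
    for limit, score in ((99.99, 5), (99.9, 4), (99.0, 3), (95.0, 2)):
        if required_uptime_pct >= limit:
            return score
    return 1

def score_volume(daily_transactions: int) -> int:
    for limit, score in ((1_000_000, 5), (100_000, 4), (10_000, 3), (1_000, 2)):
        if daily_transactions >= limit:
            return score
    return 1

def score_count(n: int) -> int:
    """Interfaces or dependencies: the more there are, the higher the score."""
    return min(5, 1 + n // 3)

@dataclass
class Scorecard:
    # Weights are what the scorecard maintainer tunes; they must sum to 1.0.
    weights: dict = field(default_factory=lambda: {
        "availability": 0.35, "volume": 0.25, "interfaces": 0.2, "dependencies": 0.2})
    bands: tuple = ((4.0, "High"), (2.5, "Medium"), (0.0, "Low"))

    def __post_init__(self):
        if abs(sum(self.weights.values()) - 1.0) > 1e-9:
            raise ValueError("factor weights must sum to 1.0")

    def score(self, form: dict) -> tuple:
        factors = {
            "availability": score_availability(form["required_uptime_pct"]),
            "volume": score_volume(form["daily_transactions"]),
            "interfaces": score_count(form["interface_count"]),
            "dependencies": score_count(form["dependency_count"]),
        }
        total = round(sum(self.weights[k] * v for k, v in factors.items()), 2)
        rating = next(label for floor, label in self.bands if total >= floor)
        return total, rating

# Constructed sample answers for one application.
SAMPLE_FORM = {"required_uptime_pct": 99.95, "daily_transactions": 250_000,
               "interface_count": 7, "dependency_count": 2}
if __name__ == "__main__":
    print(Scorecard().score(SAMPLE_FORM))  # -> (3.2, 'Medium')
```

Changing the weights or bands changes the algorithm without touching the factor functions, which is the separation the form-based approach relies on.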