Powerpoint slide show


Slide 1

Enabling Efficient Risk Management Policy Execution
“Curing CEO Insomnia With A Proactive &
Sustainable IT Strategy For Risk Management”

Presented by: Neil MacArthur
IDL Director of Strategy
www.idlworldwide.com

This entire 21 screen presentation is copyright IDL 2006 all rights reserved & no reproduction or presentation is permitted without written permission from IDL.
Repeatable Solution Sales & Compliance On Demand are IDL trademarks in the USA, UK and other countries. Monetary values quoted may be £ equivalent of
another currency. Neither ITEX nor IDL guarantee making companies compliant.

© 2006 Industry Direct Ltd. All Rights Reserved.



Slide 2

Contents

1. The Business Case
2. The Standards Based Solution Strategy
3. The Engagement Model
4. Next Steps



Slide 3

1. The Business Case
Risk & Compliance Quotation

“An inability to source & format data with sufficient
integrity can cost an organisation both financially
& legally”
Butler Group



Slide 4

In Legal
The Law Society is about to publish “Information Security Guidelines For Solicitors”

“The Law Society Information Security Guidelines are intended to
assist solicitors achieve good practice in relation to information
security”
Law Society October 2006

One of the significant problems this will pose is executing the guidelines without a
framework or standards based approach as the foundation for an integrated
Information Security Management System.



Slide 5

In Public Sector
The adoption of Gershon Report and the Technology Transformation
policy by the public sector is having a significant impact on ISO
standards adoption in key areas:
• NHS Trusts
• Police Forces [CJIT]

• Local & Metropolitan Councils
IDL Analysis Autumn 2006

As the new ISO standards only appeared in Q4 2005, early implementation of the ISO
standards based approach was not detected until the FY06/07 public sector ICT plans,
with the most significant phase anticipated in FY07/08.



Slide 6

In Financial Services
This year, financial services institutions (FSIs) are investing an estimated
£35 billion globally in IT solutions for risk & compliance.
However, TowerGroup finds that 30 percent of these IT investments may
be considered wasteful.
Given their tactical compliance purpose, many risk & compliance
solutions are duplicated over multiple functional silos or are applied to
inefficient legacy technology systems.
TowerGroup

Financial Services organizations, for example, have a major problem with the cost of
regulatory compliance, as they have to meet multiple regulations including Sarbanes-
Oxley, Basel II, Solvency II, Anti-Money Laundering, Data Privacy, SEPA & other
regulations.



Slide 7

2. The Standards Based Solution Strategy
Risk & Compliance Quotation

“Many of the necessary IT components [for compliance]
may already be in place, but they must be integrated &
standardized across the business.”
Gartner



Slide 8

Corporate Governance & IT Governance
Corporate Governance relies upon IT Governance to support efficient & sustainable risk
& compliance, using an integrated, not fragmented, IT solution. This is Phase #2.

[Diagram: Corporate Governance sits above IT Governance, which is layered as Content, Processes, Applications and Infrastructure.]

Copyright IDL 2006 all rights reserved



Slide 9

Risk & Compliance Phase #2 Overview
IT solutions for risk & compliance have evolved from “point solutions” and manual or
legacy systems to the adoption of best practice frameworks such as the COSO Enterprise Risk
Management Integrated Framework, COBIT or ITIL. Today, ISO certification is also available
to ensure robust, efficient & effective best practice implementation of risk
& compliance policies at the lowest cost.

[Diagram: Risk management & compliance evolution on a 2004 to 2007 timeline, with three stacked layers: ISO standards for risk & compliance subjects; best practice COSO integrated policy framework for risk & compliance; manual, legacy or point solutions for risk & compliance. Phase #1 and Phase #2 are marked along the timeline.]



Slide 10

Best Practice Evolution
Integrated IT risk management & compliance best practice evolution.
[Diagram: timeline of best practice milestones, years shown 2002, 2004, 2004, 2005 and 2006, plotted against axes labelled SMB to Enterprise and Financial Control to Integrated Management & Control:
• COSO Internal Control Integrated Framework [SEC endorsed]
• IT Control Objectives for Sarbanes-Oxley (ITGI)
• COSO Enterprise Risk Management Integrated Framework
• Institute of Internal Auditors endorsement of the COSO ERM Framework
• ISO 20000 IT Service Management
• ISO 27000 series information security
• Guidance for Smaller Public Companies Reporting on Internal Control]



Slide 11

Best Practice Implementation
Risk management covers multiple areas of risk that a corporation needs to formally
monitor and manage to stay efficient and compliant. Best practice is COSO Enterprise
Risk Management – Integrated Framework [www.coso.org] for policy used by auditors,
setting the corporate governance agenda, supported by ISO-standards based IT.
[Diagram: COSO Enterprise Risk Management Integrated Policy Framework covering Credit, Market, Liquidity, Hazard, Trading, Legal and Systems risk.
Cycle: risk assess >>> risk policy >>> implementation >>> report >>> update risk policy.
Supporting IT layer: COBIT & ITIL; ISO 20000 IT Service Management; ISO 27000 Information Security.]



Slide 12

Compelling Value
Automating the adoption of standards will further reduce risk and cost!

"78% of businesses that adopt standards feel prepared to handle
catastrophic IT failure; only 28% of businesses without standards
adoption feel prepared for IT catastrophe.
Furthermore, 71% of businesses that adopt standards feel prepared to
deal with failure in the supply chain, whereas only 43% of those
without standards feel prepared."
Business Standards Magazine reporting on BSI Research



Slide 13

Framework & Standards Adoption
New IDL analysis in Q3 2006 demonstrates the adoption of standards and framework
strategy in risk management across 50 major European financial service institutions.

Frameworks & Standards Adoption Autumn 2006

Framework / standard                                              Adoption
COSO Enterprise Risk Management                                   45%
ISO 27001 Information Security                                    30%
IT Infrastructure Library [ITIL]                                  41%
ISO 20000 IT Service Management                                   29%
Control Objectives for Information & Related Technology [COBIT]   37%



Slide 14

3. The Engagement Model
Risk & Compliance Quotation

“The IIA advocates for an Enterprise Risk Management
process that takes into account all aspects of a
company”
The Institute of Internal Auditors



Slide 15

Integrated IT Risk & Compliance Solutions
Corporate Governance relies upon IT Governance to support efficient & sustainable
risk & compliance, delivered through an integrated, not fragmented, IT infrastructure solution.
The IT solution set requires an integrated and scalable implementation, probably using
a blended on-site and off-site delivery model.

[Diagram: Integrated Corporate Governance sits above Integrated IT Governance, which is layered as Content, Processes, Applications and Infrastructure.]


Slide 16

Engagement
The US IT Governance Institute [ITGI] has developed a “best practice” engagement
process to align a corporation’s risk & compliance policy to an integrated IT solution.

#1 Plan & Scope: driven by policy
#2 IT Risk Assessment
#3 Identify Accounts & Controls
#4 Document IT Controls
#5 Evaluate Control
#6 Evaluate Operations
#7 Scope & Remediate
#8 Updated Documentation & Approval
#9 Build Sustainability & Scale To ERM

ITGI best practice scoping model [www.itgi.org]



Slide 17

ISO Standards Based IT Governance
The expanding range of internationally accepted standards has generated substantial
interest in a common, independent and certifiable strategy for sustainable IT governance.

[Diagram: ISO 20000 IT Service Management process model, with ISO 27001 mapped onto Information Security Management and BS PAS 77 mapped onto IT Service Continuity Management (ITSCM):
Service Delivery: Capacity Mgmt.; Service Continuity & Availability Mgmt.; Service Level Mgmt.; Information Security Mgmt.; Service Reporting; IT Services Budget & Accounting
Control: Configuration Mgmt.; Change Mgmt.
Release: Release Mgmt.
Resolution: Incident Mgmt.; Problem Mgmt.
Relationship: Business Relationship Mgmt.; Supplier Mgmt.
Service Support Including Service Desk]


Slide 18

Thank You

Neil MacArthur
IDL Director of Strategy

[email protected]
