Design (conceptual)

The figure presents a detailed version of the Design level:

At the Design level, various Governance Frameworks regulations influence the following aspects, also depicted in the above figure:

• Design of business process. Requirements of Governance Framework translate into necessary changes in business processes, e.g. financial processes, HR processes, etc.
• Design of IT services. IT services have to be designed according to Governance Frameworks requirements. As a matter of fact, the definition of an IT service covers different elements of an IT environment, including applications, and IT infrastructure. The figure below gives an overview of the elements of IT services.

In most cases Governance Framework requirements affect directly business processes, which, as a consequence, formulate requirements on IT services (e.g. reporting, more analytics, better storage etc.). However, in some Governance Frameworks, direct requirements regarding IT services can be found, for instance, in MIFID. The black arrow on the figure represents the direct impact of Governance Framework requirements on business processes and IT services.

• Eventually, requirements regarding IT services have to be implemented. This process is represented as a Development of IT services.

• Design of the ICS

The structure of the ICS is also presented in more details:

• (Business) process controls are designed in order to guarantee correctness and compliance of business processes with Governance Frameworks. A request for process controls can arise:
  • Directly from Governance Frameworks requirements
  • From the ICS
  • From ERM

• IT controls are automated controls where design could be triggered by:
  • Changes in IT services (as a result of direct or indirect requirements from Governance Frameworks),
  • Extension of the ICS (e.g. to support business process controls or to directly monitor IT services)
  • Requirements from IT RM/RA
• Eventually, IT controls are implemented by the means of configuring or developing an IT service

Enterprise Risk Management deals primarily with business process controls and to some extend with IT controls (area on the left side of the graphics). IT RM/RA focuses on risks related with the design and implementation of IT services (area on the right side of the graphics). The integration of Business Governance and IT RM/RA is provided for these processes (area on the right side of the graphics).