The recent financial scandals, together with the increasing complexity and international reach of business relations, have pushed regulators to introduce legislation aimed at reducing risk and strengthening the credibility of business.
These regulations touch different aspects of organisational culture, e.g. ethics, responsibilities and risk management. Some of the regulations have national reach, while others have international validity.
This demand for a more transparent way of directing corporations has resulted in the increased popularity of Corporate Governance, also known as Business Governance.
Corporate Governance is concerned with holding the balance between economic and social goals and between individual and communal goals. The Corporate Governance Framework is there to encourage the efficient use of resources and equally to require accountability for the stewardship of those resources. The aim is to align as nearly as possible the interests of individuals, corporations and society. [Sir Adrian Cadbury in Global Corporate Governance Forum, World Bank, 2000]
As a consequence of existing Corporate Governance regulations, organisations launch various projects in order to achieve compliance. Such projects focus on the implementation of Corporate Governance Frameworks (CGF) and may require major changes to business processes and IT services.
The figure gives a schematic overview of the role of Governance Frameworks in relation to business processes and IT services. The Frameworks at the top of the figure impact business processes, e.g. by regulating certain procedures and, in particular, by formulating requirements for Risk Management (both business Risk Management and IT Risk Management). Risk Management in turn provides regulatory input to IT processes, which deal with the delivery of IT services whose aim is to support business processes.
ENISA's effort focuses on the impact that the implementation of a Governance Framework will have on IT Risk Management, as well as on the consequences IT Risk Management might have for the implementation of such frameworks.
Since Governance Frameworks deal mostly with business processes and Business Risk Management, with no direct link to IT processes and IT Risk Management, these areas are often approached separately. However, such an approach leads to general problems in the implementation and execution of Governance Frameworks. The overall quality of Risk Management suffers when the various aspects of risk are treated in isolation. The first step towards addressing this problem is to identify the references between actual business processes and IT processes by way of designing a comprehensive Governance Framework implementation and execution strategy. With such a strategy it will be possible to integrate IT RM/RA (Risk Management/Risk Assessment) with Enterprise Risk Management and to incorporate their input into business governance.
Integration is achieved by recognising the interfaces between the IT Risk Management processes described in the ENISA RM/RA Framework and selected Business Governance processes. The focus of the integration is mainly on identifying the corresponding data, roles and information flows between the various risk management processes.