A large number of Business Governance Frameworks exist in a national and international context. They affect various geographical regions and apply to different industry sectors. There are guidelines for business governance in every country; however, not all are formulated as regulations of the governing law, and some are only generally accepted norms of conduct. Furthermore, the OECD has developed its own set of principles for corporate governance. The table below contains a selection of well-known frameworks and regulations. It should be noted that some regulations, while formally only national, actually have a much wider scope.
| Framework | Description | Region | Sector |
|---|---|---|---|
| Basel II | Introduces modifications to the way banks define risk-weighted assets. Basel II alters the basic risk equation, defined in the original Basel Accord, to include operational risk in addition to credit risk and market risk when computing requirements for reserve capital. This allows banks to reduce their overall reserve cash position set aside for credit risk by adopting a set of internal controls to reduce operational risks. | Worldwide | Bank |
| SOX | Standard for all publicly traded companies in the U.S. Contains 11 sections, ranging from additional Corporate Board responsibilities to criminal penalties. Covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. Has raised the profile and general awareness of the COBIT® framework, in particular through its application for identifying IT controls relevant to SOX section 404. | USA | All sectors |
| Solvency II | Updated set of regulatory requirements for insurance firms. Based on economic principles for the measurement of assets and liabilities. Includes a risk-based system where risks are measured on consistent principles and are connected to capital requirements. Known as the insurance version of Basel II, it will come into effect in 2012. | Europe | Insurance |
| COSO | A U.S. private-sector initiative whose major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. Has established a common definition of internal controls, standards, and criteria against which companies and organisations can assess their control systems. | USA | All sectors |
| CobiT | The Control Objectives for Information and related Technology (CobiT) is a set of best practices for IT Management created by ISACA and ITGI. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company. It is largely based on the control concepts of COSO. | Worldwide | All sectors |
| MiFID | The Markets in Financial Instruments Directive (MiFID) is a European Union law which provides a harmonised regulatory regime for investment services across the 30 member states of the European Economic Area. The main objectives of the directive are to increase competition and consumer protection in investment services. | Europe | Financial services |
| Directive 95/46/EC | Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 formulates regulations on the protection of individuals with regard to the processing of personal data and on the free movement of such data. | Europe | All sectors |
| ISO/IEC 27002 | ISO/IEC 27002 is an information security standard published by the ISO and the IEC as ISO/IEC 17799:2005 and subsequently renumbered ISO/IEC 27002:2005 in July 2007. It provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems. | Worldwide | All sectors |
| KonTraG | The KonTraG (Gesetz zur Kontrolle und Transparenz im Unternehmensbereich, the German Act on Control and Transparency in Business) aims at improving corporate governance in German companies. | Germany | All sectors |
| SESTA | The Federal Act on Stock Exchanges and Securities Trading is a directive intended to encourage issuers to make certain key information relating to corporate governance available to investors in an appropriate form. Applies to all issuers whose securities are listed on the SWX. | Switzerland | All sectors |
| TransPuG | The Transparency and Publicity Act (TransPuG) for the reform of stock corporation and accounting legislation, which entered into force on 26 July 2002, represents a further step towards modern, European-compatible corporate legislation. | Germany | All sectors |
Due to limited resources, ENISA decided that only the three most relevant Governance Frameworks would be considered within this effort, namely Basel II, MiFID and SOX. The criteria for selecting these Frameworks were their global reach and the maturity level of their contents. Descriptions of the selected Frameworks can be found in the respective three sub-sections.
Basel II is an international regulation. While SOX and MiFID were created for specific markets (the USA and the EEA respectively), they heavily influence companies operating outside those markets. All discussed frameworks have either been present and active for a reasonable time period (Basel II, SOX) or are based on previously existing regulations (MiFID), and all already have multiple implementations worldwide.
It should be noted that all analysed Frameworks are business oriented. However, they also influence IT, either directly or indirectly. This aspect is of special interest to this effort, as most interfaces to the ENISA IT RM/RA Framework will exist in the area of IT.