For the selected Governance Frameworks and the ENISA IT Risk Management, various possible dimensions of integration exist. These incorporate e.g.:
- Integration of operational IT processes, which are regulated by the Governance Frameworks with IT Risk Management
- Integration of Governance Frameworks requirements with IT Risk Management
- Integration of Governance Frameworks implementation process and IT Risk Management
The above integration options may not be fully exhaustive, but represent the distinct choices. The figure below presents a scheme, which summarises these integration approaches.
The first option describes a situation when an operational IT process is being completely redesigned during the course of implementation of a Governance Framework. As a result, the final IT process is significantly different from the organisation’s usual IT processes.
This dimension is presented in the ENISA project: “Integration of RM/RA with Operational Processes”.
The second option suggests a direct integration of Governance Framework requirements with the IT Risk Management. This approach is also out of scope of Enisa projects because of following reasons:
- Each Governance Framework has its specifics reflected by numerous requirements. These requirements can be implemented in a variety of ways, depending on country, branch, etc. In addition, some Governance Frameworks requirements must be adapted to the country’s specific law, which again multiplies the number of possible integration variants. Therefore, this kind of integration would provide very little added value for a specific company.
- Fulfilling Governance Framework requirements means not only introducing them, but also e.g. monitoring. Therefore, more comprehensive process is required, which will include design and execution of organisation’s processes and IT with regard to Governance Framework requirements.
The third option is the integration of IT Risk Management with the processes defined for the implementation of Governance Frameworks in an enterprise.
This dimension is presented in the ENISA project: “Integration of RM/RA into Business Governance”.