Thursday, March 10, 2016

IT Governance

Ensuring that all IT systems, frameworks and practices work together to achieve corporate strategies and objectives can be a challenge.

IT Governance is a way to ensure that the IT function sustains the strategies and objectives of a company. We can also define it as the structure by which a company aligns its IT strategy with its business strategy in order to achieve its strategies and goals, and by which it implements an appropriate way to measure the performance of its IT.
IT Governance also helps you make sure that the interests of all stakeholders are taken into account. An IT governance framework should answer key questions such as how the IT department is functioning overall, what metrics are needed, and what the ROI of IT systems is.

Leading IT governance frameworks include COBIT, ITIL, and finally ISO/IEC 38500:2015.


COBIT is a framework for IT Management and IT Governance. It is a supporting tool-set that allows IT managers to bridge the gap between control requirements, technical issues, and business risks.
The business aspect of COBIT links business goals to IT goals by providing metrics and maturity models to measure their achievement, and by identifying the responsibilities of IT process owners and business process owners.

COBIT 5 is a framework not only for IT Governance but also for risk, security, and auditing. COBIT has evolved over time: back in 1996, when it was on version 1, it was just about auditing.

ISO 38500

ISO 38500 is the newest of the three and provides definitions, principles, and a model for IT Governance. ISO/IEC 38500:2015 is based on six principles:
  1. Responsibility
  2. Strategy
  3. Acquisition
  4. Performance
  5. Conformance
  6. Human behavior
ISO 38500 also provides guidance for those who advise, inform, or assist governing bodies, such as directors and auditors.


ITIL is also considered a kind of IT Governance framework. It is a set of practices for IT Service Management with a focus on aligning IT services with the needs of the business. ITIL is mostly about processes, procedures, and tasks, as well as some checklists, which can be used in any company or organization.
An organization can apply it to establish integration with its strategy, deliver value, and maintain some level of competency.


Wednesday, March 2, 2016

Simple Risk Management in Four Steps

Risk Management is nothing but Risk Assessment plus Risk Treatment. Risk Assessment exercises should be undertaken regularly (for example, quarterly) in order to check whether internal controls/safeguards are still fit for purpose.

The first question to ask yourself is: do the controls detect and prevent errors and problems in our existing operating environment? The second question would be: will the controls help to reduce the impact of new risks? (Risk Mitigation)

The key point is that you should look at Risk Management as an ongoing process. This means that you must continually review your exposure to new and emerging risks. So the risk management cycle has these steps:

1. Risk Identification:
Regularly consider the nature and extent of internal and external risks.

2. Risk Evaluation:
Develop a process to evaluate identified risks: consider the impact that each risk may have on operations, and then assess the probability that the risk materializes.

3. Managing the Risk:
Ensure controls are sufficient to detect and/or prevent the problems and understand that internal controls reduce risks.

4. Monitoring of Controls:
Make sure that you have proper procedures to monitor the effectiveness of internal controls regularly, and ensure that controls are up to date and capable of mitigating new risks.

Now we can walk through all of the above steps with an example:

1. Risk Identification 

As an example, an organization may face risks such as these:

a. Delays in investment
b. Incorrect payment of invoices to suppliers
c. Loss of independent compliance audit
d. IT Failure

2. Risk Evaluation

We follow a quantitative approach to evaluating risk here. In the risk evaluation step you need to rank the impact of each risk on your business and also estimate the likelihood of that event.
Use this formula to calculate/score the risk:

Risk (R) = Likelihood (L)* Impact (I) 

For example, for the items listed in section 1 we may have:

Score of risk a = likelihood of a * impact of a = 6 * 7 = 42
Score of risk b = likelihood of b * impact of b = 2 * 4 = 8
Score of risk c = likelihood of c * impact of c = 3 * 7 = 21
Score of risk d = likelihood of d * impact of d = 2 * 9 = 18

We choose a number between 0 and 9 for likelihood as well as for impact. You can adopt any range, as long as you use it consistently across all risks.

3. Managing the risk

Now you have to make sure that the risks are mitigated by using proper controls (Risk Mitigation). You have to check the existing safeguards and add more if needed.
These are the potential controls for risks a to d, which were already listed in section 1:

Controls for risk a: 
  • Director of investment should monitor the time between fund receipt and investment.
  • Investment department should monitor investment protocols for delays in investing funds.

Controls for risk b:
  • Accounting department should schedule weekly arrangements with the suppliers to check and authorize payments of invoices. 
  • Accounting department should review expenses against budget.

Control for risk c:
  • Maintain separation of company and auditor.

Controls for risk d:
  • Presence of up-to-date, certified and tested Disaster Recovery Plan.
  • Presence of up-to-date, certified and tested Business Continuity Plan.

4. Monitoring of controls

You should monitor/audit your systems and test them on a regular basis at planned intervals. For example, you can choose the following timeline:
  • Test risk a: Quarterly
  • Test risk b: Semiannually
  • Test risk c: Biannually
  • Test risk d: Quarterly
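As an added example (not part of the original post), here is a small Python risk register that scores the four risks above with R = L * I, rejects likelihood or impact values outside the 0-9 scale, ranks the risks, and flags any control whose scheduled test interval has elapsed (step 4). The last-tested dates are constructed, and "Biannually" for risk c is assumed here to mean every two years.

```python
from dataclasses import dataclass
from datetime import date

SCALE_MIN, SCALE_MAX = 0, 9   # the post's 0-9 scale for likelihood and impact
REVIEW_DATE = date(2016, 3, 2)  # constructed "today" for the overdue check


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    test_interval_months: int  # how often the control for this risk is tested
    last_tested: date          # constructed sample date

    def score(self) -> int:
        """R = L * I, after checking both factors are on the agreed scale."""
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} {value} for {self.name!r} is outside "
                                 f"{SCALE_MIN}..{SCALE_MAX}")
        return self.likelihood * self.impact


def rank_risks(risks):
    """(name, score) pairs from highest to lowest score; ties keep input order."""
    return sorted(((r.name, r.score()) for r in risks), key=lambda p: p[1], reverse=True)


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + later.month - earlier.month


def overdue_controls(risks, today: date):
    """Risks whose control has not been tested within its planned interval."""
    return [r.name for r in risks
            if months_between(r.last_tested, today) >= r.test_interval_months]


# Constructed register using the post's four risks, scores and test cadences.
REGISTER = [
    Risk("a: Delays in investment", 6, 7, 3, date(2016, 1, 5)),
    Risk("b: Incorrect payment of invoices", 2, 4, 6, date(2015, 7, 1)),
    Risk("c: Loss of independent compliance audit", 3, 7, 24, date(2015, 3, 1)),
    Risk("d: IT failure", 2, 9, 3, date(2015, 11, 15)),
]

if __name__ == "__main__":
    for name, score in rank_risks(REGISTER):
        print(f"{score:3d}  {name}")
    print("Overdue control tests:", overdue_controls(REGISTER, REVIEW_DATE))
```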
