In Control of IT Processes and Risks
“To elevate our IT Control Framework to a higher level, we’d like to be given insight into the configuration and operation of all IT processes and the associated controls, Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).” That’s the request we received from an international (re)insurer. Relevant? Absolutely! It’s not just financial institutions that are increasingly focusing on being able to stay in control of IT risks; supervisory bodies are also putting more and more emphasis on their having the ability to do so. The Netherlands Central Bank (DNB), for example, now expects organisations to meet requirements that guarantee the integrity, continuous availability and security of their information systems.
Backed up by our knowledge of the financial markets and international standards in the areas of legislation and regulations and IT risk management, we set to work on improving this organisation’s IT Control Framework.
To attain an executable and manageable IT Control Framework, we took the size, complexity and strategy of the applicable (re)insurer as our departure point. We kicked off the project by throwing some light on the current set-up and the way the IT processes are implemented. To this end, and to establish a good connection with the actual way of working, we analysed all available documentation and organised workshops with frontline employees and managers. The insights into the current situation that this provided served as a good departure point for the transition to the “to be” situation.
In the following step, we compared the current way of working with industry standards and best practices, including ITIL, COBIT and the ISO 27000 series. Based on a FIT/GAP analysis, we then described the “to be” process. The description comprised the extensive documentation of the process and the respective roles and responsibilities, together with a concise and clear visualisation. We also mapped out the relationships between the various sub-processes, as well as the dependencies between them. To identify all possible risks, we then organised risk assessments. Finally, to mitigate these risks and demonstrate the design and working of the process, in the next step we defined and documented the controls, KPIs and KRIs.
By involving the client in every step of the process, we established a broadly supported, executable and demonstrable IT Control Framework. Furthermore, our approach also increased familiarity, ownership and awareness of IT Risk Management throughout the client’s organisation.
Want to know more about what we can do for you in the area of IT Risk Management? Click here