2. Reporting and dashboards are also very appreciated by management, allowing for the consolidation of important information in real time. They also let stakeholders reach an increased level of trust in the organization, since they possess valuable and trusted information concerning the level of exposure to risks;
3. The level of risk appetite must be collaboratively defined in order to make governance and business performance more risk-aware in decision making [15].
Another important aspect that can be very helpful in risk identification is the information concerning complaints, incidents, suggestions, etc., that are reported when something happens. We present these as issues. An issue is a nonroutine stimulus that requires a response [25]. It may be positive or negative, internal or external to the organization. Issues can be risks that have occurred or risks that were not identified in the first place.
Whereas risk management acts on the prediction of events, issue management identifies threats that have occurred and need to be categorized and addressed. Additionally, it is in the organization's interest not only to correct what is wrong, but also to have a mechanism in place that could help improve the organization itself, for example, through suggestions from clients. By integrating this functionality in the GRC system, the information from issue management can be helpful in identifying new sources of risk and improving the activities of the organization.
Monitoring plays a crucial role in the efficiency of risk management, since it provides the capability to effectively and efficiently identify potential risks and issues. Therefore, it gives the organization the key to identify opportunities and mitigate “risks in the context of corporate strategy and performance” [24]. Internal controls can be seen as a monitoring tool, since their role in risk management is to help prevent, detect, correct and also track risks.
Monitoring, reporting and dashboards are essential in risk and issue management because they allow organizations to answer very important questions: What are our top 10 risks? What percentage of issues were identified as risks? What are the impacts of those risks and what is their status? Which risks can our organization endure? What objectives are compromised?
3.3 Compliance
Compliance must assure that the organization is following all its obligations and is thus operating within the defined boundaries. According to OCEG, “compliance is the act of adhering to, and the ability to demonstrate adherence to, mandated requirements defined by laws and regulations, as well as voluntary requirements resulting from contractual obligations and internal policies” [15]. Through this definition, the relation between governance and compliance becomes clearer.
Compliant organizations need an effective approach to verify that they are in
conformity with external (standards, regulations) and internal (internal policies)
rules. This approach is assisted by risk management, which must identify and