be delegated to a committee with representation from various departments and supported
by a risk management function headed by a director or manager.
The purpose of the risk management committee is to coordinate risk management activities across the enterprise. It is also responsible for monitoring risks and for ensuring that new or changing risks are quickly identified and mitigated. The committee gives regular feedback to the board and senior management on the risks facing the enterprise.
Representation on the risk management committee should span the whole enterprise so that all risk issues are picked up by the committee and reported to senior management and the board. The risk management function or department carries out most of the routine work on behalf of the committee.
In smaller enterprises, the risk management function can be performed by another function such as internal audit, or by a risk specialist contracted from outside the enterprise. The enterprise may also opt to employ a risk specialist to coordinate risk management activities on behalf of management.
The risk management committee should always be available to handle new risks or changes in risk exposure; this is a further reason for having the various departments represented on it. Enterprises continually face different types of risk as they interact with clients, suppliers, regulators, and other enterprises. The IS auditor can look for evidence that the committee is actually available by checking who sits on it, whether members can readily be contacted by phone or email, and how often they interact with business operations so that they are in a position to observe how operations run and how IT risk procedures are being implemented.
The IS auditor should interview the board, senior management, and the risk management committee to understand how well each appreciates the enterprise's risk policy and procedures. A key consideration is how the board, senior management, and the risk management team monitor IT risk: a risk management function may exist on paper yet have no tools for monitoring risk. Enterprises are dynamic and face changing conditions that can give rise to new risks, so monitoring has to be ongoing rather than a one-off exercise.
The risk management committee should have a risk management program that is implemented to deal with the various risks identified. The program should include activities such as general IT risk assessments, IT project risk assessments, IT risk monitoring, IT risk profiling, change management, IT risk audits, and risk mitigation. The risk management function should consider developing a calendar of activities setting out when and how each of these risk activities will be conducted.
The risk management committee should meet regularly to discuss business operations and
review how risks are being managed. Ad hoc meetings with users can also be helpful as a
way of monitoring risks. Front desk employees interact with clients and often come across