Fundamentals of Risk Management
Approaches to risk management
of the standards varies. For example, the Orange Book produced by HM Treasury in the UK is intended as guidance to central government departments on risk management.

An important development in standards is the emergence of the concept of Governance, Risk and Compliance (GRC), and this is considered in more detail in Chapter 35. The approach underpinning the principle is related to the concept of the three lines of defence, whereby different risk management and internal control responsibilities are allocated to senior management, specialist risk functions and internal audit. The overall approach to GRC is based on the separation of functions. Senior management is responsible for governance within the organization, specialist risk functions are responsible for risk management activities, and assurance on adequate compliance is provided by internal audit.

In South Africa, the highly influential and detailed King III corporate governance code was published in 2009. Risk management remains important in the updated code and more detailed guidance is given on how it is to be accomplished. The board is responsible for the governance of risk and disclosure, and management is responsible for the risk management design, implementation and monitoring of the risk management plan. Detailed responsibilities for risk management are set out in King III in relation to the responsibilities of the board of the company. These are summarized in Table 9.1.

In addition to risk management standards and corporate governance requirements, there are a number of specialist standards that apply to risk management. In particular, the IT sector has produced a number of well-regarded and widely used standards. Perhaps the best-known of the standards is Control Objectives for Information and Related Technology (COBIT). COBIT provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
The COBIT approach is described in more detail in the box below.

Control Objectives for Information and Related Technology (COBIT)

The good practices described in COBIT represent the consensus of experts. They are strongly focused on control, less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong. For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:

● making a link to the business requirements;
● organizing IT activities into a generally accepted process model;
● identifying the major IT resources to be leveraged;
● defining the management control objectives to be considered.

The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.