IT Governance Issues: Risk Management, COSO ERM, and OCEG Guidance
RISK MANAGEMENT IS AN INSURANCE-RELATED CONCEPT where an individual or an enterprise will envision some type of threat, such as the danger of a residential fire or theft, and then will take actions to provide protections in the event that threat occurs. The most common risk protection approach is to purchase insurance from a commercial outside vendor or install protection mechanisms to provide some protection over the risks, using a risk-based approach to decide what type and how much insurance to purchase or what protection to install. Key decision factors here are the extent of perceived risks or other threats and the insurance and protective device costs to cover those risks.
Although individuals often think of risks and insurance protection in terms of the threat of fires, natural disasters, or theft, an enterprise needs to consider risks on a much broader level, which can include such things as the failure of a new business venture, malicious litigation because of a product failure, or unexpected economic bad turns. An enterprise cannot just easily buy insurance, in a cost-effective manner, to cover those other risks. Rather, an enterprise needs to implement other processes to provide protection from these many and varied business risks. An enterprise’s IT resources are often a major area, where the physical destruction of their IT equipment, a disruption in network connections, or the theft ...