Chapter 8. Enterprise Risk Analysis

Out of intense complexities intense simplicities emerge.

—Winston Churchill

IDENTIFYING RISK-BASED CONTROLS

Identify Strategic IT Controls

Understanding the pressures on an organization and the subsequent weighted-risk valuations requires recognition and consideration of the near- and long-term strategy of the business itself. Doing this requires sufficient management direction and communication to account for the firm's forward direction. Of course, plans change and markets shift, so the program must be somewhat flexible and reviewed regularly (quarterly). The short-term outlook should consider the fiscal year ahead; the long term covers up to five years beyond. The strategic direction of the organization affects how the control environment is defined, established, managed, and maintained by the entire enterprise. External influences must be taken into consideration both at the operational customer-delivery level and at the level of legal commitments.

A process of assigning a value to these influences that reflects the organization's strategic direction shall ensure that the control environment appropriately reflects and responds to the needs and requirements of the organization and all concerned parties. In an age when the entity itself is beholden to internal employees, external shareholders, international regulatory enforcement agencies, and service-delivery commitments to customers and partners, a thorough consideration must be reflected in the ...
