Expert Reference Series of White Papers
Written and provided by CA
1-800-COURSES www.globalknowledge.com

White Paper
Controlling the Beast: Risk and Controls Management in Financial Services
Margaret Brooks, VP Strategic Solutions
October 2006
Executive Summary

With regulatory responsibility falling on executives throughout the value chain and the danger of stringent and varied sanctions, enterprise risk management continues to grow in importance within the financial industry. Accordingly, controls for mitigation of regulatory, operational and reputational risks are now garnering the same kind of attention and resources as an organization's more traditional market, liquidity and credit risk management efforts.

Why the newfound emphasis on enterprise risk management? Internal controls, which are essential to good risk management, now have a direct impact on the solvency and longevity of financial enterprises (due to increased public scrutiny). Further, the requirements for strong internal controls are unprecedented in their level of senior management awareness and accountability (which includes personal fines and even imprisonment). Thus, we are in a new era of risk management: one where "controls" are the remedy for risk and the term is applied to any and all of a company's risk mitigation processes, procedures, applications and data.

Thus, John Flaherty, a former Committee of Sponsoring Organizations (COSO) Chairman (whose framework the SEC, in its June 2003 rules on management's reporting on internal control over financial reporting, recognized as satisfying its criteria for a suitable control framework) and former Vice President and General Auditor for PepsiCo, says "every division in a company needs to have a documented set of internal rules that control how data is generated, manipulated, recorded and reported."

For financial institutions and their partners, that is both a good rule of thumb and a very tall order. Executives are now on the hook for everything from the authenticity of their financial statements to "the quality of information reporting and systems, the manner in which business risks and activities are aggregated and management's record in responding to emerging or changing risks."

But how do you get started? Better yet, how do you monitor and maintain your controls program across the enterprise to achieve optimal value and risk mitigation? In other words, how do you control the beast?

Introduction

In a 2004 survey of 200 IT professionals from 14 countries in the Americas, Asia/Pacific and Europe, the IT Governance Institute (ITGI) found that in 80% of organizations, IT management is solely responsible for defining and addressing IT risk impact. This widespread lack of involvement by business unit managers demonstrates a consistent, and alarming, gap in mapping technology risk to the business. It also shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, the consumers themselves, the people who require and use technology services, must share ownership of business-related IT risks with IT management and executive management.

In only about one-third of the organizations surveyed, however, does the CEO or board sign off on the organization's IT risk management plan. Yet without senior management's review and approval of the risk action plan, agreement on priorities and commitment of the resources necessary to execute it, the plan itself is not worth the paper it is printed on. That is why ITGI recommends that boards oversee a consistent approach to the ownership of IT risk management by business and IT management, and ensure that all stakeholders are properly involved in the process.

ITGI identifies five focus areas for IT governance:
1. Strategic alignment
2. Resource management
3. Performance measurement
4. Value delivery
5. Risk management

[Figure: ITGI's five IT governance focus areas (Strategic Alignment, Value Delivery, Risk Management, Resource Management and Performance Measurement) arranged around the IT Governance Domains.]
Governance starts with establishing objectives for an enterprise's IT and continues with a closed loop of measuring and comparing results and refining activities and goals as necessary and appropriate. In that vein, risk management's specific function as it relates to IT governance is to protect the strategic objectives of the business against technology failures. And because a successful governance program is a continuous process, organizations must implement a sufficient controls program, complete with testing, repeatability, visibility and automation.

Thus, risk and control go hand in hand and must be addressed together, in a comprehensive and proactive way. That means abandoning ad-hoc, point-product approaches in favor of a holistic approach that identifies processes and determines their associated risk, then:
• Ties the applicable controls to the risk(s) and documents them
• Automates the most important controls
• Develops ongoing monitoring capabilities for all controls
• Connects controls to any and all applicable and specific regulations
• Ensures reporting provides the type and presentation of information necessary for compliance and audit of any and all applicable and specific regulations

"CA's new Risk and Controls solution is a giant leap forward for banks of all sizes and their executives who are responsible for managing risk. After almost 40 years in the banking industry, I understand the daily challenges of providing accurate and current data about risk and compliance. Today, controls are far more important than ever as more information needs to be reported to management, directors and regulators. The automated processes contained in CA's latest software solution empower an executive to accurately report, as well as manage, a company's operational and business IT risks company-wide."
—Mr. Ronald Menaker, Retired President and Director of J.P. Morgan Services Inc.

An Integrated Approach Can Pay High Dividends

Financial institutions minimize their risk exposures through design and implementation of automated controls. To achieve the necessary risk mitigation and return on investment, however, individual controls should be integrated as part of an overall, enterprise controls framework. Such an approach starts with achieving a high-level understanding of comprehensive risks and risk requirements. And it ensures that an organization's controls strategy is constantly evolving along with its business risk environment, which is often a complex combination of regulatory, operational and reputational concerns.

"A dynamic, enterprise-wide, risk-based controls framework is the foundation for a successful institutionalized IT governance program."
—Dan Trieschmann, Senior Managing Director, PricewaterhouseCoopers

Finally, this strategy lays the foundation for governance, risk and compliance with continuous, proactive monitoring and reporting, independent of any specific need, requirement or regulatory driver, allowing financial organizations to effectively:
• Track and measure IT risk as a broader component of business risk
• Monitor IT risk mitigation at every level within the organization
• Provide information before a regulatory audit and/or outside of it
• React to and grow with changes in the risk landscape

Tactically speaking, it translates into implementation of a comprehensive system that includes elements for identification, assessment, mitigation and ongoing control of technology risk. At minimum, that system must:
1. Identify all processes
2. Determine their associated risk(s)
3. Tie applicable controls to the risk(s)
4. Document the controls
5. Automate the most important controls
6. Develop ongoing monitoring capabilities for all controls
7. Connect specific regulations to applicable controls
8. Ensure reporting provides the type of information necessary for compliance and audit of specific regulations
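The eight steps above are a data model plus a handful of checks, and they are easier to reason about in code than in prose. The following is an added example, not the white paper's text or CA's product: a small Python controls repository that ties processes to risks, risks to controls and controls to regulations, keeps the newest test evidence per control (hashed at capture so later tampering shows), and derives the things an auditor asks for: risks with no control, regulations mapped to nothing, key controls whose evidence is failed, stale or missing, the alerts and escalations continuous monitoring should raise, and a per-regulation compliance view. The sample risks, control ids, regulation labels ("SOX 404", "GLBA 501(b)", "PCI DSS", "Basel II 744"), evidence bytes and the 90-day evidence-freshness window are all constructed for the example.

```python
"""Risk-and-controls repository for the eight steps above: processes -> risks -> controls ->
regulations, with test evidence, gap detection, alerts and audit reporting. Added example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib


@dataclass
class Control:
    cid: str
    risk_ids: tuple   # step 3: the risk(s) this control mitigates
    key: bool = True  # key controls need current, passing evidence for compliance


@dataclass
class TestResult:
    cid: str
    tested_on: date
    passed: bool
    evidence: bytes   # what the test captured (log extract, query output, ...)
    evidence_sha256: str = field(init=False)

    def __post_init__(self):  # hash at capture so later tampering with stored evidence shows
        self.evidence_sha256 = hashlib.sha256(self.evidence).hexdigest()


class ControlsRepository:
    def __init__(self, max_evidence_age_days=90):
        self.risks = {}        # risk id -> description            (steps 1-2)
        self.controls = {}     # control id -> Control             (steps 3-5)
        self.regulations = {}  # regulation -> control ids         (step 7)
        self.latest = {}       # control id -> newest TestResult   (step 6)
        self.max_age = timedelta(days=max_evidence_age_days)

    def add_control(self, control):
        if any(r not in self.risks for r in control.risk_ids):
            raise ValueError(f"{control.cid} references an unknown risk")
        self.controls[control.cid] = control

    def map_regulation(self, regulation, control_ids):
        if any(c not in self.controls for c in control_ids):
            raise ValueError(f"{regulation} references an unknown control")
        self.regulations[regulation] = tuple(control_ids)

    def record_test(self, result):
        prev = self.latest.get(result.cid)  # keep only the newest evidence per control
        if prev is None or result.tested_on >= prev.tested_on:
            self.latest[result.cid] = result

    def control_status(self, cid, today):
        res = self.latest.get(cid)
        if res is None:
            return "untested"
        if not res.passed:
            return "failed"
        return "stale" if today - res.tested_on > self.max_age else "effective"

    def gaps(self, today):
        """Risks nobody controls, regulations nothing supports, key controls lacking good evidence."""
        covered = {r for c in self.controls.values() for r in c.risk_ids}
        key = [cid for cid, c in self.controls.items() if c.key]
        by_status = lambda s: sorted(c for c in key if self.control_status(c, today) == s)
        return {"uncontrolled_risks": sorted(set(self.risks) - covered),
                "unmapped_regulations": sorted(r for r, ids in self.regulations.items() if not ids),
                "failed_key_controls": by_status("failed"),
                "stale_key_controls": by_status("stale"),
                "untested_key_controls": by_status("untested")}

    def escalations(self, today):
        """Continuous monitoring: a failed control escalates; stale or untested ones raise an alert."""
        level = {"failed": "escalate", "stale": "alert", "untested": "alert"}
        statuses = {cid: self.control_status(cid, today) for cid in self.controls}
        return sorted((cid, level[s]) for cid, s in statuses.items() if s in level)

    def regulation_report(self, regulation, today):
        """Step 8: audit view of one regulation; compliant only if every key control is effective."""
        rows = [{"control": cid, "key": self.controls[cid].key,
                 "status": self.control_status(cid, today),
                 "evidence_sha256": self.latest[cid].evidence_sha256 if cid in self.latest else None}
                for cid in self.regulations[regulation]]
        compliant = bool(rows) and all(r["status"] == "effective" for r in rows if r["key"])
        return {"regulation": regulation, "compliant": compliant, "controls": rows}


def build_sample_repository():
    """Constructed sample for a payments process; ids, mappings and evidence are hypothetical."""
    repo, today = ControlsRepository(max_evidence_age_days=90), date(2006, 10, 1)
    repo.risks = {"R1": "Unauthorized change to payment code", "R2": "NPI readable without need",
                  "R3": "Payment file altered before release", "R4": "Batch misses customer SLA"}
    for c in (Control("C-ChangeApproval", ("R1",)), Control("C-AccessReview", ("R2",)),
              Control("C-ReleaseChecksum", ("R3",))):
        repo.add_control(c)  # R4 deliberately gets no control: a step-3 gap
    for reg, ids in {"SOX 404": ["C-ChangeApproval"], "GLBA 501(b)": ["C-AccessReview"],
                     "PCI DSS": ["C-ReleaseChecksum"], "Basel II 744": []}.items():
        repo.map_regulation(reg, ids)  # "Basel II 744" mapped to nothing: a step-7 gap
    repo.record_test(TestResult("C-ChangeApproval", today - timedelta(days=7), True, b"deploy log: 12/12 dual-approved"))
    repo.record_test(TestResult("C-AccessReview", today - timedelta(days=120), True, b"Q2 grant review: 3 revoked"))
    repo.record_test(TestResult("C-ReleaseChecksum", today - timedelta(days=1), False, b"file 0931: hash mismatch"))
    return repo, today
```

Running `build_sample_repository()` and then `gaps`, `escalations` and `regulation_report` on it reproduces the situations the list describes: one risk with no control, one regulation with nothing behind it, a stale quarterly review that only alerts, and a failed automated check that escalates and makes its regulation non-compliant. The design choice worth noting is that "compliant" is derived from control status and evidence age at query time rather than stored, which is what keeps the report from describing a moment that has already passed.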
Increased Global Emphasis on Internal Controls

To ensure organizational responsibility and restore investor confidence, various financial governing bodies around the world are focusing on developing rules that create transparency for internal controls and reporting of publicly traded companies.

In the US, the Sarbanes-Oxley (SOX) Act of 2002, which requires senior executives to personally attest to the accuracy of an organization's financial measurements and the controls that were implemented to ensure this accuracy, is certainly the most famous. That is because the requirement was instituted in response to such corporate scandals as Enron and Global Crossing, and it sets a precedent for the level of personal responsibility and accountability it places on a company's management team to ensure ethical and sound reporting in the public interest.

However, the SOX language is similar to, and heavily influenced by, that of the UK's Internal Control: Guidance for Directors on the Combined Code (the Turnbull Report) of 1999, which calls on boards of directors to regularly review reports on the effectiveness of their system of internal controls in managing key risks, and to undertake an annual assessment for the purpose of making statements on internal control in their annual reports.

Other financial industry regulations that demonstrate a global emphasis on risk mitigation through internal controls include:

• The Group of Ten (G10) countries' New Basel Capital Accord (Basel II). In June 2004, the G10 published a new framework for capital adequacy known as Basel II. Paragraphs 744 and 745 of Basel II call for an independent review of financial organizations' internal control structures, including risk management, establishing a method for monitoring compliance with internal policies, and verifying the adequacy of their systems of internal controls to ensure well-ordered and prudent business conduct. Paragraphs 751 and 752 of Basel II call for the assessment of the control environment, including the quality of information reporting and systems, the manner in which business risks and activities are aggregated, and management's record in responding to emerging or changing risks.

• Canada's Ontario Securities Commission Multilateral Instruments 52-109 and 52-111, and Japan's so-called "J-SOX" requirements, incorporated into the Financial Instruments and Exchange Law that succeeds the Securities and Exchange Law. These rules require companies in those jurisdictions to file internal control reports along with their annual reports.

• The Principles of Corporate Governance issued by the OECD (Organisation for Economic Co-operation and Development). Because it believes a mandatory standard for all of its 30 member countries is unrealistic, the OECD has adopted a principles-based approach to internal controls. Many obligations and definitions mirror those of SOX, and the framework specifically focuses on the rights, roles and equitable treatment of shareholders; disclosure and transparency; and the responsibilities of the board.

Common elements among these documents include:
• Identification of risks to financial reporting and development of risk mitigation strategies on both the business and IT sides
• Linking significant risks to manual and automated controls
• Testing of all key manual and automated controls, and revisions based on their operational effectiveness
• Identification of any new business and IT control gaps arising from a quality assessment review and operational effectiveness testing, as well as institution of applicable remediation action plans
• A complete and detailed quality assessment of all business and IT controls documentation aimed at verifying that no key controls are missing
• Documentation of all embedded system application controls
Automation Is Key

In their development of controls, however, most organizations have recently focused on passing audits and achieving compliance for specific guidelines and governing bodies. While this approach addresses immediate needs, it lacks any real long-term strategy, duplicates effort and usually misses the correlation between good risk management and good organizational control. Moreover, it essentially communicates results of a controls program as of a specific moment (the result of the assessment or test), and forces a situation where cyclical and manual maintenance are the norm.

In that "tactical" mode, enterprises are constantly "reinventing the wheel" because there is little or no automation, and therefore no mechanism by which they can easily identify and address new and applicable risks, regulations or requirements. What's more, testing, repeatability, visibility and remediation are costly or nonexistent.

With an integrated, strategic approach, however, automation of controls testing is both seamless and transparent, and based on technologies that facilitate rapid reporting of operational activities against regulatory and/or business drivers. Ideally, it also includes federated monitoring and reporting of objectives among entities, partners and regulatory bodies, as well as applicable maintenance and repair.

"IT risks and business operational risks can no longer be kept in different silos given today's increasingly stringent regulatory environment. In my view, public companies should strongly consider CA's new software solution because of the unique way it integrates IT and business risks through a centralized, highly visible repository, which should enable corporate managers to more easily manage both the risks and the costs associated with mitigating those risks."
—Rick Roberts, independent consultant and former commissioner of the Securities and Exchange Commission

Privacy Controls

While the Internet has revolutionized the way financial companies deliver services, the potential for abuse and fraud is high. As such, consumers are demanding assurances that their personal data is protected and secure, and government at all levels has responded with a plethora of privacy laws. These guidelines, aimed at protecting the confidentiality, integrity and availability (CIA) of consumers' personal data, require board oversight and periodic audit of the safeguards that institutions implement. They include:
• The European Union Data Protection Directive, Directive 95/46/EC, 1995
• Health Insurance Portability & Accountability Act (HIPAA), 1996
• Section 501 of the Gramm-Leach-Bliley Financial Services Modernization Act (GLB or GLBA), 1999
• US Department of Commerce's Safe Harbor Framework, 2000
• Personal Information Protection and Electronic Documents Act (PIPEDA), Canada, 2000
• Various state consumer information protection and similar rules, including California Civil Code 1798.80, AB 2246 and California SB 1386
• The Payment Card Industry (PCI) Data Security Standard, a self-regulating industry guideline that aligned Visa's and MasterCard's programs into a common set of security requirements, 2004

Financial institutions and credit card companies are aware that they are within the purview of GLBA. But real estate agents, appraisers, insurance companies and small financial planning and securities firms may not know that they are as well. And because it aims to secure any record containing nonpublic personal information about a customer, in paper, electronic or other form, that is maintained by or on behalf of a financial organization, GLBA also applies to any and all third-party vendors and service providers that maintain, transact in or process financial companies' customer data.
How CA Clarity™ Risk and Controls Manager Can Help

CA Clarity Risk and Controls Manager provides a global repository that easily maps new requirements to existing controls, the ability to improve the overall quality of controls and the capabilities for continuous monitoring, managing and reporting of all risks and controls.

In recognition of the fact that many enterprises have already documented their business and IT processes and controls on their journeys toward a compliance program, CA Clarity Risk and Controls Manager allows them to retain and leverage that work to build context around how their controls are used within their environments and carry that information forward.

Specifically, CA Clarity Risk and Controls Manager enables organizations to effectively integrate and automate their enterprise risk and controls management programs by:
• Continuously optimizing processes for identifying risks and implementing controls across business units, geographies and/or business processes
• Customizing the system configuration to address specific risk management methodologies
• Utilizing industry-standard control frameworks that support COSO, CobiT, ISO 17799:2005 and NIST standards
• Aligning policies, procedures, contracts, service level agreements (SLAs) and other internal requirements with legislative and regulatory requirements, as well as associating with and reporting on the specific control activities related to each
• Tracking specific control activity test results and storing the evidence of specific tests
• Tracking control activities related to outsourced IT or business processes
• Monitoring the results of control testing and control failures, in addition to tracking controls maturity and graphically presenting the results through web-based dashboards
• Facilitating root-cause analysis of control failures and identifying other areas within an organization where similar breakdowns may occur
• Offering continuous monitoring capabilities that include repeatable alerts and escalations
• Allowing implementation of a system based on the risk and control maturity of an organization
• Tracking costs associated with sustaining the control environment

As such, the comprehensive CA Clarity Risk and Controls Manager solution helps organizations make decisions that will drive efficiencies by establishing visibility into the quality of their existing controls while also helping them identify their requirements and corresponding operational impacts. More to the point, CA Clarity Risk and Controls Manager helps enterprises proactively manage, monitor and report on their internal and external controls, which helps manage the entire control landscape, including outsourcing relationships.

CA Clarity Risk and Controls Manager Makes Spreadsheets Obsolete

Because of the advanced sorting and computational functionality the applications offer, spreadsheets remain a staple of control information capture and maintenance. But CA Clarity Risk and Controls Manager has rendered them obsolete, offering those features in addition to functionality that Excel and other spreadsheet software packages cannot.

For example, role-based views can be used to lock down access to control information and offer the ability to capture additional qualitative information about the maturity of controls. And while it is difficult to ensure the integrity of documented controls that are created in other products once they are distributed across the organization, CA Clarity Risk and Controls Manager includes auditing and workflow capabilities that facilitate change tracking and alerts.

Moreover, the combination of Clarity's qualitative and quantitative data and sophisticated information presentation allows management to create powerful business intelligence that can be leveraged to make educated investment decisions about its controls portfolio.
The CA Advantage
CA is one of the world’s largest IT management software
providers, delivering software and expertise to unify and
simplify complex IT environments in a secure way across
the enterprise for greater business results. Enterprise IT
Management (EITM) is CA’s clear vision for the future
of IT. It’s about how financial institutions can manage
systems, networks, security, storage, applications and
databases securely and dynamically. They can build on
their IT investments, rather than replacing them, and do
so at their own pace.
Leveraging an architectural foundation that promotes the
integration and sharing of management processes, data
and user interfaces, EITM provides a path for proactive,
enterprise-wide IT management that enables organizations
to optimize resource allocation in anticipation of business
needs. It ties together management of the entire enterprise
IT environment—including end users, infrastructure, data,
applications, IT services and business processes.
In addition to streamlining core IT disciplines, such as
fault and change management, EITM’s service-oriented
approach eliminates the “silos” that historically have
limited an IT organization’s ability to effectively manage
disparate technologies. This makes it easier to enhance
and monitor the end-to-end impact of IT on the business.
As the world’s leading independent provider of IT
management solutions, CA is uniquely able to provide
customers with this consistent, integrated approach for
managing their multi-vendor, multi-generation enterprise
IT environments.
CA has more than 5,300 developers worldwide who create
and deliver IT management software that keeps the CA
vision real. And CA has taken decades of experience
solving complicated IT problems and developed practical
paths for organizations to get from where they are today
to where they want to be.
For more information, visit www.ca.com/clarity.
Copyright © 2006 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational
purposes only. To the extent permitted by applicable law, CA provides this document “AS IS” without warranty of any kind, including, without limitation, any implied warranties of merchantability,
fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits,
business interruption, goodwill or lost data, even if CA is expressly advised of such damages.
MP308571006