Some Guidance for professionalising your ORM and ITRM Programme

A recurring theme in my conversations with organisations that approach me about Operational and IT Risk Management (ORM and ITRM) using our GRC technology is the same question: how do we professionalise ORM and ITRM?

Here are some pointers for getting started on that front:


What not to do

Before working through ICT guidelines, being cognisant of what not to do, and learning from the risk management failings of others, is a good way to set the right foundations for your programme.

The Swiss Financial Market Supervisory Authority (FINMA) puts out the “Risk Monitor” annually that reports on risks that financial institutions grapple with.

FINMA’s Risk Monitor from 2022 outlines, on pp. 13 and 14, the cyber risk management deficiencies and findings from its supervisory work and on-site visits at financial institutions.

The link below leads to the 2022 report referenced here and to the preceding Risk Monitor releases, which are worth noting for what to avoid as you professionalise your ITRM.

It also includes the report from November 2023, which reiterates the major cyber threats (pp. 16 to 18) and points out weaknesses in the GRC programmes of financial institutions that the regulator observed. The recent report also contains a new section on Outsourcing (p. 21) that gives a steer on mapping the risks in the supply chain, and guidance on adequately structuring a GRC programme via the embedded Circular 2017/1.

www.finma.ch/en/documentation/finma-publications/reports/risikomonitor/ (Risk Monitor)

In addition, the enforcement actions of the UK's Financial Conduct Authority can be mined for operational resilience failings to avoid, mitigation actions to take and controls to apply:

www.fca.org.uk/news/news-stories/2022-fines

The same goes for the US Securities and Exchange Commission's enforcement database: filtering the press releases on the word "control" surfaces the risk management failings behind each action.

The link below is already filtered as described and can be subscribed to, so that the controls and mitigation actions deduced from the enforcement notices can be incorporated into your programme:

www.sec.gov/news/pressreleases?aId=&combine=Control&year=All&month=All



Build your Risk Universe

It’s hard to address risks that you didn’t see coming.

Risk identification and preparedness typically starts with the documentation of your risk universe.

The Cambridge Taxonomy of Business Risks, and ORX's taxonomy offering with its wrap-around services, help organisations save time in building out their risk repositories.

The taxonomies mentioned above can be accessed here:

https://managingrisktogether.orx.org/

www.jbs.cam.ac.uk/wp-content/uploads/2021/11/crs-cambridge-taxonomy-of-business-risks.pdf



Technology for connecting GRC processes

GRC platforms ensure, among other things, that your institutional knowledge on ORM and ITRM is digitised and can be reproduced quickly for internal or external purposes via the audit trail kept over the aggregated GRC data.

In addition, workflows and data linkages ensure that business rules are consistently adhered to rather than depending on individual diligence.

Once your risk universe is in a GRC platform, the next logical step is to connect it to your control repositories and to execute workflows so that your business rules are followed automatically via our integrated platform.
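The following is an added illustration of the two points above, the data linkage between a risk universe and a control repository, and a reproducible audit trail. It is not code from the article nor any vendor platform's schema; the data model, the business rules, the threshold for "high" inherent risk and the sample entries are all constructed assumptions. Each audit entry commits to the hash of the previous entry, so that a later change to any recorded entry is detectable when the trail is replayed.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List

HIGH_INHERENT = 4  # assumed threshold: inherent ratings of 4 or 5 must carry a control


@dataclass
class Control:
    control_id: str
    name: str
    owner: str        # accountable owner; an empty owner breaches the rules
    last_tested: str  # ISO date of the last effectiveness test


@dataclass
class Risk:
    risk_id: str
    taxonomy_path: str  # e.g. "Technology/Cyber/Ransomware" (assumed taxonomy labels)
    inherent: int       # 1 (low) .. 5 (high)
    residual: int       # rating after the linked controls are applied
    control_ids: List[str] = field(default_factory=list)


class AuditTrail:
    """Append-only log where each entry commits to the hash of the one before it."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, payload: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "payload": payload, "prev": prev}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Replay the chain; any edited, reordered or dropped entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def validate(risks: List[Risk], controls: Dict[str, Control]) -> List[str]:
    """Apply the (assumed) business rules and return one finding per breach."""
    findings: List[str] = []
    for r in risks:
        if len(r.taxonomy_path.split("/")) < 2:
            findings.append(f"{r.risk_id}: taxonomy path too shallow to place in the risk universe")
        if not 1 <= r.residual <= r.inherent <= 5:
            findings.append(f"{r.risk_id}: rating out of range or residual {r.residual} exceeds inherent {r.inherent}")
        if r.inherent >= HIGH_INHERENT and not r.control_ids:
            findings.append(f"{r.risk_id}: high inherent rating without a linked control")
        for cid in r.control_ids:
            c = controls.get(cid)
            if c is None:
                findings.append(f"{r.risk_id}: links to unknown control {cid}")
            elif not c.owner:
                findings.append(f"{r.risk_id}: control {cid} has no owner")
    return findings


def build_sample():
    """Constructed sample register; every entry here is illustrative."""
    controls = {
        "C-01": Control("C-01", "Offline, regularly tested backups", "Head of IT Operations", "2024-03-01"),
        "C-02": Control("C-02", "Third-party due diligence", "", "2023-11-15"),  # owner missing
    }
    risks = [
        Risk("R-01", "Technology/Cyber/Ransomware", 5, 3, ["C-01"]),
        Risk("R-02", "Third party/Outsourcing/Critical provider", 4, 4, ["C-02"]),
        Risk("R-03", "Technology/Cyber/DDoS", 4, 4),      # high rating, no control linked
        Risk("R-04", "Operational", 2, 3),                # shallow path, residual above inherent
    ]
    return risks, controls


def demo():
    risks, controls = build_sample()
    trail = AuditTrail()
    for r in risks:
        trail.record("risk.manager", "create_risk", asdict(r))
    findings = validate(risks, controls)
    trail.record("system", "validation", {"findings": findings})
    intact_before = trail.verify()
    trail.entries[1]["payload"]["inherent"] = 1  # simulate a back-dated edit of R-02
    intact_after = trail.verify()
    return findings, intact_before, intact_after


if __name__ == "__main__":
    found, before, after = demo()
    print("\n".join(found))
    print("trail intact before tampering:", before, "| after:", after)
```

Running it lists four findings (R-02's unowned control, R-03's missing control, and two for R-04) and shows the trail verifying before the simulated edit and failing afterwards, which is the property an audit trail needs if it is to reproduce GRC history for an auditor or regulator.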

Happy to consult on this and other collaborative GRC applications that ease ORM & ITRM with automation.



The Netherlands' Central Bank ITRM Guide

During the panel section of my EU DORA webinar, Martin Stravers casually mentioned: “…for instance, in the Netherlands, we have the Dutch Central Bank (DNB), who is providing sound guidance on information security…”.

What Martin referred to is the handy and possibly under-appreciated “Good practice” document on ITRM that DNB put out. I looked into it and can second that view: indeed, very "...sound guidance on information security...".

There are of course the EBA guidelines and Germany’s Minimum Requirements for Risk Management for the financial industry, but personally I find the DNB document a bit easier to read for quickly getting an actionable steer on ITRM and ORM.

Because of its modular structure, the document has applications beyond the financial industry: it addresses broad ITRM and ORM aspects such as Governance and Framework, Risk and Control Management, the underlying Processes, Physical Security and Facilities Management.

DNB's Good practice guide, which lets you click straight through to the domains relevant for professionalising your programme, can be accessed below:

www.dnb.nl/media/yffn1wji/good-practice-ib-2019-2020.pdf

More articles by Chika O.