Enterprise Risk Management & Governance Executive Report Abstracts
- 2009 | Volume 6
- An Integrated Approach to SOA Governance (Vol. 6, No. 2)
Many organizations are increasingly coming up against difficult governance issues as they ramp up their early service-oriented architecture (SOA) efforts. In this Executive Report by Paul Allen, we take a business-driven approach to dealing with these challenges in a practical manner that integrates with existing non-SOA governance initiatives.
- Identifying Risks from an ITIL Service Perspective (Vol. 6, No. 1)
The IT Infrastructure Library (ITIL) and its fundamental concern for quality IT service delivery and management provide a completely fresh way of identifying the full range of risks that organizations face in conceiving, funding, executing, and operating IT services that support business objectives. ITIL strategic and tactical objectives are as clear as the desert sky. Because of this clarity, managers should find it easier to document the potential risks in failing to fulfill ITIL's prescriptions. And identification is the necessary first step to mitigation of those risks. This Executive Report by John Berry demonstrates how businesses can use a simple mini-methodology based on ITIL mandates for the consistent, systematic identification of risks at every stage of the IT service lifecycle within the entire organization.
- 2008 | Volume 5
- Taking the Pulse of Complex Operational Systems and Processes: Risk from a Different Perspective (Vol. 5, No. 4)
The business, project, and operational environments facing us today are becoming increasingly complex, interrelated, and interdependent. Without an adequate understanding of these complexities, today's programs are at increasing risk of partial or complete failure. But how does anyone acquire this understanding? This Executive Report by Audrey Dorofee and Christopher Alberts explores a time- and resource-efficient means of assessing the overall health of a complex operational system or process; in other words, "taking its pulse."
- Quality of Service: You Can't Measure What You Don't Specify! (Vol. 5, No. 3)
At the heart of risk management and governance of service-oriented applications is the need to achieve agreed and measurable quality of service (QoS) levels. Traditionally, analysis and design techniques have tended to focus primarily on functional requirements, relegating quality concerns to the backseat position of nonfunctional requirements, with lip service to QoS levels such as availability and responsiveness. In contrast, service orientation requires that QoS take on a much more central, demanding, and diverse role. As detailed in this Executive Report by Paul Allen, clear definitions and overall guidance are required for addressing these challenges in a way that fits coherently into the bigger picture of roles, service-oriented architecture (SOA) policy, service specifications, and service-level agreements (SLAs).
- Lessons Learned: Taking a Page from Risk Management History (Vol. 5, No. 2)
This Executive Report by Carl Pritchard uses lessons learned from three classic examples to get at the heart of risk perception and risk management. The examples -- the construction of Saint Paul's Cathedral; the promotion, construction, shipment, and installation of the Statue of Liberty; and the implementation of the US Social Security program from legal authorization through the first benefit payment -- offer powerful, specific, actionable lessons that can be applied in the modern business environment.
- Business Continuity: A Business Survival Strategy (Vol. 5, No. 1)
Business continuity is a business survival strategy for an organization. Executive managers who fail to take action to protect their organization will be held accountable by the shareholders, strategic business partners, regulatory authorities, or other interested parties. This Executive Report by Ken Doughty focuses on the business continuity development process. A strong business continuity environment provides assurance to the organization's executive management that in the event of a disaster the company is in a superior position to survive.
- 2007 | Volume 4
- Contract Management Strategy (Vol. 4, No. 8)
As organizations increasingly move toward contracting for the provision of services, contract management is becoming one of the core activities of overall business management. The use of outsourcing does not imply less effort in managing IT, only a different emphasis. This Executive Report by Dr. Sara Cullen is designed to help you prepare a contract management strategy, which is your plan for how you want to manage your outsourcing agreement. Do this early in the outsourcing lifecycle and you will also end up designing a superior contract -- one that will work in practice.
- An E-Discovery Primer: Preparing for (and Dealing with) Requests for Electronic Information (Vol. 4, No. 7)
With so many business records now in electronic, as opposed to hard copy, format, the rules governing "e-discovery" need to be addressed. This Executive Report by Daniel J. Langin gives an overview of these e-discovery rules and the impact they may have on your organization. The report discusses six key e-discovery issues and lists important e-discovery do's and don'ts.
- Compliance Effects on Operations and Costs (Vol. 4, No. 6)
Compliance efforts have risen to prominence due mostly to Sarbanes-Oxley (SOX) and its extraordinarily high costs. However, SOX is only the tip of the iceberg. A number of other regulations are waiting in the wings, and they are becoming increasingly complex. Many companies are now electing to implement a unified compliance strategy combined with management frameworks such as COBIT and ITIL. The result is potential business process improvement aided by automated systems capable of bringing together management frameworks and compliance requirements.
- The People Side of Successful Mergers and Acquisitions (Vol. 4, No. 5)
Most business mergers and acquisitions fail to achieve their desired outcomes and often result in lower shareholder value. Mergers that appear excellent on paper often fall apart due to a lack of attention to the human elements of the deal. This Executive Report by Moshe Cohen offers an approach for addressing a number of people-related issues that affect merger success, including social groupings, culture, change, anxiety, and conflict. By paying attention to the people side of mergers, managers can promote healthier, more profitable, and ultimately more successful deals.
- The Outsourcing Contract: Seven Solutions to Minimize Risk (Vol. 4, No. 4)
This Executive Report by Sara Cullen discusses seven complex contract provisions that are worth considering for your outsourcing contract. These provisions focus on helping you minimize risk by ensuring that promised personnel are provided; appropriate underlying practices, plans, and procedures are in place; and your organization maintains business continuity in the event of the service provider failing performance or becoming insolvent, as well as making sure financial restitution is available to you.
- The Move to Enterprise Security Centralization (Vol. 4, No. 3)
Enterprise security requirements have evolved to the point where centralized security management is necessary. The threat environment is now more dangerous; compliance requirements make verification of security controls more rigorous; and the need for rapid and efficient response has made unification a desirable goal. Yet achieving centralization requires careful consideration and advance planning.
- Building an Effective Privacy Program for Business (Vol. 4, No. 2)
Privacy is essential for business success. Organizations that experience privacy incidents lose the trust of their customers. And lost trust results in lost customers. Organizations need strong privacy programs not only to keep their customers' trust but also to comply with a growing number of privacy laws and regulations worldwide. This Executive Report by Rebecca Herold discusses why it is essential for organizations to establish a privacy program and what components are required to make the program effective.
- Alternative Perspectives in Risk Management (Vol. 4, No. 1)
For every organizational practice, no matter how ordinary or well rehearsed, there are variations on a theme. Risk management is no exception. Because effective risk management is born out of experience and shared perceptions of what's dangerous (and what's opportunistic) for an organization, relating the lessons from one perspective can add value to others. This Executive Report by Carl Pritchard examines various risk management perspectives in order to understand how risk management can be most effectively applied in a wide range of organizational situations.
- 2006 | Volume 3
- Effective Information Security Management Begins with a Methodology (Vol. 3, No. 12)
Is your organization satisfied with the planning, decision making, and tactical execution of activities required in building and maintaining an effective information security management system (ISMS)? A methodology can help organizations plan, design, execute, and monitor over time an ISMS. In this Executive Report by John Berry, learn how to build an effective methodology that injects greater management discipline and effectiveness into information security management.
- Technology Side Effects: A Guide to Protecting Yourself from Legal Risks (Vol. 3, No. 11)
Commercial and government entities face legal risks from their use of information technology, including harassment/discrimination cases; electronic record discovery; suits for unlawful acts of employees; protection of medical, financial, and children's information; misstatements on Web sites/security breaches; loss of trade secrets; and IT governance ramifications of Sarbanes-Oxley. This Executive Report by Daniel J. Langin discusses how to avoid these risks through acceptable use policies, document retention policies, and other compliance measures.
- Risk Management for ERP Programs: A Holistic Approach (Vol. 3, No. 10)
Enterprise resource planning (ERP) program management is not for the faint of heart or the unwary. Program failure rates are variously estimated to be at 40%-60%. To be successful, program managers need to understand the full range of risks that they face and have a well-planned program to contain the most critical ones. More importantly, they need a clear understanding of what needs to go right and the program's vision for success.
- Developing a Resilient Organization Through Risk Management (Vol. 3, No. 9)
Most organizations can be classified as risk-agnostic; they perform insufficient analysis of potential events that impact their viability. But given the current threat environment, enterprises must become more mature in their ability to mitigate these threats. A resilient organization takes proactive positions and requires a formal enterprise-wide risk management process. This Executive Report by Gary L. Richardson provides a risk event decision framework and outlines a theoretical risk management model. From this theory base, the report then describes a four-step organizational maturation process that can move an enterprise toward a more effective risk culture.
- The 40 Fundamental Clauses in an Outsourcing Contract (Vol. 3, No. 8)
This Executive Report by Sara Cullen discusses the 40 most common clauses in an outsourcing contract based on experience with 107 outsourcing deals over the last decade. It has been designed to help practitioners understand the basic "must have" clauses that should be present in all IT outsourcing deals. The report briefly discusses why each clause is used and then provides an example in "plain English" wording.
- Managing Distributed Business Processes for Mission Success (Vol. 3, No. 7)
This Executive Report by Christopher Alberts presents research from the Software Engineering Institute (SEI) regarding developing methods, tools, and techniques for achieving mission success in complex environments. This report focuses on distributed work processes, where multiple organizations or groups combine their efforts in pursuit of a single mission. The basic philosophy behind managing distributed work processes for mission success is presented and contrasted with traditional risk management approaches. The report also illustrates key concepts using a detailed example scenario.
- ROI Analysis of Security Technology: Why Bother? (Vol. 3, No. 6)
While many organizations are not in the habit of making the effort to fully assess the economic value of security-related information technology before purchase, those serious about optimizing total security strategy will recognize the importance of conducting a value assessment exercise. The act of exploring all the costs and benefits of a security-related technology provides greater visibility into how it might influence security strategy; new technology can introduce process and organizational change as well as affect governance and decision rights. This Executive Report by John Berry walks readers through a detailed value analysis of fraud detection technology to demonstrate how managers can make more effective security management decisions in possession of detailed cost/benefit information. Security strategy is as important as corporate strategy. Getting it right is critical.
- Risk Management 2006: A Comprehensive Survey (Part II) (Vol. 3, No. 5)
- Risk Management 2006: A Comprehensive Survey (Part I) (Vol. 3, No. 4)
In 2002, Cutter Consortium conducted its first comprehensive survey of the state of risk management practice in the IT community. From all reports, the practice of risk management seems to have grown both generally and in formality over the past four years. The question this two-part series of Executive Reports by Robert N. Charette addresses is, has it, and if so, by how much? Here in Part I, we explore risk management under the umbrellas of experience, principles, areas in which it is needed, and the software processes surrounding the field. Part II will cover additional avenues of risk, including enterprise risk management -- the latest hyped segment. Overall, the 2006 survey finds that IT risk management practice has grown in maturity, if not in absolute numbers.
- Agile Project Governance (Vol. 3, No. 3)
For most of its history, computing has experienced a management lag. The emerging agile development model has avoided this to some degree, with a number of excellent models for agile or radical project management being developed and adopted. However, the impact on and implications for the governance of IT projects, as well as the broader area of IT governance, from adopting agile development have been relatively ignored. In this Executive Report by Rob Thomsett, we explore the challenges that agile development presents to IT and project governance.
- Forensic Systems Analysis: A Methodology for Assessment and Avoidance of IT Disasters and Disputes (Vol. 3, No. 2)
This Executive Report by Dr. Stephen Castell describes the Forensic Systems Analysis (FSA) IT expert witness methodology for investigating IT project disasters. These techniques can also be used to assess the status of problem software implementation contracts before they stall, fail, or sink into litigation. The report presents a realistic IT dispute case study to illustrate how the FSA methods can be applied.
- The Business of Information Technology: Managing Acquisitions (Vol. 3, No. 1)
Why do some acquisitions fail to meet expectations? This Executive Report by David N. Rasmussen explores the IT challenges of managing acquisitions. You will learn what factors contribute to poor or successful performance and find out how investing once in good policies and procedures can lead to improved and sustainable IT performance for both due diligence and integration.
- 2005 | Volume 2
- Due Diligence for Potential Outsourcing Deals (Vol. 2, No. 12)
Due diligence is an in-depth evaluation of the preferred bidder(s) and bid(s) prior to awarding a contract. Often overlooked, due diligence involves investigating the service provider's claims that it is what it has represented itself to be in an effort to minimize unpleasant surprises the client may encounter. This is key since unwinding such deals can be one of the most expensive and disruptive exercises an organization can experience.
- The Security Risks of Modern Distributed Systems (Vol. 2, No. 11)
Many business-critical IT systems are living on borrowed time. Although it has been commonly overlooked in the past, the need for security is immediate and imperative. Meeting this challenge will be difficult, because security involves technical, human, business, and legal dimensions. Excellent technology, expertise, and policies are prerequisites for reliable security, but knitting together these diverse strands into a seamless fabric is a task for IT governance.
- The Challenge of IT Asset Management (Vol. 2, No. 10)
In order to leverage their IT investments and manage the associated operational risks, organizations need to take control of their IT assets. The focus of this Executive Report by Ken Doughty and Peter Doherty is how organizations can use IT asset management (ITAM) to increase their ITAM maturity level, increase key investment areas, and gain -- and keep -- a competitive edge.
- Governance in the Trenches: Three Cases of Control (Vol. 2, No. 9)
Over the past 10 years, we've discovered how important governance is to successful technology acquisition, deployment, and support. Without clear governance, business technology investments will seldom be optimized. This Executive Report by Steve Andriole examines five business technology layers and the procedural-regulatory context in which the activities of these layers occur, as well as the governance role assigned to each activity. The report then presents three case studies regarding the styles of governance decision making based on company contextual conditions and drivers.
- Enterprise Risk Frameworks: Surveying the Landscape, Moving Toward Governance (Vol. 2, No. 8)
A well-constructed, well-implemented enterprise risk management (ERM) and governance framework helps organizations adapt to a volatile business world and avoid "predictable surprises." Over the past decade, several countries have attempted to create a viable ERM framework for their indigenous enterprises and have pushed to make their standard the international standard. This Executive Report by Robert N. Charette examines these efforts, discusses the scope of ERM frameworks, and highlights the limitations of an ERM approach.
- Architecting for Basel II: From Compliance to Excellence (Vol. 2, No. 7)
The New Capital Accord -- also known as Basel II -- must not be viewed as "yet another compliance exercise." The accord adds an important new dimension of competition for financial institutions, thus creating a new significant area of enterprise architecture alignment. This Executive Report (by Michal Nowakiewicz, Jan Guryn, and Borys Stokalski with contributions from Michal Paluskiewicz and Wojtek Winnicki) introduces a roadmap that can help financial institutions reinvent their enterprise architecture to achieve business excellence, rather than merely compliance with regulations.
- Asset-Based Information Security Risk Assessments (Vol. 2, No. 6)
Today, information security assessments have rapidly become a requirement in both government- and industry-related domains. Simply finding and patching vulnerabilities is no longer sufficient to protect a company's assets and help ensure corporate survivability. Protecting a company includes not only securing its systems and networks but also guarding its physical property, protecting important information, and improving employee practices. This Executive Report by Audrey Dorofee discusses how to ensure that the method and tools chosen are suitable for your company now and in the future.
- Generating Business Intelligence from the Operational Risk Management Process (Vol. 2, No. 5)
In the wake of numerous new regulations requiring corporate compliance, many companies have lost sight of the objective of risk management. Compliance is but one element in the risk management process, and managing operational risk can be accomplished effectively only within the context of an organization's business strategy. This Executive Report by Bill Sharon discusses the shortcomings of the current corporate understanding of risk management and presents a new way of thinking about governance.
- A Corporate Information Governance Agenda: Integrating Business Continuity and Security Management (Vol. 2, No. 4)
Many organizations perceive risk management as an overly complex discipline. However, this Executive Report by James Royds examines why and how we should be deriving greater strategic benefit from managing and merging complementary risk management processes -- specifically information security and business continuity -- so that we better manage risk across and between functional, organizational, and industry boundaries rather than exclusively within them.
- The Implications of Sarbanes-Oxley for the IT Community (Vol. 2, No. 3)
As a result of companies' accounting improprieties, governmental regulatory activity concerning financial integrity, employee rights, security, and ethics has increased. One of the most significant regulations is the US Sarbanes-Oxley Act (SOX), which creates new demands on IT departments to support the initial compliance process and the ongoing operational aspects of the regulation. The goal of this Executive Report by Charles W. Butler and Gary L. Richardson is to offer insight into SOX requirements and to emphasize the IT activities that are required for compliance.
- IT Due Diligence in M&As: Minimize Risk and Maximize Opportunity (Vol. 2, No. 2)
The key to a smooth merger and acquisition transition is addressing risks quickly, knowing where opportunities exist, and identifying the specific issues that require technology support. This Executive Report by Mike Sisco provides insight on how to conduct effective IT due diligence.
- Creating a Risk Culture in an IT Environment (Vol. 2, No. 1)
Despite the negative cachet of instituting an enterprise risk management and governance (ERM&G) strategy, risk management practices have become increasingly important for IT organizations. But introducing enterprise-wide ERM&G can be disruptive to prevailing IT practices and cultures, so risk managers and others tasked with implementing a company's risk strategy must change cultural norms and sometimes even overcome institutional resistance. This Executive Report by Carl Pritchard discusses the changes in organizational culture that must take place to ensure a successful ERM&G strategy.
- 2004 | Volume 1
- Profiting from Risk: A Transformation of One Company's Risk Culture (Vol. 1, No. 2)
Organizational change is never easy. However, successful transformations can and do happen. This Executive Report by Robert N. Charette, Patrick O'Brien, and Art Gemmer details the 10-year transformation of Rockwell Collins from a risk-averse to a risk-entrepreneurial company. It includes an array of lessons learned that will help your organization sidestep the long and winding road to success in favor of a more direct route.
- The Rise of Enterprise Risk Management and Governance (Vol. 1, No. 1)
For corporations, risk management has become a top-level concern in the face of increasing demand for greater corporate accountability as well as world events that have changed the risk landscape and their impact on the business world. This Executive Report looks at the rapid rise in enterprise-wide assessment and management of risk and at the CIO's role in that effort.