Enterprise Risk Management perspective on Risk Assessment

Theoretical Framework

The chapter outlines key terms, such as enterprise risk management, governance of enterprise IT and business continuity. The chapter is divided into four sections. The first section presents the topic of Enterprise Risk Management and the frameworks that deal with the risk assessment process. The second section discusses the academic literature related to Governance of Enterprise IT and the IS/IT risk assessment process. This section includes a discussion of IT Governance, IS/IT risk categories and the construction of IS/IT risk scenarios that visualize the impact of IS/IT on business processes. The third section discusses Business Continuity Plan concepts and traditional approaches. It specifically focuses on the initial phase of the business continuity plan. The section articulates how IS/IT risk assessment contributes to the development of a business impact analysis and risk analysis. The chapter concludes by establishing an integrated view of IS/IT risk assessment in business continuity implementation.

Enterprise Risk Management perspective on Risk Assessment

Enterprise Risk Management (ERM) is an essential function of corporate governance that addresses the management of risks within an organization. ERM consists of the process for identifying and managing potential events that could affect the entity’s ability to manage business risks such that they remain within its risk appetite (COSO cited in O’Donnell, 2005). ERM involves anticipating and managing business risks before problems occur rather than responding and reacting to threats after the fact, when the damage has already been done (Barton et al. cited in O’Donnell, 2005). The ERM definition is complemented by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) guidelines: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives” (COSO, 2004; Parent & Reich, 2009). This view of ERM positions risk management as an important element that assesses business risks while also acting as a control system. The goal is to increase stakeholder value by assessing the risks that can prevent the business from achieving its objectives. Furthermore, effective ERM can provide a significant source of competitive advantage for those organizations that can demonstrate a strong ERM methodology. While there are organizations that are implementing ERM processes to increase the effectiveness of their risk management activities, Beasley, Clune and Hermanson (2005) performed research on why some organizations embrace ERM and others do not. Their research points out that, in part, ERM deployment is embraced when there is a strong level of leadership and support from corporate boards and senior management. The involvement of these governing bodies is critical to enacting the ERM vision, since they are accountable for overseeing the portfolio of risks that the organization faces.
Gordon, Loeb and Tseng (2009) depict ERM by addressing how firm performance is improved by adopting a holistic risk management approach. This view is consistent with trends in corporate governance strategy that view ERM as an integrated approach for determining the business risks that impact an organization’s ability to achieve its business objectives and for developing programs to manage the identified risks (Miccolis et al. cited in O’Donnell, 2005). In contrast to viewing risk management from a silo-based perspective, a holistic risk management perspective allows the enterprise to cover the business risks associated with its internal and external context. Gordon, Loeb and Tseng (2009) assert that a holistic ERM approach enables the organization to lower the risk of failure, increase performance and create value. The authors argue that the relationship between ERM and firm performance is dependent upon the link that exists between risk management and five critical factors that impact the organization. These factors are (a) environmental uncertainty, which covers the increasing unpredictability of future events affecting the organization; (b) industry competition, which poses a substantial risk to enterprise performance because the substitution of products and services by competitors prevents the firm from earning a sustainable level of profits; (c) firm complexity, which increases the need for an appropriate ERM system that can integrate information and lessen the difficulties of management control systems within an organization; (d) firm size, which is relevant when considering the design and use of management control systems in the organization; and (e) board of directors’ monitoring, whose active participation and encouragement influence the adoption of an effective ERM system (Gordon, Loeb & Tseng, 2009).
The authors suggest that there is a positive relation between the degree of the abovementioned five factors confronting a firm and its need for the implementation of an ERM system. O’Donnell (2005) also reinforces this notion by suggesting a holistic approach to risk management based on systems thinking. The author emphasizes the need for enterprises to assess the interdependence of enterprise components in order to determine overall performance. Systems thinking provides a comprehensive overview of the enterprise so that decision makers better understand the behavior of the system and the risks associated with it. The theory implies that the constant iteration and refinement of business processes shapes organizational functions, structure and output. By performing organizational mapping, obtaining a comprehensive view of the relationships among its components and constantly reviewing the changes that happen within the business environment, decision makers can manage business risks effectively (O’Donnell, 2005).
Organizations perform risk management activities with the aim of setting and pursuing objectives in an uncertain environment. The uncertainty arises from those internal and external factors that the organization does not completely control but that may lead the organization to not achieve its objectives. Risk therefore is neither positive nor negative, but the consequences the organization experiences may vary from loss and detriment to gain and benefit (Purdy, 2010). Organizations that plan, design and implement an ERM system need organizational leadership and direction that can set the tone for responsibility and accountability for enterprise risks. The risk management function must be framed within the decision-making processes that governing bodies perform (ISO, 2009a). Decision-making mechanisms steer the direction in which the enterprise moves forward but can also introduce elements of risk that affect the organization’s objectives and performance (Purdy, 2010).
The main governing bodies that oversee the ERM function in an organization are the board of directors and senior/middle management. The board of directors must have independence from management in order to perform appropriate oversight. The rationale behind this argument is that an independent board can perform a more objective assessment of management actions. The independence of the board of directors is central to encouraging the adoption of ERM in the organization (Beasley, Clune & Hermanson, 2005). Since corporate boards often do not have the essential knowledge required to ask substantial questions about IT risk and expense, the Risk Management Committee can assist a board with corporate accountability and the risks associated with management, assurance and reporting. The Risk Management Committee’s responsibilities include disaster recovery risk in business continuity management, technology risk, operational risk and compliance (Posthumus, von Solms & King, 2010).
The appointment of a Chief Risk Officer (CRO) falls within the responsibilities of the risk management committee. The CRO aids in the implementation of risk management initiatives. This role is relevant when promoting policies and procedures that reinforce risk management notions as key enablers for performing risk management functions (COSO, 2004). Arena, Arnaboldi and Azzone (2010) discuss the organizational roles that participate in the ERM function. At the most detailed level, the authors note that risk uncertainty is addressed by risk management specialists who focus on traditional silos and are primarily concerned with assessing quantifiable impact. CROs together with internal audit serve as advisors who support managers in taking responsibility for the risk assessment process, while accountants are being encouraged to take an active approach to risk and link it with the organization’s performance management. Beasley, Clune and Hermanson (2005) suggest that the following factors accelerate the adoption of ERM in an organization: auditor type, organization size and industry type. Organizations that conduct their internal and/or external audits with high-quality auditors, such as Big Four firms, have a strong commitment to pursuing risk management practices. Furthermore, external auditors, who report independently to the higher governance body, review risk management activities and results to ensure that ERM procedures and structures are suitable for the enterprise. Auditors present their independent reviews and communicate them to senior management and the board of directors so that they can take appropriate actions and maintain a consistent ERM framework (Doughtry, 2011). Organization size increases the scope of events to which an organization may be exposed. At the same time, large organizations can have a better ability to deploy ERM practices because they have more resources. The industry in which an organization operates also has a great impact on ERM implementation, because global regulations require a risk management approach to business activities (Beasley, Clune & Hermanson, 2005; Abram, 2009).
The occurrence of risk is associated with the decisions taken while performing business activities. Business risks can arise in different parts of the organization or consolidate as an interconnected component of the system, as suggested by O’Donnell (2005). Baker and Filbeck (2014) note the different business risk categories that exist. The degree of relevance of each category differs according to the industry in which the business operates. Operational risk remains one of the traditional risks in organizations. For the development of this study, the focus will be on governance, strategic and compliance risk. Governance risk consists of “the inability to make the right decisions at the highest levels of organizations”. Governance risk is structured on four dimensions: people, information architecture, structures and processes, and organizational culture. Strategic risk derives from changes in societal demand/supply or the utilization of new technologies that have an effect on how corporate strategy is addressed in an organization. Technology risk, associated with the use of information systems and information technologies, is contained within the boundaries of strategic risk. Finally, compliance risk involves the risk of not meeting regulatory and governmental requirements (Baker & Filbeck, 2014). This category covers the risk of noncompliance with applicable laws and regulations, and with contracts with vendors and customers (Marks, 2010).
Changes in the organization’s environmental context are at the core of ERM. For organizations to be able to keep pace with the emergence of new technologies, the environmental context should be critically examined (Cornell & Cox, 2014). The authors point out the inability of organizations to challenge their status quo. In fact, assuming that the organizational system will not change leads to failure in monitoring current environmental risks such as competitors, market trends and employee performance. Failing to examine and challenge the status quo can have serious implications in a changing environment, because it can amplify the scope of organizational risks and cause them to materialize. O’Donnell (2005) points out that changing economic conditions, the level of competition in a particular market space, natural and man-made disasters, and political changes that influence regulatory control can all affect the organization’s environmental context. This effect may impact the organization positively or negatively according to the level of risk associated with its business activities.
Organizations design an internal control framework to provide internal policies and generate compliance with procedures throughout their business activities. Management support for ERM initiatives is interrelated with the internal audit function. Internal auditors set the tone for laying out the internal control framework, and their primary responsibilities within the organization relate to risk identification and assessment. For this reason, they are often engaged with senior management on ERM implementation issues and boost the creation of a risk management culture (Beasley, Clune & Hermanson, 2005). Posthumus, von Solms and King (2010) note that the internal audit committee is responsible for conducting performance reviews of an organization’s system of internal control as well as for reviewing internal, legal and regulatory compliance efforts. Internal auditors focus on setting out best practices on internal control by looking deeper into an organization’s risk management policies and procedures. Internal audit professionals play an important role in developing the ERM function as, often, they devote time and resources to the overall risk assessment process (Arena, Arnaboldi & Azzone, 2010).
O’Donnell (2005) discusses risk management from a systems thinking perspective. The author argues that there are performance factors within the organization’s internal control framework that can trigger risk events, thus impacting the organizational value chain positively or negatively. These risk events and their performance are associated with the ability of organizational agents to execute procedures. He argues that procedure design, procedure support and procedure externalities can create internal business risks due to failures in internal processes. Procedure design is the ability to accomplish a business process, and failure to design it in a satisfactory manner influences management’s ability to monitor performance effectively. Procedure support, in the form of a supporting infrastructure that connects value chain processes, includes tangible resources and services.
The abovementioned procedures are executed by agents who require skills, motivation and information in order to reduce the risks associated with performing procedures. Agent skills rely on documented procedures in order to effectively execute supervision and training of internal agents, while motivation centers on the intrinsic and extrinsic incentives provided by the organization to motivate agents to perform well. Agents need information to take decisions while executing procedures. Effective performance is achieved when the agents have the appropriate information to make the correct decisions. Cornell and Cox (2014) note that legal and institutional frameworks are required to further define, clarify and enforce the rights, duties and procedures of agents in the organization.
Organizations need to define their level of risk appetite and risk tolerance. Risk appetite is defined either as the amount and type of risk that an organization is willing to pursue (ISO, 2009a) or as the amount of risk an entity is willing to accept in pursuit of value (COSO, 2004). Van (2009) notes that organizations lose appetite for risk when performance weakens as a result of conducting business activities in a difficult environmental context. Since risks cannot be eliminated, organizations need to define their risk appetite and move within the boundaries of risk tolerance, which consists of the maximum amount of risk the organization is willing to take in pursuit of its objectives (Van, 2009). When organizations are confident about their performance in the environmental context, Van (2009) notes that risk tolerance is high and thus decision makers tend to emphasize enterprise growth through acquisition. Aven (2013) examines both perspectives and states that the question is whether an organization possesses an appetite for risk or an appetite for the value-generating activities that involve risk. As a consequence, the author defines risk appetite as the willingness to take on risky activities in pursuit of values.

