
Intelligent Enterprise

Better Insight for Business Decisions





September 18, 2001



Upside, Downside

As your business globalizes and depends more on outside forces, an enterprise approach to risk management will become increasingly important

By Chris J. Jensen

Continued from Page 1

Organizational Implementation and Applied Patterns

There are several considerations in implementing a risk management architecture as part of an overall enterprise architecture. The elements to consider are similar to those in any other enterprise architecture. Most important, you must define organizations and roles up front.

According to ISACA, Oregon has adopted the COBIT framework as its statewide enterprise control standard.

Best practice, according to PricewaterhouseCoopers, is to move risk management to an integrated approach in which tools and techniques are shared across the enterprise and management has a deliberate strategy. An integrated approach is proactive because it tries to anticipate, instead of react to, risk. This approach provides more upside opportunity while limiting the downside or hazards.

One of the products I have experience with here is Corporate Modeler by CASEwise, a robust tool set for creating, and more important, managing and sharing data, business process, application, and technology architectures at an enterprise level via an integrated relational database. The database can be published on the company intranet for use by decision makers and analysts across the enterprise. Risk exposures and related measurements can be mapped and linked to objects in the database for analysis. Corporate Modeler also provides modeler links to popular development tools such as Rational Rose and PowerDesigner.

Your risk management architecture needs to focus on the full scope of your organization's activities. Providing a defined linkage to the other enterprise architectures can help instantiate risk management principles, models, and standards.

The organizational roles that support a dynamic risk management architecture are shown in Figure 3. In this diagram, the risk management architects provide the tools, principles, models, and standards that help management effectively manage risks. You should apply these principles, models, and standards using patterns that you can reuse in process development, reengineering, and managing operations.

Patterns are reusable elements or templates that can be applied to help make development and assessment processes more efficient. For example, the risk management architects could develop a pattern for risk management that developers could apply to ensure they are considering risks in the application or system under development. The patterns could take the form of checklists that describe principles, models, and standards that relate to the exposures and opportunities faced in the general areas of data, application, process, and technology architectures. You could also embed these patterns in development tools such as Rational Rose and modeling tools such as Corporate Modeler. The patterns can take the form of templates developed by the risk management architects and analysts. Maintaining these patterns in a tool repository helps ensure developers, analysts, and decision makers consider them at the appropriate time.

If management has a risk architecture framework and patterns to apply to data, process, technology, and application architectures, the enterprise can take a consistent, integrated approach to risk management. Using patterns would help assure exposures are considered and that surprises don't occur.

The Boeing Co. is one organization that has adopted COSO principles as a basis for its internal control policies and procedures.

The role of independent audit, assessment, and validation is to use the risk management architecture framework as a basis for assessing the strength of the framework and determining whether it is working as intended. The auditors then report to senior management and the board of directors with their findings. Most internal audit and public accounting professionals would find stronger assurances assessing internal controls in such an environment.

Microsoft is one example of a company that uses a "risk map" to plot natural, legal, financial, and human resource risks faced by a company. To truly add value, this map should link to the business, data, technology, and application architectures where these risks are mitigated and controlled. Such a linkage would help assure that, as enterprise architectures are redefined and changed, risks are still effectively managed.

As with any enterprise architecture implementation, cultural change would be necessary. This change can happen only with senior management commitment represented through clear accountabilities and incentives. A risk management architecture would need all these elements to truly thrive.




Know the Risks

Applying enterprise architecture constructs to risk management can help managers move beyond putting out fires and lead them to seek opportunities by avoiding hazards and leveraging their risk environment.

Including risk management architecture as part of an overall enterprise architecture helps enable the consistent, integrated inclusion of risk management principles, models, and standards at all enterprise levels. Applying the risk management architecture through reusable patterns can lead to smooth sailing, because risks and perils will always be on the radar.



Chris J. Jensen [cjensen2@yahoo.com] is an internal process consultant with Allstate Insurance Co. He has 11 years of experience in internal IT and process auditing. He is currently a member of a team using process management theories and modeling services to help business leaders understand and analyze new and current business activities.


RESOURCES

Cook, Melissa A. Building Enterprise Information Architectures, Reengineering Information Systems. Prentice-Hall PTR, 1996.

Erickson, Jon. IdeaByte/GigaTel Survey Results: Risk Management and IT. Giga Information Group, March 21, 2000.

Willis, David M., and Susan S. Lightle. "Management Reports on Internal Controls." Journal of Accountancy, October 2000.

CASEwise: www.casewise.com

COSO: www.coso.org

Information System and Control Association: www.isaca.org

PricewaterhouseCoopers: www.pricewaterhousecoopers.com

Rational Software: www.rational.com

Sybase: www.sybase.com






