Enterprise risk management (ERM) is a wide-ranging and complex concept that encompasses all key areas of an organisation. Hampton (2014) defines ERM as:
“the process of identifying major risks that confront an organization, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan, and holding key individuals responsible for managing critical risks within the scope of their responsibilities” (p.20).
Definitions of ERM address this concept at three levels: strategic, functional and process (Hampton, 2014). This in turn implies different levels of risk awareness in IT contexts. At the strategic level a focus on risks impacting on results is important, while at the functional level the focus shifts to risks associated with activities. At the process level risk awareness may be concerned with actions to manage risk.
COSO (2004) states that ERM is “a process, affected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
This emphasises the integrated nature of risk within ERM. Consequently this broadens the conceptualisation of risk awareness in a way that reflects a dependency on events beyond the individual's immediate context. It is suggested that, while risk management can be a highly specialised process, research has found that organisations function more effectively when all members are involved in the risk management process (Stoney, 2007; Power, 2004). ERM is a holistic, enterprise-wide approach to managing risks and centralising risk information (Alviunessen and Jankensgård, 2009) and implies that all types of risks are integrated or aggregated in risk analysis, and that integrated tools and techniques are used to communicate across business unit boundaries (Ahmed and Tahir, 2011). ERM approaches are therefore systematic and integrated, which negates the management of risks in departmental silos and assists in identifying risk appetite (Ahmed and Tahir, 2011). This further ensures that risks are mitigated or avoided in alignment with risk tolerance and firm objectives (Walker et al., 2003). These points underline the significance of measuring risk awareness in a way that reflects an enterprise-wide perspective at various levels.
The COSO framework has four categories of objectives to help enterprises meet their goals:
(a) Strategic – high-level goals, (b) Operation – effective and efficient use of resources, (c) Reporting – reliability of reporting and (d) Compliance – compliance with applicable laws and regulations. The eight components of the COSO framework provide a comprehensive coverage of enterprise-wide risk management and reflect a range of sub-components which are underpinned by risk awareness.
There is substantial consensus in the literature that a risk management framework should contain some method for risk identification, risk modelling, risk assessment, risk control and risk management (Hillson, 2006; Border, 2000; Graham and Kaye, 2006; Hancock, 2001; Rashid and Allan, 2005; Haimes, 1998; Simon, 1997; Ansell and Wharton, 1992; Coyle, 2002; Vasarchelyi, 2002). Other authorities agree that risk management contains eight steps: define, focus the process, identify the issues, structure the issues, clarify ownership, estimate sources of variability, evaluate overall implications and manage implementation (Chapman and Word, 2002). Within ERM frameworks the importance of risk awareness has been highlighted. For example, Bayaga and Moyo (2009) assert that in order for organisations to enable enterprise-wide risk responsiveness and preparedness, all organisational members need to have knowledge and understanding of organisational risks.
The findings of their study into risk awareness in the context of university ERM show that risk awareness is associated with organisational risk preparedness, through the understanding and documentation of risk policies and procedures and the formulation of a risk treatment plan (Bayaga and Moyo, 2009).
2.8 IT Risk Management
The pervasiveness of IT into every aspect of society underlines the significance of IT risk management. The myriad risks associated with technology and digital technologies have profound repercussions for all areas of society. However, the study of IT systems risk is a relatively recent development. In spite of a number of conceptual studies, few have any empirical basis.
Risk in the IT context has frequently focused on specific risks relating to viruses, password cracking, and firewall penetration. Goodhue and Straub's (1991) study states that IT security is a function of inherent industry risk, measures of effort made to control those risks, and individual factors such as awareness of prior attacks and previous experience. Their proposed model addresses the role of awareness in risk by defining managerial perceptions of security risk in terms of three variables: the organisational environment and beliefs about industry susceptibility to risk; the IS environment and actions taken to effectively secure systems; and individual characteristics, including awareness/knowledge of systems and local systems risk.
Independent verification of these factors has been reported by Dixon et al. (1992). These studies clearly indicate 'awareness' as an issue in IT systems risk management.
Pember (1996) recognised that risk managers needed to be "very aware of the potential risks" (p. 36). Her investigation resulted in a model of risk management for IT detailing five components: (a) Acceptance of risk and mandate from top management, (b) Identification and assessment of risk and development of worst case scenarios, (c) Elimination or minimisation of potential risks, (d) Creation of formal disaster recovery plan/s and (e) Transfer of risk.
The National Institute of Standards and Technology (NIST) in the U.S. provides a methodology for IT risk management (Stoneburner et al., 2002). It defines risk as "a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation" (p.8). It asserts that "the risk management process is on-going and evolving" (p.41), as computer networks and Internet networking are continually expanded and updated, their components changed, and their software applications replaced or updated with newer versions. It thus proposes 'on-going risk evaluation and assessment' using its methodology. In the NIST methodology risk management is conducted and integrated based on the Systems Development Life Cycle (SDLC). It requires a specific schedule for assessing and mitigating 'mission risks' but advocates flexibility to respond to major changes to IT systems. The key success factors for implementing the methodology are: "(1) senior management's commitment; (2) the full support and participation of the IT team; (3) the competence of the risk assessment team, with expertise to apply the risk assessment methodology to a specific site and systems, identify mission risks, and provide cost-effective safeguards that meet the needs of the organisation; (4) the awareness and cooperation of members of the user community, who must follow procedures and comply with the implemented controls to safeguard the missions of their organisation; and (5) an on-going evaluation and assessment of the IT-related mission risks." (p.41). In addressing 'the awareness and cooperation of members' the NIST methodology only marginally explores the issue of risk awareness and fails to provide any conceptualisation of components or measures of risk awareness.
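The NIST definition above (risk as a function of threat-source likelihood and impact) is carried through here as an added example, not code from the thesis or from NIST. It uses the qualitative rating values and risk-scale thresholds of NIST SP 800-30 (2002), and the threat/vulnerability register and the post-control change are constructed sample input, assumed for illustration of the 'on-going evaluation' the methodology calls for.

```python
"""Risk-level determination in the style of NIST SP 800-30 (2002).

Risk = likelihood that a threat-source exercises a vulnerability
       x impact of the resulting adverse event on the organisation.
Rating values and scale thresholds follow the SP 800-30 risk-level
matrix; the register entries below are constructed sample data.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # SP 800-30 ratings
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # SP 800-30 ratings


@dataclass(frozen=True)
class RiskItem:
    threat_source: str
    vulnerability: str
    likelihood: str   # "High" | "Medium" | "Low"
    impact: str       # "High" | "Medium" | "Low"


def risk_score(item: RiskItem) -> float:
    """Likelihood rating multiplied by impact rating (1 .. 100)."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(score: float) -> str:
    """SP 800-30 scale: High >50 to 100, Medium >10 to 50, Low 1 to 10.
    Boundary values (exactly 50, exactly 10) fall in the lower band."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(register):
    """Return (item, score, level) tuples ranked highest risk first."""
    rows = [(i, risk_score(i), risk_level(risk_score(i))) for i in register]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def reassess(register, likelihood_changes):
    """On-going evaluation: re-rate items whose likelihood changed after a
    control was implemented or a system component was replaced. Keys are
    (threat_source, vulnerability); values are the new likelihood rating."""
    return [replace(i, likelihood=likelihood_changes.get(
                (i.threat_source, i.vulnerability), i.likelihood))
            for i in register]


SAMPLE_REGISTER = [  # constructed sample input
    RiskItem("Internet user", "Unpatched web server", "High", "High"),
    RiskItem("Insider", "Excess file-share permissions", "Medium", "High"),
    RiskItem("Malware", "Missing endpoint protection", "Medium", "Medium"),
    RiskItem("Power failure", "No UPS on dev server", "Low", "Low"),
]
```

Calling `assess(reassess(SAMPLE_REGISTER, {("Internet user", "Unpatched web server"): "Low"}))` shows the patched server dropping from High to Low while the insider item stays the top Medium risk.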