COBIT Case Study: IT Risk Management in a Bank

This case study is a real-life example of using COBIT® for IT risk management within a global bank. COBIT was used effectively for managing risk within the technology teams to ensure that appropriate IT governance and IT assurance processes were utilised throughout the bank.
Background
The bank in the given case is a global conglomerate with operations in more than 50 countries and with more than 125,000 employees across the globe. The bank’s technology teams are located throughout the world to support global lines of business. The IT teams include development centres that are part of the bank and others that are outsourced to vendors, as well as technology back offices that support IT infrastructure and services. The bank had a history of multiple governance and assurance templates and processes followed by different teams, regions and locations. Hence, the key challenge was to create a common governance and assurance process across technology teams.
The technology governance and assurance programme was designed through a risk management framework to ensure effective risk and control management.
The framework was defined to address existing risk and control management weaknesses, such as:
• Immature processes for assessing and testing compliance
• Lack of a single control repository, resulting in control duplication
• Lack of a clear, repeatable process for completing risk assessments
The new framework was expected to enable technology teams to understand the significant operational risks and their impact on the wider organisation by:
• Addressing areas in which risks were not effectively controlled
• Allowing technology executives to demonstrate regulatory responsibilities efficiently
• Using a common platform for reporting all regulatory requirements across regions and countries
• Effectively reporting technology risk and control weaknesses that may impact the business
• Implementing a standard process across regions and offices to ensure consistency and avoid duplication of reporting
Use of COBIT
The governance team decided to use COBIT as a standard framework. A team of professionals—including risk, IT security and US Sarbanes-Oxley Act process experts—was set up to define the processes and templates. The team primarily worked on three areas:
1. Defining a framework to use—Control objective framework (COF)
2. Identifying a standard definition of ‘entities’ against which risks and controls were to be evaluated—Key entity management model
3. Identifying a risk management process—Risk and control assessment (RCA)
Key steps in the process of developing a new risk management framework are described in the following sections.
Step 1—Defining COF
The COF was defined to link risks affecting technology offices and industry standard best practice controls as defined by COBIT. Three objectives were set whilst defining the COF:
1. It should act as a tool to facilitate the effective assessment of risks and controls within technology.
2. It should act as a reporting framework to demonstrate how technology satisfies regulatory reporting requirements, including those of Sarbanes-Oxley.
3. It should act as an aid to drive management assurance.
The steps in implementing COF using COBIT included:
• Identify principal risks—The principal risks of level I were defined and frozen based on earlier information. Those identified included risks related to technology, operations, people, legal and regulatory, financial reporting, financial crime, brand, and change.
• Identify level II risks—The principal risk was further broken down into level II risks. As an example, the ‘technology principal risk’ was further drilled down to:
  - Inadequate design/testing of IT systems
  - Unavailability of IT systems
  - Lack of IT security
• Identify control objectives—For each of the level II risks, control objectives were identified using COBIT. Figure 1 indicates the mapping of the level II risks with the control objectives identified against each of the technology risks.
Benefit of Step 1
Prior to implementing this framework, each entity, organisation and location had its own set of controls. COBIT helped in developing and managing a single list of
