Research Article
BibTex RIS Cite

An Aggregated Information Technology Checklist for Operational Risk Management

Year 2007, Volume: 1 Issue: 2, 49 - 75, 01.12.2007

Mehmet Zeki Önal

Abstract

This study addresses the issue of the Information Technology (IT) Governance frameworks and standards that respond to different levels of operational risks, especially
those caused by the information systems and technology infrastructure. A requirement analysis regarding Basel II is conducted, a gap analysis between the Information
Control Models (ICMs) is performed, and the aggregated IT checklist for Operational Risk Management (ORM) is proposed by mapping the control objectives in ICMs to
the operational risk categories described in Basel II as loss event types. The validity and reliability of the study is based on the focus group assessment of the mappings. 

Keywords

Basel II Operational Risk Management Information Control Model Information Technology Governance

References

  • Basel Committee. (2002c). About the Bank for International Settlements, Basel Committee on Banking Supervision. Basel: The Bank for International Settlements.
  • Basel Committee. (2003a). Sound practices for the management and supervisi- on of operational risk. Basel: The Bank for International Settlements.
  • Basel Committee. (2003b). The New Basel Capital Accord consultative docu- ment. Basel: The Bank for International Settlements.
  • Basel Committee. (2004). International convergence of capital measurement and capital standards: A Revised Framework. Basel: The Bank for International Settlements.
  • BBA, ISDA, RMA ve PwC. (1999). Operational risk: the next frontier. Philadelp- hia: British Bankers’ Association, the International Swaps and Derivatives Asso- ciation, Risk Management Association, and PricewaterhouseCoopers.
  • Bornman, W. G. ve Labuschagne, L. (2006). A comparative framework for eva- luating information security risk management methods. Auckland Park: Rand Afrikaans University.
  • BRSA. (2001). Regulation on banks’ internal control and risk management sys- tems –Banking Regulation and Supervision Agency. Turkish Official Gazette, 8 February 2001, 24312.
  • BRSA. (2006a). An attitude of Banking Regulation and Supervision Agency for IT assurance. Istanbul: IT Audit 2006 Workshops Proceedings.
  • BRSA. (2006b). Regulation on information systems assurance in the banks - Banking Regulation and Supervision Agency. Turkish Official Gazette, 16 May 2006, 26170.
  • BSI. (1999). British Standard: Information security management part1 & part2. London: British Standards Institute Group (BSI).
  • Campbell, P. L. (2003). An introduction to information control models. New Mexico: Sandia National Laboratories.
  • Carey, M. ve Stulz, R. M. (2005). The risks of financial institutions. Columbus: Ohio State University Press.
  • Chapelle, A. (2005b). The virtues of operational risk management. Brussels: Université Libre de Bruxelles.
  • COSO. (2004). Enterprise Risk Management – Integrated Framework. Washing- ton: The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
  • Datardina, M. (2005). Comparative analysis of IT control frameworks in the context of SOX. Ontario:Centre for Information Systems Assurance, University of Waterloo.
  • Davidson, S. (2006). The role of identity management: Moving from complian- ce to improved business performance. New York: Computer Associates Inter- national, Inc.
  • Di Renzo, B. ve Bernard, C. (2005). Operational risk management in financial institutions: Process assessment in concordance with Basel II. Luxembourg: Centre de Recherche Public Henri Tudor & Commission de Surveillance du Sec- teur Financier.
  • and risk management for compliance. Rolling Meadows: IT Governance Institu- te (ITGI).
  • Jochum, C. (2006). IT risk management in the banking industry. Frankfurt am Main: Institut für Wirtschaftsinformatik.
  • Kane, E. J. (2001). Relevance and the need for international regulatory stan- dards. Washington: Brookings Institution Press.
  • King, J. L. (2001). Operational risk. New York: John Wiley & Sons.
  • Kloman, H. F. (1990). Risk management agonists. Risk Analysis, 10/2, 201-205.
  • Korac-Kakabadse, N. ve Kakabadse, A. (2001). IS/IT governance: need for an integrated model. Corporate Governance, 1/4, 9-11.
  • Lanz, J. (2002). Prioritizing aspects of technology risk assessment and mitigati- on. Bank Accounting & Finance, December 2002, 19-26.
  • Mc Connell, P. (2005). Measuring operational risk management systems under Basel II. Sydney: Risk Trading Technology.
  • Mürmann, A. ve Öktem, Ü. (2002). The near-miss management of operational risk. Philadelphia: University of Pennsylvania.
  • Netter, J. M. ve Poulsen, A. B. (2005). Operational risk in financial service providers and the proposed Basel Capital Accord: An overview. Athens: University of Georgia.
  • Norris, V. A. ve Young, L. R. (2005). Risk assessment in Sarbanes-Oxley. Char- leston: Advanced Technology Institute.
  • OGC. (2004). Information Technology Infrastructure Library v.2. Norwich: The Office of Government Commerce (OGC).
  • Panko, R. R. (2006). Spreadsheets and Sarbanes-Oxley: Regulations, risks, and control frameworks. Hawaii: University of Hawaii.
  • Payne, N. (2003). IT Governance and audit. Accountancy SA, January 2003, 35.
  • RMG. (2002). The quantitative impact study (QIS) for operational risk: Overvi- ew of individual loss data and lessons learned: Report to Basel Committee. Ba- sel: Risk Management Group, Bank for International Settlements.
  • Samad-Khan, A. (2005). Why COSO is flawed? Retrieved January 18, 2005, from http://www.operationalriskonline.com
  • Saunders, A. (2000). Financial institutions management: A modern perspective. New York: McGraw Hill.
  • SEI. (2002) Capability Maturity Model® Integration (CMMI), version 1.1. Pitt- sburgh: Software Engineering Institute, Carnegie Mellon University.
  • Young, P. C. ve Tippins, S. C. (2001). Managing business risk: An organization-wi- de approach to risk management. New York: American Management Association.

Operasyonel Risk Yönetimi için Bütünleştirilmiş Bilgi Teknolojileri Kontrol Listesi

Year 2007, Volume: 1 Issue: 2, 49 - 75, 01.12.2007

Mehmet Zeki Önal

Abstract

Keywords

Basel II Operational Risk Management Information Control Model Information Technology Governance

References

  • Basel Committee. (2002c). About the Bank for International Settlements, Basel Committee on Banking Supervision. Basel: The Bank for International Settlements.
  • Basel Committee. (2003a). Sound practices for the management and supervisi- on of operational risk. Basel: The Bank for International Settlements.
  • Basel Committee. (2003b). The New Basel Capital Accord consultative docu- ment. Basel: The Bank for International Settlements.
  • Basel Committee. (2004). International convergence of capital measurement and capital standards: A Revised Framework. Basel: The Bank for International Settlements.
  • BBA, ISDA, RMA ve PwC. (1999). Operational risk: the next frontier. Philadelp- hia: British Bankers’ Association, the International Swaps and Derivatives Asso- ciation, Risk Management Association, and PricewaterhouseCoopers.
  • Bornman, W. G. ve Labuschagne, L. (2006). A comparative framework for eva- luating information security risk management methods. Auckland Park: Rand Afrikaans University.
  • BRSA. (2001). Regulation on banks’ internal control and risk management sys- tems –Banking Regulation and Supervision Agency. Turkish Official Gazette, 8 February 2001, 24312.
  • BRSA. (2006a). An attitude of Banking Regulation and Supervision Agency for IT assurance. Istanbul: IT Audit 2006 Workshops Proceedings.
  • BRSA. (2006b). Regulation on information systems assurance in the banks - Banking Regulation and Supervision Agency. Turkish Official Gazette, 16 May 2006, 26170.
  • BSI. (1999). British Standard: Information security management part1 & part2. London: British Standards Institute Group (BSI).
  • Campbell, P. L. (2003). An introduction to information control models. New Mexico: Sandia National Laboratories.
  • Carey, M. ve Stulz, R. M. (2005). The risks of financial institutions. Columbus: Ohio State University Press.
  • Chapelle, A. (2005b). The virtues of operational risk management. Brussels: Université Libre de Bruxelles.
  • COSO. (2004). Enterprise Risk Management – Integrated Framework. Washing- ton: The Committee of Sponsoring Organizations of the Treadway Commission (COSO).
  • Datardina, M. (2005). Comparative analysis of IT control frameworks in the context of SOX. Ontario:Centre for Information Systems Assurance, University of Waterloo.
  • Davidson, S. (2006). The role of identity management: Moving from complian- ce to improved business performance. New York: Computer Associates Inter- national, Inc.
  • Di Renzo, B. ve Bernard, C. (2005). Operational risk management in financial institutions: Process assessment in concordance with Basel II. Luxembourg: Centre de Recherche Public Henri Tudor & Commission de Surveillance du Sec- teur Financier.
  • and risk management for compliance. Rolling Meadows: IT Governance Institu- te (ITGI).
  • Jochum, C. (2006). IT risk management in the banking industry. Frankfurt am Main: Institut für Wirtschaftsinformatik.
  • Kane, E. J. (2001). Relevance and the need for international regulatory stan- dards. Washington: Brookings Institution Press.
  • King, J. L. (2001). Operational risk. New York: John Wiley & Sons.
  • Kloman, H. F. (1990). Risk management agonists. Risk Analysis, 10/2, 201-205.
  • Korac-Kakabadse, N. ve Kakabadse, A. (2001). IS/IT governance: need for an integrated model. Corporate Governance, 1/4, 9-11.
  • Lanz, J. (2002). Prioritizing aspects of technology risk assessment and mitigati- on. Bank Accounting & Finance, December 2002, 19-26.
  • Mc Connell, P. (2005). Measuring operational risk management systems under Basel II. Sydney: Risk Trading Technology.
  • Mürmann, A. ve Öktem, Ü. (2002). The near-miss management of operational risk. Philadelphia: University of Pennsylvania.
  • Netter, J. M. ve Poulsen, A. B. (2005). Operational risk in financial service providers and the proposed Basel Capital Accord: An overview. Athens: University of Georgia.
  • Norris, V. A. ve Young, L. R. (2005). Risk assessment in Sarbanes-Oxley. Char- leston: Advanced Technology Institute.
  • OGC. (2004). Information Technology Infrastructure Library v.2. Norwich: The Office of Government Commerce (OGC).
  • Panko, R. R. (2006). Spreadsheets and Sarbanes-Oxley: Regulations, risks, and control frameworks. Hawaii: University of Hawaii.
  • Payne, N. (2003). IT Governance and audit. Accountancy SA, January 2003, 35.
  • RMG. (2002). The quantitative impact study (QIS) for operational risk: Overvi- ew of individual loss data and lessons learned: Report to Basel Committee. Ba- sel: Risk Management Group, Bank for International Settlements.
  • Samad-Khan, A. (2005). Why COSO is flawed? Retrieved January 18, 2005, from http://www.operationalriskonline.com
  • Saunders, A. (2000). Financial institutions management: A modern perspective. New York: McGraw Hill.
  • SEI. (2002) Capability Maturity Model® Integration (CMMI), version 1.1. Pitt- sburgh: Software Engineering Institute, Carnegie Mellon University.
  • Young, P. C. ve Tippins, S. C. (2001). Managing business risk: An organization-wi- de approach to risk management. New York: American Management Association.
There are 36 citations in total.

Details

Primary Language English
Subjects Finance
Journal Section Research Article
Authors

Mehmet Zeki Önal This is me

Publication Date December 1, 2007
Published in Issue Year 2007 Volume: 1 Issue: 2

Cite

APA Önal, M. Z. (2007). An Aggregated Information Technology Checklist for Operational Risk Management. BDDK Bankacılık Ve Finansal Piyasalar Dergisi, 1(2), 49-75.