An Aggregated Information Technology Checklist for Operational Risk Management

This study highlights the problem of how Information Technology (IT) Governance frameworks and standards respond to operational risks at different levels, particularly those arising from the information systems and technology infrastructure. A requirement analysis in the context of Basel II was conducted, a gap analysis among the Information Control Models (ICMs) was performed, and an aggregated IT checklist for Operational Risk Management (ORM) was proposed by mapping the operational risk categories described in Basel II as loss event types to the control objectives in the ICMs. The validity and reliability of the study are based on a group assessment carried out on the mappings.

Aggregated Information Technology Checklist for Operational Risk Management

This study addresses how Information Technology (IT) Governance frameworks and standards respond to different levels of operational risk, especially risk caused by the information systems and technology infrastructure. A requirement analysis regarding Basel II is conducted, a gap analysis between the Information Control Models (ICMs) is performed, and an aggregated IT checklist for Operational Risk Management (ORM) is proposed by mapping the control objectives in the ICMs to the operational risk categories described in Basel II as loss event types. The validity and reliability of the study are based on a focus group assessment of the mappings.
