COBIT Focus - Risk IT Framework for IT Risk Management: A Case Study of National Stock Exchange of India Limited

Join author Sunil Bakshi as he responds to ISACA member questions beginning 23 January 2012. Add your questions by responding to this post!

National Stock Exchange (NSE) is the largest stock exchange in India, catering to 1,200-plus members. Globally, NSE has been ranked second in stock index options and third in single stock futures and stock index futures. The business processes of NSE are heavily dependent on IT. The average daily turnover of trades processed by NSE is INR 1,441,010.[i] At a national level, NSE is a critical organization for the Indian economy and is identified as one of its most sensitive organizations.

Comments

RE: COBIT Focus - Risk IT Framework for IT Risk Management: A Case Study of National Stock Exchange of India Limited

I would be interested in knowing if/how the business operations risks were defined across the enterprise within which IT Operations would fit.

I like your methodical, constructive, aggregative approach to building a risk register and control catalogue across all product lines. With them in place, a common language will encourage decision making as well as ongoing risk assessments.

Your views of risk should also placate recent criticism for use of either inherent risk, residual or quantifiable risk assessments with or without differential calculus.

I have two questions.

One: Would you be willing to share your organization’s view and definition of enterprise risks that apply to any or all market segments?

Two: I see your project acquired approval of IT Operations risk from the Board and Senior Management. So who defined the enterprise risks to begin with?

Don Steane at 1/26/2012 1:39:02 PM

RE: COBIT Focus - Risk IT Framework for IT Risk Management: A Case Study of National Stock Exchange of India Limited

Dear Don,

Thank you for your comment.

Let me answer your Q 2 first.

Being in the financial market, market risk and business risks are an integrated part of business operations and had been performed regularly.

What we did is to align IT risks with operational risk; since the entire operations heavily depend on IT, most operational risks arise from IT. E.g., not being able to perform operations can arise in two scenarios: 1. unavailability of facilities (addressed by BCP) and 2. unavailability of IT to perform operations. This second operational risk can materialize due to multiple IT risk scenarios like failure of hardware, application, network, etc., and each risk is mitigated by different controls like fail-safe architecture, IT DR, etc.

Business operational risks are evaluated as part of ERM, and then IT risks are aligned with them. The Board and senior management review business operational risks and, if required, review IT risks.

As for Q 1, the market risks are handled separately by the ERM group; I may not have access to share the same.

Hope it clarifies.

regards,

Sunil
Sunil Bakshi at 1/26/2012 6:09:41 PM