Effective IT Governance Through the Three Lines of Defense, Risk IT and COBIT 


When the US Senate Banking Committee asked US Federal Reserve Chairman Ben S. Bernanke what lessons were learned from the current economic crisis, he replied, “The importance of being very aggressive and not being willing to allow banks, you know, too much leeway, particular when they’re inadequate in areas such as risk management.”1

Many financial institutions incurred large losses during the current, ongoing economic crisis, and various external factors have been held responsible for those losses. Despite this, a small number of banks thrived during the period and avoided many of the losses. A close study of these banks revealed that they thrived because they benefited from a strong risk culture combined with a sharp focus on three effective lines of defense; at the failing banks, this risk culture was found to be functioning ineffectively. The lines of defense and a strong risk culture, combined with an effective governance structure, provide a stronger and more effective route for banks and other corporations to find their way out of this economic crisis and to address the fundamental issues within their operations that contributed to the downturn.2

This article defines IT governance, addresses its importance, and describes how to apply the three lines of defense by implementing a combination of the Risk IT and COBIT frameworks to produce a more effective IT governance framework to strengthen IT governance.

Importance of IT Governance

IT is a powerful resource used by enterprises to achieve their most important objectives. For example, IT can be a core driver of cost savings in large transactions such as mergers, acquisitions and divestitures; it can enable automation of key business processes such as the supply chain; and it can be the cornerstone of new business strategies or models. Even though IT has the potential to transform the business, it also represents a very significant investment, typically 1–8 percent of gross revenue. In some cases the true cost is not clear, and budgets may be spread across business units, functions and geographic locations with no overall oversight. This often results in failure to deliver the expected outcomes and, therefore, in a spectrum of IT-related risks such as the nonavailability of customer-facing business systems, disclosure of customer or proprietary data, or missed business opportunities due to an inflexible IT architecture. These risks, together with the complex regulatory environment enterprises face today, have led to a significant focus on IT governance.3

IT governance is an integral part of enterprise governance. While the need for governance at the enterprise level is driven primarily by demand for transparency across enterprise risks and protection of shareholder value, the significant costs, risks and opportunities associated with IT call for a dedicated, yet integrated, focus on IT governance. While the terms “enterprise governance” and “IT governance” may have different meanings to different individuals, they can be defined as follows:

Enterprise governance is the set of responsibilities and practices exercised by the board and executive management with the goals of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. IT governance is the responsibility of executives and boards of directors and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.4

Application of the Three Lines of Defense Model

The three lines of defense model can be used as the primary means to demonstrate and structure roles, responsibilities and accountabilities for decision making, risk and control, in order to achieve effective governance, risk management and assurance.5 This model is based on a resilient yet flexible compliance risk management framework that comprises three key elements: risk identification and assessment, risk management, and risk monitoring. As shown in figure 1, two frameworks—Risk IT and COBIT—can be adopted to implement this model successfully. Risk IT sets good practices by providing a framework for enterprises to identify, govern and manage IT risk, while COBIT sets good practices for the means of risk management by providing a set of controls to mitigate IT risk.6

Figure 1

The first line of defense entails the identification and assessment of IT risk, providing risk responses, defining and implementing controls to mitigate key IT risks, and reporting on progress. This means identifying threats to the enterprise and causes of potential losses and business disruptions, and then assessing the level of impact that the identified threats may have on the enterprise.

IT risk is a component of the overall risk universe of the enterprise. Since IT is extensively used in all areas of the enterprise, IT risk is a business risk and also a component of all other risks such as strategic risk, environmental risk, market risk, credit risk, operational risk and compliance risk. As shown in figure 2, implementing the Risk IT framework helps ensure that:

  • The enterprise identifies and analyzes IT-related risks and opportunities and presents them in business terms
  • IT-related risk issues, opportunities and events are addressed in a cost-effective manner and in line with business priorities
  • IT risk management practices are embedded in the enterprise, enabling it to secure risk-adjusted return

Figure 2

The Risk IT framework enables the enterprise to establish its risk appetite, which is the amount of risk the enterprise is prepared to accept when trying to achieve its objectives (by assessing its objective capacity to absorb losses), and its management culture or predisposition toward risk taking, which could range from cautious to aggressive. In addition, the framework enables the enterprise to establish its risk tolerance, which is the tolerable deviation from the level set by the risk appetite and business objectives, and to provide risk awareness within the enterprise. Risk awareness enables IT risks to be well understood, known and managed by the enterprise.

Analysis of the reasons for the current economic downturn and of changing business environments found that banks had invested heavily in risk management tools and processes over the years. These investments made the banks compliant with regulations and could also have helped avoid the downturn, but they did not, because the enterprises had not resolved more fundamental risk issues. For example, many banks did not focus sufficiently on addressing the root causes of poor data integrity and quality, resulting in systems that proved ineffective at producing timely, relevant, decision-oriented information. There was also an overreliance on complex models that were understood by too few people within the banks, and when adequate information was available, only a few managers had the experience, authority and oversight to make actionable decisions.7 In addition, the business models implemented by organizations have continuously evolved over the years, and organizations increasingly provide business services via the Internet. For example, meters installed in a client’s home are connected to the enterprise network over the Internet. As soon as such services are opened up and delivered via the Internet, companies provide more benefits to their customers, but at the same time they increase their vulnerabilities and risks, e.g., inappropriate access to enterprise systems and data, customer identity theft, lost e-mails and system outages.8 These vulnerabilities and risks can become obstacles to achieving the corporate financial results the organization seeks. If the three lines of defense approach had been adopted by these banks, risks such as those mentioned would have been identified and assessed.9

As shown in figure 3, the Risk IT framework provides the enterprise with risk responses to identified key risks. The purpose of a risk response is to bring risk in line with the defined risk appetite of the enterprise after risk analysis. This means that a response needs to be defined such that future residual risk (current risk with the risk response defined and implemented) is, as much as possible (usually dependent on budgets available), within risk tolerance limits. The four types of responses are:

  1. Risk avoidance—Exiting activities or conditions that give rise to risk. Risk avoidance applies when no other risk response is adequate.
  2. Risk sharing/transfer—Reducing risk frequency or impact by transferring or sharing a portion of the risk. Examples include insurance and outsourcing.
  3. Risk acceptance—No action taken relative to a particular risk—loss accepted if or when it occurs. This is different from being ignorant of risk in that accepting the risk assumes that the risk is known and an informed decision has been made by management to accept it.
  4. Risk reduction/mitigation—Action taken to detect risk, followed by action to reduce the frequency and/or impact of a risk. Mitigated risks can be managed through a control framework for IT governance, such as COBIT.10

Figure 3

COBIT provides a framework of processes and key controls that can be matched to identified key risks to which the enterprise has decided to respond via mitigation. As shown in figure 4, an example of a typical identified key risk is stated as “logical attacks.” A risk response of mitigation results in this risk being matched to the COBIT IT processes PO2, PO3, DS5 and DS12 (from the Plan and Organize [PO] and Deliver and Support [DS] domains) and their associated control objectives.11
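To make the risk-response and control-mapping steps above concrete, here is an added Python example; it is not from the article, ISACA or the Risk IT/COBIT publications. It models a small risk register that applies the four Risk IT response types, checks that residual risk falls within an assumed tolerance, requires that an accepted risk carries an informed management decision, and requires that a mitigated risk is linked to COBIT processes, using the article’s figure 4 mapping for “logical attacks.” The 1–5 scoring scale, the tolerance value and the sample risks are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed 1-5 likelihood/impact scale; risk score = likelihood * impact.
RISK_TOLERANCE = 6  # assumed ceiling for residual risk, derived from risk appetite
# Risk IT's four response types as named in the article.
RESPONSES = {"avoid", "share", "accept", "mitigate"}

@dataclass
class Risk:
    name: str
    likelihood: int          # inherent, 1 (rare) .. 5 (almost certain)
    impact: int              # inherent, 1 (minor) .. 5 (severe)
    response: str            # one of RESPONSES
    reduction: float = 0.0   # fraction of score removed by share/transfer or mitigation
    cobit_processes: list = field(default_factory=list)  # e.g. ["DS5"] for mitigation
    accepted_by: str = ""    # management sign-off, required when response is "accept"

def residual_score(r: Risk) -> float:
    """Residual risk: inherent score after the chosen response has been applied."""
    inherent = r.likelihood * r.impact
    if r.response == "accept":
        return float(inherent)           # acceptance removes nothing
    if r.response == "avoid":
        return 0.0                       # activity exited, so the risk no longer arises
    return inherent * (1 - r.reduction)  # share/transfer or mitigate

def review(register: list, tolerance: int = RISK_TOLERANCE) -> list:
    """Return findings a second-line reviewer would raise; an empty list means clean."""
    findings = []
    for r in register:
        if r.response not in RESPONSES:
            findings.append(f"{r.name}: unknown response '{r.response}'")
            continue
        if r.response == "accept" and not r.accepted_by:
            findings.append(f"{r.name}: accepted without an informed management decision")
        if r.response == "mitigate" and not r.cobit_processes:
            findings.append(f"{r.name}: mitigation not linked to any COBIT process")
        if residual_score(r) > tolerance:
            findings.append(f"{r.name}: residual {residual_score(r):.1f} exceeds tolerance {tolerance}")
    return findings

# Constructed sample register; the first row uses the article's figure 4 mapping.
SAMPLE = [
    Risk("logical attacks", 4, 5, "mitigate", 0.75, ["PO2", "PO3", "DS5", "DS12"]),
    Risk("data centre flood", 2, 5, "share", 0.5),  # insured; residual 5.0
    Risk("legacy app outage", 3, 3, "accept"),      # no sign-off recorded
    Risk("unsupported OS fleet", 3, 4, "mitigate"), # no controls mapped, residual 12
]
print("\n".join(review(SAMPLE)))
```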

Figure 4

The second line of defense entails setting company boundaries by drafting and implementing policies and procedures and embedding controls into those procedures, ensuring that existing policies and procedures are kept up to date, responding to new strategic priorities and risks, monitoring to ensure compliance with the updated policies, and providing surveillance over the effectiveness of the compliance controls embedded in the business.12, 13 The COBIT framework provides a reference process model for the second line of defense because it defines IT activities as generic processes within four domains—PO, Acquire and Implement (AI), DS, and Monitor and Evaluate (ME). COBIT defines processes with associated control objectives and also provides overarching IT controls. These predefined processes and controls can therefore be used as a starting point for an enterprise in drafting its policies, procedures and controls. COBIT also encourages process ownership, enabling the definition of responsibilities and accountabilities.14

The third line of defense is the role of independent assurance providers such as internal and external audit, which offer independent review of the levels of assurance provided by business operations and oversight functions. This involves independent audit of the key controls and formal reporting on assurance.15 As shown in figure 5, the typical activities of a risk-based assurance plan can be linked to Risk IT and COBIT components, which can then be leveraged to make assurance activities more effective and efficient. To gain insight into the entity in which IT assurance activities are to be performed, outputs from the Risk IT framework provide insight into the key risks, while IT assurance activities such as planning, scoping and testing extensively use the material at the heart of COBIT—the control objectives. Some of the strongest links between Risk IT and COBIT components and IT assurance activities are as follows:16

  • Outputs of the Risk IT risk analysis process and COBIT goals and outcome measures with planning risk-based assurance initiatives
  • Outputs of the Risk IT risk analysis process and COBIT risk and value statements with risk assessments and risk substantiation
  • COBIT key activities and Responsible, Accountable, Consulted and Informed (RACI) charts with detailed assurance planning
  • COBIT control objectives and practices with testing and evaluating controls
  • COBIT maturity models and attributes with process maturity and other high-level assessments

Figure 5

Conclusion

IT is used by enterprises to automate business processes and transform current business models, and enterprises invest significantly in this area. The increasing use of IT within an enterprise brings increasing IT-related risk that, if not properly managed, can prevent the enterprise from achieving its business goals. An enterprise can manage IT-related risk effectively by establishing an IT governance framework. Such a framework can be achieved through adoption of the three lines of defense model, which consists of risk identification and assessment, risk management, and risk monitoring. Adopting and implementing the Risk IT and COBIT frameworks within the boundaries of the three lines of defense model further strengthens an enterprise’s IT governance framework.

Endnotes

1 Wyatt, Edward; “Fed Chief Says US Bolstered Its Ability to Handle Failure of a Big Bank,” The New York Times, 17 February 2011
2 Laplante, Phillip A.; Thomas Costello; CIO Wisdom II: More Best Practices, Prentice Hall, USA, 2005
3 ISACA, Implementing and Continually Improving IT Governance, USA, 2009
4 Ibid.
5 Caprasse, Denise; Julien Laurent; Wendy Reed; “Three Lines of Defence: How to Take the Burden Out of Compliance,” Insurance Digest, www.pwc.com/en_GX/gx/insurance/pdf/three_lines_of_defence.pdf
6 ISACA, The Risk IT Framework, USA, 2009
7 Op cit, Caprasse
8 Nelson, Fritz; Val Rahmani; Daniel Sabbah; Al Zollar; “Understanding IT Governance and Risk Management to Maximize IT Business Value,” video
9 Teschner, Charles; Peter Golder; Thorsten Liebert; “Banks’ Three Lines of Defense,” Bringing Back Best Practices in Risk Management, Booz & Co., Germany, 2008
10 Op cit, ISACA, The Risk IT Framework
11 IT Governance Institute (ITGI), COBIT® 4.1, USA, 2007
12 KPMG, “The Three Lines of Defence,” Audit Committee Institute, Quarterly 25, Belgium, 2009
13 Op cit, Caprasse
14 Op cit, ITGI
15 Op cit, Caprasse
16 Op cit, ITGI

Ronke Oyemade, CISA, CRISC, PMP, is principal consultant and chief executive officer of Strategic Global Consulting LLC and has more than 14 years of consulting experience in industries such as oil and gas, health care, education, hospitality, data management, finance, telecommunications, retail, manufacturing, and insurance. Her areas of expertise include IT audit and security, software development, data analytics and mining, and US Federal Trade Commission and US Sarbanes-Oxley Act compliance. Oyemade has worked with firms such as Ernst & Young and Deloitte and is an experienced training instructor who has trained employees of Fortune 500 companies. She can be reached at strategicglobalconsult@gmail.com.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2012 ISACA. All rights reserved.