Benchmark IT Risk Management Policies Against Industry Standards
Fortune 50 Financial Services Institution
The Client’s Operational Risk Management team sought outside expertise to improve its Technology risk policies and standards by benchmarking governance documents against regulatory guidance and industry best practices (including NIST) and developing a remediation plan for any gaps identified.
- The Client’s existing enterprise technology policies and standards were owned by multiple teams and lacked sufficient context and content to serve as standalone governance documents. Furthermore, there were several instances of standards that did not align to a related policy.
- Many policies and standards did not consistently reference or incorporate industry best practices. The Client also feared that technology policies and standards failed to adhere to the organizations’ own Enterprise Risk Management requirements, creating the risk of regulatory non-compliance and the risk that instances of non-compliance could go undetected and unreported.
- Reference Point deployed a team led by an experienced Risk Management executive to document gaps in over 30 technology operational risk policies and standards based on expert knowledge of industry best practices, regulatory guidance, and the Client’s own Enterprise Risk Management governance documents.
- The team identified additional content to create standalone policy and standards documents and identified improvements to the overall policy and standards framework so that all standards aligned to a related policy and business objective.
- Reference Point proposed applying a single integrated framework (such as COSO or COBIT) to facilitate a strong oversight and management control environment and to provide direction to mitigate risk.
- After recommending governance and control framework enhancements, Reference Point built upon the initial scope of work by developing policy and standard adherence guidelines for the oversight and monitoring of First Line risk activities. Reference Point also assisted in the development of an Operational Risk Management Guidance document for the ongoing governance of policies and standards.
- A Reference Point subject matter expert developed an introductory Technology Policy and Standard Writing Guidance manual for Client teams and developed a plan to provide training for policy authors and owners in order to ensure long-term success.