LO 39.4: Explain the benefits to a firm from having a robust risk data infrastructure, and describe key elements of an effective IT risk management policy at a firm.
A benefit of a robust risk data infrastructure is the ability to aggregate timely and accurate data to report on credit, market, liquidity, and operational risks. This, in turn, allows management to make proper decisions regarding the firm's strategy, risk appetite, and risk management during periods of constant and frequent changes. Another benefit is the ability to sufficiently document and convey the firm's risk reporting requirements. Such requirements include specific metrics, data accuracy expectations, element definitions, time frames, supervisory expectations, and regulatory reporting requirements.
Key elements of an effective IT risk management policy at a firm are described as follows:
Clearly defined standards and internal risk reporting requirements to ensure a proper IT infrastructure and internal reporting.
Sufficient funding is provided to develop IT systems for the purpose of internal risk reporting; for example, these projects compete equally with proposals that are revenue generating.
Assessing IT infrastructure and capacity prior to approving new products.
Post-implementation reviews of IT systems performed anywhere from 6–18 months afterward as a check that the systems meet the risk personnel's needs.
2018 Kaplan, Inc.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
The level of governance for outsourced IT activities is the same as if they were done in-house. There are no impediments to implementation or access to data due to outsourcing.
The existence of effective project management offices (PMOs) to ensure that timelines and deliverables are met. Specifically, one person is in charge of the PMO, which seems to result in stronger coordination and communication between project staff.
There is a data administrator as well as a data owner, and the data owner must ensure a sufficiently high level of data accuracy, integrity, and availability. This helps to ensure that IT projects are meeting the users' needs.
The board is able to implement relevant internal audit programs to allow for periodic reviews of data maintenance processes and functions. The monitoring could be continuous or specific to a product or business line. This would allow for the quick correction of any weaknesses detected by internal audit.
Poor or Fragmented IT Infrastructure