Of course, just focusing on the title of the guide above for a second, it may also be a good idea to proactively ensure your chief audit executive is engaged as early as possible in your IT risk management program too. Doing so could mean better internal audit reports in the future (e.g., reports which go wider or deeper, are more risk-centric, and at minimum do not simply point to a lack of adherence to policy).
What may be best about the guide above is that it recognizes that implementing policy effectively requires embedding it into the culture, so that it becomes part of the organization's mindset for overall quality. In this way policy becomes better ingrained, understood, used and complied with.
Also, regardless of the order of the steps in the guide noted above, try replacing the word “privacy” with the word “risk” and you may get some good ideas for improving adherence to your risk management policy and the related IT risk management program. The following questions may further help you see this.
- Do you have a central “go to” person for IT risk management related queries within the organization?
- Do you have a risk management policy that reflects the IT risk management needs and risks of the organization?
- How often do you conduct effective IT risk management impact assessments and how effective is your organization at identifying, logging and managing IT risks?
- Have you linked each requirement within your risk policy to a concrete, actionable item (IT operational processes, controls and procedures), translating each policy item into a specific practice that must be executed?
- What do you do to demonstrate how each practice item will actually be implemented? Have you developed and conducted IT risk management education and awareness training programs to ensure all employees in IT, using IT services, or working on IT projects understand the required policies and procedures as well as the obligations they impose? Can new employees quickly access the education, training and awareness programs and demonstrations (e.g., are they online and replayable at anytime, is there a test to measure understanding, and is there a link or button learners can push to engage an expert in a related dialogue)?
- Does your organization verify both employee and organizational execution of the risk policy and operational processes and procedures (including with regard to IT risk management), and does your organization proactively prepare for a potential IT risk to materialize by establishing related protocols to manage the risk effectively?
- Are your IT risks being managed consistently across your various projects?
- Are IT risks really getting the attention they should? Or are risks logged early in a project, insufficiently mitigated and then largely forgotten?
- Is your organization happy with IT operational and project outcomes?
- Has your organization established sufficient documented policies (including for IT), and do they cover what is needed?
- Are policies current with best practices? Are any policies missing? Are policies sufficiently complied with?
Quality Management Specialist