Journal of Operational Risk
ISSN: 1744-6740 (print), 1755-2710 (online)
Editor-in-chief: Marcelo Cruz
Monitoring IT operational risks across US capital markets
Jerry Friedhoff and Mo Mansouri
Abstract
Due to an increasing number of high-profile, technology-related incidents across the US financial markets, industry participants are focused on improving their operational IT risk management frameworks. This is reflected by the inclusion of IT risk guidelines in recent regulatory mandates, industry standards and enterprise risk management methodologies. IT risk is a key component of operational risk, mainly through two event types (or subcategories). One is business disruptions and system failures, which addresses the disruption of regular business due to system failures; the other is external fraud, which covers the threats from external parties trying to hack a firm's systems and computers. Across the US financial markets domain, operational IT events have been shown to have a larger impact on participants than IT security events or IT project failures (Goldstein 2009). Within this context, the monitoring of operational IT risk across the various organizations comprising an extended enterprise such as the US capital markets becomes an important element of systemic risk management for the economy. This paper suggests an approach to assessing IT risk within the operational risk context using an incident-based method for monitoring operational IT risk across an extended enterprise based on the Information Systems Audit and Control Association risk IT framework. The proposed monitoring methodology is illustrated with an example from an extended enterprise within the US capital market. Observations on the approach are also discussed and potential future research is outlined.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@risk.net