An aggregated information technology checklist for operational risk management

Abstract

This paper develops an aggregated information technology (IT) checklist in order to manage the operational risks in an organization, especially those caused by the information systems and technology infrastructure. The study addresses the issue of the IT Governance frameworks and standards (information control models) that respond to different levels of operational risks and need to be harmonized. The definition of risk, operational risk, and risk management are discussed, a requirement analysis regarding Basel II is conducted, a gap analysis between the information control models (ICMs) is performed, and the aggregated IT checklist for operational risk management (ORM) is proposed by mapping the control objectives in ICMs to the operational risk categories described in Basel II as loss event types. The validity and reliability of the study is based on the focus group assessment of the mappings. The managerial impacts of the checklist are discussed, considering the audit implications of the checklist.