Modeling the impact of ESG orientation on business continuity through IS audit effectiveness: Evidence from financial institutions using SPSS–PLS

Business continuity management (BCM) and risk management (RM) processes are very important to current organizations. The former ensures that organizations can limit losses after severe contingencies or disasters. The latter helps organizations identify potential security incidents and adopt the most cost-effective countermeasures. However, current risk management approaches or methodologies do not reflect the important differences between RM and BCM processes. Therefore, even an organization that has established RM processes may need to re-assess the risks for BCM processes. In light of this, this study proposes RiskPatrol, a risk management system that provides an integrated view of risks associated with RM and BCM processes. RiskPatrol provides an easy way for users to retain enough information for BCM while they perform risk assessment in RM processes, and vice versa. The proposed approach can improve the efficiency of establishing information security management systems by minimizing redundancies in RM and BCM processes.

Continuity could be and should be strategic for the business competitive advantage. Besides natural disaster, from blackout to tsunami, businesses face in daily activities critical challenges in IT management for assuring business continuity; for example, business continuity management results must be strategic, because of the infrastructural, organizational, and information systems changes that are required to assure compliance with regulatory norms (see, e.g., the impact of Basel II norms in financial sector), or must have and maintain a time-to-market advantage (disasters can facilitate competitors in a first mover perspective). Nevertheless, business continuity is at present often synonymous with risk management at the IT level, disaster recovery at the hardware level, or in the best case?at the data management level?with data quality management. These perspectives fail to unveil the strategic value of IT business continuity as a framework assuring alignment of strategy, organization, and systems, allowing a competitive advantage in a dynamic competitive environment. Moreover, even when business continuity, under these perspectives, has become one of the most important issues in IT management, there still appears to be some discrepancy as to the formal definitions of what precisely constitutes a disaster, and there are difficulties in assessing the size of claims in the crises and disaster areas. Taking these issues into account, we propose: (a) an analysis of the different facets of the concept of business continuity, and (b) an integrated framework for strategic management of IT business continuity. To these ends, we move from the finance sector?a sector in which the development of information technology (IT) and information systems (IS) have had a key impact upon competitiveness. Indeed, banking industry IT and IS are considered “production,” not “support” technologies. The evolution of IT and IS has challenged the traditional ways of conducting business within the finance sector. These changes have largely represented improvements to business processes and efficiency but are not without their flaws, in as much as business disruption can occur due to IT and IS sources. The greater complexity of new IT and IS operating environments requires that organizations continually reassess how best they may face changes and exploit these later for organizational advantage. As such, IT and IS have supported massive changes in the ways in which business is conducted with consumers at the retail level. Innovations in direct banking would have been unthinkable without appropriate IS, and merger and acquisition (M&A) initiatives represent the ideal domain to show what value can lead strategic management of IT business continuity. Taking these issues into account, we point out the relevance of continuity for maintaining customers, and time-to-market in complex and evolutionary competitive environments. Due the relevance of IT to maintain a valueadded continuity, our contribution aims to clarify the concept of IT business continuity, providing a framework, exploiting the different facets that it encompasses, and showing the strategic implications to the field of IS&T.

A business continuity plan (BCP) is a form of insurance for an organization—and, like insurance, we all hope that we never have to rely on it. However, proper preparation and training will provide the organization with a plan that should hold up and ease the pressures related to a crisis. A good plan should minimize the need to make decisions in the midst of a crisis and outline the roles and responsibilities of each team member so that the business can resume operations, restore damaged or corrupted equipment or data, and return to normal processing as rapidly and painlessly as possible. Business continuity planning (BCP) has received more attention and emphasis in the past year than it has probably had cumulatively during the past several decades. This is an opportune time for organizations to leverage this attention into adequate resourcing, proper preparation, and workable business continuity plans. Business continuity planning is not glamorous, not usually considered to be fun, and often a little mundane. It can have all the appeal of planning how to get home from the airport at the end of an all-too-short vacation. This entry examines some of the factors involved in setting up a credible, useful, and maintainable business continuity program. From executive support through good leadership, proper risk analysis and a structured methodology, business continuity planning depends on key personnel making business-oriented and wise decisions, involving user departments and supporting services. Business continuity planning can be defined as preparing for any incident that could affect business operations. The objective of such planning is to maintain or resume business operations despite the possible disruption. BCP is a preincident activity, working closely with risk management to identify threats and risks and reducing the likelihood or impact of any of these risks occurring. Many such incidents develop into a crisis, and the focus of the effort turns to crisis management. It is at this time that the value of prior planning becomes apparent. The format of this entry is to outline the responsibilities of information systems security personnel and information systems auditors in the BCP process. A successful BCP program is one that will work when needed and is built on a process of involvement, input, review, testing, and maintenance. The challenge is that a BCP program is developed in times of relative calm and stability, and yet it needs to operate in times of extreme stress and uncertainty. As we look further into the role of leadership in this entry, we will see the key role that the leader has in times of crisis and the importance of the leader’s ability to handle the extreme stress and pressures of a crisis situation. A significant role of the BCP program is to develop a trained and committed team to lead, manage, and direct the organization through the crisis. Through this entry we will examine the aspects of crisis development, risk management, information gathering, and plan preparation. We will not go into as much detail about the plan development framework because this is not normally a function of IT or security professionals, yet understanding the role and intent of the business continuity program coordinator will permit IT professionals to provide effective and valued assistance to the BCP team. So what is the purpose of the BCP program? It is to be prepared to meet any potential disruption to a business process with an effective plan, the best decisions, and a minimization of interruption. A BCP program is developed to prepare a company to recover from a crisis—an event that may have serious impact on the organization, up to threatening the survival of the organization itself. Therefore, BCP is a process that must be taken seriously, must be thorough, and must be designed to handle any form of crisis that may occur. Let us therefore look at the elements of a crisis so that our BCP program will address it properly.

This perspective paper is based on several sessions by the members of the Round Table AI at FIRM , with input from a number of external and international speakers. Its particular focus lies on the management of the model risk of productive models in banks and other financial institutions. The models in view range from simple rules-based approaches to Artificial Intelligence (AI) or Machine learning (ML) models with a high level of sophistication. The typical applications of those models are related to predictions and decision making around the value chain of credit risk (including accounting side under IFRS9 or related national GAAP approaches), insurance risk or other financial risk types. We expect more models of higher complexity in the space of anti money laundering, fraud detection and transaction monitoring as well as a rise of AI/ML models as alternatives to current methods in solving some of the more intricate stochastic differential equations needed for the pricing and/or valuation of derivatives. The same type of model is also successful in areas unrelated to risk management, such as sales optimization, customer lifetime value considerations, robo-advisory and other fields of applications. The paper makes reference to recent related publications from central banks, financial supervisors and regulators as well as by other relevant sources and working groups. It aims to give practical advice for establishing a risk-based governance and test framework for the mentioned model types and also discusses the use of recent technologies, approaches and platforms to support the establishment of responsible, trustworthy, explainable, auditable and manageable AI/ML in production. In view of the recent EU publication on AI (see European Commission 2021), also referred to as the EU Artificial Intelligence Act (AIA), we also see a certain added value for this paper as an instigator of further thinking outside of the financial services sector, in particular where “High Risk” models according to the mentioned EU consultation are concerned. Our key takeaways are: 1. There need to be general principles, requirements and tests to control model risk and fitness-for-purpose for each model. Particularly because AI is not a fixed category, we are talking about a spectrum of mathematical models of varying complexity, of which gradually more and more complex ones are becoming feasible. With regards to this fact, the mentioned governance elements (principles, requirements, tests to control model risk etc.) should hinge upon models’ respective purposes, influence on human lives and business impact, rather than upon model design or complexity. To satisfy these requirements of course, special tests will be necessary for more complex or even dynamic models. This holds true especially for the implementation of those models and their utilization in a scaling enterprise production environment. 2. To this end, it will be necessary and useful to combine the expertise and approaches of classical risk management and governance with those of data science and AI knowledge. 3. Many aspects of AI governance, algorithmic auditing and risk management of AI systems can be addressed with technology and computing platforms. In fact, an entire industry is about to emerge in this area. Many of the necessary techniques essentially consist of the use of somewhat less complex and more transparent models in their own right, with associated cost for maintenance and operation, and with inherent (more indirect and smaller) risks to operate them. Hence, there will always be residual risk and consequentially a need for human oversight. The level of residual risk should be covered via OpRisk Management (IT risk, mal-decisioning risk, reputational risk) and by AI incident management or AI model insurance. 4. Explainability, interpretability and transparency of models, data and decision making will be key to even enable an appropriate possibility to manage remaining model risks (“Explaining Explainable AI”). All three need to be directed towards the internal stakeholders of financial institutions, but – depending on model purpose – also towards the outside world, particularly to clients/consumers and supervisors. Each stakeholder needs to be informed about the model aspects in a different and specific way. There are technologies and experts to support interfacing the different domains involved. 5. One particular aspect of the “Explainable AI” agenda is to enable the fairness of AI decision making or decision support from a societal perspective (linked to the ESG agenda). The associated fairness considerations, starting from the need to explicitly define a notion of fairness and enable its implementation and ongoing validation, are by no means exclusive to AI modelling techniques. They pertain to classical decision making to the same extent; however, due to their lack of innate transparency, the cost of fairness will be higher for AI models. This should be taken into account in the business decisions around the choice of model design.

Risk Management: It's Not Just FMEA

Increasing levels of business disruptions and disaster events on one hand while local, national and international campaigns on the other have increased businesses’ awareness, attention and demand for the need for business continuity management. As more and more businesses are looking to integrate disaster risk and business continuity management into their business operations and decision making processes, the need for such expertise has also increased. Despite these needs, many business schools around the world have not fully identified, realized or addressed them. While there are several models for integrating disaster risk and business continuity management in business education, York University has established undergraduate and graduate level disaster and emergency management programs in a business school setting to address these growing needs. Through this integration, considerable numbers of business students enroll in disaster risk management, and business continuity courses. Knowledge and skills that students acquire through these courses make them informed and knowledgeable players in business continuity management teams in their varied work places.

Integrated risk management means the comprehensive and effective management all significant risks (affecting the bank’s activities) and their interrelation, including building a corporate culture of risk management and integrating risk management into strategic planning. The significant risks have big impact on the financial result of the bank, its capital, and liquidity, business reputation, their consideration is required for the assessment of banking creditworthiness and stability for regulators. In the context of economic crises and sanctions, the role of effective risk management in banks is significantly increasing, as it allows the bank to adequately distribute its capital and reserves and contributes to its stable existence in the face of uncertainty. The most significant risks in banking are credit and liquidity risks. In the banking sector, a significant methodological base has now been accumulated for assessing and managing these types of risks. The purpose of this study is to systematize the approaches to the formation of a risk management system in Russian and world practice, to assess their advantages and disadvantages, and also to formulate a list of recommendations for improving the existing system. Decision-making at management levels takes place in conditions of uncertainty in the external and internal environment, which causes partial or complete uncertainty in the final results of activities. In economics, uncertainty is understood as incompleteness or inaccuracy of information on the conditions of economic activity, including the costs and the results. The causes of uncertainty are three main factors: ignorance, randomness, and competition. In particular, the uncertainty is explained by the fact that the problems are reduced to the tasks of choosing from a certain number of alternatives, while the banks do not have full knowledge of the situation to work out the optimal solution, and do not have the resources to adequately account for all the information available to them. A measure of uncertainty is risk, i.e. the probability of occurrence of events, as a result of which unexpected losses of income, property, cash, and other assets are possible. In modern banking risk management systems, procedures for influencing individual risk events or types of risk are increasingly being replaced by the organization of continuous monitoring of the bank’s aggregate risk and the management of the value of various businesses of a credit institution adjusted for their inherent risk. This conceptual approach is called Integrated Risk Management (IRM). In the international banking regulation standards, the IRM logic is disclosed by the requirements of Component 2 of the Basel II and Basel III agreements (BKBN 2004, 2010), in Russian practice—Bank of Russia Ordinance No. 3624-U “On requirements for the risk and capital management system credit organization and banking group”(Bank of Russia, On Requirements for the Risk and Capital Management System of a Credit Institution and a Banking Group, 2015).

About the Authors

Decision making is an important aspect of software processes management. Most organizations allocate resources based on predictions. Improving the accuracy of such predictions reduces costs and helps in efficient resources management. risk management is of vital importance for any financial institution (and enterprise for that matter) to keep its information systems secure at an acceptable level, the key issues focus on both how to reduce the probability of risk occurrence and decrease the loss of risk consequence. The main tasks for the implementation of such requirements involve the determination of the causes of risks, the estimation of risk occurrence probability, and the evaluation of risk consequence severity, which are all included in the risk analysis. In the process of risk analysis for information systems, models are built in order to analyze and better understand the risk factors and their causal relationships in real-world information systems. Establishing an appropriate model suitable for the target risk problem is a crucial task that will ultimately influence the effectiveness of risk analysis results. In the existing literature, most the approaches either assumed that the structure of the model was provided by domain expert experience and knowledge, or assumed that the structure was chosen from some general well-known class of model structures, thus, the results of risk analysis were relatively subjective. To overcome these drawbacks, not only expert have the experience and knowledge that needs to be taken into account, but also, the database of observed cases from information systems should be utilized in the process of modeling. With the growth of the dependency on IT, the impact of risk concerns on the development and exploitation of information systems has also increased exponentially. The risk management system focuses on specific phases of the software life cycle, without recognizing that risks in one stage can have an impact on other stages. This paper explores the risk situation as it is in the financial institutions in Kenya and suggests ways through which risk management can be brought a notch higher in order to minimise the losses incurred when faced by these risk situations.

As risk analysis and risk management get increasingly caught up in political debates, a new way of looking at and defining the risks of modern technologies becomes necessary

Based on the Horizons Scan Report 2021 by BSI, the top 6 threats to organizations today are pandemics, health incidents, safety incidents, IT and telecommunications outages, cyberattacks, and extreme weather. Universitas Indonesia (UI), as a modern, comprehensive, and open campus, strives to become a leading research university globally. As the IT service manager at UI, the Directorate of Information Systems and Technology (DSTI) has the task of strengthening service management by implementing risk management and security management in line with relevant laws and policies. The main problem for DSTI as an IT service at UI is that there are no documents related to risk management and information security management, resulting in IT services’ failure. This year, there have been four data center failures due to power and UPS problems. DSTI wants to improve IT services at UI by implementing risk management and Business Continuity Management System (BCMS). This study aims to conduct a risk analysis to design a Business Continuity Plan (BCP) for IT services at the University of Indonesia. The research was conducted using mix method. The OCTAVE qualitative method was carried out in finding a list of risks on critical assets in IT services at UI. A quantitative approach is needed to rank the risk list using a questionnaire and FMEA calculations to get a risk priority number. This study separates the risk of general assets and information system assets. For critical assets, it is generally found that two are at a very high level, one is high, eight risks are at a low level, and 12 are at a very high level, for information system assets found 12 assets with very high risk, three medium and one low.

Advances in auditing and business continuity: A study in financial companies

Since the early eighties volatility of GDP and inflation has been declining steadily in many countries. Financial innovation has been identified as one of the key factors driving this ‘Great Moderation’. Financial innovation was considered to have improved significantly the allocation and sharing of financial risks, both from a macro and micro perspective. In particular, the prevailing opinion was that great progress has been made in developing models and other quantitative methods for measuring and managing risk. However, the global financial crisis that started in the summer of 2007 revealed important failures in risk management by financial institutions. Over-optimism prevailed and risks were underpriced, caused by problems of both a conceptual and technical nature. This paper analyses these two angles from the viewpoint of financial institutions. Conceptually, we will show that risk management degenerated into a ‘pseudo’ quantitative science. This in turn gave a false sense of security to financial institutions and their supervisors. Prior to the crisis, supervisory and regulatory regimes assumed that for the financial sector as a whole, risk management had been improved and that, as a result, financial stability was enhanced. The fact that many financial activities were carried out in a rapidly changing landscape – i.e. key decisions had to be taken in situations with uncertainty - was largely ignored. At a very fundamental level it was mistakenly assumed that all uncertainty can be measured in a reliable fashion using a probability distribution – i.e. all uncertainty can be treated as ‘risk’. This attitude had also adverse consequences for the way risk management and decision making were organised in financial institutions. There was too much focus on quantitative models and measurement and too little on the qualitative dimension of risk management, involving such issues as information flows, people and their motives and incentives. In addition, even from a narrow, technical perspective risk management techniques proved to be insufficiently sophisticated. The second part of the paper focuses on the lessons to be learned from the past episode of inadequate risk management at the level of financial institutions. Apart from technical improvements there is a need for a greater emphasis on handling fundamental uncertainty. More specifically, it will be shown that qualitative risk management is particularly important to deal with the latter uncertainty. However, even with better risk management the future remains uncertain and human nature will remain largely unchanged. Finding better ways of dealing with fundamental uncertainty remains therefore a continuous challenge.

Bank Regulation, Risk Management, and Compliance is a concise yet comprehensive treatment of the primary areas of US banking regulation – micro-prudential, macroprudential, financial consumer protection, and AML/CFT regulation – and their associated risk management and compliance systems. The book’s focus is the US, but its prolific use of standards published by the Basel Committee on Banking Supervision and frequent comparisons with UK and EU versions of US regulation offer a broad perspective on global bank regulation and expectations for internal governance. The book establishes a conceptual framework that helps readers to understand bank regulators’ expectations for the risk management and compliance functions. Informed by the author’s experience at a major credit rating agency in helping to design and implement a ratings compliance system, it explains how the banking business model, through credit extension and credit intermediation, creates the principal risks that regulation is designed to mitigate: credit, interest rate, market, and operational risk, and, more broadly, systemic risk. The book covers, in a single volume, the four areas of bank regulation and supervision and the associated regulatory expectations and firms’ governance systems. Readers desiring to study the subject in a unified manner have needed to separately consult specialized treatments of their areas of interest, resulting in a fragmented grasp of the subject matter. Banking regulation has a cohesive unity due in large part to national authorities’ agreement to follow global standards and to the homogenizing effects of the integrated global financial markets. The book is designed for legal, risk, and compliance banking professionals; students in law, business, and other finance-related graduate programs; and finance professionals generally who want a reference book on bank regulation, risk management, and compliance. It can serve both as a primer for entry-level finance professionals and as a reference guide for seasoned risk and compliance officials, senior management, and regulators and other policymakers. Although the book’s focus is bank regulation, its coverage of corporate governance, risk management, compliance, and management of conflicts of interest in financial institutions has broad application in other financial services sectors. Chapter 6 of this book is freely available as a downloadable Open Access PDF under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 license. https://tandfbis.s3-us-west-2.amazonaws.com/rt-files/docs/Open+Access+Chapters/9780367367497_oachapter6.pdf

In recent years, there have been growing concerns about the adequacy of internal controls within local government institutions in Zambia, including the Lusaka City Council. Instances of financial irregularities, resource misallocation, and operational inefficiencies have highlighted the need for a comprehensive assessment of the internal audit function. Despite Lusaka City Council having a well-established internal audit function, they seem to be irregularities which are still appearing and these are in growing tendency, during the period of five years between 2018 to 2022 Lusaka City Council has failed to collect revenue which the council had budget for amounting K480 million. In this regard, this study evaluated the effectiveness of internal audit in risk management at Lusaka City Council using a self-administered questionnaires by assessing the Audit Committee, Segregation of Duties, Data Security and Information Technology in Internal Audit, and Risk Assessment. Analysis of Variance (ANOVA) was used to create whether there was difference between the independent variables and effectiveness of the internal audit at the Lusaka City Council. Analyzing the effectiveness of the Audit Committee, Reduced Audit Queries, and Enhanced Revenue Collection on internal audit controls at Lusaka City Council. The model showed a significant effect overall, with a p-value of .029 (Sig. = .029). This indicated that, collectively, the predictors significantly contribute to explaining the variance in internal audit controls. The F-value of 3.896 reflects the model’s strength in predicting internal audit controls, while the Regression Sum of Squares (4.163) and Mean Square (2.096) indicate the proportion of variance attributed to the predictors compared to the residual variance (30.677). The regression equation IAC=0.763+0.174 RAQ+0.214 ERCIAC, describes the influence of Reduced Audit Queries (RAQ) and Enhanced Revenue Collection (ERC) on Internal Audit Controls (IAC). Reduced Audit Queries (B = .174, Sig. = .026) has a statistically significant positive effect, meaning that improvements in reducing audit queries are associated with stronger internal audit controls. Enhanced Revenue Collection (B = .214, Sig. = .117) shows a positive but statistically insignificant impact, suggesting it may contribute to internal audit controls but not as strongly or reliably as Reduced Audit Queries. Overall, the results imply that while both predictors positively influence internal audit controls, reducing audit queries is the most significant factor in this model. The regression model IAC=−0.781+0.164 SD+0.293 SJDIAC, describes the effects of Segregation of Duties (SD) and Structure and Job Descriptions (SJD) on Internal Audit Controls (IAC). Segregation of Duties (B = 0.164, Sig. = .037) has a positive and statistically significant impact, suggesting that improving segregation of duties positively influences internal audit controls. Structure and Job Descriptions (B = 0.293, Sig. = .096) also show a positive relationship with internal audit controls, although this effect is not statistically significant at the 0.05 level (Sig. = .096). Overall, the model suggests that enhancing segregation of duties has a meaningful impact on strengthening internal audit controls, while the influence of structured job descriptions is positive but less definitive in this model. The findings indicate the presence of internal control measures, including an audit committee overseeing financial reporting, internal controls, and risk management. However, several weaknesses are identified, such as inadequate internal audit reporting, inadequate revenue database system, poor operation of billing systems and slow operations of online payment systems. These weaknesses can impact financial management and revenue collection. To address these issues, the study recommends specific remedies aligned with best practices identified in the literature. These remedies include partnering with mobile phone service providers to introduce a platform which allows customers to easily access their bills and statements, invest their resources in procuring a bigger database that can store all their revenue from different revenue streams. In addition, the council should also procure Computer Assisted Audit Techniques (CAATs) tools that will broaden the audit scope and perform test that cannot be performed manually by enabling real-time monitoring and detection of irregularities which will increase the quality and reliability of audit results. Auditors should also be trained in information system and forensic audits since payments and revenue at the council are processed using information systems, and due to the nature of the risks at the council the auditors need to have forensic skills in order to detect fraud. The other recommendation is that the council should have a disaster recovery plan in place. The recommendations provided in the study aim to establish a robust internal control system at Lusaka City Council.