Literature references

Aabo, Tom, Fraser, John R.S., Simkins, Betty J. (2004). The rise and transformation of the chief risk officer: a success story on enterprise risk management. Version of December 10, 2004. Revised version available in Journal of Applied Corporate Finance, Winter 2005. Pages 1-34, Available from: http://www.gloriamundi.org/detailpopup.asp?ID=453057237 [Accessed 16 April 2006]

Alvarez, Gene (2005). ‘An Operational Risk Management Framework’. Chapter 11 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 227-236.

Andersen, Arthur (2001). Basel and operational risk: new perspectives, new challenges. Financial services (March 2001). Pages 1-6.

Appel, Willie (2005). ‘Redefining IT Governance Readiness’, Meta Group, Meta Practice 2369. Pages 1-8.

Basel Committee on Banking Supervision. Risk Management Group. Cole, Roger (chairman) et. al. (2003). ‘Sound practices for the management and supervision of operational risk’, Bank for International Settlements (BIS). Pages 2-5 and 8.

Birchall, David, Ezingeard, Jean-Noël and McFadzean, Elspeth (2003). Information security. Setting the boardroom agenda. Grist and Henley Management College sponsored by Qinetiq. Executive summary also referenced. Pages 1-51.

Birchall, David, Ezingeard, Jean-Noël and McFadzean, Elspeth (2004). Information assurance. Strategic alignment and competitive advantage. Grist and Henley Management College sponsored by Qinetiq. Executive summary also referenced. Pages 1-73.

Bolton, Nick; Berkey, Judson (2005). ‘Aligning Basel II Operational Risk and Sarbanes-Oxley 404 Projects’. Chapter 12 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 237-246.

Booker, Robert (2006). ‘Re-engineering enterprise security’, Computers & Security 25. 13-17

Carey, Allan (2005). ‘2005 Global information security workforce study’, IDC whitepaper, sponsored by ISC2. Pages 1-28.

COBIT. IT Governance Institute (2000). ‘Control objectives for information and related technologies’ COBIT, 3rd edition. Pages 1-12.

Coles, Robert S. and Moulton, Rolf (2003). ‘Operationalizing IT risk management’,

Computers & Security 0167-4048/03. Pages 487-492.

Committee of Sponsoring Organisations of the Treadway Commission COSO (2004). Enterprise Risk Management Framework – Executive summary – Exposure Draft for Public Comment (pages 1-103) downloadable from www.coso.org/publications.htm

DeLotto, R., McKibben, D. and Leskela, L. (2003). ‘Risk management in the new regulatory environment’, Gartner, Research note 19 March 2003. COM-19-4409. Pages 1-4.

Dierick, Frank; Pires, Fatima; Scheicher, Martin; Spitzer, Kai Gereon (2005). ‘The new Basel capital framework and its implementation in the European Union’ [online]. European Central Bank (ECB) Occassional Paper Series no. 42 December 2005. Pages 1-28. Available at http://www.ecb.int/pub/pdf/scpops/ecbocp42.pdf [Last accessed 12 May 2006].

Dillon, Robin L. and Paté-Cornell, Elisabeth (2005). ‘Including technical and security risks in the management of information systems: a programmatic risk management model’. Systems engineering. 8. 1. Regular paper. Pages 15, 17, 18 and 24.
Ernst&Young (2005). Ernst & Young’s 8th annual Global Information Security Survey [online]. Pages 1-28. Available from: http://int.sitestat.com/ernst-and-young/international/s?Global-Information-Security-survey-2005&ns_type=pdf [Last accessed 8 May 2006]. Press release Available at http://www.ey.com/GLOBAL/content.nsf/International/Press_Release_-_2005_Global_Information_Security_Survey [Last accessed 8 May 2006]

Expansión (2006). “El libro abierto de Basilea II”. Published 30 June 2006. Page 20.

Ezingeard, Jean-Noël (2003). ‘Expert advice’ [online]. Available at http://www.infoconomy.com and http://www.information-age.com/article/2003/june/expert_advice . Security perspective [Last accessed 18 December 2005]. Pages 1-2.

Ezingeard, J.-N., M. Bowen-Schrire, et al. (2004). Triggers of Change in Information Security Management. ISOneWorld Conference, Las Vegas, Information Institute (http://www.information-institute.org/). Pages 1-37.

Fujii (2005). ‘Building Scenarios’. Chapter 7 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 169-178.

Giraud, Jean-Rene (2005a). ‘Managing hedge funds’ exposure to operational risks’. Chapter 14 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 275-283.

Giraud, Jean-Rene (2005b). ‘Managing hedge funds’ operational risks’. Chapter 14 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 284-294.

Giraud, Jean-Rene (2005c). ‘Quantifying hedge funds’ operational risks’. Chapter 14 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 295-303.

Hamel, Gary (2006). ‘The Why, What and How of Management Innovation’. Harvard Business Review. February 2006. Pages 1-12.

Hughes, Peter (2005). ‘Using transactional data to measure operational risk’. Chapter 1 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 3-12.

Huijgens, Hennie (2004). ‘Value chain control – An IT control approach that puts business in the centre’. Information systems control journal. 2 57-62.

Information Security Forum ISF (2000). May 2000, Fundamental Information Risk Management: Implementation Guide. Pages 14-37.

Information Security Forum ISF (2005a). December 2005, Improving Security Management. Enterprise-wide. Reference ISF 05-053. Pages 1-46.

Information Security Forum ISF (2005b). The Standard of Good Practice for Information Security. Reference ISF 05-104. Pages 1-28.

Information Security Forum, ISF (2005c). Information Security Health Check version 1.1. Reference ISF 05-SHC. Pages 2-8.

Information Security Forum ISF (2006). Survey Results. Reference ISF 06-0303. Pages 1-9.

Irwin-McCaughey, Elizabeth (2006). ‘Central bank risk management’. Presentation given at the 2006 Risk Management and Internal Audit specialised training course at the Federal Reserve of New York (USA), 8 May 2006.

ISO (2002). ISO Guide 73 – Risk Management – Vocabulary – Guidelines for use in Standards. Reference: ISO/IEC GUIDE 73:2002(E/F). Pages 1-16.

ISO (2004). ISO/IEC 13335-1 Information technology – Security techniques – Management of information and communications technology security. Part 1: Concepts and models for information and communications technology security management. Reference: ISO/IEC 13335-1:2004(E). Pages 1-28.

ISO (2005) ISO/IEC 17799 Information technology – Security techniques – Code of practice for information security management. Second edition 2005-06-15. Reference: ISO/IEC 17799-1:2005(E). Pages 1-115.

Kaplan, Robert S., Norton, David P. (1992). ‘The Balanced Scorecard: measures that drive performance’. Harvard Business Review. Article reprint 1 July 2005 (Product name R0507Q). Pages 1-12.

Kilian, Lutz; Manganelli, Simone (2003). ‘The central banker as a risk manager: Quantifying and forecasting inflation risks’ [online]. 15 April 2003. European Central Bank (ECB) Working Paper no. 226. Pages 1-15. Available at http://www.ecb.int/pub/pdf/scpwps/ecbwp226.pdf [Last accessed 12 May 2006].

Leippold, M. and Vanini, P. (2003). The quantification of operational risk. University of Southern Switzerland and Zürcher Kantonalbank. Pages 1-10 and 22-36. Available at http://www.gloriamundi.org/download.asp?ResourceID=453056815 [Date of access: April 17 2006]

Leskela, Lane; Knox, Mary; Schehr, David; Furlonger, David; Redshaw, Peter (2005). ‘Client issues 2005: How to achieve regulatory compliance and ERM’, Gartner, Research note. 29 March 2005. ID Number: G00126561. Pages 1-4.

Lewis, Christopher M; Lantsman, Yakov (2005). ‘What is a fair price to transfer the risk of unauthorised trading? A case study on operational risk’. Chapter 16 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 315-319 and 348-351.

May, Cliff (2002). ‘Risk Management – Practising what we preach’, Computer Fraud & Security, 8: 10-13.

McFadzean, Elspeth, Ezingeard, Jean-Noël and Birchall, David (2003). ‘Boards of Directors’ engagement with Information Security’, Henley Management College, working paper series. HWP 0309. Pages 1-25.

Mogull, R. (2004). ‘Gartner’s simple enterprise risk management framework’, Gartner, Strategic analysis report. 10 December 2004. G00125380. Pages 1-14.

Morrison, Alan D. (2005). ‘Sarbanes-Oxley, Corporate Governance and Operational Risk’. Chapter 13 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 247-271.

NIST (2002). ‘Risk management guide for information technology systems’. National Institute of Standards and Technology NIST (Technology Administration. U.S Department of Commerce). Recommendations. Special publication 800-30 by Stoneburner, Gary; Goguen, Alice and Feringa, Alexis. Pages 1-F1.

Organisation for Economic Co-operation and Development (2002). OECD Guidelines for the security of information systems and networks: towards a culture of security. Adopted as a Recommendation of the OECD Council at its 1037 Session on 25 July 2002. Pages 1-19.

Organisation for Economic Co-operation and Development (2003). Implementation plan for the OECD guidelines for the security of information systems and networks: towards a culture of security. Working Party on Information Security and Privacy. 2 July 2003. Pages 1-6.

Proctor, Paul (2005). ‘Security and Risk Compliance Overview. Security & Risk Strategies, Security Infusion’, Meta Group, Meta Practice 2339. Pages 1-7.

Rinnooy Kan, A.H.G. (2004). ‘IT governance and corporate governance at ING’. Information systems control journal. 2 26-31.

Rubin, Robert (2006). ‘An uncertain and complex global economy: outlook, opportunities and challenges’. Keynote address at the ECB Conference on Financial Globalisation and Integration. 17 July 2006.

RSA Security (2005). Trends and attitudes in Information Security – AN RSA Security e-book [online]. Pages 1-7 and 23. Available from: http://www.rsasecurity.com/go/identity/files/RSA_e-book_a5_Final.pdf
[Last accessed 9 May 2006]

Rybczynski, Tony. Podcast from Wharton titled ‘Security, Business Continuity and the 'Real-time Virtual Enterprise' interviewing Tony Rybczynski (director of strategic marketing and technologies for Nortel)[online]. Available from: http://knowledge.wharton.upenn.edu/audio/WTC_RybczynskiINT.mp3 [Last accessed 5 May 2006]

Schachter, Barry (1997). ‘An irreverent guide to value at risk’ [online]. Page 1. Available from: http://www.gloriamundi.org/introduction.asp [Last accessed 11 May 2006].

Sheffi, Yossi and Rice Jr., James B. (2005). ‘A supply chain view of the resilient enterprise’ MITSloan Management Review. Fall 2005. Vol. 47 No.1. Pages 45-47.

Scholtz, Tom (2004a). ‘Articulating the Business Value of Information Security. Security & Risk Strategies, Security Infusion, Global Networking Strategies’, Meta Group, Meta Delta 2774. Pages 1-4.

Scholtz, Tom (2004b). ‘META Group Information Security Services Framework Update: Version 3: Enterprise Planning & Architecture Strategies, Security & Risk Strategies, Security Infusion’, Meta Group, Meta Delta 3137. Pages 1-6.

Scholtz, Tom (2004c). ‘Organising for security: trends and best practices. Executive directions, security and risk strategies, security infusion’. Meta Practice. 27 July 2004. Practice 2223. Pages 1-8.

Slywotzky, Adrian J; Drzik, John (2005). ‘Countering the biggest risk of all‘. Harvard Business Review. April 2005. Pages 78-88.

Soo Hoo, Kevin J. (2000). ‘How much is enough? A risk-management approach to computer security’ Consortium for Research on Information Security and Policy (CRISP) Working paper. June 2000. Pages 1-6 and 15-20.

Straub Jr, D.W. (1990). ‘Effective IS Security: An Empirical Study’, The Institute of Management Sciences, Information Systems Research 1(3):255-276.

Straub, D. W. and R. J. Welke (1998). "Coping with systems risk: Security planning models for management decision making." MIS Quarterly 22(4): 441-469.

Tabb, Larry (2005). “Re-defining risk”. Perspectives. Wall Street & Technology September 2005. ABI/INFORM Global. Page 58.

The Economist (2006a). “The trial of Sarbanes-Oxley”. Published 22 April 2006. Pages 59-60.

The Economist (2006b). “A survey of international banking”. Published 20 May 2006. Pages 12–14.

Thompson, John with Martin, Frank (2005). Strategic management. Thomson 5th edition. Key success factors and E-V-R congruence. Pages 114 and 125-130.

Venkatraman, N. (1994). "IT-Enabled Business Transformation: From Automation to Business Scope Redefinition." Sloan Management Review 35(2): 73-87

Vinella, Peter; Jin, Jeanette (2005). ‘A Foundation for KPI and KRI’. Chapter 6 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 157-167.

Viney, Christopher (2005). ‘Model behaviour’. Chapter 9 of the book titled ‘Operational Risk: Practical approaches to implementation’. Edited by Ellen Davis. Risk books. Pages 201-214.

von Solms, Basie (2005a). ‘Information Security Governance: COBIT or ISO 17799 or both?’, Computers & Security 24, 99-104

von Solms, Basie (2005b). ‘Information Security Governance: Compliance management vs operational management’, Computers & Security, 24, 443-447.

von Solms, Basie (2006). ‘Information Security – The Fourth Wave’, Computers & Security, 25, 165-168.

Wikipedia. Definition of Enterprise Risk Management. Pages 1-2. Available from: http://en.wikipedia.org/wiki/Enterprise_Risk_Management [Accessed 16 December 2005]
Wright, Marie (1999). ‘Third Generation Risk Management Practices’, Computer Fraud & Security February 1999 3723/99. Pages 9-12.