
IT RISK MANAGEMENT BEST PRACTICES TOOLS AND PROCEDURES
Prepared For
Futures & Options Expo
2002
-- A Panel Discussion --
AGENDA
I. Introduction, Purpose and Organization of This Panel Discussion
II. About Our Panelists
III. What Are IT Risk Management Best Practices Tools And Procedures?
    How Do They Work?
    How Do They Manage Risk?
    What Are Their Pros and Cons?
IV. What Are Our Panelists' Experiences?
V. Questions From the Floor
I. INTRODUCTION, PURPOSE AND ORGANIZATION OF THIS PANEL DISCUSSION
1. INTRODUCTION
In the Financial Services Industry, when you think of RM, you think of trading controls. And those trading controls usually rely heavily on automated applications of many types and flavors. But what if one of these critical applications failed or did not operate properly? What type of IT risk management tools does the CIO use? What's available to him? Is a suite of risk management tools in place? How are they managed? How do they integrate? How do they manage risk?
purpose and scope
The PURPOSE of this session is to discuss IT risk management procedures that will significantly reduce business risk, capital drain and loss of competitiveness. Its intention is to make the audience, both technologists and users alike, aware of these types of tools so they can be applied in your own offices. In fact, IT risk management is the front line in the battle to achieve business risk avoidance.
The session is organized as follows:
I'll tell you the pedigrees of our panelists
Next, I will give a brief introduction and explanation about what IT risk management tools are
Then, I will ask our panelists to address specific questions about how they acquired these tools and how they use them
And, for the last 5-10 minutes of our allotted time, we will answer questions from the audience
II. ABOUT OUR PANELISTS
Steve Bass, Senior Vice President, Chief Information Officer, New York Board of Trade
William Farrow, Executive Vice President, Chicago Board of Trade
Brett Paulson, Senior Vice President, Chief Information Officer, Board of Trade Clearing Corporation
Phillip Marks, Project Management Consultant, Rolfe & Nolan Plc
Roman Szymansky, President, MicroDesign Services, Inc.
Jonathan Weisblatt, Senior Vice President, eTrading/eCommerce, Man Financial
Jerry Tellefsen, Moderator, Senior Vice President, Tellefsen Consulting Group, Inc.
III. WHAT ARE IT RISK MANAGEMENT BEST PRACTICES TOOLS?
We will discuss six types of RM tools and processes today:
Rapid Application Development (RAD)
Quality assurance (QA)
Automated test tools
Version control
Disaster recovery
Business continuity planning
Let's take a brief look at each.
best practices tools


RAPID APPLICATION DEVELOPMENT (RAD) TOOLS

WHAT ARE THEY?
They are rule-based licensed software tools that, once learned, allow the tool user to have thousands of lines of code developed automatically, almost instantly.

WHAT BUSINESS RISK DO THEY HELP AVOID?
Mainly, time to market! Imagine if development would normally take six to nine months to complete and you can do that in one-third the time. The earlier the service is provided to the business user, the less risk there is of losing market share.

QUALITY ASSURANCE (QA)

WHAT DOES IT DO WHEN IT'S DONE PROPERLY?
It assures that the likelihood of failure of any new application put into production is extremely low because it has been so methodologically tested and retested. It is a very strict regimen and, almost as importantly, an insurance policy for the CTO/CIO.

WHAT BUSINESS RISK DOES IT HELP AVOID?
Many kinds. The risk of starting up and failing because the system doesn't perform as advertised. The risk of losing disappointed users. The risk of losing the business. The risk of the CTO/CIO getting fired.

AUTOMATED TEST TOOLS (ARROWS IN THE QA QUIVER)

WHAT DO THEY DO?
They significantly speed up all kinds of testing: functionality, stress and failover. They allow one to simulate, test and understand bandwidth requirements. They can be licensed from multiple sources and take some time to learn how to use properly, but are well worth investigating.

WHAT BUSINESS RISK DO THEY HELP AVOID?
Many! Including but not limited to: speedier testing of new and revised software (time to market) and ensuring no system failure when running at maximum capacity.

VERSION CONTROL

WHAT DOES IT DO?
Version Control (aka Change Management) keeps track of where (in which computers) each version of application and system software is running. Its methodology ensures that all preliminary steps required to verify the readiness of a new software version to go into production have been accomplished.

WHAT BUSINESS RISK DOES IT HELP CONTROL?
Mainly, that mission-critical applications don't go down when new versions of application and system software are upgraded. It ensures that old versions of existing software will work as expected with the application version being upgraded, and that new features and bug fixes are actually implemented in new releases.

DISASTER RECOVERY (D/R)

WHAT DOES IT INCLUDE?
First, D/R is not the same as failover. D/R is a capability to keep computer systems running at a backup data center, with minor hitches, when a catastrophe occurs at a primary data center.

WHAT BUSINESS RISK DOES IT HELP CONTROL?
Loss of data processing capability

BUSINESS CONTINUITY PLANNING (BCP)

WHAT IS IT?
It's different than D/R, but clearly includes D/R. It's a strategy and plan to keep the business running by assuring that the people needed to run the business have required facilities and information provided to them quickly. A BCP is very inclusive and detailed and is a dynamic document with multiple accesses for instant availability.

WHAT BUSINESS RISK DOES IT HELP AVOID?
Talk to anyone affected by 9/11
IV. WHAT ARE OUR PANELISTS' EXPERIENCES?
QUESTIONS FOR PANELISTS
1. What are your experiences with rapid application development tools?
2. For those of you who do not use RAD, why not?
3. Has the QA department ever saved your bacon?
4. Is the role of the QA department clearly understood and appreciated?
5. How do you do new application testing today?
6. How have application testing tools helped you to be risk averse?
7. What network and security measures do you use?
8. How do you effect version control in your company?
9. Have you ever had a version control disaster?
10. Does your firm have a D/R plan ... and do you practice it?
11. What effect did 9/11 have on your D/R focus?
12. Who maintains the BCP in your firm?
13. Did your firm have one on 9/11?
