IT/IS Risk Management Framework for the National Bank of Ethiopia
Date
2025-07-01
Publisher
Addis Ababa University
Abstract
With the increasing prevalence of cyber threats and rapid digital transformation, robust IS risk management has become essential for financial institutions, particularly central banks, which play a critical role in ensuring national economic stability. Despite the growing complexity and volume of IS-related risks, the National Bank of Ethiopia (NBE) has not yet implemented a formal IS risk management framework aligned with its strategic objectives. The absence of a structured approach limits the bank's ability to proactively identify, assess, and respond to evolving IS risks, thereby exposing critical systems to potential disruptions.

This study aims to assess the current IS risk management practices at NBE, identify organizational and procedural gaps, and propose a practical IS Risk Management Framework tailored to the institution's context. The research adopts a qualitative methodology grounded in the ISACA Risk IT Framework, focusing on the domains of Risk Governance, Risk Evaluation, and Risk Response. Data were collected through semi-structured interviews with 20 participants from ISMD, Internal Audit and Risk Management, and business units, as well as through document reviews. The study employed qualitative data analysis software (QDAS) to systematically code and interpret the interview transcripts.

The findings reveal that NBE's current approach to IT/IS risk management is fragmented, reactive, and poorly integrated with enterprise-level strategies. Key issues include the absence of a dedicated IS risk policy, the lack of a governance committee, siloed risk data, and reliance on basic risk categorization methods. Interview responses also highlighted gaps in risk communication, cross-functional coordination, and post-incident learning processes. Based on these insights and supported by best practices (e.g., the Risk IT Framework, ISO 31000, COBIT 5 for Risk, and the Option-Based IT Risk Management Framework), a tailored Information System Risk Management Framework is proposed. The framework includes strategic alignment mechanisms, formal governance roles, continuous risk monitoring processes, and a capacity-building agenda.

The research makes a theoretical contribution by contextualizing and extending the ISACA Risk IT Framework to the central banking sector in developing countries, addressing a gap in the IS risk management literature within this underexplored domain. It provides a structured model for enhancing information system risk oversight at NBE and similar institutions. Future studies are recommended to test the framework's effectiveness across broader institutional settings and to explore quantitative validation approaches.
Keywords
IT Risk, Information system risk, the risk IT, ERM, IT governance