Insights on it risks evolving it landscape


Published on

  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Insights on it risks evolving it landscape

  1. 1. Insights on IT risk Business briefing June 2011 The evolving IT risk landscape The why and how of IT Risk Management today
  2. 2. ContentsIT risks in today’s business risk landscape.............................. 1The IT Risk Universe ............................................................. 5IT Risk Management ........................................................... 10What organizations are doing .............................................. 14Taking action ...................................................................... 16
  3. 3. IT risks in today’s businessrisk landscapeThe evolving IT risk landscapeThe way in which companies interact with their employees, customers and other organizationsis changing at an unprecedented rate. Mobile computing and new technologies such ascloud computing and social media are breaking down the walls of the conventional officeand demolishing the old IT risk paradigm.For example, an organization’s hardware is now operated in low-cost countries, software isprovided in the cloud and an organization’s data is held all round the world. Corporate datais transmitted over the internet, communicated and discussed on social media channels,and can travel around the globe instantly through a variety of channels and platforms,captured on employees’ smart phones, tablet computers and personal computers. Thesehigh-tech devices, through which data now flows freely, were once only the exclusive domainof the employers who provided them, but now they are mostly owned by employees. Theresult is personal information and important and proprietary company data often residingon the same low security devices.Faced with these complex and ever-changing layers of risk in this new ‘world withoutborders’, IT risk programs must expand and adapt to meet these challenges.IT risk has historically been dismissed as the sole responsibility of the IT department, and hasnot been considered a strategic business risk requiring an enterprise-wide focus. However, as thepervasive use of IT tools and technology continues to grow, impacting virtually every aspectof business function, it is becoming increasingly clear that managing IT risk is less about justIT, and more about managing risks for the whole business. Organizations must now include ITRisk Management (ITRM) within their overall enterprise-wide risk management approach.Over the years, our annual Global Information Security surveys1 have revealed that boardmembers and audit committees are increasingly interested in information security. This isone of the most important measures an organization can take to potentially reduce IT risk.However not all IT risks are covered by information security; there is a lot more to do.1 For further detailed reading on information security, ask for a copy of Borderless security: Ernst & Young’s 2010 Global Information Security Survey, or download from on IT risk | June 2011 1
  4. 4. IT risks are firmly linked tobusiness risksThe Ernst & Young Business Risk Report 2010 looked at the top 10 But there is more. In the graphs we have also highlighted (redrisks across all business types, then by specific industry. By way of star) those business risks in the top 10 that actually have a largeexample, the ‘risk radars’ below show the top 10 risks for banks and IT component within them, containing a ‘hidden’ IT risk. Managingfor technology organizations. these business risks can only be achieved effectively when ITRM is an integral part of business risk management. Without ITRM anThese two sectors are heavy users of information technology. Risks organization will fail to fully address these important business risks.related to IT are therefore listed as a separate category in their top10 list. The banking sector has a generic ‘IT risks’ category (greenstar) while the technology sector focuses more specifically on ‘datarisks’ (green star). Banking Technology Co Co ial m al m nc pl nci pl an a a i n na na ia ia nc nc Fi Fi a g nan an e e in na n ai Protecting the value Managing and of liquid assets, defending property, g a an including managing including R&D e i en ia cre i ian i k foreign exchange volatility optimization ai i e ro th in a post scal a i n i k stimulus world and Responding to e i ica continued expansion technology macroeconomic in emerging markets convergence hock an a i a f cient and i k in ing Reshaping the business effective operations i a ign through business through shared n a i n model evaluation Enhancing service centers or restructuring product eak ec e e development Strengthening i ece i n Selective capabilities data security i k acquisition ns St ns St gani a i na and effective te te at io ra at io ra integration gi change r gi r c O pe c Attracting and O pe managing talentMost of the business risks have a strong link to IT risks Most of the business risks have a strong link to IT risks• Regulatory risk. How will regulators respond to the increasing • Expansion in emerging markets. Does increasing your company’s threat of IT risk? footprint add to the challenge of business continuity?• Geopolitical shocks. What is your exposure to these shocks? • Reshaping the business. How much would your IT risk profile change? How responsive is your IT organization? • Shared services centers. Would this increase the risks to security• Reputation risk. How would a cyber attack affect your and IT sourcing? reputation and brand? • IP and data security. Are you covered against data leakage, loss• Control failures. Could gaps or weaknesses in IT controls and security be contributing factors? and rogue employees?• IT risk. How will you address the key risk areas of security, • Selective acquisitions and effective integration. How successful resilience and data leakage? are your investments if you are not able to integrate the IT environment of an acquired company?Source: The Ernst & Young Business Risk Report 2010. This item is available to download from Insights on IT risk | June 2011
  5. 5. To put it differently: ITRM is influenced by the same market forces Some of the key risks to focus on and their implications for ITRM are:as the other risks and is supportive to achieving the overall business • Trends like business process outsourcing (BPO), cloud computingobjectives. It is within this business environment that organizations and IT outsourcing are all creating greater dependency on thirdhave to manage their ‘IT Risk Universe’. This IT Risk Universe is parties. Therefore managing business continuity — and ensuringprovided in the framework below; it captures and highlights the 11 the availability of IT facilities — has additional external dimensionsmost significant risk categories (the eleventh category is ‘strategy and complexities.alignment’ depicted in the center of the graph) which we will address • Events like the WikiLeaks incidents, identity theft and mobilein a later section in more detail. The risks within these categories computing are forcing companies to focus more on datawill change over time depending on the IT megatrends organizations leakage risks.are facing. ITRM provides the overall risk and control frameworkthat enables the most important control objectives for IT: effectiveness, • EU data protection directives are helping companies take actionefficiency, compliance, confidentiality, integrity, and availability. against increased cybercrime, phishing and online fraud. It is clear that — with the exception of concerns about issues related to the start of the new millennium — IT risks are only increasing. TheThe growing importance of ITRM breadth and depth of the risks and the need for effective counter measures is expanding rapidly, and will likely continue to accelerate.The IT risk paradigm has always been subject to changes, but the Many businesses are recognizing this: in our recent IT Risk Agendacomplexity and types of risk have expanded significantly over the Survey2, two- thirds agreed that managing IT risk has become moreyears and will continue to do so. Evolving business models, challenging over the past few years.increased regulation and deliberate acts of cybercrime all increasethe exposure to risk and heighten the need to impose a new riskmanagement regime. The graph on the next page shows how therisks have evolved over the years.The business environment and ITRM Business environment IT Ris ana ement Market IT e atrends Ef ciency Outcomes Business forces objectives Third-party suppliers and E Enable Globalization outsourcin Pro rams innovation ffe ce e al and an and chan e and change ct re ulatory mana ement ive pli Reduced cost Com Consumerization nes Margin of operations Protect pressure Strategy brand s Cloud computin Applications Security Predictability Resiliency and databases and privacy Regulatory IT Risk Transparency Manage pressure Universe and con dence compliance Cybercrive Physical and expectation Co n Infrastructure environment Avoidance of Internal threats New business security breaches Seemless l i ty A li models and gnm e nt customer Chan e a enda den a bi technology Enhanced capability experience a il tia Economic Av taf n li t Data Drive growth recovery and y market volatility Operations Investor I n te g r i t y Operational con dence excellence2 See ‘About our Survey’ at the end of this report. Insights on IT risk | June 2011 3
  6. 6. Cloud Evolving business models Smart phones and computing mobile computing Emerging threats business WikiLeaks Increasing regulatory requirements Payment card incident industry data security st. Increasing trend towards BPO/IT Risk outsourcing Major damage incidents Focused exposure through intrusions (viruses, terrorist worms, DOS attacks, etc.) Rise on threats online fraud EU - Data protection Sarbanes-Oxley Increased directives cybercrime Increasing Internet and web identity theft service attacks Extended and phishing enterprises Organized 9/11 - War against industrial E-commerce terrorism espionage boom Start of Y2k internet era Evolution of connected Increased awareness economy of insider risks, intellectual property 1995 – 1999 2000 – 2003 2004 – 2007 2008 – 2012 Internet startup E-commerce Extended Borderless enterprise enterpriseHas managing IT risk become more challenging over The growth of technologies such as mobile computing, cloudthe past years? computing and virtualization, and the rapid adoption of social media platforms and online commerce/payments shows little 3% sign of slowing. Newer technologies will continue to be created, 12% 18% each posing their own new set of risks and challenges, the nature of which cannot be easily predicted. Some organizations have embraced the new technology and harnessed it to help grow their businesses. (For example, the new consumer product and services 19% discount website ‘Groupon’ needed only three years to achieve US$ 1 bn in revenue). For these fast-moving companies, reliance on effective ITRM is considerable. They understand that an IT risk incident imperiling data and undermining consumer confidence 48% could threaten their very existence. Cybercrime is a highly unpredictable risk and has inevitably drawn increasing governmental regulation and oversight scrutiny. The EU data protection directives, Sarbanes-Oxley and the Payment Card Strongly agree Industry data security standards have therefore also become significant drivers of investments in ITRM-related processes and procedures. Agree Neither agree nor disagree Disagree Strongly disagree4 Insights on IT risk | June 2011
  7. 7. The IT Risk UniverseIn order to effectively manage IT risks, organizations need to get The IT Risk Universe highlights the need for an aligned strategya broad and complete view of the entire IT risk landscape. We to manage the 11 broad risk categories. These categories arehave developed a framework to provide such a view, called the IT relatively stable but the risks within these categories will varyRisk Universe. This holistic perspective provides companies with company by company and will evolve over time.a starting point to help identify and manage current IT risks andchallenges, and those that may evolve over time. • Poor service levels • Data Leakage • Inadequate support • Lack of assurance • Budget overruns • Non-compliance • Significant delays with regulations • Poor quality of deliverables • Non-compliance with software • Ineffective change control license contracts Third-party suppliers and outsourcing • Unsupported Programs applications Legal and and change • Intrusion of regulatory management malware • Critical system failures • Virus attacks • Unable to handle • Web site attacks load • Poor patch • Configuration Applications Security and management issues and databases privacy IT Risk Universe Infrastructure Physical • Damage to servers environment • Utilities failures • Inflexible IT • Natural disasters architecture • Labor strikes • Theft • Environmental • Obsolete technology sanctions Sta ng Data Operations • Disclosure of sensitive data • Loss of key IT resources • Corruption of data • Inability to recruit IT staff • Unauthorized access • Mismatch of skills • Failure to mine information • Lack of business knowledge • Operator errors during backup or maintenance • Breakdown of operational processes Insights on IT risk | June 2011 5
  8. 8. How different business environments Note that large organizations are almost never in a single mode. They can be in several modes of the quadrant at the same time,impact IT Risk Universe depending on the part of the organization that is examined and the core applications in use in this part of the organization.With IT risks so closely bound to business-wide risks, board membersshould be asking critical questions about the effectiveness of For example: organizations (or parts thereof) in ‘Factory’ or ‘Strategic’managing IT risks. To help identify these important and revealing mode (scoring highly on the vertical axis) should focus on businessquestions, board members don’t need to have detailed IT knowledge. continuity measures to prevent operational disruptions. For these types of organization, information security and reliability should beThey just need to be clear on two things: how much their company on the agenda of boardroom discussions. The board should, forrelies on cost-effective, uninterrupted and secure IT systems example, ensure that management monitors the organization’s(defensive IT), and how much their company relies on achieving networks on security breaches and that business continuity andcompetitive advantage through IT (offensive IT) or both. This disaster recovery plans are in place and effective.understanding will help drive the questions they need to ask. Organizations (or parts thereof) in ‘Turnaround’ or ‘Strategic’ modeCompanies can plot themselves on this “IT Strategic Impact Grid’ to (scoring highly on the horizontal axis), should focus more onhelp gain perspective on their IT priorities, How ‘business critical’ managing IT investments in innovation, and maintaining an overviewtheir day-to-day operational functions are, and whether IT requires of the continuously changing IT landscape. The risk managementgreater innovation and investment. activities would typically focus on the mitigation of risk associatedOnce an organization is aware of the mode they are in, they can with IT projects, programs and change management initiatives.focus on what is important for their specific circumstances and Typical control activities could, for example, focus on assuranceimplement customized governance and controls as necessary. of strategic IT projects, the maturity of configuration and change control processes, and control over the enterprise architecture. IT strategic impact grid Defensive Offensive Factory mode Strategic mode Increasing need for reliable information technology • If a system fails for more than one minute, there is • If a system fails for more than one minute, there is an immediate loss of business an immediate loss of business • Decrease in response time beyond one second has • Decrease in response time beyond one second has serious consequences for internal and external users serious consequences for internal and external users • New systems promise major process and service • Most core business activities are online transformations • Systems work is mostly maintenance • New systems promise major cost reductions • Systems work provides little strategic differentiation • New systems will close significant cost, service and/ or dramatic cost reduction or process performance gaps with competitors Support mode Turnaround mode • Even with repeated service interruptions up to 12 • New systems promise major process and service hours, there are no serious consequences transformations • User response time can take up to 5 seconds with • New systems promise major cost reductions online transactions • Internal systems are mostly invisible to suppliers and • New systems will close significant cost, service and/ customers. There is little need for extranet capability. or process performance gaps with competitors • Companies can quickly revert to manual procedures • IT constitutes more than 50% of capital spending for 80% of value transactions • IT makes up more than 15% of corporate expenses • Systems work is mostly maintenance Increased need for new information technologySource: “Information Technology and the board of directors,” Nolan & McFarlan, Harvard Business Review, October 2005.6 Insights on IT risk | June 2011
  9. 9. IT Megatrends help identify the IT risks that matterTo help best appreciate the IT Risk Universe and to build an ITRM Each of these megatrends brings with them great opportunitiesapproach, it is helpful to understand that IT risks are impacted as well as new and complex challenges. Each of these megatrendsheavily by a number of significant trends — so-called ”megatrends’. links to the IT Risk Universe in several ways, as shown in the table below: Categories of IT Risk Megatrends Business benefit Business/IT risks Universe affected • Mobile computing: Anytime • Increased vulnerability due to anytime, anywhere accessibility • Security and privacy and anywhere connectivity/ • Risk of unintended sharing, amplification of casual remarks, and • Data high volume portable data disclosure of personal and company data. The availability of this • Legal and regulatory storage capability data on the web facilitates cyber attacks Emerging • Infrastructure • Social media: New and • Employees may violate company policies in terms of data leakage consumerization advanced information sharing capabilities such as crowdsourcing. • Lower total cost of ownership • Lack of governance and oversight over IT infrastructure, • Security and privacy • Focus on core activities and applications and databases • Data reduction of effort spent on • Vendor lock-in • Third-party suppliers and managing IT infrastructure • Privacy and security outsourciing and applications • Availability of IT to be impacted by the use of • Applications and databases The rise of cloud • Contribute to reduction of the cloud • Infrastructure computing global carbon footprint • Increased risk to regulatory non-compliance (SOX, PCI etc.). • Legal and regulatory The cloud also brings about challenges in auditing compliance. • The cloud may impact the agility of IT and organizations; the platform dictated by the provider may not align with software development and strategic needs of the user • 24/7/365 availibility of IT • Failure of the business continuity and disaster recovery plans • Infrastructure systems to enable continuous causing financial or reputational loss • Applications and databases The increased consumer support, operations, • Staffing importance of e-commerce, etc. • Operations business continuity • Physical environment • N/A • Spread of malicious code in company systems causing system • Security and privacy outages • Data Enhanced persistence • The risk of theft of personal, financial, and health information of cybercrime • Loss of confidential data due to external vulnerabilities • Financial loss due to unauthorized wire transfers • N/A • Assigning access rights that are beyond what is required for • Data the role by employees or contractors • Applications and databases Increased exposure • Failure to remove access rights for employees or contractors to internal threats on leaving the organization • Fast adoption of new business • Failure to deliver IT projects and programs within budget, timing, • Programs and change management models or reducing costs quality and scope causing value leakage The accelerating provides organizations with change agenda competitive advantage Insights on IT risk | June 2011 7
  10. 10. 1. Emerging consumerization: This is when new information at least parts of their IT in the cloud. The benefits to using cloud technology emerges first in the consumer market and then computing include a reduction of the total cost of ownership, and spreads into business organizations. This results in the it allows organizations to focus on their core business since it convergence of the IT and consumer electronics industries, and reduces the overall effort to managing infrastructure operations. a shift in IT innovation from large businesses to the home. Mobile On top of these benefits, the increased adoption of the cloud will computing and social media are examples of consumerization reduce our overall ecological footprint since it allows for more that are increasingly being adopted by a wide audience and effective utilization of IT assets. The cloud also brings several across many demographic groups. They are examples of new risks and challenges that need to be managed, such as the how technology is providing the user with great convenience ownership of data, availability risks, and challenges in auditing such as anytime and anywhere access to information (mobile regulatory compliance. computing), enhanced information sharing capabilities (social 3. Resiliency: As companies grow in complexity and interconnectivity, networking) and high volume data storage portability (mobile the impact of non-availability of any of the IT resources has computing). Consumerization also brings about new risks related magnified. In the current world of the “borderless enterprise,” to accessibility through mobile computing or the unintended there is a visibly cascading impact of the inability of any part of disclosure of personal or company data through social media. the organizational value chain to deliver on its commitments.2. The rise of cloud computing: This is a means of using the In addition, many businesses are increasingly dependent on internet to access data, using a third party’s software running on their IT systems for 24-hour availability for their sales and yet another party’s hardware, potentially in yet another party’s customer support, or other core company operations. Although data center. In this example, that data center is usually operated the importance of business continuity and disaster recovery by a cloud service provider that offers a pay-as-you-go service. is recognized by many companies, others still struggle. Many As shown in the diagram below, this is offered in several common companies don’t have business continuity plans, and those that market services including IaaS (Infrastructure as a Service), PaaS do rarely test them. Business continuity has a more prominent (Platform as a Service), and SaaS (Software as a Service). position in the IT Risk Universe than ever before. This is Companies are increasingly using the “cloud” to support all of (or evidenced by the results of the Ernst & Young Global Information portions of) their systems landscape. Various surveys on internet Security Survey 2010 which showed that the availability of IT usage show that more than 50% of large corporations now source resources is identified as the number one risk. Data center services On-premise Infrastructure Platform Software (as a service) (as a service) (as a service) You manage Applications Applications Applications Applications You manage Data Data Data Data Runtime Runtime Runtime Runtime Managed by vendor Middleware Middleware Middleware Middleware You manage Managed by vendor O/S O/S O/S O/S Managed by vendor Virtualization Virtualization Virtualization Virtualization Servers Servers Servers Servers Storage Storage Storage Storage Networking Networking Networking Networking8 Insights on IT risk | June 2011
  11. 11. 4. Enhanced persistence of cybercrime: Companies have crisis, or from a sense of acting in the public interest. In practice, increasingly been victims of cybercrime. FBI statistics show that many firms are struggling with the management of providing the cybercrime rates in 2009 and 2010 were higher than ever the right access to information to the right people in their before and 20% up on 2008. Research by the UK government organizations. Experience tells us that: (1) companies are not (Office of Cyber Security & Information Assurance) has shown able to articulate what their most valuable and important data that the overall cost to the UK economy from cybercrime is elements are, (2) where these data elements are and (3) where approximately £27bn per year. The study shows that the majority these data elements are sent to. (£21bn) of the loss is being born by UK businesses and that 6. The accelerating change agenda: Change remains a “constant’ these losses are attributed to leakage of vital company data in IT. Companies have historically put much effort in building and since ‘espionage’ and ‘IP theft’ are the two largest sources of professionalizing an ERP landscape to support their core economic loss in the UK. Cybercrime was initially the work of processes. Nowadays, the focus seems to shift to the surrounding individuals that undertook hacking activities such as identity suite of the ERP core such as Governance Risk & Compliance theft for their own personal financial gain. More recently, (GRC) and business intelligence. In addition, the financial crisis cybercrime has become perpetrated by more organized groups has put a break on innovation with many organizations due to working in concert, leveraging more resources, skills and reach. budget cuts. They have therefore ceased to invest in strategic Advanced Persistent Threats (APTs) are a growing issue. The change in the past years leading to a significant installed base of nature of these activities is that they are not focused on short IT legacy. For these two reasons, IT projects and programs remain term gains; the goal is to stay uncovered and to collect as much top IT priorities. vital company information as possible (IP, rates, proposals, new product design, strategic plans, etc). Traditional information The statistics on IT projects and programs, however, are not security measures are relatively ineffective against these APTs encouraging: according to the regular reports published by and this has forced organizations to take additional measures Standish, approximately 2 out of 3 projects are classified as ‘not against external threats. successful’ meaning that they are either over budget, too late or not delivering the anticipated benefits. The low success rate5. Increased exposure to internal threats: The recent exposure causes a severe value leakage in IT organizations since they of Wikileaks-related incidents have shown that internal security receive less ‘bang for the buck’ invested in IT as anticipated. In is at least as important as external threats. In one incident a order to increase the success rate in IT projects and programs, disgruntled (ex)-employee of a Swiss bank handed over the bank organizations may take additional measures such as implementing account data of more than 2,000 prominent individuals to Wikileaks, Quality Assurance programs on major strategic programs. potentially exposing tax evasion. This incident emphasizes once more that employees with access to critical, restricted information For further reading on these trends and other related topics, refer to can put organizations at risk by disclosing the information to the our report, Innovating for growth: IT’s role in the new global economy public. This risk has recently been fueled by a rise in rogue or (available from This report discusses these trends and disgruntled employee behavior as a consequence of the financial other related topics in more detail. Insights on IT risk | June 2011 9
  12. 12. IT Risk ManagementIn the following areas of IT risk, did your organization Today’s megatrends in ITexperience a negative incident or event in the past 12months (response rate ‘yes’)? To address the evolving trends in IT risk, and any critical categories 20.00% within the IT Risk Universe, many organizations may need to do some 18.00% significant re-evaluation or readjustment of their ITRM approach. It should take into account not just the current state, but also factor in 16.00% the future business response to the megatrends. 14.00% 12.00% In our survey, we asked executives in which categories of the IT Risk Universe they had experienced the most negative IT- 10.00% related incidents. Our results show that the three most commonly 8.00% experienced incidents were in the categories of (1) security and 6.00% privacy, (2) infrastructure and (3) data. It is not a surprise that all 4.00% three categories also relate to most of the IT megatrends. 2.00% We then also asked the participating executives if they planned to 0.00% spend more or less on the different IT Risk Universe categories. Their response (see below) shows that: • security and privacy and infrastructure are recognized as high risk areas and organizations are planning to spend more to mitigate these risks • although applications and databases are not immediately a high risk category, organizations plan to spend more (with the potential risk of overspending) • the risks around data are not yet very high on the corporateFor each of the following areas of IT risk, does your agenda (implying a potential risk of underspending).organization plan to spend more, less or the same over thenext 12 months (in comparison with the previous 12 months)to mitigate the associated risks? (Y-axis scale: % participantsresponding ‘more’ - % participants responding ‘less’) 14% Over spend? 12% 10% 8% 6% 4% Under spend? 2% 0%10 Insights on IT risk | June 2011
  13. 13. Taking responsibility for managing Creating a pro-active ITRM frameworkIT risk The first step in building an effective and proactive ITRM program is to identify its core components. This is where organizationsA key challenge for large companies is how to effectively embed can leverage their existing risk management framework to ensureITRM efforts across the enterprise. It is not possible for any one consistent coordination, collaboration, risk coverage and risksingle control, function or organizational layer to mitigate today’s management across the enterprise. The graphic on the nextcomplex IT risks. Risks need to be coordinated along the page shows a detailed ITRM framework and addresses the keyseveral lines of defense each organization has. Companies therefore components from the top down.need to implement controls across these various lines of defenseto bring the inherent IT risks back to a level that aligns with thecompany’s strategic risk appetite. The overall effectiveness ofITRM is thereby determined by how well organizations are able tobuild effective controls across these lines of defense and across allfunctions and stakeholders.Different functions involved in managing risk: lines of defense Market forces Manage IT risk through Achieve business IT megatrends and strategy lines of defense objectives Enable innovation Globalization R&D and change Consumerization Transactions Business support functions Margin pressure Marketing Internal Executive Protect brand Cloud computing IT audit management Risk functions Procurement Regulatory Manage compliance Strategy Operations Oversight and SCM Tax Compliance Board pressure Resiliency and expectations Inventory Finance Internal Audit New business Cybercrime Seamless customer control control committee models and technology experience Legal/ Internal threats Manufacturing regulatory Risk Other Economic recovery and management committees Drive growth market volatility Change agenda Sales and HR distribution Operational Investor confidence excellence The ITRM activities and processes (e.g., risk assessment, issue management, crisis management) are performed by many different functions in every organization within the several lines of defense. Insight into the processes and activities is provided in the subsequent sections of this article. Insights on IT risk | June 2011 11
  14. 14. IT Risk Management program Outcomes 1 IT risk governance Risk Organization 3 Risk identification • A risk conscious culture established at Policies and standards the top and cascaded throughout the (People, program, function) and profiling organization • Streamlined risk and control operations Process, risk and control framework • Reliable insights in risks supporting 4 Risk assessments decisions and enabling performance Risk processes and operational procedures regulatory requirements Cost Business drivers and • Rationalization or reduction of risk overlaps Risk srategy and redundancies management Ris • A focused effort on the risks and Issues e k m orting that really matter versus the low risk areas As reg rdin anc rep acc Risk su ula at ag ab d etri ept an r an en y ra to ion co Value em ilit t nc ry o m lne at cs e vu hre an Inc nt T d ma iden me • Enabling confidence to take risk as opposed na t lo ge ge na to avoid risk me ss s ma nt isi Cr • The risk function provides process improvement suggestions 2 Scenario analysis 5 Awareness and training 2 Tools and technology Compliance monitoring and reporting 1 1 IT risk governance & compliance monitoring and reporting. 2 Business drivers, regulatory requirements and (IT) risk Ownership, accountability, and oversight are the cornerstones strategy. Most organizations do not spend enough time clearly of any risk management program. The risk governance defining those critical business issues or business drivers that component of the ITRM program should have a strong leader, create the need for an ITRM program. These drivers must be an executive who can juggle strategic and tactical enterprise aligned with business objectives, regulatory requirements, initiatives across diverse and distributed IT environments. The and board of directors and executive management directives. overall governance of an ITRM program is supported by the IT Without such alignment, there is the potential for confusion in risk dashboard to enable ongoing (compliance) monitoring and coordinating various agendas and communicating the overall reporting on program effectiveness and risk posture. enterprise risk vision. This vision should encompass risk- tolerance guidance, risk processes, expectations for the risk This is where organizations put in place their processes to management function, and the integration of risk processes assess compliance with policies, standards, procedures, and such as IT security into standard IT operations. regulatory requirements. Monitoring and reporting capabilities are designed to provide management with organizational views and trend analyses for risks, control issues, and vulnerabilities.12 Insights on IT risk | June 2011
  15. 15. 3 Organization/Risk identification and profiling/Policies and standards. ITRM should be supported by a proper definition of roles and responsibilities. In addition, the ITRM program must define policies, standards, and guidelines that are fair to all stakeholders, and that provide an effective management of the operational procedures themselves. This includes specifying who has ownership and accountability for defining the organization’s IT risk procedures, and for providing the oversight and guidance for formulating them. Since organizations operate in a constantly changing risk environment, the organization needs to define a consistent process for identifying and classifying risk. This includes defining a taxonomy for risks and internal controls, risk ratings, prioritization of gaps, and parameters for the frequency and rigor of IT risk and internal controls assessments. Risk profiling reveals the gaps in a company’s processes for managing its risks across the spectrum of potential exposures — legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Risk prioritization indicates the relative importance of the risk, including the likelihood of the threat, the degree of vulnerability and the potential business impact.4 Process, risk and control framework. The organization should have a framework incorporating an IT process, risk and control framework (a library) with associations to regulatory, leading practices and internal requirements. In addition, the organization needs to design methodologies and procedures to enable a sustainable and repeatable assessment of IT risk in support of ITRM goals.5 Risk processes and operational procedures. Processes and operational procedures represent the heart of the execution phase of an ITRM program and should be directly linked to the chosen risk management standard. This is the critical point for ITRM. Core components should include: • Scenario analysis for disasters and events • Incident loss management to capture events and estimate their financial impact • Assurance and regulatory coordination for the risk management processes to support the continuous enhancement of IT-oriented risk data and processes • Risk metrics and reporting to achieve continuous insight in risk exposure • Issues management to operationalize the handling of issues • Risk acceptance for the residual risks by management • Threat and vulnerability management • Crisis management during disasters or major events • Awareness and training to increase the capabilities to achieve operational excellence in ITRM Insights on IT risk | June 2011 13
  16. 16. What organizationsare doingWhich of the following best Adoption of ITRMdescribes the ITRM program in yourorganization? In the IT Risk Agenda Survey we investigated the degree of adoption of ITRM. We found that over one third of the organizations had a well-established program and that almost a quarter had only recently implemented an ITRM program. Another 30% were either 12% implementing a program or considering a program. Further in-depth analysis of these 13% 36% results also shows that there is also a correlation between the size of business and the adoption percentage: large companies (700 employees or more) are significantly more likely to have an established ITRM program in place than companies with fewer employees. 17% 22% The use of tools Many software vendors offer risk management or GRC (Governance Risk & Compliance) services. These tools often link their business requirements with a reporting tool that Level 5 can aggregate various risk elements and information in order to obtain an enterprise- The program has been well-established wide view of IT risk. We asked the participants in the IT Risk Agenda Survey if they for several years used such supporting tools. We found that the more mature the ITRM program is within Level 4 We introduced a program within the an organization, the more likely it is that the organization uses tools. In our view an past three years organization should seriously consider the adoption of appropriate tools – our survey Level 3 suggests that the use of tools may be a key component in the achievement of a mature We are in the process of implementing ITRM program. a program Level 2 We are currently evaluating options for a program Level 1 We are not considering a programDoes your organization use any tools or software applications to support ITRM (e.g., GRC tools)? 100% 90% 80% 22% 27% 70% 60% 50% 40% 20% 30% 31% 20% 10% – 0% Level 5 Level 4 Level 3 Yes - we rely upon Yes, but we use these on these to support our a linited basis only IT risk management efforts No, but we are considering No - we are not considering using such tools the use of such tools14 Insights on IT risk | June 2011
  17. 17. The perceived value of ITRM competitors. This can translate into reduced reputational risk, improved stakeholder confidence and more preferential ratingsIn today’s business environment, organizations need to from outside commentators and regulators.demonstrate value from the procedures they put in place - whether Added value can also be demonstrated in other ways: our resultsthey have arisen from recent investments or not. In addition to show that organizations that have more ‘experience’ in ITRM,the risk management value, we asked the participants in the through years of a more established program, are more risk alertIT Risk Agenda Survey to rate the effectiveness of their ITRM and more attuned to the changing trends in IT risk. They may haveprocesses against that of their competitors. The results show that higher standards and expectations for their program and so workorganizations with ‘mature’ ITRM rate the effectiveness of ITRM harder to stay ahead of IT risk, rather than keep up with it.much more highly than peers. In our view these organizations usetheir ITRM program to obtain competitive advantage: we know that Those that are not considering a program are more likely to bethere is a strong correlation between the length of time an ITRM ambivalent as to whether IT risk is more challenging or not. Thisprogram has been in place, and its superior effectiveness against could suggest a greater degree of complacency or a greater lack of awareness versus those organizations that have a program. How would you compare the effectiveness of your organizations’s ITRM with that of your competition? (% participants responding ‘ours is more effective’ ) Level 5 30% The program has been well-established for several years 25% Level 4 We introduced a program within the 20% past three years Level 3 15% We are in the process of implementing a program 10% Level 2 5% We are currently evaluating options for a program Level 1 0% Level 1 Level 5 Level 4 Level 3 Level 2 We are not considering a program - 5% Insights on IT risk | June 2011 15