There are several key components of an effective and mature IT risk management framework. The following is a list with a brief description of each:
- Business Drivers: purpose, mission, and vision of the program from the perspectives of business objectives, regulatory requirements, and top-level management
- Risk Strategy: concise, top-level plan that lays out the vision and direction for risk management throughout the entire organization; should contain risk tolerance guidelines, expectations, and integration of processes with information technology operations
- Governance: ownership, accountability, and oversight
- Policies and Standards: define technology policies, standards, and procedures with participation from all functions, including IT
- Risk Identification and Profiling: define a consistent process for identifying and classifying risk; prioritizing and rating risks consistently is very critical across the entire organization
The survey conducted by Ernst & Young Financial Services is categorized by different topics, including analyses of positive trends and areas for improvement.
Information Technology Risk Management Program Maturity and Effectiveness – Approximately 78% of respondents reported that they have a formal IT risk management function, indicating increased integration with the overall risk management program. In addition, about 54.4% felt that investments in programs were increasing, indicating that programs are in early stages of maturity. Areas of improvement include program governance and spending as well as awareness of and education about risk management.
Convergence – Over half of the survey respondents felt that an integrated approach to risk management contributed to its success, while 40% felt that it posed challenges. Ideally, assessment of risks and controls should be done just one time and tested once, using the results for multiple purposes. Areas for improvement include building a common control library, taxonomy and common risk language across all functions, not just IT. In addition, about 60% stated that IT risk management programs were only partially aligned or not aligned at all with the enterprise-wide risk strategy; therefore, significant improvements still lie with this important aspect of risk management.
Information Technology Risk Management Processes – The results indicate that organizations have established processes and are now looking for efficiencies and ways to optimize those processes. In addition, over three-fourths of the respondents felt their organizations have established formal IT risk framework and assessment processes. However, areas for improvement include optimization of controls and alignment of processes.
Tools and Technology – A majority of respondents expect spending projections to increase to assist with optimization and process automation. After establishing effective processes, using tools for optimization of the risk management program will help consistency across the enterprise risk management program.
Reporting and Metrics – Survey results indicate that about half of the respondents agreed that tools to monitor and report risk contributed to the success of their IT risk management initiatives. Metrics and reporting assist in communicating value to top-level executives, which helps secure strong support and spending for the IT risk management program. However, more than 40% of respondents did not feel their organization was effective in risk reporting and disclosure.
The survey concludes with explanations about using benchmarking to determine where firms stand compared to industry leading practice and on what areas they should focus. Also, the survey cites regulatory compliance as a key driver impacting IT risk management beyond 2008.
This abstract is based on the report “Managing Information Technology Risk: A Global Survey for the Financial Services Industry” by Ernst & Young Financial Services, 2008. Please contact Ernst & Young Financial Services for a copy.