One of the top universal issues that business executives, boards of directors and audit committees deal with is they hate surprises. I'm not talking about the good ones, like an unexpected jump in stock price, a product launch that's a runaway success, or a favorable tax position. I'm talking about bad surprises. Those that bring to the forefront risks that the company, its risk and assurance functions, and "the auditors" failed to identify and do something about. This especially hits home to auditors when they recently spent time auditing a particular area and could have identified certain risks and alerted management before it led to a bad surprise. Bad surprises come in all shapes and sizes but they usually spring from unidentified or misdiagnosed risks. A risk category that is a top five for most executives, and is becoming more prevalent (but is much less understood) is IT risks.
Gartner recently released its Magic Quadrant for IT Risk Management (again naming EMC/RSA a leader for its Archer GRC platform offering). Gartner defines this space as risks within the scope and responsibility of IT, the IT department, or IT dependencies that create uncertainty in daily tactical business activities, as well as IT risk events resulting from inadequate or failed internal IT processes, people or systems, or from external events. Gartner reiterates that IT risk management is a core competency for governance, risk, and compliance programs. This means that the line between business and IT risk management is becoming blurred as processes evolve and incorporate more and more technologies or become the technologies themselves. This raises IT risks that ORM/ERM and business process auditors, second and third lines of defense, may not be adept at recognizing and knowing how to deal with.
Among the many questions to address in proper risk management is one I'll focus on today. Which is this - does your organization have the right risk management structure, approach, organization and skills to properly manage IT risks? A potential weak link in the chain exists in many organizations' organizational approach to risk management. Operations Risk Management (ORM) or Enterprise Risk Management (ERM) functions typically address business risks, while IT risks are mainly tackled by the IT organization. Similarly, Internal Audit (IA) departments are often delineated between business auditors and IT auditors, who perform business process audits and IT audits, respectively. The weak link manifests itself if these separate groups don't have similar if not related risk management methodologies, don't communicate, and don't track or resolve findings through common approaches. IT organizations usually understands their risks fairly well, but they must do a better job at being the conduit between their business counterparts to translate IT risks into business impacts that make sense to executives. On a positive note, most ORM/ERM groups and their IT counterparts do connect at some level, either through similar risk management approaches, risk registers or other methods. Similarly, IT auditors typically have the skills to identify and raise issues around IT risks and do a good job of communicating them through their audit findings.
Most organizations have a ways to go until they can manage their IT risks to the point that they won't be seeing many surprises - but that's more of a journey than a destination that we're all on. Let's keep the dialogue going! Check out our Community page for more information on the Gartner Magic Quadrant series. Use this link for the “Community page” https://community.emc.com/docs/DOC-41831 and email me at Patrick.firstname.lastname@example.org with your thoughts!