Global financial services giant uses Protiviti’s model to map journey to IT risk management maturity

Global financial services giant uses Protiviti’s model to map journey to IT risk management maturity

Global Investment Management Firm Client Story

Change Requested: 
Eliminate overlaps, inconsistencies, redundancy and fragmentation from IT risk management practises
Change Envisioned : 
Provide a road map to achieving a holistic view of IT risk across the organisation, defined in a business, rather than technology, context
Change Delivered: 
A future-state vision and maturity goal based on strategic and growth objectives, and a prioritised multi-year road map with specific recommendations

As the financial services industry awakens to the competitive advantage of driving business value with technology, industry leaders are expanding their view of risk management to include information technology in the complex financial services “riskscape.” This new holistic view of technology risk, which we call Tech Risk 2.0, integrates IT risk management (ITRM) across an organisation, breaking down risk governance silos and aligning risk priorities with business goals and objectives, positioning organisations to respond better to a new market defined by cloud, mobile and fintech applications.


For one global financial services organisation, the journey to ITRM maturity began with an IT risk director frustrated by the inefficiencies and inconsistencies in the evaluation of IT risk across the organisation. The issues arose from the fact that the risk assessment practises in place (PCI, technology changes, project risk, vendor risk, etc.) were misaligned and fragmented, without a common framework or reference to the overall risk picture of the organisation. Inconsistencies were present in both the types of risk considered by the various groups and the methodologies used to assess them, but most importantly, in the conclusions about their effect on the organisation and the controls considered to mitigate them. In addition, much of the risk assessment was technology-focused and offered little business insight, which made it challenging for management to properly understand and prioritise IT risks at an enterprise level.

Management knew that if the organisation was to capitalise on technology-driven business opportunities, it needed to raise the level of its ITRM maturity by instituting an enterprisewide ITRM framework defined by business, rather than technology, goals.


Management understood also that a journey to higher maturity does not happen overnight. It is a cultural and operational evolution that occurs over multiple years, often requiring the assistance of an experienced third party unconstrained by the organisational silos and mindsets that often prevent such change from occur­ring. To provide this objectivity and expertise, the IT risk group partnered with Protiviti, selecting Protiviti’s IT risk maturity model with which to assess and improve its maturity state.


Transformation began with an initial discovery period to clarify organisational structures, identify stakeholders, document existing processes and envision a future state that takes into account regulatory requirements as well as the company’s technology-enabled business objectives. Discovery was followed by assessments and interviews to glean an understanding of established risk manage­ment practises and identify areas for improvement. Using its IT risk index, Protiviti compared the company’s ITRM capabilities to industry best practises, to arrive at a maturity level from which to design the road map for improvement. Once the gaps between the current and desired state were identified, Protiviti developed a list of prioritised observations and recommendations (short and long term) that would serve as a guide to the organisation in the transformation process.

Key deliverables from this process included:

  • A business-centred risk governance framework for managing all IT risk programmes and assessments 
  • Enhanced risks and controls library change manage­ment process with clear linkage of policies and procedures to the library
  • Standardised method of reporting risk assessment results, focused on actionable items and residual risk
  • Optimisation of existing risk assessment tools


The risk framework Protiviti designed helped the firm not only to visualise its ideal end-state but have a clear road map and methodology with which to realise that vision. The framework is business-centric, aligned with the organisation’s risk appetite and strategic goals, utilises technology effectively by removing redundancies, and posi­tions the company for competing in a cloud-enabled world.

For our client, the effort to raise IT risk to the enterprise level was a complex undertaking requiring a lot of focus, energy and commitment to change. Transformation on this scale could never be achieved without strong support at the highest levels of the organisation – which in this case was present and steadfast throughout the project. In a recent conversation, a stakeholder at the company said that the work by Protiviti continues to inform the actions of the risk team on its road to ITRM maturity. Protiviti also has remained as a top-tier security partner to the firm.


Though the journey to IT risk maturity has just begun, the financial services company has already achieved its primary objective – a clear view of strong, enterprise-level IT risk management and a well-marked path to get there.

Kurt Underwood
Kurt A. Underwood
Managing Director