In many organizations, there is a vast divide between business lines and the IT department. Specifically, when it comes to risk, having these groups see and communicate eye-to-eye can be a challenge. Yet failing to address this gap in order to understand and manage the business impact of IT risks places any organization in jeopardy. By following a simple three-step plan, organizations can overcome this critical obstacle and identify, quantify and control business risks associated with IT failures.
IT often functions in a silo. This is not a new challenge, but as technology becomes increasingly strategic and critical to organizations, there is greater urgency and responsibility to address this issue.
Virtually every business depends heavily on its IT systems. Consequently, threats to the effectiveness and reliability of IT can significantly impact business performance, because IT risks quickly become business risks to the enterprise. While management may recognize this problem, organizations often lack the ability to identify, measure, manage and monitor IT risks effectively. These risks escalate further when the organization reduces IT resources.
Challenges and Opportunities
When IT investments are being reduced or cut altogether due to budget pressures or restructuring, the organization’s IT control environment becomes strained, leading to greater potential impacts on the business. This is something of a paradox considering the greater scrutiny being placed by many organizations on their risk appetite.
Unfortunately, there tends to be poor understanding of the potential damage an IT risk can inflict on the business. Managers outside the IT function may fail to realize the significant business impact IT risks can have because they do not understand the technology. Managers within the IT function may not fully understand how the business relies on that technology. These challenges are exacerbated by poor communication between the two groups. Often, in fact, a language barrier arises as “tech speak” and “business speak” collide.
The IT function must partner with business leaders and managers to ensure mutual understanding of the business impact of IT risks. When this occurs, technology risks can be addressed and managed as risks that are relevant to the entire enterprise. To accomplish this, organizations need to take three key steps:
- Define a link between IT and the business.
- Quantify IT risk for the business.
- Define accountabilities and process.
Our Point of View
If an organization completes each of these steps successfully, the IT function will be able to communicate clearly the business impacts associated with technology risks, and business managers can assure the board, audit committee, shareholders and regulators that business risks associated with technology are clearly understood, sufficiently captured and managed effectively.
The stakes have never been higher. The quality of an organization’s operational risk management is now a central concern not just for executives and boards of directors, but also for shareholders, analysts and regulators. Because IT is a core component of operational risk, many business risks can be traced back to IT, either as the cause of a risk or as an integral part of the controls put in place to manage it. When business management and the IT function fail to share a common view of risk, the result is a haphazard and incomplete approach to risk management, with poor awareness of IT risks and weak or ineffective business controls to manage them. Consequently, the assurance the organization can obtain over its IT risk is of diminished value.
Problems arise when business units and the IT function fail to bring their expertise together. However, if addressed in a cohesive manner, their different approaches to addressing the same risk can be a source of strength rather than weakness. Effective IT risk management requires a clear and agreed-upon definition of accountabilities and responsibilities for both the IT function and the business. IT risk management cannot be successful if it merely is a set of processes operating in an IT silo. Bridging this gap requires a full and open partnership.
How We Help Companies Succeed
Protiviti has helped many organizations bridge the knowledge and communication gap between IT and business functions. We have deep expertise in enterprise governance of IT and risk management along with the proven ability to define a common language and set of processes to achieve this.
For a global retail and commercial bank, Protiviti designed and implemented a process to communicate IT risk and control information to impacted business functions. To achieve this, we:
- Established a link between IT risks and the supported business functions and processes.
- Designed and built a reporting tool that consolidated all relevant risks to an aggregated level, classifying the potential business impacts in terms of availability, confidentiality, integrity or compliance for each system or service.
- Launched a support model and process to enable both IT and the business to interpret IT risk and control information, and to gain a quantified view of the potential impact of the risk to the organization.
- Established a communication channel into the impacted business areas to enable each to understand, interpret and provide a judgment back to IT on each of the technology risks based upon their individual risk appetites. The feedback loop, which previously was absent, provided IT with a clear understanding of the areas of greatest concern for the business.
The process we designed and implemented provided our client with additional value by giving the IT organization a vastly improved understanding of the significance of the IT risks it managed and the impact each had on the business. This enabled IT to prioritize its remedial activities and IT improvement initiatives at a strategic level and have a mechanism to address items of specific concern.
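The linkage, roll-up and feedback loop described in the case study can be modeled quite simply. The following is an added illustration, not Protiviti’s reporting tool or the client’s data: it links IT risks to the business processes their systems support, keeps the worst rating per impact dimension (availability, confidentiality, integrity, compliance) when rolling up to process level, compares each process against the owning business unit’s stated risk appetite, and hands IT back a remediation order driven by the business’s appetite breaches. Every system, process, business unit, risk rating and appetite level below is a constructed assumption.

```python
"""Link IT risks to business processes, roll impact up, and judge it against
business-unit risk appetite. Added illustration of the case-study process;
not Protiviti's tool. Data model, names and levels are assumptions."""
from collections import defaultdict

DIMENSIONS = ("availability", "confidentiality", "integrity", "compliance")
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}
NAME = {v: k for k, v in LEVEL.items()}

# Constructed sample data (hypothetical systems, processes and business units).
# Step 1: the link between IT and the business. A system may support several
# processes, so one IT risk can surface in more than one business area.
SYSTEM_TO_PROCESSES = {
    "core-banking": ["payments", "account-opening"],
    "card-auth": ["payments"],
    "dms": ["account-opening", "regulatory-reporting"],
}
PROCESS_OWNER = {
    "payments": "retail",
    "account-opening": "retail",
    "regulatory-reporting": "finance",
}
# Each business unit states the highest impact level it tolerates per dimension.
RISK_APPETITE = {
    "retail": {"availability": "low", "confidentiality": "low",
               "integrity": "low", "compliance": "medium"},
    "finance": {"availability": "medium", "confidentiality": "medium",
                "integrity": "none", "compliance": "none"},
}
# Step 2: IT risks rated by IT against the four impact dimensions.
IT_RISKS = [
    {"id": "R1", "system": "core-banking", "title": "No tested failover for DB cluster",
     "impact": {"availability": "high", "integrity": "low"}},
    {"id": "R2", "system": "card-auth", "title": "Unsupported TLS library",
     "impact": {"confidentiality": "medium", "compliance": "medium"}},
    {"id": "R3", "system": "dms", "title": "Shared admin account, no audit trail",
     "impact": {"integrity": "medium", "compliance": "high"}},
]


def aggregate(risks=IT_RISKS, links=SYSTEM_TO_PROCESSES):
    """Roll IT risks up to business-process level.
    The worst (max) rating per dimension is kept rather than a sum: two medium
    risks do not make a high one, but a single high risk makes the process high.
    Returns {process: {dimension: (level, [contributing risk ids])}}."""
    agg = defaultdict(lambda: {d: (0, []) for d in DIMENSIONS})
    for r in risks:
        for proc in links.get(r["system"], []):
            for dim, lvl in r["impact"].items():
                cur, ids = agg[proc][dim]
                new = LEVEL[lvl]
                if new > cur:
                    agg[proc][dim] = (new, [r["id"]])
                elif new == cur and new > 0:
                    ids.append(r["id"])
    return dict(agg)


def appetite_breaches(agg, owners=PROCESS_OWNER, appetite=RISK_APPETITE):
    """Step 3 / feedback loop: the business judges each aggregated impact
    against its own appetite. Returns breaches, worst exceedance first."""
    out = []
    for proc, dims in agg.items():
        unit = owners[proc]
        for dim, (lvl, ids) in dims.items():
            tol = LEVEL[appetite[unit][dim]]
            if lvl > tol:
                out.append({"process": proc, "unit": unit, "dimension": dim,
                            "impact": NAME[lvl], "appetite": NAME[tol],
                            "excess": lvl - tol, "risks": sorted(ids)})
    return sorted(out, key=lambda b: (-b["excess"], b["process"], b["dimension"]))


def remediation_priority(breaches):
    """What IT gets back: each risk ranked by the appetite breaches it drives,
    so remediation follows business concern rather than IT's own view."""
    score = defaultdict(int)
    for b in breaches:
        for rid in b["risks"]:
            score[rid] += b["excess"]
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    breaches = appetite_breaches(aggregate())
    for b in breaches:
        print(f"{b['unit']:8} {b['process']:21} {b['dimension']:16} "
              f"impact={b['impact']:6} appetite={b['appetite']:6} "
              f"risks={','.join(b['risks'])}")
    print("remediation order:", remediation_priority(breaches))
```

Two design points matter in practice. Aggregation uses the maximum rather than a sum so that a process is never rated high merely because it carries many low risks; and the appetite is held per business unit, not set by IT, which is what turns the report into the feedback loop the case study describes: with this data, finance’s zero tolerance on compliance and integrity lifts a single document-management risk (R3) above the core-banking availability risk that IT would otherwise have ranked first.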