At their core, financial services industry (FSI) companies are technology businesses, the success of which hinges on the ability to manage opportunities and threats on each side of the risk coin. But FSI companies face a pressing risk management problem: most of their technology risk frameworks are decidedly one-sided, focused – perhaps not surprisingly – on technology rather than the business it supports. An unintended and perhaps more surprising consequence is that many of the risks arising from the use of technology are understated or misstated, if not missing altogether, in operational risk reports, because the business consequences of technology risk are not well understood and are difficult to quantify.
To correct this problem, FSI companies need to rethink and revamp their information technology (IT) risk frameworks so that they are aligned with business services. Simply stated, too many technology risk programs focus on IT-specific measures, such as network availability and incident counts; too few focus on business outcomes. Technology measures are absolutely necessary, but not nearly sufficient; metrics and supporting processes should map to business processes so they can be managed and prioritized more effectively from a business risk management perspective.
In this white paper, we define the nature of the technology risk management challenge for chief information officers (CIOs), other IT executives, chief risk officers (CROs) and operational executives. We also outline a four-level mapping process that integrates technology risk management with business risk management.