Building a Successful Information Technology Risk Management Program
Many financial services organizations are recognizing the need to broaden the scope of risk governance and management to include information technology (IT).
This awareness is growing in the wake of highly publicized identity theft incidents and other security breaches, as well as legislation aimed at managing financial, market, and operational risk exposures.
Developing an information technology risk management (ITRM) program is on the minds of chief executive officers, chief risk officers, IT chief risk officers, and chief information security officers, who are asking: How do I build my ITRM program and office? What are its responsibilities? How do I ensure its effectiveness and success?
An ITRM program is designed to execute, manage, measure, control and report on risk matters within IT. It is essential to an organization's overall risk management capability and effectiveness. If successful, an ITRM program provides the board of directors, senior management, regulators and other external stakeholders with confidence that IT can deliver business value efficiently and securely, while providing high quality assurance around data integrity, availability, and confidentiality.
A Complex (but Worthy) Undertaking
Developing and managing the program is a multi-faceted task, requiring risk management capabilities, communication and negotiation skills, creativity, organization, time management, change management and education in the form of risk management awareness. The key success factors are similar to those for most strategic enterprise initiatives:
- Tone at the top and management support
- Management accountability and authority to effect change
- Close alignment with the corporate culture
- Consistent and standardized risk management processes
- Measurable results
The first step in building the program is to identify its core components. This is where organizations can leverage their existing risk management framework to ensure consistent coordination, collaboration, risk coverage and risk management across the enterprise.
Figure 2 depicts a comprehensive IT risk management framework and addresses the key components in the "pyramid" from the top down.
Figure 2. Information Technology Risk Management Framework
Business Drivers: Most organizations do not spend enough time clearly defining those critical business issues or business drivers that create the necessity for an ITRM program. These drivers must be aligned with business objectives, regulatory requirements, and board of directors and executive management directives. Without such alignment, there is the potential for confusion in coordinating various agendas and communicating the overall enterprise risk vision.
Risk Strategy: The risk strategy is a concise, high-level plan that articulates the vision and direction for risk management within the organization. The plan should encompass risk tolerance guidance, risk processes, expectations for the risk management function, and the integration of risk processes such as IT security into standard IT operations. Ideally, the plan is representative of the enterprise's risk strategy and charter. An awareness initiative or road show, along with a widely distributed directive from the CEO, can be useful in demonstrating "tone from the top" and obtaining buy-in on the plan from stakeholders.
Risk Governance: Ownership, accountability and oversight are the cornerstones of an ITRM program. The risk governance component of the program should have a strong leader, an executive who can juggle strategic and tactical enterprise initiatives across diverse and distributed IT environments.
The risk governance aspect of the ITRM program must also define views of risk at various levels within the organization. This is important in order to provide management with risk information from multiple views -- enterprise, regional, country, and line of business -- and to identify trends within specific IT processes across all views. For example, if management has discrete views on how controls around change management processes are operating in the various geographies and business units, it can determine where variances are occurring and whether they are incidental or constitute a trend. The organization can get a running start on this task by leveraging the existing guidelines developed through its Sarbanes-Oxley initiative, which provides an established roadmap for accountability and risk views.
Policies and Standards: The ITRM program office can define policies, standards, and guidelines with the participation of working groups from the existing risk management and business IT risk functions. The decision-making process should be designed to be fair to all stakeholders, while ensuring that the execution of policies and standards is managed effectively.
The ITRM program specifies who has ownership and accountability for defining the organization's IT risk policies and standards, and provides oversight and guidance for formulating IT operational policies and standards. For example, functional owners of security are responsible for defining security requirements for their respective department's security policies and standards; ITRM provides assurance that these policies and standards address all risk management concerns. ITRM policies should be concise and emphasize key expectations for managing IT risk. At a high level, the policies should address definitions, principles, processes, methodology, evaluation criteria, roles, and responsibilities.
Most organizations draw on components of established, generic standards to build their own IT-specific risk management standards. Common standards are:
- Enterprise Risk Management Standard of COSO (Committee of Sponsoring Organizations of the Treadway Commission)
- The Joint Australian/New Zealand Risk Management Standard (AS/NZS 4360: 2004) of The Council of Standards Australia and Council of Standards New Zealand
- Risk Management Guide for Information Technology Systems from the National Institute of Standards and Technology (NIST SP 800-30)
- Risk Management Standard from a consortium of the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC), and ALARM (the National Forum for Risk Management in the public sector)
Several organizations have used security risk management standards such as Information Risk Analysis Methodologies (IRAM) from the Information Security Forum and modified them for overall IT Risk. It is a leading practice to define and utilize a consistent standard for all risks across the enterprise and to add specific IT components.
Risk Identification and Profiling: The organization needs to define a consistent process for identifying and classifying risk. This includes defining a taxonomy for risks and internal controls, risk ratings, prioritization, and parameters for the frequency and rigor of IT risk and internal controls assessments. Risk ratings and risk prioritization are critical to management's efforts to allocate risk management resources effectively across the enterprise.
Risk identification is the process of discovering, defining, describing, documenting and communicating risks before they become problems and adversely affect the organization. Accurate and complete risk identification is vital for effective risk management. It is important to capture and document all possible risks. Not all risks will be acted upon. Once more details are known about each risk, the decision can be made by management as to how to address each risk.
Various techniques can be used for risk identification, including brainstorming as well as systematic inspections and process analysis. Regardless of the technique used, the participation of key functional area personnel is essential to identify risks.
The data obtained through the risk identification process makes it possible to profile and then prioritize the various risks and profile categories. The profile reveals the gaps in a company's ability to manage its risk across the spectrum of potential exposures -- legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Prioritization in this context indicates the relative importance of the risk, combining the likelihood that a threat will exploit a vulnerability with the potential business impact. As the organization prioritizes its risks, management utilizes the established risk categories/domains or profiles to group risks across IT systems and processes. An example of a potential grouping could be change management for distributed computing environments, where an organization may have identified several discrete issues for this IT process.
After the IT domains are defined, the organization should identify key indicators, including Key Risk Indicators (KRIs) and Key Control Indicators (KCIs). The KRIs and KCIs must be articulated for each IT domain and process. Ideally, KRIs are simple and measurable. KRIs may be linked to risks and controls contained in a risk and control library. The library, which presents definitions for all risks and controls, helps ensure that risks and controls are classified and assessed consistently throughout the enterprise.
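The risk identification, rating, prioritization and KRI steps above lend themselves to a small worked model. The following is an added example and is not code from the article or from Ernst & Young: a register of risks tied to a risk-and-control library, scored on assumed five-point likelihood and impact scales, grouped by IT domain, with KRIs checked against thresholds. The taxonomy, rating bands, thresholds, identifiers (R-001, C-001, KRI-CM-01 and so on) and all sample entries are constructed assumptions for illustration.

```python
"""Added example, not from the article: a small IT risk register built on a
risk-and-control library, with likelihood/impact rating, prioritization,
grouping by IT domain and KRI threshold checks. The scales, rating bands,
taxonomy, identifiers and sample entries are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed five-point scales; the article does not prescribe values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str


@dataclass(frozen=True)
class Risk:
    risk_id: str
    domain: str            # IT domain from the assumed taxonomy
    view: str              # organisational view the risk was raised in
    description: str
    likelihood: str
    impact: str
    controls: tuple = ()   # control_ids that should exist in the library

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        s = self.score()   # assumed bands: 15+ high, 8-14 medium, below 8 low
        return "high" if s >= 15 else "medium" if s >= 8 else "low"


@dataclass(frozen=True)
class KRI:
    kri_id: str
    domain: str
    description: str
    threshold: float       # breached when the observed value exceeds this
    linked_risks: tuple = ()


def prioritize(risks):
    """Highest score first; ties broken by id so reports are stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.risk_id))


def group_by_domain(risks):
    groups = defaultdict(list)
    for r in risks:
        groups[r.domain].append(r)
    return dict(groups)


def dangling_controls(risks, library):
    """Control ids referenced by a risk but absent from the library."""
    known = {c.control_id for c in library}
    return sorted({cid for r in risks for cid in r.controls if cid not in known})


def breached_kris(kris, observations):
    """KRIs whose latest observed value exceeds their threshold."""
    return [k for k in kris if observations.get(k.kri_id, 0) > k.threshold]


def sample_register():
    """Constructed sample data for illustration only."""
    library = [
        Control("C-001", "Changes approved by the Change Advisory Board before deployment"),
        Control("C-002", "Post-implementation review recorded for every change"),
        Control("C-003", "Quarterly recertification of privileged accounts"),
    ]
    risks = [
        Risk("R-001", "change management", "EMEA", "Emergency changes bypass CAB approval on distributed servers", "likely", "major", ("C-001",)),
        Risk("R-002", "change management", "APAC", "Change records lack evidence of post-implementation review", "possible", "major", ("C-002",)),
        Risk("R-003", "access management", "Americas", "Privileged accounts not recertified on schedule", "unlikely", "severe", ("C-003",)),
        # C-010 is deliberately absent from the library to show the consistency check.
        Risk("R-004", "availability", "EMEA", "Single network path to the DR data centre", "possible", "minor", ("C-010",)),
    ]
    kris = [
        KRI("KRI-CM-01", "change management", "Percentage of changes raised as emergencies", 10.0, ("R-001",)),
        KRI("KRI-CM-02", "change management", "Failed changes per month", 5, ("R-002",)),
        KRI("KRI-AM-01", "access management", "Privileged accounts past recertification date", 0, ("R-003",)),
    ]
    return library, risks, kris


def report(library, risks, kris, observations):
    """Summary a dashboard would consume: priority order, rating per domain, breaches."""
    return {
        "priority": [r.risk_id for r in prioritize(risks)],
        "by_domain": {d: [(r.risk_id, r.rating()) for r in rs] for d, rs in group_by_domain(risks).items()},
        "dangling_controls": dangling_controls(risks, library),
        "breached_kris": [k.kri_id for k in breached_kris(kris, observations)],
    }


if __name__ == "__main__":
    lib, rs, ks = sample_register()
    # Constructed observations for the latest reporting period.
    print(report(lib, rs, ks, {"KRI-CM-01": 14.0, "KRI-CM-02": 3, "KRI-AM-01": 2}))
```

Two details are worth copying into a real register: the library check (`dangling_controls`) catches the inconsistency the article warns about, a risk citing a control nobody has defined, and the KRI thresholds are stored beside the indicator so that the breach rule is the same in every geography that reports it.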
People and Organizational Management: An appropriate management structure at the functional and line levels enables the organization to make the transition from a risk management initiative to a full program with enterprise-wide operational capabilities for IT risk management. Most organizations underestimate the time frame required for this maturation process. In most cases, it takes two to three years from program startup to successfully engineer risk processes into operational procedures that are fully integrated throughout a large global organization. Therefore, it is important to understand the risk management target environment, end state, and interim solutions.
Processes and Operational Procedures: Processes and operational procedures represent the heart of the execution phase of the program and should be directly linked to the chosen risk management standard. Core risk processes should include:
- Risk measurement and metrics design
- Risk assessments, risk control assessments (RCA), and risk control self-assessments (RCSA)
- Detailed risk analyses
- Risk reporting
- Issue management
- Event capture and loss estimates
- Risk mitigation planning
- Risk acceptance
Risk management processes should be aligned with legal and regulatory requirements and include or link to relevant activities such as privacy, information security assessments, continuity of business assessments, and business impact analysis. For large organizations to implement risk processes consistently, they must utilize strong communications, focused change management processes, process guidance and training.
Tools and Technology: Risk management tools and technology vary in maturity and capability. Many large organizations tend to build their own risk management systems or utilize multiple commercially available risk management applications. They may then meet their reporting requirements with a tool that aggregates the various risk elements and information. The organization should reassess the vulnerability and regulatory compliance technology tools that are already in place to ensure they have the relevant risk management measurements and reporting capabilities in areas such as threat and vulnerability protection, availability monitoring and entitlements.
An effective risk tool must support the design and enhancement of data integrity controls and input controls for risk data. In fact, most organizations today are struggling to identify the best way to acquire accurate data in an automated fashion. An independent review by, for example, the internal controls department, quality assurance function or internal audit department, can provide "third party" confirmation that the organization is in fact effectively managing risk workflow and ensuring the integrity and accuracy of its risk information.
Compliance, Monitoring, and Reporting: This is where "the rubber meets the road" for IT risk management. The organization puts in place its processes to assess compliance with policies, standards, procedures, and regulatory requirements. Monitoring and reporting capabilities are designed to provide management with organizational views and trend analyses for risks, control issues, and vulnerabilities.
When designing metrics for monitoring and reporting, many organizations start with the end product (IT risk management dashboards) to ensure that their metrics will be aligned with executive management's vision and requirements. Obtaining and reporting the metrics for KRIs is critical for organizations to demonstrate the value of the program and verify that risk management processes have been implemented. Getting the metrics design, implementation, and measurements right can be tedious and time consuming, in part because risks change regularly.
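The risk governance passage above gives a concrete case for monitoring and reporting: discrete views of how change management controls operate across geographies and business units, used to locate variances and decide whether they are incidental or a trend. The following is an added example, not code from the article or from Ernst & Young, that rolls constructed control-assessment results up into enterprise, region, line-of-business and region-by-line-of-business views and classifies each view's variance. The sample results, the 10-point tolerance, the three-period trend window and the view names are assumptions for illustration.

```python
"""Added example, not from the article: roll a control's assessment results up
into the views the article describes (enterprise, region, line of business,
region by line of business), flag views that fall short of the enterprise
rate, and separate one-off variances from trends. The sample results, the
tolerance and the trend window are constructed assumptions."""
from collections import defaultdict

# Constructed sample: (period, region, line_of_business, tests_passed, tests_total)
# for one change-management control tested each quarter.
SAMPLE_RESULTS = [
    ("2023Q1", "EMEA", "Retail", 48, 50), ("2023Q2", "EMEA", "Retail", 47, 50),
    ("2023Q3", "EMEA", "Retail", 49, 50), ("2023Q4", "EMEA", "Retail", 48, 50),
    ("2023Q1", "EMEA", "Wealth", 45, 50), ("2023Q2", "EMEA", "Wealth", 30, 50),
    ("2023Q3", "EMEA", "Wealth", 46, 50), ("2023Q4", "EMEA", "Wealth", 47, 50),
    ("2023Q1", "APAC", "Retail", 42, 50), ("2023Q2", "APAC", "Retail", 34, 50),
    ("2023Q3", "APAC", "Retail", 35, 50), ("2023Q4", "APAC", "Retail", 33, 50),
    ("2023Q1", "APAC", "Wealth", 48, 50), ("2023Q2", "APAC", "Wealth", 49, 50),
    ("2023Q3", "APAC", "Wealth", 47, 50), ("2023Q4", "APAC", "Wealth", 48, 50),
]

TOLERANCE = 0.10   # assumed: more than 10 points below the enterprise rate is a variance
TREND_PERIODS = 3  # assumed: a variance in 3 or more consecutive periods is a trend


# View functions map (region, line_of_business) to the name of the view bucket.
def region(r): return r[0]
def line_of_business(r): return r[1]
def region_and_lob(r): return f"{r[0]}/{r[1]}"
def enterprise(r): return "enterprise"


def effectiveness(results, view):
    """Control pass rate keyed by (period, view name)."""
    passed, total = defaultdict(int), defaultdict(int)
    for period, reg, lob, p, t in results:
        key = (period, view((reg, lob)))
        passed[key] += p
        total[key] += t
    return {k: passed[k] / total[k] for k in total}


def classify_variances(results, view, tolerance=TOLERANCE, trend_periods=TREND_PERIODS):
    """Per view name: 'trend', 'incidental' or 'within tolerance'."""
    base = effectiveness(results, enterprise)
    rates = effectiveness(results, view)
    periods = sorted({p for p, _ in rates})
    verdict = {}
    for name in sorted({v for _, v in rates}):
        run = longest = 0
        for p in periods:   # longest run of consecutive periods below tolerance
            if (p, name) not in rates:          # no assessment that period breaks the run
                run = 0
                continue
            flagged = rates[(p, name)] < base[(p, "enterprise")] - tolerance
            run = run + 1 if flagged else 0
            longest = max(longest, run)
        verdict[name] = ("trend" if longest >= trend_periods
                         else "incidental" if longest else "within tolerance")
    return verdict


if __name__ == "__main__":
    for v in (region, line_of_business, region_and_lob):
        print(v.__name__, classify_variances(SAMPLE_RESULTS, v))
```

With the constructed data, every region and every line of business stays within tolerance in all four quarters; only the region-by-line-of-business view exposes APAC/Retail as a three-quarter trend and EMEA/Wealth as a single-quarter incident. That masking at the aggregate level is the reason the article insists on discrete views rather than one enterprise number.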
Building an ITRM program is a challenge. But an appropriately designed program helps align silos and cross-functional areas so that risk objectives are met in a highly coordinated, consistent fashion.
At heart, risk management is the process of making conscious decisions about appropriate levels of residual risk. Successful ITRM programs help better manage IT risk, and give their organizations an important competitive marketplace advantage. Other positives include: enhanced business value in the form of process, risk and control efficiencies; elimination of redundancies; expense reduction; effective resource management; and legal and regulatory compliance.
About the Author
Tim Purtell, firstname.lastname@example.org, is a senior manager in
Ernst & Young's Technology & Security Risk Services practice.