Tougher to do, and with tougher consequences if you get it wrong: these are the two big trends in IT risk management today.
CIOs remain the single largest group of individuals responsible for ITRM, but other roles, including CEOs, CISOs and CFOs, now account for a significant share. Why?
Today’s business environment is also less forgiving than in the past. Operational glitches tend to be more severe, as do the business consequences. So, what could go wrong? And who in the organisation is responsible for mitigating the associated IT risk, other than the CIO?
The expanding business risk environment that also drives ITRM includes:
- Accelerating change agendas
- Globalisation, global economic and geo-political pressures
- Joint ventures and other operational complexities
- Technological expansion over diverse geographical domains
- Growing importance of resiliency
- Enhanced persistence of cybercrime
- Increased role of cybersecurity in securing physical assets
- Increased exposure to internal threats
- Movement towards intangible assets
- Increased use of outsource providers
- Acquisition, divestment, separation of businesses and IT
- Regulatory and legal boundaries
- Increased reliance on future-proof technologies.
According to a survey from EY, responsibility for overseeing the ITRM function was distributed across roles as follows (the figures sum to well over 100%, so respondents evidently could name more than one role):
- CIO 34%
- CRO (Chief Risk Officer) or CIRO 31%
- COO 26%
- CISO 14%
- CCO (Chief Compliance Officer) 12%
- CEO 9%
- CFO 6%
- Other 14%
How well do businesses manage or monitor these risks? According to the same EY survey, the split looked like this:
- Well-monitored: IT security (such as system patching and protection against vulnerabilities and viruses), information security (including identity and access management), data leakage prevention
- Moderate monitoring: IT compliance, data centre operations, outsourcing and vendor risks, privacy and data protection, data quality, IT continuity and disaster recovery, IT infrastructure availability
- Limited or no monitoring: Offshoring, fraud, theft or loss of assets (including intellectual property), program and project risks.
In other words, despite the expansion and diversity of risk, and the wider set of people now involved, only the basic IT functions (which are also the ones most difficult to link back to business objectives) are getting proper monitoring. Offshoring, fraud, loss of assets and project risk, the categories with the most direct business consequences, get the least. All of that suggests there is distinct room for improvement in the management part of ITRM.