
Inside Internal Controls

News and discussion on implementing risk management


Collaboration between the business risk and IT security teams

Business risk and IT security teams must work together, because there is no such thing as IT risk, only business risk.

OCEG and MetricStream[1] have made available a free illustration on the topic of How Business, IT and Security Teams Gain a Common View of Risk.

As usual, there are some good points in the OCEG/MetricStream work.

But, also as usual, I have some problems.

There is no such thing as IT risk, cyber risk or information security risk. These are just sources of business risk.

We should be concerned about how a failure to manage any of these areas might affect the achievement of business objectives.

Let’s take two situations.

In the first, the company is about to release a breakthrough new product.

In the second, the company is mid-cycle on its latest release and is starting to consider how to move forward in the next generation.

In both cases, the success of the business depends on keeping its intellectual property (details about its product and related marketing and sales plans) safe. Assume the likelihood of a breach and subsequent theft of its IP is the same in both cases.

But the effect on the business, and therefore the level of risk, is far greater in the first case than in the second.

It is fairly easy to come up with similar scenarios. Consider a retail chain and its dependency on the reliability of its computer systems. First, think of the level of risk should the systems go down mid-week in February. Now think of the level of risk should they fail during the week before Christmas or Thanksgiving.

How about a start-up company that finds out that its financial systems have been penetrated by a crime syndicate? Is the risk the same six months before going to investment banks and starting the process to go public as it would be in the midst of a public offering? Clearly not.

Yes, all of the groups included in the illustration need to be working together. But let’s add in the strategy and planning groups, operating management, and perhaps everybody else.

You need to consider how a failure in the use or management of technology could affect the operation of the business today and in the future if you want to manage risks (and their sources) effectively.

Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?

I welcome your comments.

BTW, I strongly recommend joining OCEG (www.oceg.org). Membership of the nonprofit is free and there are lots of resources, including webinars.

[1] Full disclosure: I have worked with both but am independent.


Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more