First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Talking sense about technology risk and cyber

Technology risk should be managed within the greater context of the business.

technology riskToo often, the technology technicians try to assess and address technology-related risks without putting them in the context of the business.

There is some good guidance out there, though.

In 2009, ISACA published the “Risk IT Framework”. That document and the more recent “COBIT 5 for Risk” provide guidance to practitioners on technology-related risk.

COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both uncertain frequency and impact and creates challenges in meeting strategic goals and objectives.

Today, I want to look at two recent pieces. The first is from CIO magazine, a piece presumably sponsored by KPMG. It discusses the results of KPMG’s 2017 inaugural tech risk survey under the title of IT Risk Management.

Here are some excerpts with key sections highlighted:

  • …despite the rising profile of the technology risk function across the 1st and 2nd line of defense, the organization still does not actively manage risks and show its value to the larger business. Instead, many remain stuck in traditional, compliance-focused approaches to technology risk.
  • technology risk is seen as reactive and siloed: Although technology risk teams clearly have a larger role to play in the business, their ability to do so is hindered by the fact that an overwhelming majority (87%) of organizations do not currently view IT risk’s role as the proactive management of technology risk across the organization. And 72% said tech risk teams were brought into projects after the fact, only after problems began to arise — exposing the business to even greater risk. Tech risk is also seen by two-thirds of respondents as an arm of compliance, while a third see it as an arm of cybersecurity — rather than an organization-wide function for proactive risk management.
  • …dynamic technology risk functions that demonstrate risk impact against broader organizational goals must be implemented to gain a seat at the executive table. The tech risk function can maximize impact only when included at the outset of project initiatives.
  • organizations have realized that simply managing technology risk without having a direct implication to the bottom line is not enough. Instead, there needs to be a move toward proactive, agile technology risk with enough flexibility to respond to new emerging risks.
  • “While the board still continues to receive risk reports related to compliance, this is more meaningful, timely and directly related to business goals and objectives.”
  • The most important ways to see success in making IT risk more proactive is to make sure the technology risk organization really understands its role and does not look at technology in a silo. They should not hinder the innovation process through resistance and negativity, but rather help enable and support the business growth. They should also collaborate closely with strategic planning teams, including business planning, innovation and technology enablement teams.
  • According to KPMG’s recent CEO Outlook Survey, 49% were concerned with the integrity of the data they base decision-making upon.

The second is a discussion of cybersecurity and risk management that appeared in the Kansas City Business Journal.

Here are some of their comments, again with highlights:

  • …remember that data security is a business function, not just an IT function
  • It all comes back to the individual business and the business risks that they have.
  • take some time to plan out your business risks
  • It comes back to risk priority and understanding the business risk, not just the IT risk.

You have to have sponsorship from the CEO and throughout the company to really understand and diagnose those risks and prioritize them. That’s where a business manager might say: “This is where I need to put my money first and foremost. These other steps might be important, but they’re going to take a backseat until I get these bigger concerns taken care of first.”

I have excerpted and highlights the comments that refer to assessing the risk from technology-related sources that might affect the achievement of enterprise, business objectives.

I am pleased to see that taking hold, not only among consultants but by leaders of technology functions within organizations.

I have a couple of suggestions.

  1. Take a top-down approach that focuses on how technology-related events, situations, and decisions might affect the achievement of enterprise objectives.This is accomplished by taking, in turn, each enterprise objective and asking “what needs to go right” and “what could go wrong” with technology that could affect achievement.
  2. Take a bottoms-up approach to supplement the top-down. For those technology-related risks that the techies identify, ask “so what?” How could they affect the enterprise objectives, which ones, and to what extent? I prefer to think less in terms of $$ and more in terms of the likelihood of achieving an objective. Is the likelihood of failure now less than acceptable?

What do you think?

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , , ,

Comments are currently closed.