The transformation of IT risk management

Organisations are transforming their IT risk management model to account for the need to meet a changing and diverse range of risks, to provide mitigation of those risks, and convert risks into opportunities, writes Nitin Khanapurkar.

A holistic view of ITRM can help to identify, manage and optimise risks, not just mitigate them, says Khanapurkar.
By Nitin Khanapurkar. Published July 10, 2014.

Organisations are facing increasing demand to realign their IT Risk Management (ITRM) framework to meet constantly changing regulatory standards. An effective ITRM framework poses many challenges, including maintaining a cost-effective process design and meeting the efficiency demands of company management, while balancing the need to intervene and enabling innovation and the flow of business. This is forcing organisations to redefine and transform their traditional ITRM model.

Although cost factors are a challenge for organisations in deriving value from an ITRM function, integrated ITRM operating models can significantly help to improve business decision making and accountability for IT risk. An effective ITRM function can also assist in establishing a risk-aware culture and methods of working and collaborating to take appropriate action, strengthening the first line of defense within the organisation.

The role of IT risk management

The role of IT in an organisation has transformed over recent years and is no longer seen as just supporting the business. IT also allows organisations to differentiate themselves and provides many organisations a competitive advantage. This results in IT being a strategic enabler instead of a cost centre.

As a result, the view on managing IT risk within an organisation has also evolved. Because IT risk covers many aspects of the organisation, it is assumed that the functions of internal audit, business operations, and/or technology operations will be able to identify, monitor, and address these risks. However, that is not the case, and often, if these functions are performing an element of IT risk management, the efforts are not coordinated, consistent, or consolidated for an enterprise view.

The ITRM function within an organisation operates as a distinct, but integrated, function within IT. It supports the enterprise as a whole addressing the strategic objectives, mission, and business model of the organisation. An ITRM function manages the firm’s risk posture and appetite for IT risk and security by determining the key IT threats that an organisation faces and leading a proactive response to combat these threats. An effective ITRM function ensures a robust and effective engagement with regulatory bodies to determine compliance priorities for each jurisdiction. Furthermore, as an enterprise business issue, ITRM requires an organisation to build capabilities that must be embedded and managed across a matrixed organisation through a sustainable process to provide transparency and accountability.

A holistic view and discussion on ITRM helps management to identify, manage and optimise risks — not just mitigate their risks — turning IT risks into advantages and aligning management’s risk appetite with a desired return.

ITRM should define a comprehensive view of IT risks; continuously refresh the inventory of IT risks; help create strategies to prevent, mitigate, or accept these risks; and monitor risks against defined tolerances. Through fit-for-purpose design, skills, and competencies, and automation platforms, the ITRM function provides management an opportunity to proactively manage risk and transform its ITRM needs into a capability that plays to the broader enterprise strategy and the critical issues that organisations face.

Aligning the ITRM function with the other risk oversight functions such as internal audit, enterprise risk management, and compliance, as well as with regulatory mandates, is an important element in more effectively ensuring that risks are optimised.

Scope of IT risk management

Understanding the complexity of the business environment and the changes taking place within the organisation is one of the key drivers in identifying the key areas of risk. These factors are in turn driven by numerous forces, whether external, such as regulatory, geo-political, or market-driven, or internal, such as new products, acquisitions, or IT implementations.

A coordinated approach to ITRM enables information flow and a clear understanding of the risk domains within IT. Organisations need to assess risk and develop risk optimisation strategies by defining and delivering broad risk organisation programs.

They also need to establish a measurement program to report holistically on the IT risk posture. But this is not just about measuring and reporting; it is about optimising the resources dedicated to ITRM on a business impact-prioritised basis, leveraging a defined process, using lessons from history, and applying as appropriate across the landscape of enterprise IT risks.

For either mature or early-stage ITRM functions, monitoring is considered essential in terms of both compliance and operations. Organisations need to consider implementing capabilities to monitor the ITRM function’s effectiveness by defining key risk indicators (KRIs) such as the number of risks within each risk area, the number of risks mitigated, and the number of risks by ongoing mitigation effectiveness; determining appropriate collection and reporting methods; and developing tools for reporting on the essential measurements used to manage risks.

Nitin Khanapurkar is Partner Consulting, KPMG.
