Many organizations are zeroing in on IT risk management as an important aspect of their enterprise-wide risk and compliance programs.
And for good reason. Technology risk and cybersecurity issues have come to the forefront thanks to recent high-profile cyber attacks and data breaches. In fact, recent research indicates that 32% of organizations were victims of a major cyber attack in 2017.
But what’s behind the increasing IT risk?
A risk management study released in 2018 by Forbes Insights and KPMG looked at the changing technology risk landscape, how organizations are coping with challenges, and the strengths and weaknesses of their current IT risk management practices. The researchers observed that:
“With technology increasingly touching nearly every aspect of the business, more C-suite leaders now acknowledge the direct connection between IT risk and enterprise risk—and more broadly enterprise strategy. As such, many organizations are beginning to view technology risk as a value center that helps meet critical business objectives, and are investing accordingly.”
The study also highlighted several critical components of an effective IT risk management framework. Let’s look at a few foundational best practices:
Determining risk appetite and performing risk assessments are baseline requirements, but mature risk management programs move toward automated tools and processes such as risk registers.
The study indicates room for improvement in this area, as the majority of companies surveyed (82%) rely on either informal, interview-based processes or periodic risk assessments for their risk data collection and reporting. Only 18% leverage automated processes, despite this methodology providing the most proactive approach to risk mitigation.
One important function of analytics is to drive the development of key risk indicators (KRIs) that tie in with business impact. However, only 13% of organizations surveyed consistently use KRIs to understand and manage IT risk.
The study pinpointed analytic capabilities as an area of investment that enhances organizations’ ability to predict technology risk, along with improved data access and effective dashboard reporting (more on that in the next section).
Researchers also highlighted the value of dashboard-based risk reporting. This approach enables risk managers to share insights that are tailored to their intended audience (e.g., executive reports) in a format that is “understandable, actionable, and impactful.”
Easily digestible risk reporting contrasts with the common practice of providing executives and other stakeholders with detailed, lengthy reports that lack high-level analysis. Dashboarding can solve a number of issues associated with this approach, including:
IT risk management is frequently seen as a siloed, reactive process, rather than “an organization-wide function for proactive risk management.” Survey respondents overwhelmingly viewed IT risk management as an arm of compliance and/or cybersecurity:
However, integrating IT with other business units enables organizations to link risks to strategic objectives — a critical step in developing an effective, enterprise-wide risk management framework.
Even though organizations are recognizing that IT risk management is a key piece of the enterprise strategy puzzle, many are still struggling to bring their management processes up to current best practices.
Quantivate’s comprehensive IT Risk Management Software offers built-in best practices for measuring, managing, and monitoring technology risk. Our GRC platform integrates with other business units for powerful data-sharing and automation capabilities.
This solution includes features and guided processes for implementing an effective IT risk management framework, including: