Building an IT Risk Management Framework: 4 Keys to Success

  • February 20, 2019
  • Quantivate

Many organizations are zeroing in on IT risk management as an important aspect of their enterprise-wide risk and compliance programs.

And for good reason. Technology risk and cybersecurity issues have come to the forefront thanks to recent high-profile cyber attacks and data breaches. In fact, recent research indicates that 32% of organizations were victims of a major cyber attack in 2017.

But what’s behind the increasing IT risk?

  • Software and systems power more core operations.
  • Technology is embedded into most critical business processes. As a result, technology failures or breaches have wide-ranging ramifications for operations, finances, and reputation.
  • Organizations struggle to keep up with the changing risk landscape driven by new and complex technology and increasing data volume.

A risk management study released in 2018 by Forbes Insights and KPMG looked at the changing technology risk landscape, how organizations are coping with challenges, and the strengths and weaknesses of their current IT risk management practices. The researchers observed that:

“With technology increasingly touching nearly every aspect of the business, more C-suite leaders now acknowledge the direct connection between IT risk and enterprise risk—and more broadly enterprise strategy. As such, many organizations are beginning to view technology risk as a value center that helps meet critical business objectives, and are investing accordingly.”


The study also highlighted several critical components of an effective IT risk management framework. Let’s look at a few foundational best practices:

1. Risk Identification & Measurement

Determining risk appetite and performing risk assessments are baseline requirements, but mature risk management programs move toward automated tools and processes such as risk registers.

The study indicates room for improvement in this area, as the majority of companies surveyed (82%) rely on either informal, interview-based processes or periodic risk assessments for their risk data collection and reporting. Only 18% leverage automated processes, despite this methodology providing the most proactive approach to risk mitigation.

2. Data Analytics

One important function of analytics is to drive the development of key risk indicators (KRIs) that tie in with business impact. However, only 13% of organizations surveyed consistently use key risk indicators (KRIs) to understand and manage IT risk.

The study pinpointed analytic capabilities as an area of investment that enhances organizations’ ability to predict technology risk, along with improved data access and effective dashboard reporting (more on that in the next section).

3. Ongoing Monitoring & Reporting

Researchers also highlighted the value of dashboard-based risk reporting. This approach enables risk managers to share insights that are personalized for their intended audience (i.e., executive reports) in a format that is “understandable, actionable, and impactful.”

Easily digestible risk reporting contrasts with the common practice of providing executives and other stakeholders with detailed, lengthy reports that lack high-level analysis. Dashboarding can solve a number of issues associated with that practice, including:

  • The broad scope and lack of synthesis make extracting meaningful insights difficult.
  • Reports fail to link risk data to the organization’s risk appetite.
  • The connection to business impact gets lost in the “white noise” of too much data volume with too little analysis.
  • Leadership response to this overwhelming amount of data tends toward either panic or simply ignoring it.

4. Integration With Other Business Units

IT risk management is frequently seen as a siloed, reactive process, rather than “an organization-wide function for proactive risk management.” Survey respondents overwhelmingly viewed IT risk management as an arm of compliance and/or cybersecurity.

However, integrating IT with other business units enables organizations to link risks to strategic objectives — a critical step in developing an effective, enterprise-wide risk management framework.

The Takeaway

Even though organizations are recognizing that IT risk management is a key piece of the enterprise strategy puzzle, many are still struggling to bring their management processes up to current best practices.

How Quantivate Can Help

Quantivate’s comprehensive IT Risk Management Software offers built-in best practices for measuring, managing, and monitoring technology risk. Our GRC platform integrates with other business units for powerful data-sharing and automation capabilities.

This solution includes features and guided processes for implementing an effective IT risk management framework, including:

  • Risk and controls assessments
  • Developing a risk profile and risk appetite statement
  • IT risk register
  • Asset identification and management
  • Configurable reporting dashboards
  • Integrated workflow automation and task management
  • And more!

Watch a video overview of the software or schedule a personalized demo.