Previously in one of the information systems audit engagements that I collaborated on, I had a great time reviewing the control environment, processes and the tools that the organization had put in place for their I&T-related risk management program.

Of course, after the fieldwork was completed, the expected deliverable was a report. Upon issuance of a technical report to senior management, we held a close-out meeting to present the IT audit observations, which were mostly process-improvement observations with a risk rating of OPPORTUNITY (blue).

After the presentation, one of the process owners from the audit client remarked: “I am now 100% sure that we are doing well, this report shows we are safe until next year’s audit”. In my mind, I was like, what is he talking about? So, while giving the closing remarks, I mentioned that management could still choose to implement mitigation strategies or alternative controls to proactively close the possible threat vectors identified, despite the fact that they were rated blue at that time. I also reminded the management team that control effectiveness is only as good as at the time the controls are implemented, not forever: scoring Blue (opportunity risk ranking) or Green (low risk ranking) on most of the IT control observations at a moment in time doesn’t guarantee that the organization is 100% secure, that it will not suffer a security breach or data breach, that vulnerabilities won’t arise, or that any emerging I&T-related risk will be stopped from materializing.

The fact is, IT risks evolve rapidly and increase over time, and they come in different forms which can cause varying degrees of disruption and damage to the business. As a result of this increasing complexity, the approach to IT risk management has changed too. You cannot do the same thing every time and expect different results, so some organizations have adopted new approaches to risk management and have adapted to change depending on the trends, the company’s risk profile, the clarity of the risk, and the IT risk appetite, keeping in mind that every company is unique, yet I&T-related risks touch all aspects of the business.

Here is how modern organizations have approached I&T-related risk management:

  • Understanding the risk universe: this not only creates awareness about internal, external, and emerging risks but also helps in determining the risk profile and informs decision-making in the organization.
  • Structured methodology: When it comes to overall risk management, there is no right or wrong way to conduct a risk assessment. However, it is generally agreed that a risk assessment should adhere to a structured methodology. Relatedly, as you manage identified I&T-related risks in your organization, you may not mitigate all risks fully at once, but the approach to managing them should still follow a structured methodology. Thus, the majority of risk functions have adopted a structured methodology for managing risks. This acknowledges that risk is an integral part of the organization.
  • Strategic alignment: In modern organizations, IT risk is treated as part of the overall business risk, not as a standalone risk. Therefore, organizations are allowing their risk appetite to guide their decision-making. Organizations are approaching I&T risk management by preparing for and addressing possible security threats and risks through a risk assessment strategy or comprehensive plan that not only complements but also champions organizational goals.
  • IT Risk Budget: There is an increase in risk management budgets, with organizations establishing risk functions, hiring senior risk practitioners, purchasing ERM tools, seeking insurance, engaging external consultants to advise on their risk strategy, and investing overall in their ERM programs.
  • Senior management buy-in: Senior management is buying in, and board committees are exemplifying a commitment to the ERM programs in the organization.
  • Agile methodology adoption: Some organizations have adopted agile ERM practices to ensure iterative, continuous monitoring, and timely reporting on risks.
  • Fresh thinking & best practice: The majority of risk practitioners combine fresh thinking with established best practice when approaching emerging risks, innovatively applying both to deliver the best possible outcomes for ERM.
  • Training and awareness: Organizations have embarked on comprehensive and continuous training of all employees on the ERM strategy to ensure that risk is understood and known, thereby establishing a risk-aware culture.
  • IT Risk roles & accountability: Organizations are sponsoring control self-assessment exercises, developing risk scenarios, and employing Chief Risk Officers (CROs) and Digital Trust Officers (DTOs) to oversee I&T-related risk practices.
  • IT Risk reporting: Through the use of risk maps, board risk committees are able to view and monitor risk rankings in defined ranges of frequency and magnitude. Modern organizations have established a culture of continuous risk monitoring and reporting to decision-makers.
  • ERM Automation: Traditional organizations are dead in this digital age; they stayed stuck in the digital nursery, while organizations that have embraced digital trust and transformation have automated their Enterprise Risk Management frameworks (ERMs) to enable continuous reporting and continuous monitoring of I&T-related risks in a timely manner. ERM automation allows risk analysis to be done more effectively, efficiently, extensively, and continuously. The I&T-related risk landscape evolves, and yesterday’s preferred controls may not address today’s emerging risks. ERM automation therefore makes data from multiple business units visible, simplifies risk analysis, reduces costs, and allows IT risk professionals to make more accurate decisions regarding the organization’s overall risk appetite.
  • Threat intelligence: Modern organizations are leveraging tools to research and analyze risk trends and technical developments, providing an understanding of potential risks, threat events, and related threat actors.
  • Third-party risk management: Modern organizations engage their vendors from onboarding until exit to effectively manage I&T-related risks. As I always say about vendor management: “When you include your vendors in your enterprise risk management strategy, they will become key partners in assisting you to mitigate your known and emerging I&T-related risks, and hence play a key role in helping your organization accomplish common goals or objectives.”
  • Lastly, risk culture: It is said that “culture eats strategy for breakfast”, so sound boards and management teams pay close attention to their company cultures to ensure the effectiveness of risk management programs.

Conclusion: A commendable approach to I&T-related risk management requires keen attention to establishing a risk-aware culture rather than a risk-blame culture. I published a blog with ISACA in which I highlighted scenarios that reflect a risk-aware or risk-blame culture in different organizations. Read more here: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/risk-aware-or-risk-blame-culture-in-an-organization

How are you approaching I&T-related risk management in your organizations?

Author

Veronica

Published Author | Director, One In Tech, Foundation | Director, ISACA Board of Directors | IT Audit Professional | Speaker | Member of National Association for Corporate Directors | Vlogger | CISO | Global Mentor | Data Privacy Solutions Engineer | Award Winner in the Cybersecurity industry
