Previously, in one of my information systems audit engagements, I collaborated on an IS audit project, and afterward a technical report was issued to senior management. During the exit meeting, one of the audit clients remarked: “I am now 100% sure that we are doing well, this report shows we are safe until next year”. In my mind I was thinking, what is he talking about? So, while giving my closing remarks, I mentioned that the controls management chooses to implement to mitigate these risks are only as effective as they are at the time they are implemented, not forever, i.e. scoring green (low risk) on most of the observations at that moment in time does not guarantee that you will not suffer a breach, that vulnerabilities will not arise, or that an emerging risk will not materialize.
Well, IT risks evolve, and not all risks are bad. Risks increase over time and come in different forms, which can cause varying degrees of disruption and damage to the business, but can also present opportunities to the organization. As a result of this increasing complexity, the approach to IT risk management has changed too. You cannot do the same thing every time and expect different results, so some organizations have adopted new approaches to risk management and have adapted to change depending on trends, the company’s risk profile, the clarity of the risk, and the IT risk appetite, keeping in mind that every company is unique, yet I&T-related risks touch all aspects of the business.
A new approach to IT risk management
- ERM automation: traditional organizations are dead in this digital age; most organizations have automated their ERM to enable continuous reporting and continuous monitoring of risks in a timely manner. ERM automation allows analysis to be done more effectively, efficiently, and extensively. The risk landscape evolves, and yesterday’s controls may not solve today’s risks. Therefore, ERM automation makes data visible from multiple business units, simplifies risk analysis, reduces costs, and allows risk professionals to make more accurate decisions regarding the organization’s risk.
- Structured methodology: when it comes to overall risk management, you may not be able to manage all risks fully, but the approach to managing risk should at least adhere to a structured methodology. Thus, the majority of risk functions have adopted a structured methodology for managing risks.
- Kill the risk manager, but ensure you have a risk coordinator: I don’t mean killing the individual; I mean the title “Risk Manager” within the organization. Everyone in the organization should be assigned a responsibility when it comes to IT risk management.
- IT risk is treated as part of the overall business risk, not a standalone risk. Therefore, organizations are allowing their risk appetite to guide their decision-making.
- Risk budget: risk management budgets are increasing, with organizations establishing risk functions, hiring senior risk practitioners, purchasing ERM tools, and overall investing in their ERM programs.
- Risk assessment strategy: organizations are approaching I&T risk management by preparing for and addressing possible security threats through a risk assessment strategy, a comprehensive plan that not only complements but also champions organizational goals.
- Tone at the top: the organization’s senior management and Board exemplify a commitment to the ERM programs in the organization.
- Agile ERM practices: some organizations have adopted agile ERM practices to ensure iterative, continuous monitoring and timely reporting on risks.
- Applying fresh practice: the majority of risk practitioners are applying their best thinking and fresh practice, combined with established best practices, when approaching emerging risks. They are innovatively applying fresh thinking to deliver the best possible outcomes for ERM.
- Training and awareness: organizations have embarked on comprehensive and continuous training and awareness for all employees on the ERM strategy.
- Lastly, a risk-aware culture: it is said that culture eats strategy for breakfast, so sound Boards pay keen attention to culture to ensure the effectiveness of risk management programs. I also urge that a better approach to risk management requires keen attention to establishing a risk-aware culture versus a risk-blame culture. I recently published a blog with ISACA in which I highlighted scenarios that reflect a risk-aware or risk-blame culture in different organizations. See more here: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2021/risk-aware-or-risk-blame-culture-in-an-organization
I first published this article here
Looking to upskill your knowledge in IT risk management? Here is how I did it.
How are you approaching IT risk management in your organizations? Leave a comment below.