IT Risk Management - Meeting the changing requirements and demands of today's business enterprises, July 2009

 

Changes in IT Risk Management
 
As a leading provider of Information Technology risk management services in Australia and the Asia Pacific region, RSM Bird Cameron is closely following developments in the IT risk management sphere during the economic slowdown. In recent months, a number of changes have occurred that underscore the need to align IT risk management services with shifting market demand.
 
Traditionally, IT risk management has been viewed as a professional service whose foremost purpose is to support external audits:

  • Assessing the effectiveness of general IT controls (i.e., control procedures affecting all IT infrastructure but not related to specific business application systems)
  • Evaluating the effectiveness of IT controls internal to computer application systems (the systems supporting business operations and administration)
  • Conducting specialist reviews (e.g., disaster recovery planning, business continuity planning, access and data security, pre-implementation reviews)
  • Undertaking data analysis and computer assisted audit techniques
These services remain vital to corporate clients. However, the needs of the IT risk management market have expanded due to (1) the rising importance of legislative and regulatory requirements pertaining to corporate governance, information and data management, and (2) the growing involvement of senior company executives and Board members in IT risk management. The concepts of IT risk management have now progressed far beyond traditional IT assurance, such that they are core components of organisational business and risk management strategies.
 
 
Increasing Exposure to IT Risks
 
A survey conducted at a recent workshop of Australian public sector risk management and internal audit executives gauged their views of IT risk. It showed that these executives are increasingly sensitive to the risks associated with enterprise IT systems and the data processed and stored in those systems, which they ranked as their highest priority.
 
The survey also found that senior risk management and internal audit executives are increasingly concerned about their ability to secure the human and technical resources required to manage and audit IT risks, especially the risk management capabilities needed to deliver the Internal Audit Strategic Plans approved by their Audit and Risk Committees.
 
 
Information Governance
 
High on the list of recent focus areas for Boards and members of the Executive is Information Governance.  
 
“Governance” is the set of responsibilities and practices exercised by the Board and Executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the organisation’s resources are used responsibly.
 
“Information” and the knowledge based on it have increasingly become recognised as business-critical assets without which most organisations would simply cease to function. Information is a business enabler requiring careful attention by senior managers and Board members. In today’s complex, interconnected world, protection of information assets has become a core corporate function that must be addressed at the highest levels of the organisation and not be regarded as a technical speciality with accountability relegated to the IT department.
 
An enlightened approach to information security takes the holistic view that an organisation’s information must be adequately protected regardless of how it is handled, processed, transported or stored. This model addresses organisational information at the total enterprise level, engaging the universe of risks, benefits and processes involved with all information resources.
 
In brief, information governance is not only a technical issue, but a business and governance challenge that involves competent risk management, reporting and accountability. Effective security requires the active involvement of executives to assess emerging threats and the organisation’s response to them.
 
 
IT Governance
 
A related subject of growing interest to Boards and the Executive is IT Governance. The subject is complex and diverse, including the following themes:
 
1. Importance of IT to the organisation; the extent to which it is relied upon to service the business requirements and ensure the integrity, availability and confidentiality of information
    How important is IT to the enterprise, and why?
    What is the contribution expected from IT to the overall business?
 
2. IT Performance
    How satisfied is the Executive with the current contribution of IT to the business?
 
3. IT Accountability
    What is the role of the business and IT stakeholders in governing IT?
    Where does the CEO look for IT leadership (leadership of IT)?
    Are accountabilities effectively defined and accepted?
 
4. Effectiveness of IT Governance
    Are IT governance efforts integrated with overall enterprise governance arrangements?
    How effective are IT governance arrangements within the organisation?
 
IT governance should be an integral part of corporate governance. Effective IT governance ensures that the technology investments generate value for the enterprise, IT resources are used responsibly, and IT risks are properly mitigated.
 
Views of Non-IT Executives
 
The Information Systems Audit and Control Association (ISACA) conducted research on information governance, surveying top non-IT executives to ascertain their views on IT’s contribution to the business and to identify the ways in which their enterprises govern IT. The results support the need for more focus and assistance in all areas of information governance.
 
Role of IT Risk Management Service Providers
 
The increased awareness of corporate managers of the importance of Information Technology risk management creates major opportunities for IT risk service providers:
  • Board members and senior executives are more approachable and willing to discuss IT risks and information management
  • Company managers are more likely to request, on their own initiative rather than at the prompting of auditors and risk managers, audit coverage of Information Technology and information about IT risks
  • There is greater acceptance by members of Boards and the executive of the need to educate employees about information management and to strengthen IT processes and controls
As corporate managers and Board members become more engaged in information governance, professional service providers should focus on aligning their suite of IT risk management services with the changing needs of clients:

IT Governance
  • Control & Governance Frameworks
  • Strategic Alignment
  • Performance Measurement
  • Benefits Realisation Reviews

Information Security
  • Confidentiality & Security
  • Custodianship/Ownership
  • Accountability & Responsibility

IT Project Governance
  • Integration Management
  • Time & Scope Management
  • Cost & Quality Management
  • Procurement Management
  • Compliance with Methodology

eDiscovery and CAAT (Computer Assisted Audit Techniques)
  • Data Extraction & Analysis
  • Data Asset Management
  • External Audit Support

Disaster Recovery and Business Continuity Planning

Post Implementation Reviews