



IT's Role In Enterprise Risk Management

May 12, 2005 | 6 min read
CSO and CISO | Data and Information Security | Risk Management

by Michael Rasmussen and Paul Stamp


Increased regulation and more stringent contractual obligations have resulted in greater accountability for corporate officers when it comes to managing risk in their organizations. Companies are facing pressure to adopt a comprehensive approach to risk management, and nowhere is this more evident than in the IT department. IT risk and compliance are central to many organizations' enterprise risk management strategies, and this in turn is having a profound effect on the way IT departments approach their responsibilities and interact with the rest of the organization. The role of IT in enterprise risk management is twofold. First, IT has to manage risk and compliance within the IT department itself. Second, IT becomes an enabler for enterprise risk management by using technology to proactively monitor and manage broader business risks and compliance.


Organizations are structuring enterprise risk management (ERM) to identify and manage risks to the organization. The goal is to understand and manage threats alongside risks associated with new business opportunities. Corporate disasters, market and economic pressures, and increased regulatory oversight are requiring that organizations manage risk and compliance. Where risk ignorance was once the norm, now organizations are driving toward a state of risk awareness.

Defining Enterprise Risk Management

At the highest level, risk falls into three categories:

  • Credit risk: the risk of economic loss suffered due to the default of a borrower or counterparty.
  • Market risk: the exposure to potential loss that would result from changes in market prices or rates.
  • Operational risk: the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. [1]

These three categories look at the downside of risk: threats and losses. Risk management, however, is also about taking risks deliberately, that is, understanding the opportunities for potential gain in markets and operations.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:

. . . a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. [2]

In an effort to measure and control risk and compliance, organizations are looking for a structured approach that lets them quantify risk, establish risk appetite and tolerance, identify and prioritize controls, and maintain a system of record for how they respond to risk and compliance obligations.

Multiplicity Of IT Risk Drives A More Structured Approach

As organizations rely more heavily on their IT infrastructure, IT risk and compliance become central components of operational risk. Companies are stepping up efforts to formalize IT risk and compliance management and integrate them into their overall ERM program (see Figure 1 and see Figure 2).

The complexity of today's business environment, in which organizations depend not only on their own IT and processes but also on those of multiple business partners, means that organizations face a plethora of interdependent IT risks. Increased liability and regulatory oversight of organizations' information handling means that companies are obligated to take a more structured approach to IT risk management.

This has driven a huge growth in interest in IT governance frameworks such as COBIT, operations frameworks such as ITIL, and security frameworks such as ISO 17799. Many organizations are starting to implement these frameworks, or at least to adopt their underlying principles, in their own IT risk management programs.

IT Morphs Into An ERM Enabler

So far, IT has played a largely reactive role in ERM, a role focused on responding to IT risk and meeting IT compliance requirements. But IT is morphing into a central role that facilitates ERM, automating risk management and measurement processes.

Organizations are moving toward using technology to provide dashboards, business intelligence, business process management, compliance/control systems, and environment monitoring technologies to identify and manage risks in real time. In these capacities, IT will enable organizations to move from risk ignorance to risk awareness and control, and it will move from managing its own risks to being the critical linchpin that makes enterprise risk management a reality.

Figure 1: ERM Programs Are Developing, And So Are Their IT Counterparts

Figure 2: IT Has A Seat At The Enterprise Risk Management Table



To prepare for enterprise risk management, IT needs to:

  • Get invited to the ERM table. If the organization has established an enterprise risk management program, IT should have a prominent seat at the risk table. If IT is not currently engaged in enterprise risk management, the CIO must clearly articulate the role of IT risk and compliance and their impact on the broader organization.
  • Build the ERM table if it's not already there. Many organizations have siloed risk management programs that look at only one aspect of risk, such as information security. If this is the case, IT should facilitate building an enterprise risk management program. This can start with a working group that brings together risk and compliance owners from across the business. Because IT underpins every other function, it is well placed to identify the interdependencies between risks in these silos and to supply the technology that makes enterprise-wide risk communication practical.
  • Establish IT risk and compliance oversight. From compliance and privacy to business continuity and IT project risk, IT has significant risk and compliance concerns within its own domain. Large organizations should appoint risk and compliance officers specifically to manage IT's risk and compliance efforts. IT/information security and business continuity would ideally report into this role for consistency, unless those functions already report outside of IT to a chief risk officer.
  • Develop a risk and compliance technology strategy. IT needs a comprehensive and measurable view of risks both within IT and in the broader business framework of ERM. It should therefore evaluate risk and compliance dashboards and management systems. When assessing these technologies, look in particular for scalability and for the ability to integrate with ERP, BPM, and BI systems.



IT is in the process of evolving its approach to risk and compliance:

  • Yesterday. IT was focused on firefighting and reacting to risk and compliance demands as they arose.
  • Today. IT is proactively managing risk and compliance within the IT department.
  • Tomorrow. IT will move beyond proactively managing its own risk and compliance to a point where technology is used across the business to build a "central nervous system" for risk, one that monitors risk and compliance thresholds throughout the organization in real time.


[1] These generally accepted risk categories were established by the Bank for International Settlements, particularly in the Basel I and Basel II capital accords. For additional information, see "Basel II: Revised international capital framework."

[2] COSO is the Committee of Sponsoring Organizations of the Treadway Commission. It is a cooperative effort between the American Institute of Certified Public Accountants, the American Accounting Association, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants. Further information on COSO and its Enterprise Risk Management framework can be found on the COSO website.