In this article, Protiviti’s Jim DeLoach discusses two ways that risk management can contribute value to the organization (strategic and proprietary views). Jim makes many excellent points and the whole article is worth a thorough reading. I was interested in how these broader Risk Management concepts could apply to IT Risk Management. I’ve summarized my thoughts below:
Strategic View:
- IT should perform regular risk assessments, especially when considering major initiatives (like replacing a critical piece of software or changing an important process). These risk assessments should be revisited on a periodic basis to determine if critical assumptions have changed.
- Significant IT risks should be associated with quantifiable metrics (where possible) to act as early warning alerts that management’s assumptions are not accurate. As IT personnel, we have access to a considerable amount of systematically gathered information. Think about it: if you assumed you had mitigated an IT risk (like unauthorized access to critical systems) to a manageable level, wouldn’t you want to know if the controls you have implemented were failing?
Proprietary View:
I really liked the multiple lines of defense concept that Jim outlined. Specifically, he suggests three lines of defense:
- Business unit management and customer-facing process owners;
- Independent risk management and compliance functions; and
- Internal audit
In the case of IT, I would suggest that there is also value in a fourth, IT-centric line of defense: an internal IT risk management function. For organizations of sufficient size, having a team within IT to evaluate and proactively respond to risk events can prevent issues from significantly impacting the organization through the other lines of defense. It enables IT to shift from reacting to issues identified by these lines of defense to a proactive response.
What do you think about this article and the outlined approach? How can you see it being applied to IT?
Read the Article: A Value-Based Approach to Risk Management (via Corporate Compliance Insights)