Aligning IT risks with Enterprise Risk Management (ERM)
An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.
After a disruption results from a cyber or IT failure, for instance, executives will want to know why the IT team didn’t prevent the disruption – or at least anticipate it and respond more effectively and quickly. They may also ask why estimates of the duration and consequences of the event were inaccurate or lacking.
If the organization has unified enterprise and IT risk management, the combined team can more readily answer these questions. Integrated enterprise risk management (ERM) and IT risk programs help a company consolidate enterprise risks and IT threats and vulnerabilities. This makes it easier to identify vulnerabilities and proactively facilitate risk management across the enterprise. Alignment also ensures that the integrated risk management strategy incorporates the organization’s business objectives.
Unlike ERM, IT risks are often addressed within siloed departments such as cybersecurity, regulatory compliance, business continuity, IT operations, and project management.
To help pave the way to successful integrated risk programs, leaders in IT, security and risk leaders should:
- Explore and identify risks by category, such as financial, reputational, regulatory, operational, and strategic. Be sure to consider the entire lifecycle of risks.
- Determine your organization’s tolerance for risk, and then identify processes and controls that can reduce the likelihood and impact of inherent threats. Risk mitigation also should include opportunities to improve IT processes and overall operations.
- Develop a custom risk-response strategy and implement measures to contain risks at acceptable levels. Organizations should integrate this strategy with business continuity programs to create a comprehensive plan for resuming core operations for the short, middle, and long terms.
Once the foundational elements are in place, organizations can use qualitative and quantitative metrics to further refine the integrated plans using risk evaluation. Robust metrics examine three key dimensions of risk: the likelihood, potential consequences, and velocity of risks. Companies can calculate risk severity by measuring possible hindrances to overall enterprise objectives. The following outlines metrics for the three risk dimensions.
1. Likelihood — Plot the likelihood of risks on a numeric scale and include a threshold at which a risk becomes a business priority. For instance, a company might assign a risk value to threats on a numeric scale of 0 to 25 and prioritize those ranked at 15 and above.
2. Impact — Estimate potential damage by identifying likely consequences such as lost productivity, lower revenues, system downtime, reputational damage, and response and remediation costs. For a more complete forecast, factor in the duration of impact: the hours, days, weeks, or months that systems and processes will be compromised or inoperable.
3. Velocity — Understand the destructive capacity of risks by factoring in velocity. This comparatively new metric tracks the speed at which a threat can spread and affect operations across the enterprise. Organizations can measure velocity by using simple qualitative metrics like high, medium, or low. A quantitative comparison will be similar to the duration of impact.
These metrics help organizations plan pre-emptive controls and post-incident responses to address threats and mitigate impact more quickly. Companies should embed the results of the metrics in corporate strategy, business drivers, and a risk-aware corporate culture, then align them with overall ERM and organizational priorities.
InsightFed chief: Cyberattacks are the greatest risk to the financial sectorBhavesh Vadhani, Jeremy SwanCybersecurity is the responsibility of everyone participating in the economy. Read about the current risks and top threats financial institutions should watch for.
InsightVirginia’s new privacy law offers a preview into the future of privacy and complianceBhavesh Vadhani, Deborah NitkaRead how the new data privacy legislation compares with the CCPA and GDPR, what affected companies should do moving forward, and more.
InsightSupport rapid delivery of secure software with DevSecOpsBhavesh Vadhani, Thomas McDermott, Tauseef ShaikhThe DevSecOps software development model has security built into all phases of its lifecycle, which can help reduce flaws and the costs of fixing them. Learn more.
InsightHow to assess risk for emerging technologies – before you use themBhavesh Vadhani, Thomas McDermottDon’t start using artificial intelligence, robotic process automation, and other newer tools without taking these steps to protect your organization and data.