Aligning IT risks with Enterprise Risk Management (ERM)

    An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.

    After a disruption results from a cyber or IT failure, for instance, executives will want to know why the IT team didn’t prevent the disruption – or at least anticipate it and respond more effectively and quickly. They may also ask why estimates of the duration and consequences of the event were inaccurate or lacking.

    If the organization has unified enterprise and IT risk management, the combined team can more readily answer these questions. Integrated enterprise risk management (ERM) and IT risk programs help a company consolidate enterprise risks and IT threats and vulnerabilities. This makes it easier to identify vulnerabilities and proactively facilitate risk management across the enterprise. Alignment also ensures that the integrated risk management strategy incorporates the organization’s business objectives.

    Presenting a united front against risks

    Unlike ERM, which takes an enterprise-wide view, IT risks are often addressed within siloed departments such as cybersecurity, regulatory compliance, business continuity, IT operations, and project management.

    To help pave the way to successful integrated risk programs, leaders in IT, security, and risk should:

    - Explore and identify risks by category, such as financial, reputational, regulatory, operational, and strategic. Be sure to consider the entire lifecycle of risks.

    - Determine your organization’s tolerance for risk, and then identify processes and controls that can reduce the likelihood and impact of inherent threats. Risk mitigation also should include opportunities to improve IT processes and overall operations.

    - Develop a custom risk-response strategy and implement measures to contain risks at acceptable levels. Organizations should integrate this strategy with business continuity programs to create a comprehensive plan for resuming core operations for the short, middle, and long terms.

    Focus on likelihood, impacts, and velocity

    Once the foundational elements are in place, organizations can use qualitative and quantitative metrics to further refine the integrated plans using risk evaluation. Robust metrics examine three key dimensions of risk: the likelihood, potential consequences, and velocity of risks. Companies can calculate risk severity by measuring possible hindrances to overall enterprise objectives. The following outlines metrics for the three risk dimensions.

    1. Likelihood — Plot the likelihood of risks on a numeric scale and include a threshold at which a risk becomes a business priority. For instance, a company might assign a risk value to threats on a numeric scale of 0 to 25 and prioritize those ranked at 15 and above. 

    2. Impact — Estimate potential damage by identifying likely consequences such as lost productivity, lower revenues, system downtime, reputational damage, and response and remediation costs. For a more complete forecast, factor in the duration of impact: the hours, days, weeks, or months that systems and processes will be compromised or inoperable.

    3. Velocity — Understand the destructive capacity of risks by factoring in velocity. This comparatively new metric tracks the speed at which a threat can spread and affect operations across the enterprise. Organizations can measure velocity with simple qualitative ratings such as high, medium, or low. A quantitative measure would resemble the duration-of-impact metric: the time a threat needs to propagate across the enterprise.

    These metrics help organizations plan pre-emptive controls and post-incident responses to address threats and mitigate impact more quickly. Companies should embed the results of the metrics in corporate strategy, business drivers, and a risk-aware corporate culture, then align them with overall ERM and organizational priorities.
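    To make the three dimensions concrete, here is an added Python example (not from the article or CohnReznick) of a small risk register that applies the article's 0-to-25 likelihood scale with a priority threshold of 15, combines estimated cost and duration into an impact score, and weights the result by velocity. The velocity weights, the cost-times-duration impact formula, and the sample register entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List

# Assumed scoring scheme built from the article's three dimensions:
# likelihood on a 0-25 scale with a priority threshold of 15,
# impact as estimated cost multiplied by duration, velocity as high/medium/low.
LIKELIHOOD_THRESHOLD = 15
VELOCITY_FACTOR = {"high": 3, "medium": 2, "low": 1}  # assumed weights


@dataclass
class Risk:
    name: str
    likelihood: int         # 0-25, the scale used in the article's example
    cost_estimate: float    # downtime, lost revenue, remediation (currency units)
    duration_hours: float   # how long systems or processes stay impaired
    velocity: str           # "high", "medium", or "low"

    def impact_score(self) -> float:
        # Impact grows with both the money at stake and how long the impairment lasts.
        return self.cost_estimate * max(self.duration_hours, 1.0)

    def severity(self) -> float:
        # Velocity multiplies impact: a fast-spreading threat reaches more objectives sooner.
        return self.likelihood * self.impact_score() * VELOCITY_FACTOR[self.velocity]


def validate(risk: Risk) -> None:
    if not 0 <= risk.likelihood <= 25:
        raise ValueError(f"{risk.name}: likelihood must be on the 0-25 scale")
    if risk.velocity not in VELOCITY_FACTOR:
        raise ValueError(f"{risk.name}: velocity must be high, medium, or low")


def prioritize(register: List[Risk]) -> List[Risk]:
    """Return risks at or above the likelihood threshold, highest severity first."""
    for risk in register:
        validate(risk)
    priority = [r for r in register if r.likelihood >= LIKELIHOOD_THRESHOLD]
    return sorted(priority, key=lambda r: r.severity(), reverse=True)


# Constructed sample register; the values are illustrative, not from the article.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", 18, 50_000, 72, "high"),
    Risk("Payroll SaaS outage", 20, 10_000, 8, "low"),
    Risk("Misconfigured backup retention", 9, 200_000, 240, "medium"),
    Risk("Phishing-led credential theft", 22, 25_000, 24, "high"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.name}: likelihood={r.likelihood} severity={r.severity():,.0f}")
```

    Note that the backup-retention entry carries the largest potential impact but falls below the likelihood threshold, so it is tracked rather than escalated; raising its likelihood estimate later would move it onto the priority list.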

    An integrated response to digital risks

    Rapid changes in technologies, compliance requirements, and threat complexity make it more difficult to prepare for and mitigate risks. Aligning ERM and IT risk helps organizations implement a defined, effective, and repeatable approach to assessing and prioritizing threats. It can also improve processes and reduce the costs of disruptive incidents. The most agile organizations develop their integrated risk management plans as a digital program and integrate them with digital transformation initiatives.


    Bhavesh Vadhani, Principal



    Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy