Aligning IT risks with Enterprise Risk Management (ERM)
An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.
After a disruption results from a cyber or IT failure, for instance, executives will want to know why the IT team didn’t prevent the disruption – or at least anticipate it and respond more effectively and quickly. They may also ask why estimates of the duration and consequences of the event were inaccurate or lacking.
If the organization has unified enterprise and IT risk management, the combined team can more readily answer these questions. Integrated enterprise risk management (ERM) and IT risk programs help a company consolidate enterprise risks and IT threats and vulnerabilities. This makes it easier to identify vulnerabilities and proactively facilitate risk management across the enterprise. Alignment also ensures that the integrated risk management strategy incorporates the organization’s business objectives.
Unlike ERM, IT risks are often addressed within siloed departments such as cybersecurity, regulatory compliance, business continuity, IT operations, and project management.
To help pave the way to successful integrated risk programs, leaders in IT, security and risk leaders should:
- Explore and identify risks by category, such as financial, reputational, regulatory, operational, and strategic. Be sure to consider the entire lifecycle of risks.
- Determine your organization’s tolerance for risk, and then identify processes and controls that can reduce the likelihood and impact of inherent threats. Risk mitigation also should include opportunities to improve IT processes and overall operations.
- Develop a custom risk-response strategy and implement measures to contain risks at acceptable levels. Organizations should integrate this strategy with business continuity programs to create a comprehensive plan for resuming core operations for the short, middle, and long terms.
Once the foundational elements are in place, organizations can use qualitative and quantitative metrics to further refine the integrated plans using risk evaluation. Robust metrics examine three key dimensions of risk: the likelihood, potential consequences, and velocity of risks. Companies can calculate risk severity by measuring possible hindrances to overall enterprise objectives. The following outlines metrics for the three risk dimensions.
1. Likelihood — Plot the likelihood of risks on a numeric scale and include a threshold at which a risk becomes a business priority. For instance, a company might assign a risk value to threats on a numeric scale of 0 to 25 and prioritize those ranked at 15 and above.
2. Impact — Estimate potential damage by identifying likely consequences such as lost productivity, lower revenues, system downtime, reputational damage, and response and remediation costs. For a more complete forecast, factor in the duration of impact: the hours, days, weeks, or months that systems and processes will be compromised or inoperable.
3. Velocity — Understand the destructive capacity of risks by factoring in velocity. This comparatively new metric tracks the speed at which a threat can spread and affect operations across the enterprise. Organizations can measure velocity by using simple qualitative metrics like high, medium, or low. A quantitative comparison will be similar to the duration of impact.
These metrics help organizations plan pre-emptive controls and post-incident responses to address threats and mitigate impact more quickly. Companies should embed the results of the metrics in corporate strategy, business drivers, and a risk-aware corporate culture, then align them with overall ERM and organizational priorities.
InsightREAL ESTATE: How coronavirus will shape the smart workplaces of the futureVincent DermodyIn a post-pandemic world, office building design priorities will need to shift from function to the purpose of the space and the behavior of the people occupying it.
InsightRISK MANAGEMENT: As coronavirus spreads, factor cybersecurity into remote-work policiesShahryar ShaghaghiEfforts to limit coronavirus contagion have upended global commerce and shifted operating models in ways that are intensifying IT risks.
InsightRISK MANAGEMENT: Companies need proactive, continuous contingency planningThe COVID-19 outbreak should serve as a driver to increase organizational efforts related to contingency planning for all organizations and their vendors.
InsightA place for humans in real estate data architectureThe people living and working within a building’s four walls not only generate data, but they also bring it to life. Without people occupying and using its spaces, a physical building provides significantly less usable information on its own. No people equates to no leasing information, no occupancy data, no utility usage, no foot traffic reads, no sales generated, no amenities needed, no services provided, no maintenance requests, no qualitative feedback given.