Aligning IT risks with Enterprise Risk Management (ERM)
An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.
After a disruption results from a cyber or IT failure, for instance, executives will want to know why the IT team didn’t prevent the disruption – or at least anticipate it and respond more effectively and quickly. They may also ask why estimates of the duration and consequences of the event were inaccurate or lacking.
If the organization has unified enterprise and IT risk management, the combined team can more readily answer these questions. Integrated enterprise risk management (ERM) and IT risk programs help a company consolidate enterprise risks and IT threats and vulnerabilities. This makes it easier to identify vulnerabilities and proactively facilitate risk management across the enterprise. Alignment also ensures that the integrated risk management strategy incorporates the organization’s business objectives.
Unlike ERM, IT risks are often addressed within siloed departments such as cybersecurity, regulatory compliance, business continuity, IT operations, and project management.
To help pave the way to successful integrated risk programs, leaders in IT, security and risk leaders should:
- Explore and identify risks by category, such as financial, reputational, regulatory, operational, and strategic. Be sure to consider the entire lifecycle of risks.
- Determine your organization’s tolerance for risk, and then identify processes and controls that can reduce the likelihood and impact of inherent threats. Risk mitigation also should include opportunities to improve IT processes and overall operations.
- Develop a custom risk-response strategy and implement measures to contain risks at acceptable levels. Organizations should integrate this strategy with business continuity programs to create a comprehensive plan for resuming core operations for the short, middle, and long terms.
Once the foundational elements are in place, organizations can use qualitative and quantitative metrics to further refine the integrated plans using risk evaluation. Robust metrics examine three key dimensions of risk: the likelihood, potential consequences, and velocity of risks. Companies can calculate risk severity by measuring possible hindrances to overall enterprise objectives. The following outlines metrics for the three risk dimensions.
1. Likelihood — Plot the likelihood of risks on a numeric scale and include a threshold at which a risk becomes a business priority. For instance, a company might assign a risk value to threats on a numeric scale of 0 to 25 and prioritize those ranked at 15 and above.
2. Impact — Estimate potential damage by identifying likely consequences such as lost productivity, lower revenues, system downtime, reputational damage, and response and remediation costs. For a more complete forecast, factor in the duration of impact: the hours, days, weeks, or months that systems and processes will be compromised or inoperable.
3. Velocity — Understand the destructive capacity of risks by factoring in velocity. This comparatively new metric tracks the speed at which a threat can spread and affect operations across the enterprise. Organizations can measure velocity by using simple qualitative metrics like high, medium, or low. A quantitative comparison will be similar to the duration of impact.
These metrics help organizations plan pre-emptive controls and post-incident responses to address threats and mitigate impact more quickly. Companies should embed the results of the metrics in corporate strategy, business drivers, and a risk-aware corporate culture, then align them with overall ERM and organizational priorities.
InsightHEALTHCARE: Boost your cybersecurity and interoperability for the new remote landscapeCaroline Znaniec, Bhavesh Vadhani, Deborah NitkaAfter the rush to implement new technologies amid COVID-19, cybersecurity and privacy risks are higher than ever, and interoperability is critical. Learn more.
InsightNYDFS Cybersecurity Compliance: Maintaining Continuing ComplianceDaryouche BehboudiIs your financial services institution meeting the rigorous new cybersecurity requirements of 23 NYCRR 500? Here’s what to ask yourself, and how CohnReznick can help.
InsightFrom survival to revival: How CFOs can drive success in an upended economic landscapeKeith Denham, Swami VenkatIn the current business environment, chief financial officers can help maximize revenue, minimize costs, manage risk, and improve financial planning. Read more.
InsightImproving mobile app security in a BYOD worldBhavesh Vadhani, Deborah NitkaProtect your networks and data amid the rising use of personal devices for remote work and the security and privacy risks posed by Zoom, TikTok, VPN, and more.