Aligning IT risks with Enterprise Risk Management (ERM)
An organization’s viability depends more than ever on its ability to maneuver a minefield of emerging risks. That’s a formidable challenge, particularly in an era in which cyberthreats can disrupt operations overnight and prompt a volley of questions from business leaders the next day.
After a disruption results from a cyber or IT failure, for instance, executives will want to know why the IT team didn’t prevent the disruption – or at least anticipate it and respond more effectively and quickly. They may also ask why estimates of the duration and consequences of the event were inaccurate or lacking.
If the organization has unified enterprise and IT risk management, the combined team can more readily answer these questions. Integrated enterprise risk management (ERM) and IT risk programs help a company consolidate enterprise risks and IT threats and vulnerabilities. This makes it easier to identify vulnerabilities and proactively facilitate risk management across the enterprise. Alignment also ensures that the integrated risk management strategy incorporates the organization’s business objectives.
Unlike ERM, IT risks are often addressed within siloed departments such as cybersecurity, regulatory compliance, business continuity, IT operations, and project management.
To help pave the way to successful integrated risk programs, leaders in IT, security and risk leaders should:
- Explore and identify risks by category, such as financial, reputational, regulatory, operational, and strategic. Be sure to consider the entire lifecycle of risks.
- Determine your organization’s tolerance for risk, and then identify processes and controls that can reduce the likelihood and impact of inherent threats. Risk mitigation also should include opportunities to improve IT processes and overall operations.
- Develop a custom risk-response strategy and implement measures to contain risks at acceptable levels. Organizations should integrate this strategy with business continuity programs to create a comprehensive plan for resuming core operations for the short, middle, and long terms.
Once the foundational elements are in place, organizations can use qualitative and quantitative metrics to further refine the integrated plans using risk evaluation. Robust metrics examine three key dimensions of risk: the likelihood, potential consequences, and velocity of risks. Companies can calculate risk severity by measuring possible hindrances to overall enterprise objectives. The following outlines metrics for the three risk dimensions.
1. Likelihood — Plot the likelihood of risks on a numeric scale and include a threshold at which a risk becomes a business priority. For instance, a company might assign a risk value to threats on a numeric scale of 0 to 25 and prioritize those ranked at 15 and above.
2. Impact — Estimate potential damage by identifying likely consequences such as lost productivity, lower revenues, system downtime, reputational damage, and response and remediation costs. For a more complete forecast, factor in the duration of impact: the hours, days, weeks, or months that systems and processes will be compromised or inoperable.
3. Velocity — Understand the destructive capacity of risks by factoring in velocity. This comparatively new metric tracks the speed at which a threat can spread and affect operations across the enterprise. Organizations can measure velocity by using simple qualitative metrics like high, medium, or low. A quantitative comparison will be similar to the duration of impact.
These metrics help organizations plan pre-emptive controls and post-incident responses to address threats and mitigate impact more quickly. Companies should embed the results of the metrics in corporate strategy, business drivers, and a risk-aware corporate culture, then align them with overall ERM and organizational priorities.