April 25, 2008

Global financial firms recognize the need to improve the alignment of IT risk management with the rest of the organization, according to a report by Ernst & Young Financial Services (New York). In its recently released study of 145 global financial institutions conducted in August and September 2007, E&Y found that the majority of institutions are dedicating resources to converge existing, disparate IT risk assessment processes into a single approach to reduce costs and improve transparency.

While more than three-quarters (78.6 percent) of survey respondents said they plan to increase their financial investment in IT risk management in the next 12 to 18 months, Bill Barrett, technology and information leader in E&Y's financial services office, says financial institutions still need to do more to eliminate problems stemming from multiple risk languages, differing control processes and duplication of effort. "Financial services have not effectively aligned their IT risk management with their overall organizational management strategy," he contends. "There is a need to better align IT risk management with the overall internal and external risk management processes of the organization. We see IT risk management as an element of overall operational risk management, and there is an opportunity to more effectively align IT risk management with operational risk management."

Same Old Siloed Story

Lack of alignment is caused, in part, by IT's historically siloed approach to technology risk management, Barrett explains. "Within IT, one group is responsible for information security risk, one group is responsible for disaster recovery and business continuity, and another group manages project risk," he says. The existence of multiple IT organizations within the largest financial institutions also makes getting a holistic view of IT risk at the CIO level very difficult, Barrett adds.

Automation tools, however, can make it easier to integrate IT risk management with the rest of the organization, Barrett says. "Automation tools used to be siloed and addressed individual components of risk management," he continues. "But those tools have become more integrated and make IT risk management more efficient than ever before." Barrett gives high marks to organizations using dashboards to more effectively disclose risk exposure to management.

In addition, the cost of automation technologies, such as workflow tools, is coming down, notes Adam Honore, senior analyst with Boston-based Aite Group. This makes it much easier for banks to justify the investment, he says.

E&Y's Barrett points out that an organizational overhaul isn't necessary to improve alignment of IT risk management. Rather, he suggests, companies can do a better job of linking different areas of the organization -- such as IT, audit and compliance -- through standardized processes so they are talking the same risk language.

Better enterprise data management also is key, Aite's Honore stresses. He points out, however, that while IT executives are well aware of the importance of data structure projects, the cost often makes it difficult to sell such initiatives to upper management since the return doesn't include new products or services. To combat this, he insists, upper management must be educated about the dangers of poor IT risk management.

OPERATIONAL RISK

Key Success Factors for an Effective IT Risk Management Program

• Leadership direction and management support. ,

• Managed accountability and authority to effect change. ,

• Close alignment with the corporate culture. ,

• Consistent and standardized risk management processes supported by tools and technology.,

• Measurable results. ,

Source: Ernst & Young, "Managing Information Technology Risk"