“The most successful technology GRC programs have initially identified the various internal and external groups responsible for auditing and monitoring compliance across the organization. The charters and scope of these groups are aligned, where possible, with the key technology risks identified by management to avoid redundant efforts.” – PwC, Leveraging IT Risk Management to Boost Competitive Advantage
To keep pace with today’s dynamic risk environment, it is increasingly important to advance IT risk efforts toward a state of continuous risk monitoring. One common impediment to advancing IT risk maturity is a siloed approach to IT governance, risk, and compliance, which results in inefficient, reactive, and costly risk management efforts.
Aggregated IT risk data and formal alignment among risk groups are critical for achieving continuous risk monitoring. Although all three lines of business are involved in managing IT risk, only 10% of respondents in AuditBoard’s IT Risk Survey said there were distinctly articulated responsibilities and roles for doing so. Tellingly, the majority of survey respondents also stated that “poor coordination between the three lines” was the biggest challenge to maturing their IT risk program.
Source: AuditBoard, 2021 IT Risk Management Survey
The benefits of decreasing silos in favor of integrating efforts include:
- Enhanced visibility into IT risks due to integrated risk data and insights.
- Elimination of redundant risk management activities across business groups.
- More aligned reporting of IT risk insights to executive management.
- Greater efficiency and coordination among groups that increases over time.
Develop an IT Risk Management Charter
The first step is to formally establish a governance process for IT risk management in a charter. This charter should clearly define accountability and responsibility for each aspect of the IT risk management program and be aligned with the company’s overall risk tolerance. It is also important to ensure the IT risk charter is aligned with the charters and scope of the individual groups responsible for auditing and monitoring IT compliance across the organization. An additional best practice is to align the scope, objectives, and activities of internal audit with the IT risk program to minimize duplication and overlap of audit activities.
Create a Universal Risk Taxonomy and Risk Scoring System
Developing a universal risk taxonomy that uniformly defines policies, standards, procedures, and internal controls for use across all risk groups is critical for eliminating multiple, contradictory definitions. Nearly 90% of respondents in AuditBoard’s IT Risk Survey either have or are currently creating a standardized risk taxonomy. Additionally, nearly 90% of respondents also have or are currently developing a risk scoring system for use across functions in risk assessments. Using a universal risk scoring system for IT risk assessments also contributes to greater cohesion in overall IT risk management activities.
Source: AuditBoard, 2021 IT Risk Management Survey
Purpose-built, cloud-based risk management solutions that can integrate with existing solutions can facilitate the implementation of universal risk taxonomies and risk scoring systems. In addition, cloud-based systems enable remote collaboration among various IT risk stakeholders, consultants, and external auditors. Ultimately, when evaluating IT risk platforms, be sure to look for the following essential qualities:
- Consolidates risk data into a core system of record.
- Integrates with existing systems of record in the business.
- Automates manual processes in the risk management workflow (risk assessments, testing, issue management/follow-up, reporting).
- Brings deep domain expertise, with use cases specific to and optimized for IT risk groups.
- Provides an intuitive user experience.
- Is optimized for collaboration, with automated notifications, role-based permissions, and similar features.
Though implementing a solution is an investment of time and money, it is also an opportunity to embed continuous risk monitoring practices into the foundation of your organization’s IT risk program. The end result — an automated risk management framework — can set your organization up to successfully and efficiently manage IT risk in the months and years to come.
For a deeper dive into an integrated IT risk management approach, download the full 3 Fundamentals of Integrated IT Risk Management research report.