The added value of IT risk management

Companies are relying more and more on information technology (IT).

Today companies are growing faster than their ability to oversee and control their operations. What's more, the interdependencies and complexity of global markets have increased the risks businesses face, and the consequences can be even more serious than a decade ago. Protecting a company's value requires major investments not only to ensure day-to-day operations but also to avoid potential risks that could be detrimental to its survival.

In this environment, companies are relying more and more on information technology (IT). They have to be able to deal with new types of threats if they want to protect their assets, as well as improve their operational efficiency and market agility. Therefore, they must focus on ways to maximize their performance while staying within the confines of accepted risk.

IT risk management is vital because it strikes a balance between corporate performance and exposure to potential risks. Often lacking an overall vision, companies do not adequately assess risks and their impact on activities and productivity, which should ultimately be the goal of their investment. Consequently, they are not optimizing the value of their IT.

Role and bases of sound IT risk management

The main role of IT risk management is to prevent IT-related incidents, whether caused by an unplanned service disruption, a cyber attack, cost overruns in an IT project or noncompliance with a regulation. The types of incidents are numerous and can disrupt activities in many areas of an organization.

Regardless of an organization's structure, IT risk management is built around two components:

  • Risk governance: is the set of policies, procedures, frameworks, roles and responsibilities that enable an organization to gain an overall vision and make decisions regarding risks that can jeopardize the organization.
  • IT infrastructure: includes all computer equipment (servers, networks, etc.) and applications that support business units.

Therefore, to reap the benefits of IT risk management, it is crucial to develop these two components as much as possible.

An effective risk governance process is essential as it draws managers' attention to major risks and increases their involvement in the decision-making process based on the organization's strategic objectives. But sound IT risk management also requires an efficient infrastructure. Companies equipped with an efficient Infrastructure on average report fewer incidents and benefit from greater efficiency and alignment of IT with their business, and as a result increase their business volume. The quality of these components can be evaluated in different ways, for example using capability maturity model integration standards compliance audits, performance indicators, etc.

What measures should a business take to achieve effectiveness in both its risk governance and IT infrastructure?

An effective risk governance process is based on:

  • classifying business risks;
  • adopting a risk assessment methodology;
  • developing a dashboard to monitor key risk indicators.

Risk classification

Risk classification enables an organization to identify risks that are a threat and make a quantitative comparison, and then take appropriate action to mitigate those risks.

Risk assessment methodology

A rigorous methodology should be adopted to ensure comparability of the IT risk assessment results. If the company does not use a well-defined method, the auditor or risk manager will have difficulty reproducing the results of the analysis. In addition, a number of certifications such as ISO 27001 recommend adopting a recognized method.

Key risk indicators

Key risk indicators (KRI) alert the organization to a potential danger; however, maintaining a comprehensive KRI dashboard is a challenge. It is recommended to start with major risks that can directly affect the organization's mission or strategic objectives. For example, a company could focus on tracking key indicators, such as IT project completion rates, the number of intrusion attempts, infrastructure recovery times, etc.

While the adoption of these practices is not an indication of the effectiveness of the risk governance process, it is a clear sign that the organization has made it a priority.

The effectiveness of IT infrastructure management depends on:

  • a mature IT infrastructure;
  • a simple IT architecture; and
  • a clear link between IT and business processes.

A mature IT infrastructure

An outdated IT infrastructure is a major source of risks. It is important for the person responsible for the infrastructure to ensure that the IT assets are always up to date to prevent any malicious users from exploiting the infrastructure's vulnerabilities. Note for instance that servers that are not updated regularly are hackers' main targets.

A simple and non-complex IT architecture

Good IT management is based on simple architecture. Complex interdependencies overburden recovery and maintenance processes and are especially difficult to change. Many organizations have lost new markets due to an IT infrastructure that is too complex and heavy to keep up with changes in the business and seamlessly shift towards new strategic objectives.

A clear link between IT and business processes

A clear link between business processes and IT is critical. It is especially important to understand the information technology that supports a business process. In this way, it is easier to assess risks and especially to mitigate them as effectively and economically as possible. It is also easier to prioritize IT projects if the effects on business processes are clear and the projects are in line with the organization's strategic directions.

Added value of IT risk management

Running a business comes with its share of risks. In order to stay competitive in the global marketplace, a company must have an enterprisewide view of its risk exposure, treating IT risks the same way as other business risks.

According to South African judge Mervyn King, who chaired the King Committee on Corporate Governance, "Enterprise is the undertaking of risk for reward. A proper understanding of the risks accepted by a company in the pursuance of its objectives, together with the strategies employed to mitigate those risks, is thus essential to a proper appreciation of its affairs by the board and relevant stakeholder."

There is no shortage of companies that have experienced enormous losses due to a weakness in their IT infrastructure or the lack of adequate IT risk governance, from technical deficiencies (such as service disruptions) to security breaches (such as the disclosure of confidential data) or simply an IT infrastructure that is so complex it cannot keep up with changes in the business.

Besides aligning IT with business objectives, good IT risk management adds value in many respects to an organization. Here are a few examples:

Strengthens IT governance

A number of studies have found that companies spend more than 4% of their revenue on IT. Consequently, boards require that these IT investments produce results in keeping with the company's business objectives. An IT or business risk-based approach to investments reduces duplication of efforts and provides an overall picture of the IT department's priority needs.

Mitigates risk more effectively

In recent years, a number of organizations went through nightmarish experiences when their clients' confidential information ended up on the Internet. Many large Quebec enterprises made headlines because their clients' confidential information was disclosed online. An effective IT risk management program prioritizes risks and ensures that the most at-risk areas are dealt with in a timely manner and that management is informed of any residual risks.

Harmonizes IT controls and compliance

The risk analysis process and audit process can be disparate. However, if risk governance is adequate, these two processes can use a common control framework to develop IT controls and measure their efficiency. Implementing a framework that meets internal and external compliance requirements and is in line with the risk management governance process reduces work duplication and ensures consistency in risk mitigation measures.

Simplifies compliance with regulations

Organizations are required to comply with various legislation and standards, such as SOX, HIPAA, PCI DSS, SAS 70, SSAE-16 or ISO 27001. The financial penalties imposed for noncompliance have forced executives to focus exclusively on audit and compliance. As indicated above, effective risk management governance harmonizes IT and compliance controls, and by extension simplifies the audit process and reduces related recurring costs.


Organizations with an effective IT risk management program note a direct effect on their performance — fewer losses due to IT incidents, more gains resulting from highly effective IT, better alignment of IT with business objectives and increased business volume, often a key factor in successfully moving into new markets.

However, effectiveness also requires going beyond basic measures, i.e. identifying and analyzing risks, safeguarding IT assets and tracking potential threats. With an effective IT risk management program, an organization is forced to simplify its IT structure and switch from a reactive to a proactive mode. In conclusion, effective IT risk management results in an organization taking risks, without too much risk.