Apr 25, 2008
Global financial firms recognize the need to improve the alignment of IT risk management with the rest
of the organization, according to a report by Ernst & Young Financial Services (New York). In its
recently released study of 145 global financial institutions conducted in August and September 2007,
E&Y found that the majority of institutions are dedicating resources to converge existing, disparate IT
risk assessment processes into a single approach to reduce costs and improve transparency.
While more than three-quarters (78.6 percent) of survey respondents said they plan to increase their
financial investment in IT risk management in the next 12 to 18 months, Bill Barrett, technology and
information leader in E&Y's financial services office, says financial institutions still need to do more to
eliminate problems stemming from multiple risk languages, differing control processes and duplication
of effort. "Financial services have not effectively aligned their IT risk management with their overall
organizational management strategy," he contends. "There is a need to better align IT risk management
with the overall internal and external risk management processes of the organization. We see IT risk
management as an element of overall operational risk management, and there is an opportunity to more
effectively align IT risk management with operational risk management."
Same Old Siloed Story

Lack of alignment is caused, in part, by IT's historically siloed approach to technology risk management,
Barrett explains. "Within IT, one group is responsible for information security risk, one group is
responsible for disaster recovery and business continuity, and another group manages project risk," he
says. The existence of multiple IT organizations within the largest financial institutions also makes
getting a holistic view of IT risk at the CIO level very difficult, Barrett adds.
Automation tools, however, can make it easier to integrate IT risk management with the rest of the
organization, Barrett says. "Automation tools used to be siloed and addressed individual components of
risk management," he continues. "But those tools have become more integrated and make IT risk
management more efficient than ever before." Barrett gives high marks to organizations using
dashboards to more effectively disclose risk exposure to management.
In addition, the cost of automation technologies, such as workflow tools, is coming down, notes Adam
Honore, senior analyst with Boston-based Aite Group. This makes it much easier for banks to justify the
E&Y's Barrett points out that an organizational overhaul isn't necessary to improve alignment of IT risk
management. Rather, he suggests, companies can do a better job of linking different areas of the
organization -- such as IT, audit and compliance -- through standardized processes so they are talking
the same risk language.
Better enterprise data management also is key, Aite's Honore stresses. He points out, however, that
while IT executives are well aware of the importance of data structure projects, the cost often makes it
difficult to sell such initiatives to upper management since the return doesn't include new products or
services. To combat this, he insists, upper management must be educated about the dangers of poor IT
risk management.

Key Success Factors for an Effective IT Risk Management Program
• Leadership direction and management support.
• Managed accountability and authority to effect change.
• Close alignment with the corporate culture.
• Consistent and standardized risk management processes supported by tools and technology.
• Measurable results.
Source: Ernst & Young, "Managing Information Technology Risk"