Better Integrate IT Risk Management With Enterprise Risk Activities

As IT security executives seek to gain greater buy-in for their risk mitigation efforts in 2013, they should be looking to improve their enterprise relevance, experts say. And in order to gain that, IT governance, risk, and compliance (GRC) programming has to be better merged with overall enterprise risk management strategies.

"By aligning IT GRC with its cousins in financial and legal GRC, organizations can accelerate GRC program growth and maturity to better realize the value of information risk management and its disproportionately high impact on operational risk management," says Ben Tomhave, senior consultant for security consultancy LockPath.

[How are CISOs preparing for 2013? See 7 Risk Management Priorities For 2013.]

As Ernst & Young (EY) explained in a report this summer on overall enterprise risk management practices (PDF), risk control and compliance activities tend to grow "fragmented, siloed, independent, and misaligned" as the organization grows. This is a problem considering that the board of directors rarely views risk in separate buckets.

"A challenging economy, natural disasters, and technology threats have dominated the news of recent years," says Jerry Goldberg, partner at Navigate, a management consulting firm in Philadelphia. "Governance boards and executives are under increased scrutiny to provide shareholders with peace of mind that a company's risks -- strategic, operational, financial, and compliance -- are proactively being identified and mitigated."

Unfortunately, when IT risk management is siloed off from the rest of the enterprise risk management program, it becomes difficult to offer that peace of mind when communication is confused because the language that IT risk managers speak doesn't jibe with the language financial risk managers speak, for example.

"Many organizations do not manage risk in a holistic way," says Bryan Fite, BT Assure portfolio manager for BT Global Services U.S. and Canada operations. "However, it does provide a unique opportunity for the savvy security professional to bring the silos together by normalizing the way they express, communicate, and treat risk."

This is increasingly apropos considering how the intersection of technology with new business processes has upped the relevance of IT risks on overall business operations.

"Business operations are increasingly reliant on information technology, and with the convergence of the business and the information technology environment comes new kinds of vulnerabilities, risks, and threats," says Vasant Balasubramanian, a vice president of product management for GRC vendor MetricStream. "Organizations are quickly turning to IT GRC programs to facilitate true enterprisewide risk management, provide increased resource savings, and ensure compliance with new laws and mandates, all of which enables organizations to thrive in this increasingly complex business and IT landscape."

According to EY consultants, one of the most important steps to achieving a more consistent enterprise risk management approach is to use consistent methods and practices across disparate risk management activities. That means IT security has to coordinate with financial and operational risk managers across the organization. On the flip side, EY also suggests common information and technology platform to collect metrics and track risk management activities.

"Now more than ever, organizations need to have a comprehensive and coordinated governance, risk, and compliance management approach," says Paul van Kessel, global IT risk and assurance leader for EY. "Technology can play an important role in enabling change and in finding the right balance among risk, cost, and value across the enterprise."

Not only will this alignment help meet the baseline goals of reducing immediate risks to technology infrastructure and to the processes it supports, but better alignment with business objectives could give IT risk managers the opportunity to offer greater business value though previously unheard of performance gains.

"Further evolution of GRC processes, such as data mining and modeling, could transform a company's risk management program into one that drives action, facilitating process improvement and re-engineering, and ultimately resulting in performance gains," says Steve Schlarman, eGRC solutions architect for RSA.

In fact, numbers from EY substantiate those claims. The firm found that companies in the top 20 percent of risk maturity generated three times the level of earnings as those in the bottom 20 percent, based on a review of more than 2,750 analyst and company reports.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.