1.5 IT Risk Strategy of the Business
It is very important for a risk practitioner to understand the business's overall risk strategy, because it guides the development of an IT risk strategy that aligns with organizational goals and priorities.
IT risk must be measured not only by its impact on IT services but also by its impact on business operations.
Types of IT-related Business Risk
A CRISC aspirant is expected to understand the following types of risk:
Senior Management Support
Support from senior management is of utmost importance for the success of the risk management process.
Support from senior management ensures the budget, authority, access to personnel and information, and legitimacy needed to produce a successful result.
Senior management, having a strategic view and knowledge of the performance metrics and indicators, should be involved in the sign-off process for IT risk management.
Alignment with Business Goals and Objectives
Interaction with senior management is the best way to understand the goals and objectives of the organization.
This gives the risk practitioner insight into the potential and evolving risk universe of the organization.
The risk practitioner can enhance the risk management process by:
Understanding the business and its strategy
Taking proactive steps to secure new technologies and processes
Embedding the risk management process and culture into each business function
Being aware of and mitigating the risk of change
Watching for new threats and future issues
Risk appetite should be aligned with business objectives. This helps an enterprise evaluate and deploy valuable resources toward the high-risk areas that can impact business objectives.
Organizational Structures and Impact on Risk
For risk management to be effective, it should provide a consistent way to manage risk. The risk framework should serve as the basis for risk management across all departments and business functions.
The organization should have established three lines of defense, as follows:
First line should actively manage the risk.
Second line should guide, direct, influence and assess risk management processes.
Third line should have independent oversight, review and monitoring.
A key factor in managing risk is the size and diversity of the organization.
Information security governance models are highly dependent on the overall organizational structure and complexity of the business.
Risk management methodology depends on the risk culture of the organization.
RACI (Responsible, Accountable, Consulted, Informed)
The four roles involved in the risk management process are responsible, accountable, consulted and informed.
The RACI model assists in understanding the relationships and interactions between the various stakeholders, and the role of each stakeholder in the successful completion of the risk management effort.
Organizational Culture, Ethics and Behavior and the Impact on Risk
It is very important for a risk practitioner to determine the risk appetite of the organization.
It must be noted that risk appetite may change over time and hence requires periodic re-evaluation.
Ethics play an important role in risk management. Organizations with poor ethical standards may be more prone to the risk of fraud or theft.
Ethics relate to an individual's view of what is right and what is wrong. Policies and processes should be clearly communicated to address the risk of a person violating those ethics. Processes should be visibly enforced and equally applicable to all employees.
Laws, Regulations, Standards and Compliance
It is very important for a risk practitioner to know what laws apply to the organization.
It is advisable for organizations with a global presence to build a global program of policies and a control suite to handle the common regulations, and then to have regional or nation-specific addenda to handle the exceptions and their controls.
It is recommended to have a global policy that can be locally amended to comply with local laws.
In the case of foreign assignments, the most critical consideration is that the laws and regulations of the country of origin may not be enforceable in foreign countries.
Establishing an Enterprise Approach to Risk Management
It is ideal to have a standardized and structured risk management approach that can be applied to the entire enterprise without substantial modification or customization.
In the absence of a structured approach, there can be gaps in the risk measurement of different projects or systems.
Risk identified on a system-by-system or project-by-project basis creates a new risk of false assurance, because there is neither consistency nor interoperability among the risk solutions that are implemented.
The results of risk management in one process should be comparable to the results in another.
A critical part of establishing the risk management process is the availability of a concise and coherent risk management policy.
A compliance-oriented business impact analysis (BIA) will identify all of the compliance requirements with which the enterprise has to align, and their impacts on business objectives and activities.
Key aspects from CRISC exam perspective