IT risk too hot to handle?

11 Oct 2005

A survey has identified IT risk as a major issue, with many organisations taking it so seriously that it’s considered too important a task to leave to the chief information officer (CIO).

Findings from the Economist Intelligence Unit’s (EIU) report, entitled Digital Risk: The Challenge for the CRO, show that IT risk has become one of the most significant business threats.

As a background to the current situation, almost 60pc of companies surveyed incurred significant financial damage as a result of systems failure in the past 12 months. A third of respondents said they suffered financial damage from cyber crime such as hacking and phishing over the same period. The result is that 48pc of senior executives now see IT risk as a high or very high risk to their business.

The survey of 218 senior risk managers in companies across a range of industry sectors took the views of CEOs, chief financial officers, chief risk officers (CROs) and other executives responsible for managing risk.

More than one third of firms require close oversight from the CEO. The chief information officer (CIO) remains the primary person responsible for IT risk in most companies, but one third of CROs now spend at least 15pc of their time addressing technology risks, the survey found.

Almost half of those polled (48pc of respondents) said one of the main difficulties in managing risk is an over-reliance on IT management to control electronic risks. Chief among these threats is cyber crime, as cited by 55pc of respondents.

Respondents also recognise a factor that those in the security industry have been pointing out for some time – namely, that remote working is a source of risk: 57pc of executives surveyed acknowledged that the trend towards allowing staff to work outside the office increases their organisation’s exposure to electronic threats.

The survey also highlighted a grey area over the responsibilities of CIOs and risk managers in dealing with how risk affects IT, because the technology is complex and technical issues are difficult to communicate. Two in five risk managers said their understanding of IT risks was moderate, limited or poor. Some 42pc said that a lack of communication between the technology and the risk functions was a stumbling block in addressing IT-related issues. According to the report, the roles and responsibilities of CIOs and CROs must be clearly defined in order to ensure that any risks are managed and tracked properly.

Commenting on the report, Daniel Franklin, editorial director of the EIU, said: “Digital risk has become too big an issue to leave exclusively to IT managers. Risk managers need to ensure IT threats are addressed as part of their wider strategy for enterprise risk management.”

By Gordon Smith