As Irish organisations evolve their enterprise risk management practice, closely integrating the IT department into the overall ERM framework will avoid costly oversights, deliver more effective risk mitigation and a better return on ICT investment.
Enterprise Risk Management (ERM) is becoming increasingly common across Irish organisations seeking ways to protect business value and prioritise expenditure. But are IT departments integrated into this process, and what are the challenges they face?
When disengaged from the ERM process, IT managers are less likely to fully understand the rationale behind the business priorities set by management, with potentially serious consequences. In this situation, IT managers focus their ICT investment priorities on processes that directly affect their own department, or respond to a clear need such as threat management. Consequently, vital business services may go unprotected, resulting in issues such as data leakage, asset theft and reputational damage. The organisation’s compliance objectives may also be undermined.
Getting better value for ICT investment
To gain best return for ICT risk management investment, organisations must move away from an IT department-centred approach. By better aligning ICT decision-making with the overall Enterprise Risk Management process, organisations can ensure that all ICT budget decisions flow from clearly identified business priorities and associated risks. In this way, ICT budget is invested where and when it is needed, and the overall value of the organisation and its vital services are truly safeguarded.
While some organisations have successfully adopted an integrated approach to risk management in the drive for compliance, an equal number are driven by other considerations and are only at the early stages of identifying their potential risk exposure. Gaps can exist at any stage, and five key questions help identify them:
- Are you confident that a full inventory of company assets (including people, physical items or information) has been captured?
- Have you fully assessed and prioritised assets based on their mission criticality?
- Have you identified the most likely risks assigned to each asset?
- Do you have sufficient information to know whether the actions you’ve taken – mitigating, avoiding, transferring, or accepting a risk – are in the organisation’s best interests?
- Do you reassess the inventory, asset value and prioritisation periodically and modify your risk mitigation activities accordingly?
Unless your enterprise can answer yes to all questions, it’s likely that a gap exists in your ICT risk management processes.
Closing the gaps in ICT risk management practice
By organising your ICT risk management processes alongside a globally accepted standard or framework (see panel), you gain additional confidence that your approach is structured and prioritised to deliver maximum value for the organisation. And as compliance consideration is a key driver for ERM investment, adopting such a framework will make this process less complicated.
Organisations implementing any ICT risk management framework should be aware of these factors:
Management buy-in is critical: A risk-centric approach to ICT considers the organisation’s needs holistically by aligning ICT and enterprise risk management processes. This must closely involve C-level executives. Secure management buy-in for this approach with a detailed business case that emphasises overall benefits to the organisation.
Certification isn’t always a prerequisite: Certification against standards such as ISO/IEC 27001:2005 and PCI-DSS is more easily achieved by working through a recognised framework. This is important for organisations that are mandated to be ISO/IEC 27001:2005 certified. However, it is valid and cost effective to adopt processes from the standards even if you don’t proceed to full certification.
Risk assessment is a continuous process: As well as the initial capital outlay on risk management activity, you should budget for ongoing, operational risk management expenditure. Activity such as log file analysis and correlation, or reassessment and reprioritisation of ICT assets and threats, requires resources. To maintain a certification such as ISO/IEC 27001, you will need to be re-certified periodically by an auditor, who will seek historic data to prove that risk management techniques are integrated into day-to-day processes.
Specialist skills may be required: Ensure that your organisation or your risk management partner can provide specialist skills on an ongoing basis. One option is to use managed security services, which include technical skills to detect potential threats, as well as risk management and compliance expertise. Such skills are critical if your risk management programme is driven by requirements like Sarbanes-Oxley, PCI-DSS or the Data Protection Act. Requirements may overlap and even conflict in places, and an experienced advisor can help you navigate these complexities.
By aligning your ICT risk management and enterprise risk management processes to an internationally recognised model, you develop a structured approach to justifying ICT spend and protecting vital business services. In doing so, you can achieve the core aim of risk management – to protect and enhance the value of the organisation.
Internationally recognised risk management frameworks
By: Andrew O’ Kelly, eircom Solutions Director