
Bridging the risk gap
SPONSORED STATEMENT
The results of the IT risk management survey of almost 100 business line and information technology managers from a wide range of financial service institutions, primarily in Europe and North America, show a gap between business line and IT department operational risk managment efforts. Business line managers tend to think of risks in the context of financial impact, while IT managers tend to think of risks in terms of exceptions to performance thresholds. How the two relate is not clear. Several indications of this gap were apparent in the responses to the survey. First, 68% of the survey respondents stated business lines "inadequately" or "not at all" understood the effectiveness of IT controls that mitigate business lines' risks when performing risk control self-assessments (RCSAs) . Second, 81% of the respondents are only "somewhat" or less involved with setting the priority of IT assessment activities. The survey results identified two activities that address this divide: (1) creating a common language relating the business line managers' view of operational risks to IT managers' view of IT risks; and (2) sharing quantifiable IT risk information with the business lines, using that common language.
Creating a common language
A majority of the respondents (55%) said their companies' IT departments classify IT risks using CobiT, an IT control-based framework. CobiT works well for IT departments because it aligns closely with information security and business continuity risks. With the introduction of Basel II, a risk-based framework, business lines have moved towards risk-event categories, while IT departments have tended to stay with their traditional ways of looking at IT risks and controls. While this shift to a risk-based framework improved business line managers' ability to classify and quantify their risks, it created a divide with IT managers' views of risk, which are mostly qualitative and control-oriented.
IT organisations seem to be moving towards classifying their risks in a way that is relevant to the business yet also useful for making resource allocations within the IT department. If IT organisations classify their risks using a CobiT framework (which can be mapped to exceptions in performance metrics) and using Basel II-type risk-event categories (which can be mapped to business lines' view of operational risk), they are able to create a common risk language with the business lines. The survey showed 26% of the respondents use both Basel II and CobiT frameworks. Linking both frameworks facilitates business line and IT managers' ability to discuss risks – operational and IT – putting organisations on a path of greater understanding of their business risks and IT controls.
Sharing quantifiable IT risk information
Creating the language to bridge the gap is not sufficient – actionable IT risk information must be passed to the business lines. Likewise, actionable information from the business lines must be translated into IT managers' views of risk so resources can be assigned to the IT areas that would provide the greatest reduction in risk exposure. A key finding from the survey was that 71% of respondents do not quantify IT risks at all, or at least not in ways that would be meaningful to their business partners.
Almost two-thirds of the respondents stated IT risks should be quantified. The quantification of IT risks is beneficial both to IT risk management departments and to business lines. For IT risk management departments, quantification should lead to improved allocation of resources. In fact, 24% of the respondents stated they are able to view IT risk management projects on a portfolio basis – most of these respondents also said they quantify their IT risks using methodologies such as CobiT and Basel II. The quantification of operational risk would include elements of the advanced measurement approach, including internal loss data, external loss data and RCSA results. For business lines, quantification of IT risks would provide insights into materiality and control deficiencies, which could be ranked by impact to help with cost/benefit decisions related to changes in service-level agreements with IT.
Conclusion
The survey shows IT risk information is not sufficiently being captured. And, even if it were, there is not an established way to share that information. So the level of risk management effectiveness suffers, resulting in less value from resource expenditures. Once a common language and quantified IT risks are created, effective IT risk management might evolve from an aspiration into reality. Only then will IT departments' role in operational risk management be well understood; and, only then will they become a major player in business line operational risk efforts.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Risk management
After SVB downfall, EBA stress test seeks out unrealised losses
European regulator asks for data on the fair value and sensitivity of bonds and their hedges
Risk modellers navigate fearful new world of depositor behaviour
Silicon Valley Bank suffered fastest bank run in history, but how should others respond?
Eurex scrambles to avert Treasury collateral ban on US default
Current policy prevents CCP from selectively excluding eligible collateral
Quant Finance Master’s Guide 2023
Risk.net’s guide to the world’s leading quant master’s programmes, with the top 25 schools ranked
UBS found no advantage in quantum computing – ex data chief
Swiss bank tested various use cases in the trading business before giving up on the technology
Op risk data: Frank fiasco costs JP Morgan $175m
Also: Internal fraud burns fewer fingers, but flame is far from out. Data by ORX News
Eurex clearing chief calls for active account carve-outs
Isda AGM: Müller says EU clearing thresholds should exempt market-making and US client trades
CCPs mull collateral options amid debt ceiling deadlock
Isda AGM: Raising haircuts and minimum maturities are among measures on the table to avoid a cliff-edge