Bridging the risk gap
Jim Ryan and David Shu look at how to cross the divide between business line and IT department views of risk
The results of the IT risk management survey of almost 100 business line and information technology managers from a wide range of financial service institutions, primarily in Europe and North America, show a gap between business line and IT department operational risk management efforts. Business line managers tend to think of risks in the context of financial impact, while IT managers tend to think of risks in terms of exceptions to performance thresholds. How the two relate is not clear. Several indications of this gap were apparent in the responses to the survey. First, 68% of the survey respondents stated business lines "inadequately" or "not at all" understood the effectiveness of IT controls that mitigate business lines' risks when performing risk control self-assessments (RCSAs). Second, 81% of the respondents are only "somewhat" or less involved with setting the priority of IT assessment activities. The survey results identified two activities that address this divide: (1) creating a common language relating the business line managers' view of operational risks to IT managers' view of IT risks; and (2) sharing quantifiable IT risk information with the business lines, using that common language.
Creating a common language
A majority of the respondents (55%) said their companies' IT departments classify IT risks using CobiT, an IT control-based framework. CobiT works well for IT departments because it aligns closely with information security and business continuity risks. With the introduction of Basel II, a risk-based framework, business lines have moved towards risk-event categories, while IT departments have tended to stay with their traditional ways of looking at IT risks and controls. While this shift to a risk-based framework improved business line managers' ability to classify and quantify their risks, it created a divide with IT managers' views of risk, which are mostly qualitative and control-oriented.
IT organisations seem to be moving towards classifying their risks in a way that is relevant to the business yet also useful for making resource allocations within the IT department. If IT organisations classify their risks using a CobiT framework (which can be mapped to exceptions in performance metrics) and using Basel II-type risk-event categories (which can be mapped to business lines' view of operational risk), they are able to create a common risk language with the business lines. The survey showed 26% of the respondents use both Basel II and CobiT frameworks. Linking both frameworks facilitates business line and IT managers' ability to discuss risks – operational and IT – putting organisations on a path of greater understanding of their business risks and IT controls.
Sharing quantifiable IT risk information
Creating the language to bridge the gap is not sufficient – actionable IT risk information must be passed to the business lines. Likewise, actionable information from the business lines must be translated into IT managers' views of risk so resources can be assigned to the IT areas that would provide the greatest reduction in risk exposure. A key finding from the survey was that 71% of respondents do not quantify IT risks at all, or at least not in ways that would be meaningful to their business partners.
Almost two-thirds of the respondents stated IT risks should be quantified. The quantification of IT risks is beneficial both to IT risk management departments and to business lines. For IT risk management departments, quantification should lead to improved allocation of resources. In fact, 24% of the respondents stated they are able to view IT risk management projects on a portfolio basis – most of these respondents also said they quantify their IT risks using methodologies such as CobiT and Basel II. The quantification of operational risk would include elements of the advanced measurement approach, including internal loss data, external loss data and RCSA results. For business lines, quantification of IT risks would provide insights into materiality and control deficiencies, which could be ranked by impact to help with cost/benefit decisions related to changes in service-level agreements with IT.
Conclusion
The survey shows IT risk information is not sufficiently being captured. And, even if it were, there is not an established way to share that information. So the level of risk management effectiveness suffers, resulting in less value from resource expenditures. Once a common language and quantified IT risks are created, effective IT risk management might evolve from an aspiration into reality. Only then will IT departments' role in operational risk management be well understood; and, only then will they become a major player in business line operational risk efforts.
Copyright Infopro Digital Limited. All rights reserved.