
Bridging the risk gap
SPONSORED STATEMENT
The results of the IT risk management survey of almost 100 business line and information technology managers from a wide range of financial service institutions, primarily in Europe and North America, show a gap between business line and IT department operational risk management efforts. Business line managers tend to think of risks in the context of financial impact, while IT managers tend to think of risks in terms of exceptions to performance thresholds. How the two relate is not clear. Several indications of this gap were apparent in the responses to the survey. First, 68% of the survey respondents stated business lines "inadequately" or "not at all" understood the effectiveness of the IT controls that mitigate business lines' risks when performing risk control self-assessments (RCSAs). Second, 81% of the respondents are only "somewhat" involved, or less, in setting the priority of IT assessment activities. The survey results identified two activities that address this divide: (1) creating a common language relating the business line managers' view of operational risks to IT managers' view of IT risks; and (2) sharing quantifiable IT risk information with the business lines, using that common language.
Creating a common language
A majority of the respondents (55%) said their companies' IT departments classify IT risks using CobiT, an IT control-based framework. CobiT works well for IT departments because it aligns closely with information security and business continuity risks. With the introduction of Basel II, a risk-based framework, business lines have moved towards risk-event categories, while IT departments have tended to stay with their traditional ways of looking at IT risks and controls. While this shift to a risk-based framework improved business line managers' ability to classify and quantify their risks, it created a divide with IT managers' views of risk, which are mostly qualitative and control-oriented.
IT organisations seem to be moving towards classifying their risks in a way that is relevant to the business yet also useful for making resource allocations within the IT department. If IT organisations classify their risks using a CobiT framework (which can be mapped to exceptions in performance metrics) and using Basel II-type risk-event categories (which can be mapped to business lines' view of operational risk), they are able to create a common risk language with the business lines. The survey showed 26% of the respondents use both Basel II and CobiT frameworks. Linking both frameworks facilitates business line and IT managers' ability to discuss risks – operational and IT – putting organisations on a path of greater understanding of their business risks and IT controls.
Sharing quantifiable IT risk information
Creating the language to bridge the gap is not sufficient – actionable IT risk information must be passed to the business lines. Likewise, actionable information from the business lines must be translated into IT managers' views of risk so resources can be assigned to the IT areas that would provide the greatest reduction in risk exposure. A key finding from the survey was that 71% of respondents do not quantify IT risks at all, or at least not in ways that would be meaningful to their business partners.
Almost two-thirds of the respondents stated IT risks should be quantified. The quantification of IT risks is beneficial both to IT risk management departments and to business lines. For IT risk management departments, quantification should lead to improved allocation of resources. In fact, 24% of the respondents stated they are able to view IT risk management projects on a portfolio basis – most of these respondents also said they quantify their IT risks using methodologies such as CobiT and Basel II. The quantification of operational risk would include elements of the advanced measurement approach, including internal loss data, external loss data and RCSA results. For business lines, quantification of IT risks would provide insights into materiality and control deficiencies, which could be ranked by impact to help with cost/benefit decisions related to changes in service-level agreements with IT.
Conclusion
The survey shows IT risk information is not being captured sufficiently and, even if it were, there is no established way to share it. The level of risk management effectiveness therefore suffers, yielding less value from resource expenditures. Once a common language exists and IT risks are quantified, effective IT risk management might evolve from an aspiration into reality. Only then will IT departments' role in operational risk management be well understood, and only then will they become a major player in business line operational risk efforts.
Copyright Infopro Digital Limited. All rights reserved.