
The myth of IT risk

People talk all the time about “IT risk”.

But is this a useful term? Or can it lead people astray?

As my good friend Jay Taylor has said, and I agree, “there is no such thing as IT risk, only [IT-related] business risk”.

Why the distinction?

What matters is the effect of a potential situation or event on the achievement of organizational objectives – not the effect on the IT function’s objectives. (OK, it may matter to IT’s management, but how much should it matter to the board and executives?)

The investment made in addressing a so-called IT risk should depend on that risk’s significance to the achievement of organizational objectives. Any “IT risk” should be assessed in those terms.

That is why I prefer to talk about IT-related business risks (although I am amending that, as explained later).

ISACA got it right in their Risk IT framework (now consolidated into COBIT): “IT risk is business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business.”

A few reasons why this is important:

  1. A technology-related risk may be only one of several that could affect the achievement of a corporate objective. All risks related to an objective need to be considered together, because in aggregate they may indicate a need for action that none of them indicates individually. IT management may consider a risk acceptable, but when it is combined with the other risks to the same objective, it may not be acceptable to the organization as a whole.
  2. Some technology-related risks may seem significant to IT and other technical staff, but when considered within the context of business objectives they pale in comparison to other risks. Executives and boards have limited capital and resources, and they cannot afford to invest them based on the assessment of a single silo within the organization.
  3. There is all too often a disconnect between those in technical functions and those in the executive suite and on the board, because the technical people talk in technical terms and are unable to explain an issue in business terms. Talking about technology-related business risk forces the discussion to address how the business will be affected.

I have amended my thinking on this in the last year or so. Instead of talking about “IT-related business risk”, I now talk about “technology-related risk”.

Why:

  1. Technology is no longer the sole domain of the IT function. For years, other parts of some organizations (such as the engineering function) have owned specialized technologies. Now, the advent of cloud has enabled every part of an organization to acquire software, often without the need for IT support or capital. I am not sure that the IT department even knows about all the technology deployed across its organization.
  2. It’s about the use, deployment, etc. of technology broadly across the extended enterprise, which is a clear business issue, not just an IT issue. In addition, many risks are affected by actions and decisions made by the business.
  3. Not all technology is information technology. While I know some disagree, I don’t consider robots, process control systems or the like to be “information technologies”.

A recent report from the IIA talks about technology risks. That’s better, but not as good or clear as “technology-related business risks”.

Do you agree? Is there a risk (pun intended) of assessing (and of auditing) risk in silos?

  1. August 29, 2015 at 6:42 AM

    Norman, you are right – the corporate objective must be the starting point and technology related risks will hinder these objectives alongside other risks. The danger of considering IT risks in a silo is that some risks may be missed or their significance not appreciated (related to your first point above). Taking accounts payable as an example, an IT audit of access controls may see no serious risk in having one person able to set up vendors, input invoices and generate payments. An audit of AP, including technology related controls, would see such access as a major risk.

  2. Jay R Taylor
    August 29, 2015 at 11:49 AM

    Norman, yes, clearly the earlier reference to “IT-related business risk” needs to evolve with the times, and “technology-related risk” is a good improvement given IoT, cloud, and emerging technologies. But that phrase still appears to lack the connection to the business, in other words the “so what” that will get management and the board to give it the air time versus all the other risks. That has been my point. Auditors often write comments about an IT or technology issue but fail to make the connection to a real business impact. Without the connection to business objectives and strategy we have technology but not necessarily relevance. For example, issues around plant floor process control software connected to a discontinued robotic welder, or a cloud environment that only stores public phone books, may be technology related but do not pass the test of relevance. Would “technology-related business risk” get folks thinking the right way about this topic?

    • Mohammad Ali Shalan
      September 2, 2015 at 6:55 AM

      I agree, we should use the term “technology-related business risk” or even better “business-technology related risk” for various reasons, which include:

      The information technology premier is being dissolved into the business technology setup, with plenty of new technologies being generated.

      The CIO role has changed to that of a Chief Integration Officer, liaising between business objectives and technology movements.

      Enterprises are moving toward extensible-enterprise architecture, where processes are becoming versatile and decoupled to remove dependencies, so that each process can be used independently from inside or outside the enterprise.

      Cloud is creating the possibility that the business can acquire services or processes without going back to IT; however, technology governance should be generated in advance to avoid any conflicts.

      Currently, technology people should partner with the business and be proactive in driving down costs and improving levels of efficiency, as technology should be an asset that has longevity and can generate income for the organization.

      One more reason is that agile scrum initiation and rollout of technology projects is a must nowadays to keep the leading-edge business in such fast-moving technologies.

  3. August 30, 2015 at 3:50 AM

    Norman – yes a sensible observation. IT risk is of course just a flavour of business risk and I think only retains some siloed independence through the professional services firms charging more for such services. See my blog for more comment https://chiefauditexecutive.wordpress.com/2015/06/21/models-of-effective-internal-audit/

  4. Matilda
    August 30, 2015 at 5:03 AM

    Hello!… Silos are not bad per se! They are bad when they don’t communicate! – so, ultimately they are bad! Practically, no one can assess all the risks, no matter how they are classified. So, you need some sort of specialization (silos) to classify the “findings” and mitigate them across the board. That being said! – I want to add one more classic definition of risk: “Systems, People and Events”. Then all the risks will tie into those elements, and the board or committee will decide on their appetite!

  5. August 30, 2015 at 1:11 PM

    Norman .. For the most part, this aligns with my thinking. However, I believe there are some specific scenarios which are IT driven and need to be accommodated: one is a major system implementation failure, the other encompasses opportunities for emerging technologies. I provide more detail at TheIntersection – Insurance-Canada.ca’s blog http://insurance-canada.ca/blog/2015/08/30/should-it-risks-be-part-of-corporate-governance/

    • Norman Marks
      August 31, 2015 at 7:22 AM

      Patrick, we had a huge systems implementation at Tosco where my team (two IT auditor managers and a financial/operational manager) reported to the project oversight committee (chaired by the CFO with the CIO and division CEO) that the systems were highly likely to fail. The committee decided that the business risk of not going forward exceeded the risk of the system failing!

      My team (led by Tim Cox and Bruce Taylor) were able to help with mitigation. They predicted precisely where the system would fail; management put triage teams in place; the system failed precisely where Tim said; the triage efforts were effective and the implementation was successful.

      Sometimes, even with a large and complex systems implementation, it is necessary to make the decision based on the risk to the organization as a whole.

  6. August 31, 2015 at 12:47 AM

    This can be explained by looking at (and maybe learning from) history. When automated information systems were introduced, the new “IT department” was created. Lacking knowledge, the business was only too willing to let the IT department run everything related to IT, including IT risk and security. Although, for instance, IT auditors have been calling for years (in my case since 1985) for the business to take its responsibility, you can see that only in recent times does it actually do so. In my opinion, for two reasons:
    – it took many years before we had senior managers with sufficient knowledge of IT;
    – many IT departments claimed everything about IT and neglected the business, sometimes with catastrophic disasters regarding business continuity or the safeguarding of valuable company data.
    Nevertheless, it may still help to give direction to talk about IT risk as part of the broad risk landscape.

  7. August 31, 2015 at 6:14 AM

    I cannot and would not argue that risks should not be connected to business objectives. But is not this concept shifting the focus from IT to IT-related also true of reputation risks, supply-chain risks, distribution risks, marketing risks, etc.? As a general principle I see value in maintaining clear visibility to the root-cause end of the risk life cycle to facilitate better risk management, which I define as Identify, Avoid (if possible) and Anticipate. The management of risks is performed at the root cause end. About all one can do at the other end is put spin on it.

    • Norman Marks
      August 31, 2015 at 7:17 AM

      Tom, first of all we have to take risk to survive, and situations and events may have potential negative effects in one area and positive in another. Only by looking at the bigger picture can we know whether we should accept a risk related to technology in order to take advantage of the business opportunity.

  8. Mohammad Ali Shalan
    September 2, 2015 at 7:08 AM

    I need to add that roles are being changed today, thus IT terminology is becoming somehow meaningless, as the extensible-enterprise strategy will require each member of the C-suite to stretch in some way. CEOs will need to grapple with what technology can do for business growth, and CFOs will need to recognize the ramifications of the technology for governance and risk.
    For their part, CIOs will continue to be masters of technology but will also need to acquire a deeper understanding of the business opportunities to allow business process extension and integration.
