2. BENEFITS OF IT AND BUSINESS RISK ALIGNMENT
• Technology risks are identified and understood.
• The business impact of technology risks is easily quantified.
• Operational risk management is more effective.
• Preventive capabilities are stronger.
• Collaboration between IT and business is healthier and practiced more.
• IT investment decision making is better and prioritized.
• Approaches to risk and control solutions are less tactical and reactive, enabling a more strategic approach.
• Funding battles over IT investments occur less.
• Capital use is more effective.
3. KEY CHALLENGES OF ALIGNING IT SERVICES WITH BUSINESS SERVICES
• IT operations are traditionally calibrated to IT components.
• Existing environments are complex for the following reasons:
− Decades of mergers and acquisitions activity
− Layers upon layers of technology “plaque” accumulating over time
− Duplicative, fragmented and overlapping solutions built in through line-of-business, product or departmental “silos.”
• Change pace is accelerated, and outsourcing is common. Emerging and disruptive technologies are explosively adopted.
• Rising technology investments are conducted outside the IT function.
4. SIGNS OF MISALIGNMENT
• Technology risk reporting occurs just because or is seen as a compliance exercise.
• Technology risk data is abundant, but very little usable technology risk information exists.
• Technology risk metrics are expressed solely in IT terms (e.g., server or network availability, number of incidents, etc.).
• Business support is lacking for critical technology investments focused on risk management or control.
• IT investment prioritization is undefined and confusing.
• IT infrastructure leaks are plugged rather than invested in more strategic, comprehensive improvements.
• A widening wedge exists between IT and the business.
5. TYPES OF MISALIGNMENT
• Complete disconnection: The technology risk approach exists without any meaningful links to an enterprise risk framework. The risk appetite and risk language used in the enterprise risk framework are absent from the technology risk framework.
• Misalignment: Attempts to map technology risks to business risks have been made, but they are off the mark. For example, the links may reflect a lack of context and prioritization (e.g., treating technology risks that underpin an employee application with the same urgency as the technology risks lurking in a proprietary trading system).
• Technology-heavy measures: Some technology and business risk alignment exists, but the management of those risks lacks precision because it remains too technology-focused. Measures of root-cause technology risk predominate over business measures, and this imprecision clouds risk decision-making and slows technology funding decisions.
6. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (1/3)
1) Top 10 U.S. Retail and Commercial Bank
• Problem Statement: IT metrics were not aligned to critical business outcomes.
− Implement mature Level 2 IT risk management processes.
− Focus was on reducing the number and duration of critical incidents.
− Declare IT success and ensure that it resonates with business stakeholders.
• Approach: Advance to Level 3 maturity.
− Map IT services to critical business services.
− Align metrics and IT reporting to business services expressed in business terms.
• Benefits
− Communications between IT and business stakeholders are improved.
− IT investment priorities are better aligned.
− IT service management priorities and architectural patterns change – the focus shifts from reducing the number and duration of incidents to reducing planned maintenance windows.
7. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (2/3)
2) Top 10 Global Retail and Commercial Bank
• Problem Statement: Risk and control data is abundant, but no real understanding of risk exists.
− A significant amount of time is spent documenting and testing controls.
− Long lists of potential control issues are produced without real understanding of the business consequences.
• Approach
− Adopt a service model to establish a link between IT risks and business functions/processes.
− Develop a reporting tool that consolidates all relevant risks to an aggregated level and classifies the potential business impact in terms of availability, confidentiality, integrity or compliance for each system or service.
− Establish a process and structure to enable both IT and business partners to interpret IT risk and control information and to quantify the potential impact of the risk on the business.
− Establish a communication channel into the impacted business areas to enable everyone to understand, interpret and provide a judgment back to IT on risk appetites and priorities.
• Benefits
− The significance of the IT risks is far better understood.
− The cost of risk and compliance activities is reduced by over XX%.
− Strategic investment in core IT processes is better prioritized and supported by the business.
8. ALIGNMENT IN PRACTICE: TWO CASE STUDIES (3/3)
Lessons Learned/Project Challenges
• Define reporting requirements upfront and design processes to deliver against these requirements.
• Analyze risk and control data in aggregate to understand risk. Avoid information overload. Develop transparency reporting to aggregate control issues affecting services managed by IT, enabling the business impact of IT issues to be assessed and quantified.
• Design the risk assessment methodology to facilitate the identification of duplicate controls. Linking common controls is key to avoiding information overload and to fully understanding the implications of a control failure.
• Utilize standardized risk and control assessment templates if quality and consistency are to be achieved globally and reliance is placed on process owners to support the risk assessment process.
• Structure risk assessment around entities to significantly reduce duplication of effort. Service and entity models reduce the time to complete assessments and the associated costs by over XX%.
• IT control/process owners are good at assessing the impact of individual IT control failures. The business is much better at assessing the true business impact of control failures if the information is provided in a form they understand.
• Analyze actual incidents to significantly improve the quality of the risk assessment process. Analyze the root cause of all significant incidents, and establish a process to update risk and control data based on actual findings. Transparency reporting enabled risk assessment benchmarking against actual incidents.
• Ensure full integration with other assurance activities to maintain buy-in from IT and the business. IT departments believe they are over-audited.
• Train process and control owners, since risk and control concepts are not well understood by IT professionals.
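The service model and aggregated reporting described in the second case study, together with the lessons above on linking common controls and avoiding information overload, can be illustrated with a small worked example. The code below is an added illustration and is not part of the original presentation or of either bank's tooling; the service model, the control identifiers (CTL-xxx) and the findings are constructed sample data. It maps IT components to the business services that depend on them, rolls control findings up to each business service as a maximum severity per impact category (availability, confidentiality, integrity, compliance), identifies controls shared across components so they can be linked rather than counted twice, and flags components that carry findings but are missing from the service model, since those findings would otherwise silently drop out of business-facing reports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Impact categories used by the case study's reporting tool.
IMPACT_CATEGORIES = ("availability", "confidentiality", "integrity", "compliance")
# Ordinal severity scale (assumed; the presentation does not define one).
LEVELS = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}


@dataclass(frozen=True)
class ControlIssue:
    control_id: str   # identifier of the weak or failed control (constructed)
    component: str    # IT component the control protects
    category: str     # one of IMPACT_CATEGORIES
    severity: str     # "low", "medium" or "high"


# Constructed service model: business service -> IT components it depends on.
SERVICE_MODEL = {
    "Online Payments": ["pay-app", "pay-db", "core-network"],
    "Employee Expenses": ["expense-app", "core-network"],
}

# Constructed control findings. CTL-042 is the same control observed on two
# components; CTL-101 sits on a component that nobody has mapped to a service.
ISSUES = [
    ControlIssue("CTL-017", "core-network", "availability", "medium"),
    ControlIssue("CTL-042", "pay-db", "confidentiality", "high"),
    ControlIssue("CTL-042", "pay-app", "confidentiality", "high"),
    ControlIssue("CTL-090", "expense-app", "compliance", "low"),
    ControlIssue("CTL-101", "legacy-batch", "integrity", "high"),
]


def component_index(model):
    """Invert the service model: component -> set of business services."""
    index = defaultdict(set)
    for service, components in model.items():
        for component in components:
            index[component].add(service)
    return index


def aggregate_by_service(model, issues):
    """Roll findings up to business services: {service: {category: level}}.

    The level kept per category is the worst (maximum) severity among all
    findings on any component the service depends on; 0 means no finding.
    """
    index = component_index(model)
    report = {svc: {cat: 0 for cat in IMPACT_CATEGORIES} for svc in model}
    for issue in issues:
        level = LEVELS[issue.severity]
        for service in index.get(issue.component, ()):
            if level > report[service][issue.category]:
                report[service][issue.category] = level
    return report


def business_summary(report):
    """Express the aggregated report in business terms, worst category first."""
    lines = {}
    for service, categories in report.items():
        hits = sorted(((lvl, cat) for cat, lvl in categories.items() if lvl),
                      reverse=True)
        lines[service] = ", ".join(f"{cat} {LEVEL_NAMES[lvl]}" for lvl, cat in hits) or "no open issues"
    return lines


def shared_controls(issues):
    """Controls observed on more than one component: candidates for linking."""
    components = defaultdict(set)
    for issue in issues:
        components[issue.control_id].add(issue.component)
    return {cid: sorted(c) for cid, c in components.items() if len(c) > 1}


def services_affected_by_control(model, issues, control_id):
    """Business services exposed if one control fails (its full implications)."""
    index = component_index(model)
    affected = set()
    for issue in issues:
        if issue.control_id == control_id:
            affected |= index.get(issue.component, set())
    return sorted(affected)


def unmapped_components(model, issues):
    """Components with findings that the service model does not cover."""
    mapped = {c for components in model.values() for c in components}
    return sorted({i.component for i in issues} - mapped)


if __name__ == "__main__":
    for service, text in business_summary(aggregate_by_service(SERVICE_MODEL, ISSUES)).items():
        print(f"{service}: {text}")
    print("raw findings:", len(ISSUES), "distinct controls:", len({i.control_id for i in ISSUES}))
    print("shared controls:", shared_controls(ISSUES))
    print("CTL-017 affects:", services_affected_by_control(SERVICE_MODEL, ISSUES, "CTL-017"))
    print("unmapped components:", unmapped_components(SERVICE_MODEL, ISSUES))
```

Two design points follow directly from the lessons learned: the report counts distinct controls rather than raw findings, so the five findings above collapse to four controls and CTL-042 is assessed once with both of its components in view, and a finding on an unmapped component is surfaced as a model gap instead of disappearing, which is the kind of check that keeps the aggregated view honest when the service model is incomplete.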
9. KEEP IN MIND THREE IMPORTANT QUALITATIVE ASPECTS
• Readiness and maturity vary.
− A “one-size-fits-all” approach does not exist, but basic underlying principles are consistent.
• It may take time.
− Processes require time, patience and an organization’s fortitude.
• Companies can begin anywhere and/or go as deep as they like.
− Small successes can help sway skeptics and encourage buy-in for expanding the effort.
10. AND REMEMBER: NEAR MISSES WILL ADD VALUE
• The most telling sign of alignment success is that things previously classified as near misses are spotted and responded to in a way that adds value.
• By elevating technology risk management to a Level 4 maturity stage, organizations achieve the following:
− Better overall risk management and better alignment to operational risk management
− Better IT and business alignment
− A nimbler IT organization that is better positioned to address the ever-increasing pace of change, the risk-sensitive introduction of emerging technologies and greater support for innovation