During our GRC Forum 2008 which we’ve held in Frankfurt, one of the important discussions was around the way risk management should be implemented. There was broad agreement on the thesis that IT Risk Management and Enterprise Risk Management can’t be separated – at least not beyond the part which deals with strategic risks.
Overall, there are three different types of risks which are usually differentiated:
- Strategic risks, the risks of strategic decisions like acquiring companies or developing specific products. Even while they might be related to IT risks (especially in the capability of organizations to integrate the IT of acquired companies fast and seamless), they are mainly specific beyond the scope of the integrated risk management approaches.
- Operational risks, e.g. the risk related to the day-by-day business of organizations.
- IT risks, e.g. risks related to IT.
Operational risks and IT risks are tightly coupled. There are virtually no operational risks which aren’t related to IT risks – and vice versa.
Even more, IT risks are only risks because they might affect the business. Any IT risk is related to a business risk. The performance risks of IT are relevant because they might be related to higher implementation costs or a prolonged time-to-market. In both cases, this is about financial risks for the organization. The same is true with security risks. The risk of someone accessing internal documents is related with risks in competition, image, or other areas – and with financial risks.
Operational risks like the control of dealing with options in a financial institution and the related Segregation-of-duties controls are as well related to IT risks. Weaknesses in Identity and Access Management will increase these risks – and, the other way round, without a strong GRC and IAM implementation, organizations aren’t able to implement working SoD controls, to measure the risk and to reduce it.
This relationship exists for virtually any IT risk and any operational risk. That imposes the question why there are offerings for Enterprise Risk Management (focusing on operational risks) and IT Risk Management. Kuppinger Cole had several briefings with vendors of Enterprise Risk Management solutions within the last few months. Several of these solutions aren’t connected to IT Risk Management solutions or provide only weak connections. But, with IT and operational risk so tightly related: How shall Enterprise Risk Management deliver without this integration?
Our perspective is that there is a clear need for an integrated risk management. Some vendors like Agiliance try to address this, claiming to be sort of the “control of controls”. At least they support an enterprise view on IT Risk Management.
Enterprise Risk Management without this integration is, from our perspective, only a means to fuzz the real issues. It appears to improve the Risk Management without really controlling risks. We strongly recommend focusing on an overall risk management approach, without differentiating between operational risks and IT risks.
A core element of any approach to risk management is the capability for ongoing identification and measurement of risks. That requires infrastructures which provide this information and which can enforce the business policies, especially in the area of SoD controls.
When investing into Risk Management, we strongly recommend to invest into an integrated methodology as well as in Risk Management tools which focus on as well operational risks as IT risks. Tools which just replace some spreadsheets might be a step forward – but a small one, leading into the wrong direction. That might provide the feeling of an improved risk management, without real improvements.