Financial services organizations have recognized the need to broaden the scope of risk governance and management to include IT. This awareness is growing in the wake of highly publicized identity theft incidents and other security breaches, as well as legislation aimed at better managing financial, market and operational risk exposures. (And check out our IT Risk Management resource center.)

The majority of firms see effective IT risk management as a business imperative designed to execute, manage, measure, control and report on risk matters related to IT. If successful, a firm's program should provide the board of directors, senior management, regulators and other stakeholders with the confidence that IT can deliver business value efficiently and securely while providing high-quality assurance around data integrity, availability and confidentiality.

Progress has been made, but there is still significant room for improvement. As programs continue to mature, organizations will be able to identify the truly significant risk areas that can impact the organization. For IT risk management teams to meet the expectations of senior management, they should consider a variety of success criteria. First, a top-down risk assessment methodology should be employed that incorporates both qualitative and quantitative evaluation. The program should also incorporate defined risk categories, risk tolerances and risk weighting that can be applied to various views, including overall enterprise, geographic regions, lines of business and business processes. Another key to success is taking a holistic rather than siloed approach to important risks and key IT processes and controls. This enterprisewide strategy can also be employed to streamline processes via automation and integrated tools as well as to implementing more robust and effective risk reporting.

IT risk management frameworks and processes must address the accuracy, confidentiality, availability, security and speed of information that is created, processed and shared within the firm and among clients. A compromise of one or all of the above could result in substantial reputation and/or financial impact.

To delve deeper into current trends in IT risk management, Ernst & Young recently completed a global survey of leading financial institutions. The survey results spotlight five key topics: program maturity and effectiveness; convergence; IT risk management processes; tools and technology; and reporting and metrics.