Tips to an Effective IT Risk Management Plan for Financial Services
An effective IT risk management program should provide the confidence that IT can deliver business value efficiently and securely while providing high-quality assurance around data integrity, availability and confidentiality.
The key findings from the survey "Managing Information Technology Risk" are:
1. Financial services firms have not effectively aligned IT risk management with their organization's overall risk management strategy.
One of the cornerstones of an effective IT risk management program is the standardization of an overall process-risk-control framework that reflects and aligns business processes, policies, risks and controls. However, the research shows that nearly 60 percent of firms have IT risk management programs that are not aligned, or only partially aligned, with their organization's Enterprise Risk Management (ERM) strategies and framework—including the operating model, governance/oversight, process and methodology, and integrated reporting. The coordination of risk and compliance activities also proved to be lacking, and many respondents did not feel that their organization was effective in risk reporting and disclosure, risk and issues management, and trend analysis. These views, shared by slightly more than 40 percent of the respondents, suggest there is considerable opportunity for improvement in alignment with ERM, compliance, audit and other key stakeholders.
2. Risk management is not being approached holistically.
Over one-third of the survey respondents stated that their risk management programs had no common control library and no common risk language that was broadly accepted and understood throughout their organization, or were uncertain whether these existed. The siloed operating-unit structure seen at most firms adds to this problem, as software, processes and even the language of risk differ from unit to unit. It is critical that organizations establish a common risk language across the enterprise, which ultimately leads to a common understanding of IT risks and controls throughout the organization.
3. Most firms recognize the importance of improving their IT risk management programs and are planning to increase IT risk management spending.
As more companies recognize the significance of IT risk management programs, they are allocating resources to invest in this area of risk management. In fact, nearly 80 percent of the technology executives surveyed anticipate that their global firms will increase spending on IT risk management in the next 12-18 months. Furthermore, more than half said their organizations would increase spending by 5 percent to 25 percent or more during this period. For companies looking for efficiencies and ways to optimize their IT risk management processes, the largest portion of that spending will go to new technology and process automation.
4. Convergence of risk and control processes will lead to efficiencies and cost savings.
The goal for organizations is to develop risk programs that identify critical risks to the organization in a cost-effective manner. This is where risk convergence comes in.
Risk convergence is the establishment of an integrated approach and a consistent set of processes that reduce redundant risk and control activities, eliminate duplication in the business units, drive down costs and support strategic decision making. At the cornerstone of risk convergence are collaboration, coordination, alignment and integration; therefore, for convergence to become a reality, a framework must be created across risk functions and data must be shared seamlessly across the organization. Key steps on the road to convergence include an integrated approach and consistent set of processes; a consistent taxonomy; an overall reduction of redundant risk and control activities; consistency of metrics and reporting across functional areas; mechanisms to support strategic decision making; and the ability to leverage risk management processes and information across functional areas and workflows.
By realizing risk convergence, organizations can create an enterprise-wide view of risk that aligns processes across governance, risk and compliance and creates efficiencies among them.