Tips to an Effective IT Risk Management Plan for Financial Services

As global financial services institutions seek to link risk management, compliance and audit processes, 2008 promises to be a year of continued change for the industry with information technology risk management playing a critical role. (Also read Compliance, Convergence and How IT Fits.)

Financial services organizations have recognized the need to broaden the scope of risk governance and management to include IT. This awareness is growing in the wake of highly publicized identity theft incidents and other security breaches, as well as legislation aimed at better managing financial, market and operational risk exposures. (And check out our IT Risk Management resource center.)

The majority of firms see effective IT risk management as a business imperative designed to execute, manage, measure, control and report on risk matters related to IT. If successful, a firm’s program should provide the board of directors, senior management, regulators and other stakeholders with the confidence that IT can deliver business value efficiently and securely while providing high-quality assurance around data integrity, availability and confidentiality.

Progress has been made, but there is still significant room for improvement. As programs continue to mature, organizations will be able to identify the truly significant risk areas that can impact the organization. For IT risk management teams to meet the expectations of senior management, they should consider a variety of success criteria. First, a top-down risk assessment methodology should be employed that incorporates both qualitative and quantitative evaluation. The program should also incorporate defined risk categories, risk tolerances and risk weighting that can be applied to various views, including overall enterprise, geographic regions, lines of business and business processes. Another key to success is taking a holistic rather than siloed approach to important risks and key IT processes and controls. This enterprisewide strategy can also be employed to streamline processes via automation and integrated tools as well as to implementing more robust and effective risk reporting.

IT risk management frameworks and processes must address the accuracy, confidentiality, availability, security and speed of information that is created, processed and shared within the firm and among clients. A compromise of one or all of the above could result in substantial reputation and/or financial impact.

To delve deeper into current trends in IT risk management, Ernst & Young recently completed a global survey of leading financial institutions. The survey results spotlight five key topics: program maturity and effectiveness; convergence; IT risk management processes; tools and technology; and reporting and metrics.

The key findings from the survey “Managing Information Technology Risk” are:

1. Financial services firms have not effectively aligned IT risk management with their organization’s overall risk management strategy.

One of the cornerstones of an effective IT risk management program is the standardization of an overall process-risk-control framework that reflects and aligns business processes, policies, risks and controls. However, the research shows that nearly 60 percent do not have their IT risk management programs aligned, or it is just partially aligned, with their organization’s Enterprise Risk Management (ERM) strategies and framework—including the operating model, governance/oversight, process and methodology, and integrated reporting. The effective coordination of risk and compliance activities also proved to be lacking and many did not feel that their organization was effective in risk reporting and disclosure, risk and issues management, and trend analysis. These points of view shared by slightly more than 40 percent of the respondents suggests there is a considerable opportunity for improvement in the alignment with ERM, compliance, audit and other key stakeholders.

2. Risk management is not being approached holistically.

Over one-third of the survey respondents stated that their risk management programs had no common control library and that there was no common risk language that was broadly accepted and understood throughout their organization, or they were uncertain if they existed. The siloed operating-unit structure seen at most firms adds to this problem, as software, processes and even the language of risk differ from unit to unit. It is critical that organizations establish a common risk language across the enterprise, which ultimately leads to a common understanding of IT risks and controls throughout an organization.

3. Most firms recognize the importance of improving their IT risk management programs and are planning to increase IT risk management spending.

As more companies recognize the significance of IT risk management programs, they are allocating resources to invest in this area of risk management. In fact, nearly 80 percent of the technology executives surveyed anticipate that their global firms will increase spending on IT risk management in the next 12-18 months. Furthermore, more than half said their organizations would increase spending 5 percent to 25 percent or more during this time period. For companies looking for efficiencies and ways to optimize their IT risk management processes, the largest portion will be spent on new technology and process automation.

4. Convergence of risk and control processes will lead to efficiencies and cost savings.

The goal for organizations is to develop risk programs that identify critical risks to the organization in a cost-effective manner. This is where risk convergence comes in.

Risk convergence is the establishment of an integrated approach and consistent set of processes that reduce redundant risk and control activities, eliminate duplication in the business units, drive down costs and support strategic decision making. At the cornerstone of risk convergence is collaboration, coordination, alignment and integration; therefore, for convergence to become a reality, a framework must be created across risk functions and data must be shared seamlessly across the organization. Key steps on the road to convergence include an integrated approach and consistent set of processes; a consistent taxonomy; an overall reduction of redundant risk and control activities; metrics and reporting consistency across functional areas; mechanisms to support strategic decision making; and the ability to leverage risk management processes and information across functional areas and workflows.

By realizing risk convergence, organizations can create an enterprisewide view of risk in order to align and create efficiencies in processes across governance, risk and compliance.

5. Effective IT risk management processes reduce costs and can provide top-line benefits.

Most organizations are expecting a high return on their investment in IT risk management. They are looking to achieve enhanced business value in the form of process, risk and control efficiencies; elimination of redundancies; expense reduction; issues and risk prioritization; risk mitigation; greater return on investments; more effective resource management; and legal and regulatory compliance. While the direct, bottom-line cost savings from an effective IT risk management program can be significant, it is the top-line benefits that result from actionable risk reporting, more strategic investments and enhanced organizational performance that will be significantly more valuable over the long term to the individual organization and the financial services industry as a whole.

The Future of IT Risk Management

Based on the current marketplace, it will take two to three years on average to build an effective and mature IT risk management framework that will enable organizations to better manage their IT risk and compliance requirements. Businesses will realize the convergence of key processes that will in turn create integrated approaches, and ultimately promote coordinated risk and control activities. Firms will realize that incorporating IT risk management into their overall enterprise risk management programs can help protect client information, safeguard assets and provide shareholder value without stifling innovation. Doing so will not only improve performance but can also reduce costs and minimize events that may negatively impact the organization.

Regulatory compliance will continue to be a key driver impacting IT risk management programs. The challenge will not only be an organization’s ability to take a risk-based approach to regulatory requirements, but also to recognize the many other business benefits resulting from an IT risk management program. Overcoming these challenges will contribute significantly to increasing the maturity and effectiveness of an organization’s IT risk management program. The ultimate benefits could include control optimization, rationalization of appropriate investments, balanced decision making, reduced overall costs to the organization and more timely identification of new risks.

Bill Barrett is a partner and practice leader of the Technology and Information practice in Ernst & Young’s New York Financial Services Office. He can be reached at 212-773-2999. Tim Purtell is a senior manager in the same practice and can be reached at 212-773-1232. For a copy of Ernst & Young’s Managing Information Technology Risk: A Global Survey for the Financial Services Industry, please contact Tim Purtell.