
IT risk management is evolving: OpenPages survey

OpenPages has published survey results that highlight the current state and future direction of IT risk management in organizations today. The IT Risk Management Survey, which was sponsored and conducted by OpenPages this past month, was distributed to IT risk and compliance management executives from a variety of industries including financial services, energy, government, health care, consumer goods and retail.

The survey results show that most organizations are making progress on improving IT risk management but still have room to improve in the areas of internal leadership and integration with enterprise GRC initiatives. The survey found that overall ownership of IT risk management varies, with no consensus on what part of the organization is responsible for the function. Further, organizations view IT risk as the area with the most room for improvement in delivering effective risk management when compared with regulatory compliance, financial risk and operational risk. Finally, the survey revealed that most organizations still have considerable work to do in converging their IT risk initiative with their overall enterprise GRC initiatives.

Survey results

Basic IT risk management practices that are working well

* The survey illustrated that companies are managing the basics of IT risk management practices effectively. For instance, participants identified IT security and IT regulatory compliance as two of the most effective areas of risk management today. However, fewer are managing effectively beyond the basics.

* Communication and culture: 66 percent of respondents said their employees can speak openly about IT risk, but less than half are taking active steps to build or maintain a risk-aware culture.

* Managing the IT foundation: Approximately 80 percent of respondents said their IT environment is well-maintained and that they have a business continuity plan in place, while only about half said the level of complexity in their IT environment is appropriate.

* Risk governance process: When asked to describe the organization's IT risk program, 51 percent of respondents reported that they have a formal process for evaluating potential exceptions to IT policy in place, and 43 percent have guidelines to help individuals assess the magnitude of risks in a consistent way.

* Automation: According to respondents, many organizations have automated their risk management processes: 78 percent reported having automated risk identification, 69 percent management, and 67 percent monitoring.

Organizational structures and technology strategies for IT risk still evolving

* The survey found that a consistent organizational structure and leadership model for IT risk management has yet to emerge across responding organizations. Perhaps reflecting this finding about IT risk governance, most companies report managing IT risk with a standalone application and have yet to implement a coordinated effort within their company's overall GRC strategy. According to the survey:

* When participants were asked who is responsible for IT risk management, the results showed that organizations vary widely in their IT risk management philosophy: 40 percent of survey respondents reported that the CIO was responsible, while 24 percent identified the Head of Enterprise Risk or CRO, 7 percent said the Chief Information Security Officer, 2 percent the CFO, and 27 percent selected "other."

* Regarding the types of technology solutions they use to support IT risk management, the OpenPages survey found that companies have yet to take a holistic approach to managing IT risks. While 28 percent of those surveyed indicate using a single, integrated solution, nearly 30 percent report using point solutions for risk and compliance, and a surprising 43 percent report that they still rely on spreadsheets.

* In addition, few respondents have standardized and automated workflows for key risk management processes such as review and approval, remediation, and event analysis and escalation.

Investment in IT risk management to increase, solutions will converge with enterprise GRC

Looking ahead to 2010, the OpenPages IT Risk Management Survey indicated that organizations will continue to adopt technologies to improve their management of IT risk and to integrate IT risk into overall enterprise GRC initiatives. According to survey respondents:

* When asked about IT risk management budgets for the coming year, more than 95 percent of respondents expect that budgets will increase or stay the same in 2010.

* In a separate survey conducted at the OpenPages European Network (OPEN) Summit this fall, 93 percent of respondents stated that within 2-3 years, they are likely to converge or coordinate IT Risk and Compliance Management activities with GRC.

www.openpages.com

Date: 4th Nov 2009 • Region: World • Type: Article • Topic: IT continuity
Copyright 2010 Portal Publishing Ltd