How to effectively govern information risk

Want business executives to take bigger responsibility for managing IT risk? Here are tips to get executives on board.

The business impact of an IT failure--whether an operational crash, a security breach or a failed project--can be devastating.

Yet, despite the potential financial, reputational and related losses, IT management, rather than business executives, is responsible for managing IT risk in 80 percent of organizations, according to a survey conducted by the IT Governance Institute (ITGI) of 200 IT professionals from 14 countries.

Since IT is such a significant asset, IT-related risks should be a board-level issue. But, according to the ITGI survey, CEOs sign off on the IT risk management plan in only one-third of all organizations.

Understanding the risks related to IT is still a challenge for business executives, many of whom are not technical experts. Without that technical background, how can business executives better manage risks to ensure that their organizations' strategic objectives are supported and not jeopardized by IT risks?

In its new publication entitled "Information Risks: Whose Business are They?", ITGI offers the following guidance:

1. Board members and executives should establish an IT governance structure that addresses risk management and expresses IT risks in a business context. At this point it is vital to obtain commitment and ownership of IT risks at the senior management level. This can be accomplished by establishing an IT Strategy Committee consisting of IT and business executives that reports to the board.

2. Risk management should be fully embedded in management processes and consistently applied, for example through regular presentations of significant risks to the board and other key stakeholders. Another key initiative is to closely link risk management to the achievement of business objectives, then actively monitor and review risks on a constructive, no-blame basis.

3. The board's audit committee should consider IT risks, commission audits and follow up with recommendations. The board can also ensure that there is an internal--and, if necessary, external--audit plan that adequately addresses IT risks, and that adequate resources are available to address IT objectives and handle risks as they arise.

4. Significant IT control weaknesses need prompt attention from management. When approving new IT initiatives, executives should make sure the risks vs. returns have been explicitly and properly considered during strategic planning, and that a regular risk assessment and action planning process addresses key risk exposures.

5. Ultimately, the business--the user of IT services--must own business-related risks, including those related to the use of IT. The IT service provider should offer guidance and work with business management to ensure that adequate safeguards are in place.

An absence of top management responsibility and accountability for risk management can result in serious risks being ignored, potentially misguided actions and even the waste of costly investments. However, a strong commitment to risk management strengthens IT governance and overall enterprise governance, helping the organization avoid the consequences that result from IT failures and reap the benefits of optimizing the use of its IT.

Gary Hardy is the director of IT Winners and advisor to the IT Governance Institute Committee. Read the second installment of this series on IT governance, which delves more into risk management issues and how companies can maximize value from their IT investments.