
Enterprise Management Associates, Aug 2007, Pages: 50

In recent years, the number and range of risks facing IT have exploded. From business malfeasance and insider risks, to new and more malicious classes of security attacks, enterprises are challenged as never before to contain threats to critical information resources. The introduction of numerous regulatory and industry compliance measures has raised the challenge to the level of mandate: businesses must adopt a more consistent and comprehensive approach to IT governance. In each of these demands, a consistent theme is heard with increasing urgency: the enterprise must take a more strategic approach to IT risk management.

In today's technology-dependent enterprise, business risk managers increasingly recognize that IT controls are often the key to the management of a wide range of operational risks. Conversely, information technologists are embracing risk management practices in the management of business-critical information resources by:

- Taking a disciplined approach to IT control objectives in domains from performance, availability, configuration, and change management, to business risk, trust and security controls.
- Applying objective metrics for the measurement of IT risk control effectiveness.
- Merging workflow and content management with frameworks of policy and best practices standards to help develop the consensus needed to establish governance and risk management policies and priorities.

Effective risk management must rationalize different views of criticality, business impact, and policy across the enterprise. Professionals throughout the business are becoming increasingly aware that IT and enterprise risk management are interrelated, and that, in some cases, the effective management of risk in one technology silo may be directly dependent on other domains. The challenge to the enterprise today is achieving the coherence and consistency essential to the management of risk in, of, and by IT - across domains and throughout the enterprise.

In this report, EMA defines a new initiative arising to address this challenge: Strategic IT Risk Management. Strategic IT Risk Management seeks to unify siloed approaches to managing security, business, technology, and trust risks in IT and to align them with strategic business objectives in ways that enable the enterprise to consistently manage and measure their control.

This report takes a look at the evolution of Strategic IT Risk Management and how it seeks to transcend silos of technology, process and culture to provide the insight and control essential to managing risk strategy. The convergence of key technologies in multiple market segments is examined, with a look at how they are building increasing maturity in layers of more comprehensive scope and capability:

- The need to integrate the management of policy and process, coupled with the monitoring and validation of control throughout the environment, means that Strategic IT Risk Management is giving rise to new classes of technologies and tools. These include not only business and financial risk management tools, but also IT Governance, Risk and Compliance Management (IT GRC) solutions and other tools that bring coherence to strategy, policy, and process definition, combining it with the monitoring and validation of controls specific to IT governance, risk, and compliance management priorities.
- In order to contribute significantly to improving business agility, Strategic IT Risk Management solutions must be geared toward flexibility in adapting to changing risk management priorities. Integration and interoperability with IT Service, Operations, and Security Management technologies and processes are therefore essential aspects of this emerging domain. Enterprise application platforms offer a focus for many efforts. These all contribute to Strategic IT Risk Management, and in fact, initiatives such as the Configuration Management Database (CMDB) and "next generation" asset management systems may be considered primary enablers, as they build inventories of assets, management tools, and processes essential to correlating risk and control.

EMA believes that enterprise efforts to implement Strategic IT Risk Management tools and techniques are becoming a key measure of how effectively IT ultimately serves the enterprise. Putting a Strategic IT Risk Management program into place is complex and requires the collaboration of virtual teams from the business, IT, security, compliance, and auditing in order to be truly effective. However, it can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline.
