Our recent survey on IT risk management published some interesting findings on risk management in the IT function. One of the surprising findings was how many different titles can be responsible for IT risk management. Solvency II and several pieces of draft legislation in the US require that the CRO be responsible for overall risk management. So, there’s clearly a regulatory trend towards consolidating the responsibilities of risk management in the hands of fewer people — the “one throat to choke.” While there may be one throat to choke in the IT organization, finding that throat may be difficult.
Only 40% of organizations said that the CIO was responsible for IT risk management. Others responsible for risk management included the CISO, CRO, CFO, and Head of Enterprise Risk. The surprising finding was that over 25% said “other.” See results here. You can infer that the other category consists of people at the manager/director level, which would mean that 25% of organizations haven’t elevated IT risk management to an executive function.
One of the key issues that IT risk managers face is making sure they are addressing the key risks in the business. We’ve had many conversations with IT risk managers who have a control-oriented view of the world — they see their job as making sure all the controls they manage are effective. The question is whether you have the right controls in place, and you can only answer that question with an understanding of what the business objectives are. Building this bridge between business objectives and the controls infrastructure is difficult, and frequently the two are totally disconnected. Given the survey findings on who is responsible for IT risk management, there’s no clear organizational model for how to make this connection.