The Role of IT in Risk Management (via ISACA)
September 28, 2015
This short article by Sunil Bakshi outlines common issues that IT faces when addressing organizational risk:
- IT being a service provider to the business function. The level of IT controls might be different for each business function and, hence, IT finds it difficult to implement a common control.
- Business owners request IT to relax controls by approving exceptions to policy for their business area, resulting in the hidden risk of false comfort or relaxing common control for all business functions.
- IT managers and administrators, unaware of the nature of risk impact, might implement weak control for the convenience of IT operations.
- The business side, due to a lack of knowledge or an assumption that it is not its responsibility, does not communicate appropriate control requirements to IT.
Mr. Bakshi provides some actionable recommendations for IT to address these issues. Ultimately, IT and the business must recognize that they must work together to mitigate risks for the good of the broader organization. This strategic alignment will help not only in the ownership of IT risks but in the development and execution of other business objectives.