Professional Documents
Culture Documents
Insights On It Risk 2012 08 02 en PDF
Insights On It Risk 2012 08 02 en PDF
Business briefing
June 2011
The evolving
IT risk landscape
The why and how of
IT Risk Management today
Contents
IT risks in today’s business risk landscape.............................. 1
1 For further detailed reading on information security, ask for a copy of Borderless security: Ernst & Young’s 2010
Global Information Security Survey, or download from www.ey.com.
Banking Technology
Co Co
ial m
pl cial m
pl
nc
J]\m[]\hjgÕlk
an\nadmalignk n
na
na
ia
ia
nc
nc
Fi
Fi
;gjhgjal]ggn]jnan[]an\
e
e
at
io
ra
integration
gi change
r gi r
c
O pe c Attracting and
O pe
managing talent
Most of the business risks have a strong link to IT risks Most of the business risks have a strong link to IT risks
• Regulatory risk. How will regulators respond to the increasing • Expansion in emerging markets. Does increasing your company’s
threat of IT risk? footprint add to the challenge of business continuity?
• Geopolitical shocks. What is your exposure to these shocks? • Reshaping the business. How much would your IT risk profile change?
How responsive is your IT organization?
• Shared services centers. Would this increase the risks to security
• Reputation risk. How would a cyber attack affect your
and IT sourcing?
reputation and brand?
• IP and data security. Are you covered against data leakage, loss
• Control failures. Could gaps or weaknesses in IT controls and
security be contributing factors? and rogue employees?
• IT risk. How will you address the key risk areas of security, • Selective acquisitions and effective integration. How successful
resilience and data leakage? are your investments if you are not able to integrate the IT
environment of an acquired company?
Source: The Ernst & Young Business Risk Report 2010. This item is available to download from www.ey.com.
Market
IT Ee_atrends EfÔciency Outcomes
Business
forces objectives
Third-party
suppliers and E Enable
Globalization outsourcin_ Pro_rams innovation
ffe
ce
De_al and
an
re_ulatory
mana_ement
ive
pli
Reduced cost
Com
Consumerization
nes
Cloud computin_
Applications Security Predictability
Resiliency and databases and privacy
Regulatory IT Risk Transparency Manage
pressure Universe and conÕdence compliance
Cybercrime
Physical and expectation
Co n Ô
A li
models and gnm e nt customer
Chan_e a_enda
den
a bi
Economic
Av
KtafÕn_
li t
market volatility
Operations
Investor I n te g r i t y Operational
conÕdence excellence
Increasing trend
towards BPO/IT
Risk outsourcing
Major damage incidents Focused
exposure through intrusions (viruses, terrorist
worms, DOS attacks, etc.) Rise on threats
online fraud
EU - Data
protection Sarbanes-Oxley Increased
directives cybercrime Increasing
Internet and web identity theft
service attacks Extended and phishing
enterprises
Organized
9/11 - War against industrial
E-commerce
terrorism espionage
boom
Start of Y2k
internet era Evolution of
connected Increased awareness
economy of insider risks,
intellectual property
Has managing IT risk become more challenging over The growth of technologies such as mobile computing, cloud
the past years? computing and virtualization, and the rapid adoption of social
media platforms and online commerce/payments shows little
3% sign of slowing. Newer technologies will continue to be created,
12% 18% each posing their own new set of risks and challenges, the nature
of which cannot be easily predicted. Some organizations have
embraced the new technology and harnessed it to help grow their
businesses. (For example, the new consumer product and services
19%
discount website ‘Groupon’ needed only three years to achieve
US$ 1 bn in revenue). For these fast-moving companies, reliance
on effective ITRM is considerable. They understand that an IT risk
incident imperiling data and undermining consumer confidence
48%
could threaten their very existence.
Cybercrime is a highly unpredictable risk and has inevitably drawn
increasing governmental regulation and oversight scrutiny. The EU
data protection directives, Sarbanes-Oxley and the Payment Card
Strongly agree Industry data security standards have therefore also become significant
drivers of investments in ITRM-related processes and procedures.
Agree
Disagree
Strongly disagree
Operations
• Disclosure of
sensitive data
• Loss of key IT resources
• Corruption of data
• Inability to recruit IT staff
• Unauthorized access
• Mismatch of skills
• Failure to mine
information • Lack of business
knowledge
• Operator errors during
backup or maintenance
• Breakdown of operational
processes
Defensive Offensive
Factory mode Strategic mode
Increasing need for reliable information technology
• If a system fails for more than one minute, there is • If a system fails for more than one minute, there is
an immediate loss of business an immediate loss of business
• Decrease in response time beyond one second has • Decrease in response time beyond one second has
serious consequences for internal and external users serious consequences for internal and external users
• New systems promise major process and service
• Most core business activities are online
transformations
• Systems work is mostly maintenance • New systems promise major cost reductions
• Systems work provides little strategic differentiation • New systems will close significant cost, service and/
or dramatic cost reduction or process performance gaps with competitors
Source: “Information Technology and the board of directors,” Nolan & McFarlan, Harvard Business Review, October 2005.
Categories of IT Risk
Megatrends Business benefit Business/IT risks
Universe affected
• Mobile computing: Anytime • Increased vulnerability due to anytime, anywhere accessibility • Security and privacy
and anywhere connectivity/ • Risk of unintended sharing, amplification of casual remarks, and • Data
high volume portable data disclosure of personal and company data. The availability of this • Legal and regulatory
storage capability data on the web facilitates cyber attacks
Emerging • Infrastructure
• Social media: New and • Employees may violate company policies in terms of data leakage
consumerization advanced information
sharing capabilities such as
crowdsourcing.
• Lower total cost of ownership • Lack of governance and oversight over IT infrastructure, • Security and privacy
• Focus on core activities and applications and databases • Data
reduction of effort spent on • Vendor lock-in • Third-party suppliers and
managing IT infrastructure • Privacy and security outsourciing
and applications • Availability of IT to be impacted by the use of • Applications and databases
The rise of cloud • Contribute to reduction of the cloud • Infrastructure
computing global carbon footprint • Increased risk to regulatory non-compliance (SOX, PCI etc.). • Legal and regulatory
The cloud also brings about challenges in auditing compliance.
• The cloud may impact the agility of IT and organizations; the
platform dictated by the provider may not align with software
development and strategic needs of the user
• 24/7/365 availibility of IT • Failure of the business continuity and disaster recovery plans • Infrastructure
systems to enable continuous causing financial or reputational loss • Applications and databases
The increased consumer support, operations, • Staffing
importance of e-commerce, etc.
• Operations
business continuity
• Physical environment
• N/A • Spread of malicious code in company systems causing system • Security and privacy
outages • Data
Enhanced persistence • The risk of theft of personal, financial, and health information
of cybercrime • Loss of confidential data due to external vulnerabilities
• Financial loss due to unauthorized wire transfers
• N/A • Assigning access rights that are beyond what is required for • Data
the role by employees or contractors • Applications and databases
Increased exposure
• Failure to remove access rights for employees or contractors
to internal threats
on leaving the organization
• Fast adoption of new business • Failure to deliver IT projects and programs within budget, timing, • Programs and change management
models or reducing costs quality and scope causing value leakage
The accelerating
provides organizations with
change agenda
competitive advantage
Managed by vendor
12.00%
In our survey, we asked executives in which categories of the
IT Risk Universe they had experienced the most negative IT-
10.00%
related incidents. Our results show that the three most commonly
8.00%
experienced incidents were in the categories of (1) security and
6.00%
privacy, (2) infrastructure and (3) data. It is not a surprise that all
4.00% three categories also relate to most of the IT megatrends.
2.00%
We then also asked the participating executives if they planned to
0.00%
spend more or less on the different IT Risk Universe categories.
Their response (see below) shows that:
• security and privacy and infrastructure are recognized as high
risk areas and organizations are planning to spend more to
mitigate these risks
• although applications and databases are not immediately a
high risk category, organizations plan to spend more (with the
potential risk of overspending)
• the risks around data are not yet very high on the corporate
For each of the following areas of IT risk, does your
agenda (implying a potential risk of underspending).
organization plan to spend more, less or the same over the
next 12 months (in comparison with the previous 12 months)
to mitigate the associated risks? (Y-axis scale: % participants
responding ‘more’ - % participants responding ‘less’)
12%
10%
8%
6%
4% Under spend?
2%
0%
Enable innovation
Globalization
R&D and change
Consumerization Transactions
Business support functions
Procurement
Regulatory Manage compliance
Strategy
Operations
Oversight
Cost
Business drivers and
Risk srategy
and redundancies
management
Ris
Issues
e
k m orting
anc
rep
acc Risk
su ula at
ag ab d
etri
ept
an r an
en y
ra to ion
co
Value
em ilit
t
nc ry
o
m lne at
cs
e
vu hre
an
Inc t
T
en
d
ma iden em
• Enabling confidence to take risk as opposed
na t lo
ge nag to avoid risk
me ss s ma
nt isi
Cr • The risk function provides process
improvement suggestions
2 Scenario analysis 5 Awareness and
training
2
1 IT risk governance & compliance monitoring and reporting. 2 Business drivers, regulatory requirements and (IT) risk
Ownership, accountability, and oversight are the cornerstones strategy. Most organizations do not spend enough time clearly
of any risk management program. The risk governance defining those critical business issues or business drivers that
component of the ITRM program should have a strong leader, create the need for an ITRM program. These drivers must be
an executive who can juggle strategic and tactical enterprise aligned with business objectives, regulatory requirements,
initiatives across diverse and distributed IT environments. The and board of directors and executive management directives.
overall governance of an ITRM program is supported by the IT Without such alignment, there is the potential for confusion in
risk dashboard to enable ongoing (compliance) monitoring and coordinating various agendas and communicating the overall
reporting on program effectiveness and risk posture. enterprise risk vision. This vision should encompass risk-
tolerance guidance, risk processes, expectations for the risk
This is where organizations put in place their processes to
management function, and the integration of risk processes
assess compliance with policies, standards, procedures, and
such as IT security into standard IT operations.
regulatory requirements. Monitoring and reporting capabilities
are designed to provide management with organizational views
and trend analyses for risks, control issues, and vulnerabilities.
17%
22%
The use of tools
Many software vendors offer risk management or GRC (Governance Risk & Compliance)
services. These tools often link their business requirements with a reporting tool that
Level 5 can aggregate various risk elements and information in order to obtain an enterprise-
The program has been well-established wide view of IT risk. We asked the participants in the IT Risk Agenda Survey if they
for several years
used such supporting tools. We found that the more mature the ITRM program is within
Level 4
We introduced a program within the an organization, the more likely it is that the organization uses tools. In our view an
past three years organization should seriously consider the adoption of appropriate tools – our survey
Level 3 suggests that the use of tools may be a key component in the achievement of a mature
We are in the process of implementing
ITRM program.
a program
Level 2
We are currently evaluating options
for a program
Level 1
We are not considering a program
Does your organization use any tools or software applications to support ITRM (e.g., GRC tools)?
100%
90%
80%
22%
27% 70%
60%
50%
40%
20%
30%
31% 20%
10%
–
0%
Level 5 Level 4 Level 3
How would you compare the effectiveness of your organizations’s ITRM with that of your competition?
(% participants responding ‘ours is more effective’ )
Level 5 30%
The program has been well-established
for several years 25%
Level 4
We introduced a program within the 20%
past three years
Level 3 15%
We are in the process of implementing
a program 10%
Level 2
5%
We are currently evaluating options
for a program Level 1
0%
Level 1 Level 5 Level 4 Level 3 Level 2
We are not considering a program - 5%
In any case, ITRM work needs to be far-reaching and thorough. The 4. Do you understand the mode that (parts of) your
evolving nature of the IT risk landscape means that organizations organization are in: ‘factory’, ‘strategic’, ‘support’,
must continuously monitor whether they have become significantly or ‘turnaround’? What are the key risk areas?
‘out of step’ with the nature of today’s threats, and in comparison
5. How do the 6 mega trends in IT risk affect the
to their industry peers are vulnerable to reputational and brand
IT risks your organization is facing?
asset damage.
6. Do you have an accurate perspective on the use
We therefore propose the following next steps that organizations
could embrace to take ITRM into action: of mobile devices and social media by your
employees in conducting their work? Especially
with regards to the flow of company data and
potential data leakage?
www.ey.com