Risk Management in the New Digital Economy
The business environment is experiencing significant change as a large percentage of most organizations’ value shifts from tangible items, such as inventory and facilities, to intangibles, such as information, knowledge, expertise and reputation. In most cases, these intangible assets are highly dependent on information technology. This shift is sometimes referred to as the “new digital economy.” As a result, auditing, securing, controlling and governing IT have become even more critical to the ongoing health and success of businesses around the world.
A key element of IT governance is risk management, which helps ensure that an organization’s strategic objectives are not jeopardized by IT failures. As organizations increasingly rely on IT, the business impact of an IT failure, whether it results from a natural disaster, human error, intentional fraud or other cause, can have devastating consequences. Conversely, organizations with a strong focus on risk management can provide confidence to shareholders regarding the organization’s transparency. Effective security and governance over IT helps protect reputation and strengthen trust from customers, investors, employees, vendors and other stakeholders. It can also improve efficiency by reducing wasted time and effort when recovering from a security incident.
While the board of directors is responsible for managing risk by determining an enterprise’s appetite for risk and insisting that risk management be embedded into the operation of the organization, internal auditors play a critical role in risk management in addition to their traditional responsibilities for independent verification. It is the auditor’s job to report to senior management their assessment of risk management practices and of specific risks that are not sufficiently addressed. Auditors also align their audits with key business risks and known areas of weakness. Through their independent reviews, they provide assurance to management that appropriate risk management plans are in place and are being followed in all key areas.
An additional important responsibility of auditors is their guidance to the audit committee. While the audit committee is not a new concept, its charter has expanded in the digital economy to include additional IT governance responsibilities. Recently, companies have been creating an IT strategy committee as a separate committee of the board, or as a subcommittee of the audit committee. This group provides an additional focus on IT strategy and performance.
The audit committee and IT strategy committee play an important role in the IT Governance Institute’s (ITGI) recommended steps to help ensure that IT risks are managed effectively, which include:
- Embed an IT governance structure into the organization, and provide for accountability, effectiveness and transparency. It must include defined activities and unambiguous responsibilities.
- Establish an audit committee and an IT strategy committee to determine the significant risks; assess how they are identified, evaluated and managed; commission IT and security audits; and provide recommendations.
- Define the scope and charter of the audit committee, ensuring that the committee covers IT and security risks.
- Appoint and oversee an internal audit function with a direct reporting line to the chief executive and audit committee.
- Coordinate and review the charters, budgets and plans of IT auditors and other IT assurance providers, using risk-based planning, and review the scope, coverage and quality of their work.
- Pay special attention to IT control failures and weaknesses in internal control and their actual and potential impact, and observe whether management acts promptly on them.
- Evaluate the scope and quality of management’s ongoing monitoring of IT risks and controls.
- Ensure that risk analysis is part of management’s strategic planning process and that it considers the vulnerabilities of the IT infrastructure and the exposure of intangible assets.
Given that information is among an organization’s greatest assets and IT is often among the highest expenditures, it is critical for organizations to commit to a strong risk management program as part of their overall IT governance efforts. However, according to ITGI’s IT Governance Global Status Report, a survey of 335 CEO/CIO-level executives in 21 countries, 42 percent of organizations have not considered adopting an IT governance framework. More than 80 percent of those organizations have not implemented any measures to improve risk management.
With legislation such as the Sarbanes-Oxley Act and numerous other regulations worldwide, organizations must ensure that they have adequate internal controls and security. IT governance is no longer just a recommended initiative—it is a mandatory way of doing business. Strong IT governance also provides additional advantages to organizations. The ITGI survey found that organizations that place a high priority on IT governance through board-level support and commitment often realize added value and competitive advantage in the form of improved reputation, productivity and profitability.
As businesses increase their dependence on IT and benefit from the added capabilities in the digital economy, they need to assess and prepare for the related risks. IT has become integral to daily business. Thus, it is critical for organizations to make IT risk management and IT governance a high priority.
Michael P. Cangemi, CISA, CPA, is president of Cangemi Company LLC, a management consulting and media firm, with a focus on management, IT and financial governance. He is editor in chief of the Information Systems Control Journal and author of “Managing the Audit Function.” He can be reached at firstname.lastname@example.org.
Risk Management Roles and Responsibilities