In today’s technology-dependent enterprise, business risk managers increasingly recognize that IT controls are often the key to the management of a wide range of operational risks. Conversely, information technologists are embracing risk management practices in the management of business-critical information resources by:
- Taking a disciplined approach to IT control objectives in domains from performance, availability, configuration, and change management, to business risk, trust and security controls.
- Applying objective metrics for the measurement of IT risk control effectiveness.
- Merging workflow and content management with frameworks of policy and best practices standards to help develop the consensus needed to establish governance and risk management policies and priorities.
Effective risk management must rationalize different views of criticality, business impact, and policy across the enterprise. Professionals throughout the business are becoming increasingly aware that IT and enterprise risk management are interrelated, and that, in some cases, the effective management of risk in one technology silo may be directly dependent on other domains. The challenge to the enterprise today is achieving the coherence and consistency essential to the management of risk in, of, and by IT - across domains and throughout the enterprise.
In this report, EMA defines a new initiative arising to address this challenge: Strategic IT Risk Management. Strategic IT Risk Management seeks to unify siloed approaches to managing security, business, technology, and trust risks in IT and to align them with strategic business objectives in ways that enable the enterprise to consistently manage and measure their control.
This report takes a look at the evolution of Strategic IT Risk Management and how it seeks to transcend silos of technology, process and culture to provide the insight and control essential to managing risk strategy. The convergence of key technologies in multiple market segments is examined, with a look at how they are building increasing maturity in layers of more comprehensive scope and capability:
- The need to integrate the management of policy and process, coupled with the monitoring and validation of control throughout the environment, means that Strategic IT Risk Management is giving rise to new classes of technologies and tools. These include not only business and financial risk management tools, but also IT Governance, Risk and Compliance Management (IT GRC) solutions and other tools that bring coherence to strategy, policy, and process definition, combining it with the monitoring and validation of controls specific to IT governance, risk, and compliance management priorities.
- In order to contribute significantly to improving business agility, Strategic IT Risk Management solutions must be geared toward flexibility in adapting to changing risk management priorities. Integration and interoperability with IT Service, Operations, and Security Management technologies and processes are therefore essential aspects of this emerging domain. Enterprise application platforms offer a focus for many efforts. These all contribute to Strategic IT Risk Management—and in fact, initiatives such as the Configuration Management Database (CMDB) and “next generation” asset management systems may considered primary enablers, as they build inventories of assets, management tools, and processes essential to correlating risk and control.
EMA believes that enterprise efforts to implement Strategic IT Risk Management tools and techniques are becoming a key measure of how effectively IT ultimately serves the enterprise. Putting a Strategic IT Risk Management program into place program is complex and requires the collaboration of virtual teams from the business, IT, security, compliance, and auditing in order to be truly effective. However, it can provide substantial benefits for the enterprise, not only in controlling threats to critical IT services, but also in giving the business a stronger competitive edge through more effective technology discipline.
Background and Context: The Evolution of IT Risk Management
IT Management Is Risk Management
Driving the Trend: Security and Regulatory Compliance
Converging on Goals: Risk Management as the Objective…
…with IT Governance as the Means of Control
The Rise of GRC Platforms
What Does “Strategic” Risk Management Mean in IT?
Strategic Management vs. Strategic Risk
Strategic IT Risk Management and the Scope of This Report
What are the Challenges that Strategic IT Risk Management is arising to Address?
Senior Management Risk Visibility Is Often Blurred Across Silos and Through Layers
IT Operations Struggles to Rationalize Multiple Views of Criticality
Complexity and Proliferation of Technology Point Solutions
“Three P’s” Are Key: Policy, Process and Procedure
Strategic IT Risk Management Lifecycle
Strategic IT Risk Management Scope and Functionality
Qualifying the Landscape: Layers and Segments
The Four Layers of Strategic IT Risk Management
Strategic IT Risk Management Market Segmentation
IT Service, Operations and Security Management
IT Service Management and Business Service Management
“Next-Generation” Asset Management
Data Protection, Disaster Recovery and Business Continuity
Project Portfolio Management
Identity and Access Management
Configuration Audit and Control
Security Information and Event Management (SIEM)
Content Risk Management
Database Governance and Risk Management
IT Security Risk Management
Further Consolidation Likely
Policy Compliance and IT GRC Systems
Business and Financial GRC with IT Governance or IT GRC Modules
Enterprise Application Platforms and Integrators
Looking Forward: The Future of Strategic IT Risk Management
Advances in the Automation of IT Management
The Evolution of IT Risk Metrics
Increasing Relationships between IT, Business and Financial Risk Management
Business Intelligence (BI) and Enterprise Decision Management (EDM)
Modeling and Enterprise Architecture
Challenges Facing Strategic IT Risk Management
Lack of Maturity in IT Management
Lack of Consensus Among Stakeholders
Lack of Consensus on “Acceptable” IT Risk
Make the Most of Shared Opportunities
More Than Cooperation, Active Participation among Stakeholders Is Vital
Consensus Must Be Grounded in Reality
Make Room for Agility in Responding to Rapidly Changing Perceptions of Risk
Toward IT Risk Management Maturity
Related and Upcoming EMA Research
Appendix A: Indicators of Maturity in Strategic IT Risk Management
Appendix B: Definitions