Consider an information technology (IT)-centric metric such as “99.9% server availability.” The metric sounds interesting, perhaps even impressive, but it is insufficient on its own. What is critically missing is a business risk management perspective: What are the potential business consequences of the 0.1% of the time the server is unavailable? This is the question that really needs to be answered.
Comprehensive, detailed assessment of risks requires aligning technology risk management and business risk management. Achieving this goal is not easy, but it is essential to establish a transparent and understandable link between the two elements to better achieve company objectives.
The general steps required to achieve an effective alignment of the two perspectives include:
- Identification of key business services
- Mapping of IT services to business services
- Monitoring, measuring and managing the risks this process identifies
Take, for example, a major global bank that spent significant time identifying, managing and massaging its technology risk factors. Its efforts focused singularly on incidents, by tackling questions such as: How many incidents occurred? What was their duration? How long did it take IT to recover from the incidents?MORE: 10 Actionable Steps for Audit Committees
A different exercise–refocusing efforts on the success rate of completing transactions instead of the incidents impacting availability of the system–led to surprising insights. Though the reduction in incidents was helpful, the bank discovered that planned maintenance windows, which temporarily prevented transactions from occurring, had a greater impact on the number and success of online transactions. Immediately, the bank’s IT function redirected efforts to reduce the number and duration of the maintenance windows. This resulted in redesigned architecture and practices, which yielded a positive effect on transaction success rates.
As illustrated by the bank’s initial attempt, a misaligned technology risk approach often yields isolated and less-impactful results. Instead, by starting with the examination of a business service and working backward to IT, companies can identify and quantify risks that were more relevant to business success.
Some key signs of misalignment companies should watch for are:
- Technology risk reporting that is performed for reporting’s sake or seen as a compliance exercise
- Technology risk metrics expressed solely in IT terms (e.g., server or network availability, number of incidents)
- Confusion about prioritization of IT investments
As companies begin to work toward alignment, it is important to remember that the process may take time. Misalignment is so prevalent because it runs deep and is often embedded into IT organizational processes and habits. Fixing this requires patience and organizational fortitude.
Once implemented, however, risk alignment not only leads to operational efficiencies but yields other positive byproducts, such as facilitating IT funding requests. Budget increase requests tied to improving specific or critical business operations are likely to be considered more seriously than requests for general IT asset improvements.
Ultimately, alignment of IT and business needs leads to a more nimble organization that is better equipped to manage emerging technology risks and support innovation vital for success.
This post was published originally on The Protiviti View by Protiviti Inc. Copyright 2015. Protiviti is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit (www.protiviti.com). Ed Page is the managing director and FSI IT Consulting practice leader at Protiviti, and Jonathan Wyatt is the IT Consulting practice leader.
