@ISACA Volume 18  9 September 2015

The Role of IT in Risk Management


One challenge a risk manager generally faces is identifying a risk owner who is accountable for managing the risk. Generally, a business function owns (suffers) the loss when risk materializes. However, since most business processes are automated and depend on information technology (IT) or information and communications technology, technology-related risk impacts the business, and the risk owner may have little or no knowledge about technology. This results in leaving IT in charge of the risk mitigation plan, making it the default risk owner.

Another issue is that the IT function supports almost all business processes in which common services are shared, such as networks and communication (e.g., emails, telephone), and storage. The common risk to these services has a different impact on each business process. This requires the risk manager to aggregate the risk impact, which was assessed by different business owners. The result is a big question: “Who should define the risk response that will be appropriate for all business functions supported by IT services?” In practice, it is difficult to make business process owners, although risk owners by definition, accept ownership of risk to common IT-related services. And IT is left alone to assess risk, define it and implement a mitigation program for common IT-related risk.

The issues that IT faces in such a situation are:

  • IT is a service provider to the business function. The level of IT controls might be different for each business function and, hence, IT finds it difficult to implement a common control.
  • Business owners request IT to relax controls by approving exceptions to policy for their business area, resulting in the hidden risk of false comfort or relaxing common control for all business functions.
  • IT managers and administrators, unaware of the nature of risk impact, might implement weak control for the convenience of IT operations.
  • The business side, due to a lack of knowledge or an assumption that it is not its responsibility, does not communicate appropriate control requirements to IT.

The result is a flawed risk mitigation program and IT often takes the blame if the risk materializes. Can this issue be addressed?

Every organization may have its own unique views depending upon the culture, dependency on IT, organization structure and business objectives. However, the following few steps may help IT with risk management:

  1. Form an IT risk committee consisting of representatives from business functions, including IT. It is a good idea to have a senior manager as chair.
  2. Define roles and responsibilities for this committee and create a basic agenda to determine a mitigation program for common risk. The committee members must be available for decisions on common risk-related issues.
  3. Ensure that IT understands its role as custodian (or co-owner) for all IT-related risk.
  4. Define a common mandatory baseline mitigation program for common IT services.
  5. Ensure that IT, as the implementer of the risk mitigation program, is aware of the associated risk.

Although the actual implementation may vary from organization to organization, this approach may help in addressing issues related to common risk and avoiding the blame game when risk materializes.

Sunil Bakshi, CISA, CISM, CGEIT, CRISC, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.


Register for the Inaugural CSX 2015 North America


To address the cybersecurity skills gap, ISACA created the Cybersecurity Nexus (CSX). As part of this program, ISACA is offering the inaugural CSX 2015 North America event. This cybersecurity conference will take place on 19-21 October in Washington DC, USA. Attendees can earn up to 32 continuing professional education (CPE) hours by attending this conference.

The conference will include valuable resources for people at all skill levels. Five of the 8 tracks (identify, protect, detect, respond, recover) are based on the US National Institute of Standards and Technology’s (NIST) cybersecurity framework. The remaining 3 tracks are elevate, defend and explore.

The closing keynote speaker for this conference is Robert Herjavec, founder of the Herjavec Group and star of ABC-TV’s “Shark Tank.” His keynote address, “The Cybersecurity Dance—Protecting the Currency of the 21st Century,” will cover how to weigh risk and opportunity and the importance of an offensive approach to cybersecurity.

To learn more about the conference or to register for it, visit the CSX 2015 North America page of the ISACA web site.


CISA Job Practice Change Coming in 2016


The Certified Information Systems Auditor (CISA) job practice will change with the June 2016 CISA exam. The December 2015 exam will be the last exam using the current CISA job practice areas. Details regarding the new job practice will be posted to the ISACA web site soon. You can view the current job practice on the Job Practice Areas page of the ISACA web site.

Individuals who have been studying from the current job practice areas are encouraged to take the December 2015 exam. Registration for December’s exam will remain open until 23 October 2015.


Deadline to Apply for Certification for 2010 CISA, CISM, CGEIT Exam Passers Is Approaching



Exam passers have 5 years to apply for certification once they have passed an exam. The 5-year period to apply for certification for those who passed a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM) or Certified in the Governance of Enterprise IT (CGEIT) exam in 2010 will end on 31 December 2015. If you fall into this category and have not yet submitted your completed application, you must do so prior to the deadline. Retaking and re-passing the examination will be required if the completed application for certification is not submitted within 5 years from the exam passing date.

Please note that individuals are not certified and cannot use the CISA, CISM, CGEIT or CRISC title designation until the completed application is received and approved by ISACA. Applications can be found on the Apply for CISA, CISM, CGEIT and CRISC Certification pages of the ISACA web site.

Individuals are encouraged to reach out to the ISACA Certification Department with any questions or if assistance is needed in completing the application form. Questions? Contact certification@isaca.org.


Book Review:  Enterprise Architecture as Strategy: Creating a Foundation for Business Execution

Reviewed by Upesh Parekh, CISA

What common thread can be observed among unsuccessful companies? The most common factor would be the inability of such companies to execute the most basic and core processes effortlessly. Examples of such core processes, say, for a bank, would be opening a customer account or disbursing a loan. When any bank or financial institution falters in execution of such basic core processes, it is doomed to fail.

Why do companies stumble when they execute core processes? Most likely, these companies do not have a robust operating model that is supported by agile IT.

Research scientists Jeanne Ross, Peter Weill and David Robertson have studied more than 200 companies on this topic. The findings from this study are laid out in this 220-page book, titled Enterprise Architecture as Strategy: Creating a Foundation for Business Execution.

The authors begin by describing the importance of getting the basics right, which they define as “building the foundation for execution.” The authors then stress the importance of the operating model to lay the foundation for execution. There is no single standard operating model, and the operating model should be based on the company’s desire for the degree of standardization and integration of the process. This is dependent upon the type of business, industry and preferences of management.

The authors then discuss enterprise architecture to support the operating model. The enterprise architecture varies for different operating models.

The enterprise architecture cannot mature in 1 day—it moves through the maturity journey. At each stage of the journey, different processes are initiated by the organization. Each stage requires a different level of investment and offers various benefits and returns.

The authors then describe different engagement models that need to be in place to bring the architecture to life. Here, the topic of IT governance is described in relation to the enterprise architecture and engagement model.

Though enterprise architecture is considered an important driver for adding IT value to the organization, the architecture has never been so lucidly connected to IT and business strategy. Real-life examples, facts, figures and interesting anecdotes make this book a must-read for upper management.

Enterprise Architecture as Strategy: Creating a Foundation for Business Execution is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Upesh Parekh, CISA, is a risk and governance professional with more than 10 years of experience in the banking and finance industry. He is based in Pune, India.