A leading Big 4 professional services firm in the Middle East was selected by a large retail bank in the region to assist in enabling IT risk management practices to deliver value to the enterprise in a cost-effective manner. The bank was facing and continues to face a growing and ever-changing IT risk landscape. Given the bank is heavily dependent on IT infrastructure and IT application systems to deliver efficient and effective banking experiences to its customers, the risk committee (RC) of the board of directors (BoD) decided that IT risk management practices of the highest order must be implemented at the bank.
The Fundamental Problems Faced
The chief risk officer (CRO) and the RC of the BoD agreed that improvement in IT risk management was required. The following areas required specific attention:
· Fragmented IT risk management efforts—Over the years, sections within the organization (e.g., information security function, business continuity function, IT governance function, project management office) developed their own IT risk management frameworks and their own IT risk registers. Furthermore, the enterprise risk management (ERM) function also had an enterprise-wide ERM framework and facilitated enterprise-wide risk self-assessment exercises that included the IT division. Needless to say, this resulted in inefficient and ineffective IT risk management. On many occasions, the variety of risk management frameworks and IT risk registers resulted in the same risk being identified, owned and monitored in different ways at the same time. The IT division employees felt overwhelmed by the number of IT risk management activities being driven by divergent functions, which ultimately did not lead to any conclusive actions or remediation plans to implement.
· Absence of consolidated reporting—The different risk registers at the bank could not be consolidated into one. Their structures and risk rating methodologies were completely different. Furthermore, a number of risk factors were repeated across registers. Consolidating all IT risk into a single IT risk register would have been extremely difficult and time-consuming. As a result, the overall impression of the RC and the CRO was that IT risk management activities were unreliable and ineffective.
· Risk culture—The IT division and the bank as a whole did not have a risk culture. The bank was driven by a culture that encouraged and emphasized service delivery and deploying new and innovative solutions in the shortest amount of time.
To read the rest of the article, click here: http://bit.ly/2reyGjZ