Rajesh Kapur, CISA, FIETE, MIE
Risk management, in its essence, is subjective. Although it is a structured approach to deciding whether to accept, mitigate, transfer or avoid a risk, it rests on a subjective assessment of the business impact of the organization's vulnerabilities. The current slowdown in business profitability has sharpened the need for risk management initiatives to align quickly with the business goals of an enterprise. Business goals change from time to time, as do the perception of their associated vulnerabilities and the resulting impact, and the risk management process must keep pace with that change. In a dynamic business environment that forces changes in business goals and objectives, this alignment of risk management with business goals percolates down to the management of the risks associated with the optimal deployment of IT resources.
There are numerous factors that impact the business goals and objectives of an enterprise and, thereby, contribute to the need for change. The change may be driven by market forces or may be a result of an internal shift in priorities. These factors, varied and divergent as they are, can be effectively abstracted by means of a balanced scorecard (BSC) approach.
The BSC approach has evolved from its early use as a simple performance measurement framework into a full-fledged strategic planning and management system. It is used across all sectors of business and industry to align an enterprise's business activities with the vision and mission of the organization, to improve internal functioning and customer perception of the organization, and to monitor the organization's performance against strategic goals. It provides a framework for performance metrics and delineates objectives from which management can execute strategies. The BSC thus offers a mechanism for converting a long-term strategic plan into sets of immediately actionable activities.
Although a great deal of literature is available on the BSC, it is abstracted for the purposes of this article in figure 1. Each of the four perspectives is briefly elucidated as follows:
The BSC methodology can provide a measurement and management system that supports the process of IT governance as well as the more critical aspect of alignment of IT governance to corporate goals and objectives.1 Under this proposal, an IT BSC links with business through the business contribution perspective—by explicitly expressing the relationship between IT and business via a mapping of business goals and objectives to IT goals and objectives. The IT BSC, after mapping the various perspectives, is shown in figure 2 (the mapped IT perspectives are shown in bold italics).
The mapping is a tool used to provide direction on how to impart maximum value for the organization through technology. It traces the consequential relationship between strategic goals determined by the corporate BSC and the consequent strategic objectives as relevant to the IT domain of an IT BSC (the respective objectives are within ovals in figure 2). For example, improving performance in the objectives found in future orientation (learning and growth) enables the organization to improve its operational excellence (internal business processes), which in turn enables the organization to create desirable results in the customer and financial perspectives. There is a cause-and-effect relationship here that plays out as the enterprise moves through various stages of its life cycle.
IT departments can control risk by developing and deploying application controls to ensure completeness, accuracy, validity, authorization and segregation of duties, but accruing business value through risk management will require an understanding of the current priorities of the enterprise— in effect, those of senior management. These would be guided not only by various social, economic and environmental factors, but also by the specific stage of the life cycle of the enterprise.
Risk management, subjective as it may be, has to be an inherent aspect of any successful business effort; it is carried out either explicitly or implicitly at both the operational and strategic levels of an enterprise. It is an essential constituent of sound corporate governance. Just as the IT BSC can be deduced from the corporate BSC to better align itself with corporate business objectives, a methodology for technology risk management can be deduced from the corporate BSC to facilitate effective IT risk management.
This article extends the technique of using the BSC for IT governance to the task of IT risk management for an enterprise, factoring in the cause-and-effect relationship described previously. Deploying the methodology makes the technology risk management process more responsive to its most critical requirement: alignment with corporate goals and objectives.
The methodology includes the following seven steps (see figure 3):
Risk management has now become inherent in all corporate endeavors. Getting all the stakeholders to focus on true essentials remains a challenge. Critical success factors (CSFs) help in delineating the essential areas of activity that must be performed well to achieve business goals.
The CSFs for technology risk management through the use of the BSC are as follows:
At the end of the risk management activity, there is always a question that the stakeholders would like to have answered with a fair amount of certainty: “Have we got it right?”
The question can be answered to any acceptable amount of precision only by constant observation and review—by being proactive rather than reactive.
Success in any technology risk management activity, however, relies heavily on the commitment shown by senior management; the competence of the risk assessment team to translate business requirements into IT objectives; the support and participation of the IT team; and the awareness, cooperation and support of all employees in the organization who must comply with the controls to make the vision of their organization a reality.
1 Van Grembergen, W.; “The Balanced Scorecard and IT Governance,” Information Systems Control Journal, vol. 2, 2000
Rajesh Kapur, CISA, FIETE, MIE, is a director at Tyche IT Consultants. He has been a professor of computer science and engineering at BIET, Hyderabad, India, and a faculty member at the Institute of Chartered Financial Analysts of India (ICFAI) Business School, Hyderabad, India. Kapur has been a senior project manager at Synfosys Business Solutions, deputy general manager at the Corporate IT Division of Apollo Hospitals, and director (solutions) at winAMR Systems. He can be contacted at [email protected].
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2010 ISACA. All rights reserved.