“We need more executive support!” is a refrain I frequently hear when teaching ISACA audiences. Yet, when I ask, “Support for what?” I too often get a reply that is disconnected from revenue, cost or profit. Yes, executive support helps, but it is critical for you to frame a need in business terms that deserve executive focus. Improving network security management is far more relevant when connected to how quickly revenue can be generated from a new business partner than when a techie is perceived as wanting a new toy.
“One bad business-IT decision killed our company!” That was a comment from a gentleman at an ISACA chapter’s executive briefing after I discussed IT-related business risk. When I served on the task force that created ISACA’s Risk IT, we created three categories of IT-related business risk: operations/service delivery, programme/project management and business-IT investment portfolio. As I teach this material, attendees often perceive operations as having the most risk. Yet, when I work with senior IT and business leaders, they are more likely to put investment portfolio risks on top of the list.
ISACA members, being sharp people, increasingly want to learn more about “what the business wants.” For the past three years, I served on the team that shaped ISACA’s IT GRC Conference. In all three years, we responded by inviting keynotes who provided a business perspective, most recently the chair of the audit and risk committee of Capital One, Ron Dietz.
Good news: Enterprises are finally making progress toward formalizing IT risk management. Bad news: Too often this is hindered by silos, excessive focus on compliance and insufficient connection with the business. In enterprises that are increasingly dependent on IT, the failure to take a business view of IT risk borders on tragic.
More good news: Drawing on lessons from a range of risk disciplines and industries, clear steps emerge to forge a more integrated, performance-focused approach to IT-related operations risk management. In 2009, Risk IT provided guidance to start bridging this gap. With two more years of analysis and refinement, The Operational Risk Handbook for Financial Companies harnesses the cross-industry and cross-discipline knowledge base to provide more practical guidance.
It is critical for enterprises to shift their view of risk management from a compliance-focused to a performance-focused perspective, taking a systems approach, understanding the value of having options to act and improving business agility. To achieve this shift to performance, life-like scenario analysis becomes the heart of risk management.
The Handbook provides guidance to business risk professionals, including business products’ dependencies on IT, process, frauds, continuity and more. To drive home the business perspective, it includes views from a panel of six board members, including Ron Dietz. For you as an IT professional, understanding the business perspective helps you be more relevant to your business leaders. This brings more value to your enterprise—and your career.
Brian Barnier, CGEIT
Principal, ValueBridge Advisors