Integrate IT Risk Into Enterprise Risk

Don’t fear IT risks, integrate them.

  • IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
  • IT is expected to own risks over which they have no authority or oversight.
  • Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

Our Advice

Critical Insight

  • Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize the organization’s ability to respond to risk.

Impact and Result

  • Understand gaps in the organization’s current approach to risk management practices.
  • Establish a standardized approach for how IT risks impact the enterprise as a whole.
  • Drive a risk-aware organization toward innovation and consider alternative options for how to move forward.
  • Integrate IT risks into the foundational risk practice.

Integrate IT Risk Into Enterprise Risk Research & Tools

Integrated Risk Management Capstone – A framework for how IT risks can be integrated into your organization’s enterprise risk management program to enable strategic risk-informed decisions.

This is a capstone blueprint highlighting the benefits of an integrated risk management program that uses risk information and data to inform strategic decision making. Throughout this research you will gain insight into the five core elements of integrating risk through assessing, governing, defining the program, defining the process, and implementing.


EXECUTIVE BRIEF

Analyst Perspective

Having siloed risks is risky business for any enterprise.

Valence Howden, Principal Research Director, CIO Practice
Petar Hristov, Research Director, Security, Privacy, Risk & Compliance
Ian Mulholland, Research Director, Security, Risk & Compliance
Brittany Lutes, Senior Research Analyst, CIO Practice
Ibrahim Abdel-Kader, Research Analyst, CIO Practice

Every organization has a threshold for risk that should not be exceeded, whether that threshold is defined or not.

In the age of digital, information and technology will undoubtedly continue to expand beyond the confines of the IT department. As such, the risks that come with them cannot be addressed by different areas of the organization in silos. A siloed approach produces different ways of identifying, assessing, responding to, and reporting on risk events. Integrated risk management is about embedding IT-related uncertainty into the information that drives decision making across the organization.

When IT risk is integrated into the organization's enterprise risk management program, it enables a single view of all risks and the potential impact of each risk event. More importantly, it provides a consistent view of each risk event alongside sources of uncertainty that might once have seemed unrelated to IT.

And all this can be achieved while remaining within the enterprise’s clearly defined risk appetite.

Executive Summary

Your Challenge

Most organizations fail to integrate IT risks into enterprise risks:

  • IT risks, when considered, are identified and classified separately from the enterprise-wide perspective.
  • IT is expected to own risks over which they have no authority or oversight.
  • Poor behaviors, such as only considering IT risks when conducting compliance or project due diligence, have been normalized.

Common Obstacles

IT leaders have to overcome these obstacles when it comes to integrating risk:

  • Making business leaders aware of, involved in, and able to respond to all enterprise risks.
  • A lack of data or information being used to support a holistic risk management process.
  • A low level of enterprise risk maturity.
  • A lack of risk management capabilities.

Info-Tech’s Approach

By leveraging the Info-Tech Integrated Risk approach, your business can better address and embed risk by:

  • Understanding gaps in the organization’s current approach to risk management practices.
  • Establishing a standardized approach for how IT risks impact the enterprise as a whole.
  • Driving a risk-aware organization toward innovation and considering alternative options for how to move forward.
  • Helping integrate IT risks into the foundational risk practice.

Info-Tech Insight

Stop avoiding risk – integrate it. This provides a holistic view of uncertainty for the organization to drive innovative new approaches to optimize its ability to respond to risk.

What is integrated risk management?

  • Integrated risk management is the process of ensuring all forms of risk information, including information and technology, are considered and included in the enterprise’s risk management strategy.
  • It removes the siloed approach to classifying risks related to specific departments or areas of the organization, recognizing that each of those risks is a threat to the overarching enterprise.
  • Aggregating the different threats or uncertainty that might exist within an organization allows for informed decisions to be made that align to strategic goals and continue to drive value back to the business.
  • By holistically considering the different risks, the organization can make informed decisions on the best course of action that will reduce any negative impacts associated with the uncertainty and increase the overall value.

Enterprise Risk Management (ERM)

Diagram of ERM encompassing the risk types IT, Security, Digital, Vendor/Third Party, and Other.

Enterprise risk management is the practice of identifying and addressing risks to your organization and using risk information to drive better decisions and better opportunities.

IT risk is enterprise risk

Multiple types of risk, 'Finance', 'IT', 'People', and 'Digital', funneling into 'ENTERPRISE RISKS'. IT risks have a direct and often aggregated impact on enterprise risks and opportunities in the same way other business risks can. This relationship must be understood and addressed through integrated risk management to ensure a consistent approach to risk.

Your challenge

Embedding IT risks into the enterprise risk management program is challenging because:

  • Most organizations classify risks based on the departments or areas of the business where the uncertainty is likely to happen.
  • Unnecessary expectations are placed on the IT department to own risks over which they have no authority or oversight.
  • Risks are often only identified when conducting due diligence for a project or ensuring compliance with regulations and standards.

Risk-mature organizations have a unique benefit in that they often have established an overarching governance framework and embedded risk awareness into the culture.

35% — Only 35% of organizations had embraced ERM in 2020. (Source: AICPA and NC State Poole College of Management)

12% — Only 12% of organizations are leveraging risk as a tool to their strategic advantage. (Source: AICPA and NC State Poole College of Management)

Common obstacles

These barriers make integrating IT risks difficult to address for many organizations:

  • IT risks are not seen as enterprise risks.
  • The organization’s culture toward risk is not defined.
  • The organization’s appetite and threshold for risk are not defined.
  • Each area of the organization has a different method of identifying, assessing, and responding to risk events.
  • Access to reliable and informative data to support risk management is difficult to obtain.
  • Leadership does not see the business value of integrating risk into a single management program.
  • The organization’s attitudes and behaviors toward risk contradict the desired and defined risk culture.
  • Skills, training, and resources to support risk management are lacking, let alone those to support integrated risk management.

Integrating risks has its challenges

62% — Accessing and disseminating information is the main challenge for 62% of organizations maturing their organizational risk management. (Source: OECD)

20-28% — Organizations with access to machine learning and analytics to address future risk events report 20 to 28% higher satisfaction. (Source: Accenture)

Integrate Risk and Use It to Your Advantage

Accelerate and optimize your organization by leveraging meaningful risk data to make intelligent enterprise risk decisions.

Risk management is more than checking an audit box or demonstrating project due diligence.

Risk Drivers
  • Audit & compliance
  • Preserve value & avoid loss
  • Previous risk impact driver
  • Major transformation
  • Strategic opportunities

Only 7% of organizations are in a “leading” or “aspirational” level of risk maturity. (OECD, 2021)
63% of organizations struggle when it comes to defining their appetite toward strategy-related risks. (“Global Risk Management Survey,” Deloitte, 2021)
Late adopters of risk management were 70% more likely to use instinct over data or facts to inform an efficient process. (Clear Risk, 2020)
55% of organizations have little to no training on ERM to properly implement such practices. (AICPA, NC State Poole College of Management, 2021)

The five steps of the approach:
  1. Assess Enterprise Risk Maturity
  2. Determine Authority with Governance
  3. Build a Risk Management Program Plan
  4. Establish Risk Management Processes
  5. Implement a Risk Management Program

Unfortunately, less than 50% of those in risk-focused roles are also in a governance role where they have the authority to provide risk oversight. (Governance Institute of Australia, 2020)
IT can improve the maturity of the organization’s risk governance and help identify risk owners who have authority and accountability.

Governance and related decision making is optimized with integrated and aligned risk data.

Integrated Risk Maturity Categories: 1. Context & Strategic Direction, 2. Risk Culture and Authority, 3. Risk Management Process, and 4. Risk Program Optimization.

ERM incorporates the different types of risk, including IT, security, digital, vendor, and other risk types.

The program plan is meant to consider all the major risk types in a unified approach.

The 'Risk Process' cycle: '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning.

Implementation of an integrated risk management program requires ongoing access to risk data by those with decision-making authority who can take action.

Integrated Risk Mapping — Downside Risk Focus

A diagram titled 'Risk and Controls' beginning with 'Possible Sources' and a list of sources, 'Control Activities' to prevent, the 'RISK EVENT', 'Recovery Activities' to recover, and 'Possible Repercussions' with a list of ramifications.

Integrated Risk Mapping — Downside and Upside Risk

Third-Party Risk Example

A third-party risk mapped onto the diagram above, with the potential upsides mapped out as well.

Risk event: Vendor exposes private customer data

Downside
  • Possible source: External attack → likelihood prevention: Define security standard requirements for vendor assessment
  • Possible source: Exfiltration of data through fourth-party staff → likelihood prevention: Ensure data is properly classified
  • Possible repercussion: Organization unable to operate in jurisdiction → impact minimization: Engage in-house risk mitigation responses
  • Possible repercussion: Fines levied against organization → impact minimization: Report incident to any regulators

Upside
  • Possible source: Application rationalization → likelihood optimization: Reduce number of applications in environment
  • Possible source: Review vendor assessment practices → likelihood optimization: Improve vendor onboarding
  • Possible repercussion: Easier vendor integration and management → impact utilization: Improved vendor onboarding practices
  • Possible repercussion: Able to bid on contracts with these requirements → impact utilization: Vendors must provide attestations (e.g. SOC or CMMC)

Insight Summary

Overarching insight

Stop fearing risk – integrate it. Integration leads to opportunities for organizations to embrace innovation and new digital technologies as well as reducing operational costs and simplifying reporting.

Govern risk strategically

Governance of risk management for information- and technology-related events is often misplaced. Just because it's classified as an IT risk does not mean it shouldn’t be owned by the board or business executive.

Assess risk maturity

Integrating risk requires a baseline of risk maturity at the enterprise level. IT can push integrating risks, but only if the enterprise is willing to adopt the attitudes and behaviors that will drive the integrated risk approach.

Manage risk

It is not a strategic decision to have different areas of the organization manage the risks perceived to be in their department. It’s the easy choice, but not the strategic one.

Implement risk management

Different areas of an enterprise apply risk management processes differently. Determining a single method for identification, assessment, response, and monitoring can ensure successful implementation of enterprise risk management.

Tactical insight

Good risk management will consider both the positives and negatives associated with a risk management program by recognizing both the upside and downside of risk event impact and likelihood.

Integrated risk benefits

IT Benefits

  • IT executives have a responsibility but not accountability when it comes to risk. Ensure the right business stakeholders have awareness and ability to make informed risk decisions.
  • Controls and responses to risks that are within the “IT” realm will be funded and provided with sufficient support from the business.
  • The business respects and values the role of IT in supporting the enterprise risk program, elevating its role into business partner.

Business Benefits

  • Business executives and boards can make informed responses to the various forms of risk, including those often categorized as “IT risks.”
  • The compounding severity of risks can be formally assessed and ideally quantified to provide insight into how risks’ ramifications can change based on scenarios.
  • Risk-informed decisions can be used to optimize the business and drive it toward adopting innovation as a response to risk events.
  • Position the organization to obtain cyberinsurance against cybersecurity threats on better terms, since insurers look for a formalized, governed risk program.

Measure the value of integrating risk

  • Reduce Operating Costs

    • Organizations can reduce their risk operating costs by 20 to 30% by adopting enterprise-wide digital risk initiatives (McKinsey & Company).
  • Increase Cybersecurity Threat Preparedness

    • Increase the organization’s preparedness for cybersecurity threats. 79% of organizations that were impacted by email threats in 2020 were not prepared for the hit (Diligent).
  • Increase Risk Management’s Impact to Drive Strategic Value

    • Currently, only 3% of organizations are extensively using risk management to drive their unique competitive advantage, compared to 35% of companies who do not use it at all (AICPA & NC State Poole College of Management).
  • Reduce Lost Productivity for the Enterprise

    • Among small businesses, 76% are still not considering purchasing cyberinsurance in 2021, despite the fact that ransomware attacks alone cost Canadian businesses $5.1 billion in productivity in 2020 (Insurance Bureau of Canada, 2021).

“31% of CIO’s expected their role to expand and include risk management responsibilities.” (IDG “2021 State of the CIO,” 2021)

Make integrated risk management sustainable

58%

Focus not just on the preventive risk management but also the value-creating opportunities. With 58% of organizations concerned about disruptive technology, it’s an opportunity to take the concern and transform it into innovation. (Accenture)

70%

Invest in tools that have data and analytics features. Currently, “gut feelings” or “experience” inform the risk management decisions for 70% of late adopters. (Clear Risk)

54%

Align to the strategic vision of the board and CEO, given that these two roles account for 54% of the accountability associated with extended enterprise risk management. (“Extended Enterprise Risk Management Survey, 2020,” Deloitte)

63%

Include IT leaders in the risk committee to help inform decision making. Currently 63% of chief technology officers are included in the C‑suite risk committee. (AICPA & NC State Poole College of Management)

Successful adoption of integrated risk management is often associated with these key elements.

Assessment

Assess your organization’s method of addressing risk management to determine if integrated risk is possible

Assessing the organization’s risk maturity

Mature or not, integrated risk management should be a consideration for all organizations

The first step to integrating risk management within the enterprise is to understand the organization’s readiness to adopt practices that will enable it to successfully integrate information.

In 2021, we saw enterprise risk management assessments become one of the most common trends, particularly as a method by which the organization can consolidate the potential impacts of uncertainties or threats (Lawton, 2021). A major driver for this initiative was the recognition that information and technology not only have enterprise-wide impacts on the organization’s risk management but that IT has a critical role in supporting processes that enable effective access to data/information.

A maturity assessment has several benefits for an organization: It ensures there is alignment throughout the organization on why integrated risk is the right approach to take, it recognizes the organization’s current risk maturity, and it supports the organization in defining where it would like to go.

Pie chart titled 'Organizational Risk Management Maturity Assessment Results' showing just under half 'Progressing', a third 'Established', a seventh 'Emerging', and a very small portion 'Leading or Aspirational'.

Integrated Risk Maturity Categories

  1. Context & Strategic Direction: Understand the organization’s main objectives and how risk can support or enhance those objectives.
  2. Risk Culture and Authority: Examine if risk-based decisions are being made by those with the right level of authority and if the organization’s risk appetite is embedded in the culture.
  3. Risk Management Process: Determine if the current process to identify, assess, respond to, monitor, and report on risks is benefitting the organization.
  4. Risk Program Optimization: Consider opportunities where risk-related data is being gathered, reported, and used to make informed decisions across the enterprise.

Maturity should inform your approach to risk management

The outcome of the risk maturity assessment should inform how risk management is approached within the organization.

A row of waves starting light and small and becoming taller and darker in steps. The levels are 'Non-existent', 'Basic', 'Partially Integrated', 'Mostly Integrated', 'Fully Integrated', and 'Optimized'.

For organizations with low maturity, keeping risk management simple offers more benefit and better aligns with the enterprise’s risk tolerance and appetite. This might mean that no integration of risk takes place yet.

However, organizations that have higher risk maturity should begin to integrate risk information. These organizations can identify the nuances that would affect the severity and impact of risk events.

Integrated Risk Maturity Assessment

The purpose of the Integrated Risk Maturity Assessment is to assess the organization's current maturity and readiness for integrated risk management (IRM).

Frequently and continually assessing your organization’s maturity toward integrated risk ensures the right risk management program can be adopted by your organization.

Integrated Risk Maturity Assessment

A simple tool to understand if your organization is ready to embrace integrated risk management by measuring maturity across four key categories: Context & Strategic Direction, Risk Culture & Authority, Risk Management Process, and Risk Program Optimization


Use the results from this integrated risk maturity assessment to determine the type of risk management program that can and should be adopted by your organization.

Some organizations will need to remain siloed and focused on IT risk management only, while others will be able to integrate risk-related information to start enabling automatic controls that respond to this data.

Info-Tech research to support risk management maturity

  1. Reporting & Analytics Scorecard: Identify new reports that the business needs, determine who needs access to self-serve and advanced analytics tools and why, and work with your key stakeholders to ensure they are satisfied.
  2. Build a Security Metrics Program to Drive Maturity: A metrics program can be very simple and still effectively demonstrate the value of security to the organization. Leverage metrics to demonstrate increased maturity for the organization.
  3. Mature Your Privacy Operations: Establish a holistic and integrated privacy program by employing a phased approach that speaks the language of the business.

Info-Tech Insight

Organizations that try to adopt integrated risk without having the maturity to adopt an advanced risk management program are setting themselves up for failure.

Governance

Establish a governance process to support the ongoing integration of information to inform good risk management

Governing integrated risk

Lacking defined governance is often one of the key problems in integrating risk management

Information and technology have enterprise-wide impacts on the organization. As a result, IT leadership does not have sole accountability to ensure the risk management process is successful, IT risk or not. IT is one of many different types of stakeholders that can and should have a role in providing critical information to enterprise-level decision makers.

Integrated risk management provides governance for the organization by setting the direction, allowances, and methods for measurement, as well as providing insight if the risk threshold has been exceeded.

Moreover, as organizations attempt to transfer their risk, access to cyberinsurance will depend on a formalized risk structure with defined governance. Mitigating losses and driving value for the enterprise is now dependent on someone overseeing risk management.

90% of business executives expect risk management to be a part of the decision-making process when it impacts the enterprise. (EY)

Integrated risk management benefits from governance

“The extent to which senior leaders model the principles of integrated risk management sets the tone for a sustained integrated risk management culture throughout the organization.” (Treasury Board Secretariat, Government of Canada)

Oversight & Accountability

By setting the risk threshold and appetite, the governing body indicates how much risk can be accepted and enables automation of control reactions.

Risk-Informed Strategic Decision Making

Risk-related information about enterprise impact can be used to inform business decisions and ensure the organization operates within defined and approved risk barriers.

Risk-Aware Culture

Employees have a role in providing quality information that supports risk-informed decision making and appropriate risk-mitigation outcomes.

Steps to establishing integrated risk governance

  1. Decide who in the organization has risk ownership and accountability to ensure the risk management process is adhered to.
  2. Formalize and communicate the organization’s intended risk posture. Define both the organization’s appetite for risk and threshold for accepting risk.
  3. Identify what will make your integrated risk management process successful and how that success will be measured across key performance indicators.
  4. Implement processes, procedures, and behaviors that demonstrate the desired risk culture and reinforce the organization’s risk appetite.
  5. Approve what and how information will be integrated into the organization’s enterprise risk management practices to enable risk-aware business decisions.

Info-Tech Insight

IT leaders are rarely the accountable risk owners, even when it comes to information- and technology-related risks.

Info-Tech blueprints to support governing risk management

  1. Management & Governance Diagnostic: Complete the diagnostic program to get the data you need to start your process improvement journey. You will get a customized report highlighting your organization’s most pressing IT process needs. Risk just might be one of them.
  2. Implement IT Governance to Drive Business Results: Our client-tested methodology supports the enablement of IT-business alignment, decreases decision-making cycle times, and increases IT’s transparency and effectiveness in decisions around benefits realization, risks, and resources.
  3. Establish Data Governance: Align your data governance with enterprise governance, business strategy, and the organizational value streams to ensure the program delivers measurable business value.

Program

Information integration can be the driver to enhance the scope of the enterprise’s risk management program

Establishing a program that supports integrated risk

Stop approaching risk in silos

A risk management program can be as narrow or as broad in scope as the organization requires. However, an integrated risk management program attempts to remove the organization’s siloed approach to risk. Instead, the program would be enterprise-wide and encompass the IT, operational, or digital risks that would have an impact on the business.

For organizations with a lower risk maturity, embracing this type of program might not be realistic. A lack of support from the executives, inability to gather and access risk data, or a risk-unaware culture in the organization could prevent this holistic approach. However, organizations in the process of maturing their risk management should be looking to embrace an integrated risk management program.

While only 42% of organizations that participated in Deloitte’s 2020 Extended Enterprise Risk Management Survey indicated that their organization has a formal ERM policy, the statistics below show that those that do embrace ERM are heavily skewed toward IT, cyber risk, and data.

Extended ERM budgets are already skewed toward information technology (65%), cyber risk (60%) and data privacy (60%). (Source: “Extended Enterprise Risk Management Survey, 2020,” Deloitte)

Remove the silos in your risk management program

“[V]ery sophisticated companies realize that cyber can impact multiple lines of business, and I think they are starting to realize that it’s a board-level issue, it’s a company financial health issue.” (Kelly Castriotta, Allianz Global Corporate & Specialty)

A tree of risk management silos with 'ERM' at the top and 'Integration' below it, bringing together 'IT Focused' RM ('Security & Cybersecurity', 'Information & Technology'), 'Operational' RM ('Third Party', 'Human Resources'), and 'Business Driven' RM ('Digital', 'Data').

Steps to creating an integrated risk management program

  1. Determine if the program can and will include an enterprise-wide approach to risk.
  2. Identify the individual or individuals with authority rights over the risk management program. Ensure these individuals have established a regular cadence to discuss any risk-related items that require decisions to be made.
  3. Establish how risks will be identified, assessed, and reported. As an integrated risk program, this should be done through consultation with all areas of the organization.
  4. Implement a method to gather and report risk data, with automatic controls in place to respond should the risk likelihood or impact change.
  5. Empower employees with the tools and ability to respond to risk events if the threshold is being exceeded due to one or multiple risk events taking place.

“Compliance and risk activities are frequently undertaken by different departments using different data sets. As a result, they find themselves managing governance, risk and compliance initiatives discretely and in an uncoordinated manner in an era when risks are interdependent and controls are shared across the organization” (MetricStream)

Info-Tech blueprints to support risk management programs

  1. Build an IT Risk Management Program: Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
  2. Combine Security Risk Management Components Into One Program: Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
  3. Proactively Identify and Mitigate Vendor Risk: Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s most significant risks before they happen.

Process

Understand the impact and likelihood of any risk event as it applies to the organization

Advance the risk management process

Invest in a good process to enable greater focus on strategy

There are five key phases to the risk management process – identify, assess, respond, monitor, and report. When engaging in integrated risk, the main benefit is having access to key risk information. As a result, the monitoring process, once established, can be less time consuming for the organization, allowing a greater focus on strategic initiatives and risks.

The ability to assess the impact and severity of a risk is enhanced through access to risk information. A functional impact is a short-term negative impact on the operations of the organization. However, the reputational impact can be long-term and affect both internal and external sentiment toward the organization. Having controls that automate mitigation is crucial.

Moreover, money not spent on mitigation tends to cost the organization more in the long run: the average cost of a data breach is $5 million, while the average cost to mitigate is $1.78 million (IBC, 2022).

Executives in leading organizations will spend 35% or more of their risk focused time identifying strategic risks. (Wiggins, “Do you spend enough time assessing strategic risks?,” 2022)

Risk Management Process

The 'Risk Process' cycle starting with '1. Identify', '2. Assess', '3. Respond', '4. Monitor', '5. Report', and back to the beginning.
  1. Identify: Embed the identification process as a norm within the organization, where any role is responsible for identifying possible risk events and bringing them to the attention of the accountable person(s).
  2. Assess: Integrated risk allows the organization to view each risk event on the same scale, where impact and likelihood can be comparable, in order to view the risk events across a single severity matrix.
  3. Respond: Determining an appropriate response to the risk event requires research and subject matter expert involvement. Furthermore, the response needs to consider if new risks would be generated or if the severity of another risk event would be altered.
  4. Monitor: This is the most important step in the process of integrated risk, as monitoring of risk events (or key risk indicators) should be established in an automated environment. Set the right controls and have automatic responses to mitigate the risk impact.
  5. Report: Monitor the effectiveness of the automatic controls that are leveraging access to risk data. If insufficient data – or worse, the wrong information – is being provided, then improve how this risk event is being monitored and responded to.

Assessing risk events requires experience, knowledge, and research

Two bar charts stacked against each other comparing impact and likelihood. Impact and likelihood do not necessarily increase or decrease at the same rate. However, the compounding of these two parameters does increase the threat of any risk event.
Impact
Risk events are not static, and they do not occur independent of other risk events. It is important to make sure risk impact assessments take into consideration these constantly changing variables to make accurate assessments.
Likelihood
Likelihood does not just take into consideration the possibility of the risk event happening in a given time period but also how the organization would be altered in how it functions, accesses information, and recovers.

Implement and leverage a centralized risk register

The purpose of the risk register is to act as the repository for all the risks identified within your environment.

Frequently and continually assessing your organization’s maturity toward integrated risk ensures you can adopt the right risk management program.

Risk Register Tool

A simple tool that allows the organization to identify, assess, respond to, monitor, and report on risk events. It will describe the risk profile of the entire organization and how it compares to the overall risk tolerance.

Sample of the Risk Register Tool deliverable.

Use the results from the Integrated Risk Maturity Assessment to determine the type of risk events that should be captured here. Additionally, the output from the Integrated Risk Maturity Assessment should inform the level of detail to use when assessing the likelihood and impact of the risk. Mature organizations should use all three parameters, while less mature organizations should use one.
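To make the register's role in the assess, monitor, and report phases concrete, here is an added Python example (not Info-Tech's Risk Register Tool and not code from the blueprint): a small centralized register that scores every risk, IT or business, on one impact × likelihood matrix, flags the ones above an organization-wide tolerance, and on reassessment returns the related risks whose severity may have shifted. The 1–5 scales, the banding cut-offs, the response vocabulary, and the sample risks are all assumptions made for illustration.

```python
"""A minimal centralized risk register that scores every risk on one matrix.

Added example (not Info-Tech's Risk Register Tool). The 5-point scales,
the impact x likelihood scoring, the banding and the sample risks are all
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCALE = range(1, 6)  # assumed 1..5 ordinal scale shared by IT and enterprise risks


@dataclass
class RiskEvent:
    risk_id: str
    statement: str            # risk statement (e.g. If-Then-Because form)
    owner: str                # accountable person for the response
    impact: int               # 1 (negligible) .. 5 (severe), assumed scale
    likelihood: int           # 1 (rare) .. 5 (almost certain), assumed scale
    response: str = "accept"  # planned response; vocabulary is an assumption
    related: List[str] = field(default_factory=list)  # risks whose severity this one can alter

    def __post_init__(self) -> None:
        self.validate()

    def validate(self) -> None:
        if self.impact not in SCALE or self.likelihood not in SCALE:
            raise ValueError(f"{self.risk_id}: impact and likelihood must be in 1..5")

    @property
    def severity(self) -> int:
        # One scoring rule for every risk, so IT and business risks are comparable.
        return self.impact * self.likelihood


def severity_band(score: int) -> str:
    """Map a 1..25 score to a band (assumed cut-offs for a 5x5 matrix)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


class RiskRegister:
    def __init__(self, tolerance: int) -> None:
        self.tolerance = tolerance  # highest severity accepted without an active response
        self._risks: Dict[str, RiskEvent] = {}

    def add(self, risk: RiskEvent) -> None:
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk id {risk.risk_id}")
        self._risks[risk.risk_id] = risk

    def get(self, risk_id: str) -> RiskEvent:
        return self._risks[risk_id]

    def reassess(self, risk_id: str, impact: Optional[int] = None,
                 likelihood: Optional[int] = None) -> List[str]:
        """Monitor phase: update a score and return related risks that need re-examining."""
        risk = self._risks[risk_id]
        if impact is not None:
            risk.impact = impact
        if likelihood is not None:
            risk.likelihood = likelihood
        risk.validate()  # re-check the updated scores against the scale
        return list(risk.related)

    def exceeding_tolerance(self) -> List[RiskEvent]:
        """Risks that need an active response, most severe first."""
        over = [r for r in self._risks.values() if r.severity > self.tolerance]
        return sorted(over, key=lambda r: r.severity, reverse=True)

    def profile(self) -> Dict[str, int]:
        """Report phase: how many risks sit in each band across the whole organization."""
        counts = {"low": 0, "medium": 0, "high": 0, "critical": 0}
        for r in self._risks.values():
            counts[severity_band(r.severity)] += 1
        return counts


def build_sample_register() -> RiskRegister:
    """Constructed sample: one IT, one finance, one HR and one operations risk."""
    reg = RiskRegister(tolerance=9)
    reg.add(RiskEvent("IT-01", "If unpatched internet-facing servers persist, then customer data "
                      "may be exposed, because vulnerability remediation is unfunded",
                      "CIO", impact=4, likelihood=3, response="mitigate", related=["OPS-04"]))
    reg.add(RiskEvent("FIN-02", "If a key supplier fails, then revenue is lost for a quarter",
                      "CFO", impact=5, likelihood=2, response="transfer"))
    reg.add(RiskEvent("HR-03", "If onboarding skips security training, then policy violations rise",
                      "CHRO", impact=2, likelihood=2))
    reg.add(RiskEvent("OPS-04", "If the incident process is undocumented, then recovery is delayed",
                      "COO", impact=3, likelihood=1))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for risk in register.exceeding_tolerance():
        print(risk.risk_id, risk.severity, severity_band(risk.severity), risk.owner)
    print(register.profile())
```

The single scoring rule is the point: because every entry, whatever its origin, is scored on the same scale, the register can answer "which risks exceed our tolerance?" for the whole organization rather than per silo, and a reassessment of one risk surfaces the related entries the process step above says must be re-examined.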

Express the risk severity in a statement

Risk statements are used to communicate the potential adverse outcomes of a particular risk event and can help stakeholders to make informed decisions.

What are risk statements?

Risk statements should include the following elements:

  1. What is the risk event (threat)?
  2. What is the risk impacting (asset) and in what ways (nature of the threat)?
  3. What are the sources (vector) of the risk?
  4. What are the consequences or outcomes of the risk event?
  5. What is the opportunity lost (if upside risk – e.g. there is a risk of revenue loss if we don’t do this)?

Risk statements can also include the following element:

  1. What are the contributing factors of the risk event?
    • Look beyond the “symptom” of the risk event and examine the underlying reasons why it is occurring.

Risk Statement Types

  • Threat-Asset-Nature-Vector: a threat impacting an asset, the nature of that impact, and the vector through which it arrives
  • If-Then-Because
  • Condition-Consequence

Info-Tech blueprints to support the risk management process

  1. Establish an Effective System of Internal IT Controls to Mitigate Risks: This research will help prevent or resolve high-risk operations, lack of business clarity, lack of adherence, and lack of effectiveness when it comes to risk mitigation.
  2. Implement Risk-Based Vulnerability Management: Create a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
  3. Build Your Data Quality Program: Implement a set of data quality initiatives that are aligned with overall business objectives and aimed at addressing data practices and the data itself. Develop a prioritized data quality improvement project roadmap and long-term improvement strategy.

Implement

Implementation of a risk management program and process will lean on all members of the organization to be successful.

Successfully implement integrated risk management

Risk management programs often fail because they are not implemented successfully across the organization.

Implementing an integrated risk management program successfully will require the involvement of several stakeholders, including the governance body/committees identified previously.

After all risks have been identified and assessed and appropriate mitigation responses determined, maintaining an understanding of whether that risk severity or likelihood has changed is critical. This should be done through a formalized process where key risk indicators (KRIs) are used.

KRIs are fundamental to the implementation process of integrated risk management because they use data to trigger a warning related to the risk event, informing the appropriate stakeholder.

Other elements of the implementation process include:

  • Adequate training and understanding.
  • Reinforcement of policies and procedures by leadership.
  • Alignment to compliance and audit requirements.
  • Access to tools to support the monitoring and reporting process.

55% of organizations have little to no training on ERM to properly implement such practices. (Source: AICPA & NC State Poole College of Management)

Integrated risks become a part of your DNA

A web of risk management processes tied together by 'Integrated Risk Management'.

Key risk indicators (KRIs)

KRIs are metrics that predict changes in potential risks that would negatively affect an organization. They support and enable risk monitoring.

KRIs are measurements that indicate the potential degree or trend of a risk event. They look at intermediate triggers that let you know that a risk might be emerging, has emerged, or is increasing in likelihood. They are viewed across the organizational landscape, not just in security, ensuring you don’t create blind spots and can properly calculate or measure risk.

KRIs are leading indicators that act as an early warning of increasing risk – especially within high-risk areas or for high-severity risks.

KRIs can:

  • Help identify emerging risks.
  • Help quantify changing likelihood or impact.
  • Support risk monitoring.
  • Provide lead time to develop and plan risk response.

KRIs can be qualitative or quantitative and can be operational, HR, technological, or financial.

Developing KRIs for success

Visualization of KRI development, from the 'Risk Event' to the 'Intermediate Steps' with 'KRI Measurements' to the image of a growing seed.

Examples of KRIs

  • Number of employees with access to critical data who resigned or were terminated
  • Number of risk mitigation initiatives unfunded
  • Changes in time horizon of mitigation implementation
  • Number of employees who did not report phishing attempts
  • Amount of time required to get critical operations access to necessary data
  • Number of days it takes to implement a new regulation or compliance control
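As an added example (not from the blueprint) of how KRIs such as those listed above can trigger a warning to the appropriate stakeholder, the Python below evaluates each indicator against a warning and a critical threshold and, when no threshold has been breached yet, reports an adverse trend over the last three readings as the leading signal the text describes. The indicator names, thresholds, stakeholders, risk ids, and reading series are constructed for illustration.

```python
"""Threshold- and trend-based key risk indicators (KRIs) as early warnings.

Added example, not part of the Info-Tech blueprint. The indicators, thresholds,
stakeholders, risk ids and measurement series below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class KRI:
    name: str
    risk_id: str              # risk register entry this indicator watches
    warn: float               # reading at which the accountable stakeholder is informed
    critical: float           # reading at which the risk response is escalated
    stakeholder: str
    higher_is_worse: bool = True


@dataclass(frozen=True)
class Alert:
    kri: str
    risk_id: str
    level: str                # "warning" | "critical" | "trend"
    value: float
    notify: str


def breach_level(kri: KRI, value: float) -> Optional[str]:
    """Compare the latest reading with the indicator's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.critical:
            return "critical"
        if value >= kri.warn:
            return "warning"
    else:
        if value <= kri.critical:
            return "critical"
        if value <= kri.warn:
            return "warning"
    return None


def is_worsening(kri: KRI, series: List[float], periods: int = 3) -> bool:
    """Leading signal: the last `periods` readings move strictly in the worse direction."""
    tail = series[-periods:]
    if len(tail) < periods:
        return False
    pairs = list(zip(tail, tail[1:]))
    if kri.higher_is_worse:
        return all(later > earlier for earlier, later in pairs)
    return all(later < earlier for earlier, later in pairs)


def evaluate(kris: List[KRI], readings: Dict[str, List[float]]) -> List[Alert]:
    """Monitor every KRI; a threshold breach outranks a mere adverse trend."""
    alerts: List[Alert] = []
    for kri in kris:
        series = readings.get(kri.name, [])
        if not series:
            continue  # a KRI with no data is a monitoring gap to fix in the report phase
        latest = series[-1]
        level = breach_level(kri, latest)
        if level is None and is_worsening(kri, series):
            level = "trend"
        if level is not None:
            alerts.append(Alert(kri.name, kri.risk_id, level, latest, kri.stakeholder))
    return alerts


# Constructed KRIs mirroring the examples above (thresholds and owners are assumptions).
SAMPLE_KRIS = [
    KRI("privileged_leavers", "IT-01", warn=1, critical=3, stakeholder="CISO"),
    KRI("unfunded_mitigations", "FIN-02", warn=3, critical=6, stakeholder="CFO"),
    KRI("unreported_phishing", "IT-01", warn=10, critical=25, stakeholder="CISO"),
    KRI("days_to_critical_data_access", "OPS-04", warn=2, critical=5, stakeholder="COO"),
]

# Constructed monthly readings, oldest first.
SAMPLE_READINGS = {
    "privileged_leavers": [0, 0, 3],
    "unfunded_mitigations": [1, 2, 4],
    "unreported_phishing": [4, 6, 9],
    "days_to_critical_data_access": [1, 1, 1],
}


def sample_alerts() -> List[Alert]:
    return evaluate(SAMPLE_KRIS, SAMPLE_READINGS)


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.level:8} {a.kri} = {a.value} -> notify {a.notify} (risk {a.risk_id})")
```

The trend rule is what makes these leading rather than lagging indicators: the unreported-phishing count in the sample is still under its warning threshold, yet three consecutive increases already give the CISO lead time to plan a response before the threshold is reached.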

Info-Tech blueprints to support the risk management process

  1. Revive Your Risk Management Program With a Regular Health Check: To prevent your IT risk management program from becoming an artifact, conduct quarterly, biannual, or annual health checks to reassess your risk portfolio and identify new threats and vulnerabilities.
  2. Implement a Security Governance and Management Program: This project will guide you through the process of implementing and monitoring a security governance and management program that prioritizes security while keeping costs to a minimum.
  3. Develop a Business Continuity Plan: Implement a structured and repeatable process that you apply to one business unit at a time to keep business continuity planning efforts manageable.

Research Contributors and Experts

Sandi Conrad
Principal Research Director
Info-Tech Research Group

Christine Coz
Executive Counselor
Info-Tech Research Group

Milena Litoiu
Principal Research Director
Info-Tech Research Group

Scott Magerfleisch
Executive Advisor
Info-Tech Research Group

Aadil Nanji
Research Director
Info-Tech Research Group

Andy Neill
Associate Vice President of Research
Info-Tech Research Group

Daisha Pennie
IT Risk Management
Oklahoma State University

Frank Sewell
Research Director
Info-Tech Research Group

Andrew Sharp
Research Director
Info-Tech Research Group

Chris Warner
Consulting Director – Security
Info-Tech Research Group

Plus 10 additional interviewees who wish to remain anonymous.

Bibliography

“6 Reasons Data is Key for Risk Management.” Clear Risk, 2021. Web.

“Accenture 2019 Global Risk Management Study, Financial Services Report.” Accenture, 2019. Web.

Beasley, Mark S., et al. “The State of Risk Oversight.” AICPA, NC State Poole College of Management, April 2021. Web.

Castriotta, Kelly. “Essentially Every Line of Business Can be Impacted by the Cyber Peril.” Allianz Global Corporate & Specialty, 2019. Web.

“Cyber Risk Management.” Insurance Bureau of Canada (IBC), 2022. Web.

“Enterprise Risk Management Maturity Model.” OECD, 9 Feb. 2021. Web.

“Extended Enterprise Risk Management Survey, 2020.” Deloitte, 2021. Web.

Ganguly, Saptarshi, et al. “Digital Risks: Transforming risk management for the 2020s.” McKinsey & Company, 10 Feb. 2017. Web.

“Global risk management survey, 12th edition.” Deloitte, 2021. Web.

“Governance Institute Risk Management Survey Report 2020.” Governance Institute of Australia, 2020. Web.

IDG. “2021 State of the CIO.” IDG, 28 January 2021. Web.

“Integrated Risk and Compliance Management for Banks and Financial Services Organizations: Benefits of a Holistic Approach.” MetricStream, 2022. Web.

“ISACA’s Risk IT Framework Offers a Structured Methodology for Enterprises to Manage Information and Technology Risk.” ISACA, 25 June 2020. Web.

Lawton, George. “10 Enterprise Risk Management Trends in 2022.” Tech Target, 2 Feb. 2022. Web.

“Many small businesses vulnerable to cyber attacks.” IBC, 5 Oct. 2021. Web.

Maxwell, Phil. “Why risk-informed decision-making matters.” EY, 3 Dec. 2019. Web.

Natarajan, Aarthi. “The Top 6 Business Risks you should Prepare for in 2022.” Diligent, 11 Dec. 2021. Web.

“Third-party risk is becoming a first priority challenge.” Deloitte, 2022. Web.

Treasury Board Secretariat. “Guide to Integrated Risk Management.” Government of Canada, 12 May 2016. Web.

Wiggins, Perry. “Do you spend enough time assessing strategic risks?” CFO, 26 Jan. 2022. Web.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.


Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.

Authors

Valence Howden

Brittany Lutes

Petar Hristov

Ian Mulholland

Ibrahim Abdel-Kader

Contributors

  • Daisha Penni, IT Risk Management, Oklahoma State University
  • 6 additional anonymous contributors