Technology Risk Management Best Practices for Boards
Every industry uses technology in one form or another, and most companies increase the number or sophistication of the digital processes they use a little every year. In some industries, nearly every aspect of the business uses technology, from human resources to operations and everywhere in between. Technology solves many of a company’s problems, but it also invites many risks into the company. Cybersecurity problems can disrupt services with vendors, expose sensitive customer information, and open the door to denial-of-service attacks.
Most companies are finding that they need to allocate at least 10% of their information technology budget to cybersecurity and increase it every year. When risks turn into crises, the fallout can be devastating and lead to financial loss, reputational loss, and more. According to Basel II, one of the seven level-one operational risk categories is business disruption and systems failure. While all forms of risk management are complicated, technology risk management best practices can help to set the best course of action for tackling IT risks.
Approaches to Technology Risk Management
Many companies are finding that one cybersecurity expert isn’t enough. They need to form entire IT teams or departments to tend to continual issues like patching holes, maintaining systems, and meeting regulations. Teams are often necessary to factor in the wider business implications and operational interdependencies and to tackle those vulnerabilities that we don’t yet have regulations for. New risks are emerging every day, and IT risk management teams are needed to identify and mitigate them.
How does an interdisciplinary team with an enterprise-wide risk approach manage technology risk? McKinsey gives us six principles that IT teams use as best practices to tackle tough IT risk management problems. The principles are less of a “how-to” and more of a set of guiding principles for creating best practices for addressing technology risk management. The principles were written for banks, but they can apply to any industry.
Six Best Practices for IT Risk Management
Consider the Business First
Boards, management teams and IT teams need to establish a comprehensive picture of the company’s information needs, uses, and risks to identify the most critical business processes and information assets. Consider the types of defenses that you can employ to deal with risks like data breaches, fraud, ransomware, and hacks. Apply the strongest controls to the most valuable IT systems and data. The IT-risk group takes the lead on the assessment program, but management needs to be sure that they have the right priorities as they’re primarily on the hook when things go wrong. Consider what types of remediation efforts are most appropriate such as multi-factor authentication, data loss prevention tools, monitoring, and analytics.
Coordinate Across Sub-Groups of IT Risk Management
Large enterprises may have various groups working on different parts of risk management, but they’re not necessarily connected with each other. Think about groups like vendor and third-party management, project management, change management, development and testing, data governance, IT compliance, etc. Addressing risks in one area can help to address risks in another area. Without seeing the big picture and how the pieces are connected, a company can end up with gaps in risk management or duplication of effort.
Consider the Three Lines of Defense
The three lines of defense are just as important to IT risks as they are to other types of risks. It’s important for companies to clarify the roles and responsibilities in managing technology risk for each line of defense, as there can be some overlap of responsibility and accountability. One approach is to assign the IT risk group to set policy, provide oversight, and conduct assessments, and to assign security operations to the CIO. For example, disaster recovery involves both the first and second lines of defense, and both need specific technical expertise. All three lines of defense should be considered before launching new products or services.
Connect Enterprise Risk Management with IT Risk Management
In some companies, IT risk management is disconnected from enterprise risk management, and possibly from the operational risk management team. The disconnection between these important teams makes it difficult to prioritize risks and properly allocate funds to manage them. This structure poses additional problems for boards of directors because they lack the comprehensive data they need to make decisions such as balancing the cost of automation against the cost of human error. IT risk managers can be instrumental in developing a risk appetite that reflects the impact of disruption on critical services.
Adjust Performance Incentives for IT Managers
Companies put a lot of pressure on IT managers to deliver projects on time and on budget and without any system downtime. While these things are necessary and important, placing too much emphasis on them may leave IT managers without enough time to work on minimizing business risk exposure. Just as board directors need to be forward-thinking, IT risk managers need the time to identify, detect, and mitigate emerging risks. By tracking the number of major outages, cybersecurity incidents, and recovery times, boards can tie performance to incentives for IT managers.
Enlist and Invest in the Right IT Talent
Critical thinking and hands-on experience in technology, business, and risk are important areas of expertise for IT managers. Individuals with this combination of skills are difficult to find. As a result, this limited pool of individuals is deserving of high salaries. It takes this set of skills to effectively challenge IT risk management teams and partner with boards and management teams to guide strategic decisions. Some companies have found that it’s beneficial to partner with universities to develop the kind of talent they need. Other companies develop their own programs for training, development, and upskilling.
In conclusion, risk management occurs in various parts of the business, and it’s essential to connect all parts of the risk management process. The second line of defense can only be effective when it has strong insight into the first line of defense. It’s vital for the board and managers to have a shared vision, to understand the specific risks that they face across the entire enterprise, to make sure they have a designated plan to manage or remediate all risks, and to allocate the necessary resources to implement best practices for technology risk management. In addition to protecting their companies from cyber risks, boards also need to protect their communications and work with a BoardEffect board management system.