The IT factor
This month's OR&C Intelligence survey looks at how well operational risk practitioners are working with their colleagues in information technology to minimise technology risk
The new OR&C Intelligence survey shows a big gap in understanding between operational risk and IT executives at most financial services firms. Executives have differing views of the risks they are facing and very different approaches to measuring and managing those risks. These gaps in communication could be creating their own operational risks, say experts.
The survey, sponsored by consulting firm Protiviti, shows that 40.7% of respondents say their IT personnel only "infrequently" understand and apply business objectives and risk tolerances in IT risk management processes.
"We're seeing a very difficult time with IT folks relating to the businesses and vice versa," says Jim Ryan, a director at Protiviti, based in Chicago. "The business perspective has been more formally trained and is getting up to speed with Basel II concepts such as business impact, probability and looking at exposures. The IT people seem to be looking at efficiency and effectiveness of the services they deliver, and it loses that business impact. They are more driven by service level agreements or policies to deliver their services, and so that's where their risk is. They are missing the business impact of it."
When classifying IT risks, firms use a variety of frameworks, which can lead to differing understandings of the types of risk IT systems face. Some 24.7% of respondents said their firms classify IT risks using only the operational risk measurement "risk event" categories, while another 29.4% use only an IT framework, such as CobiT or COSO. It is encouraging that 25.9% use both, but that leaves more than 70% of firms that either rely on a single system or do not know which system they use.
Along similar lines, 29.1% of respondents quantify technology risk using a business risk model, such as the Basel II advanced measurement approach for operational risk. Another 30.2% of respondents say their firms do not do this but believe they should, while 32.6% do not quantify technology risk in this way at all. Some firms said this was "very much a work in progress" for them.
Firms are also failing to make use of the IT loss data they already hold. Only 27.4% said their IT loss data is used during IT security assessments or scenario analysis. Twenty-six percent said the data was used sometimes, and 28.6% said it was not used, although they conceded it should be. Almost 11% said the loss data was not used, and 7.1% admitted that loss data was not collected for IT at all.
"The IT people see the value in understanding risks better, but it's a different challenge," says Ryan. "Their risks are either in the business lines, which makes it hard for them to reach, and they are shared; or they are saying availability is a risk and, if the network isn't up, that is a risk to the institution. So they are taking what is almost a control mindset and they are flipping that into being a risk for them, because it is. But they are then speaking a different language to their business counterparts. For example, the business lines might be talking about fraud, but the IT people aren't talking about fraud – they are probably talking about IT security."
There is also room for improvement in terms of communication between the business lines and the IT department – just 18.6% of respondents said their business lines were "highly involved in the IT risk assessment scoping" at their firms. Another 44.2% say their business lines are "somewhat involved". Meanwhile, almost one-third of respondents said that, at their firms, IT conducts risk assessments independently without business involvement.
It is no surprise that this lack of communication translates into a lack of understanding on certain fronts. For example, respondents were asked whether, when conducting risk control self-assessments (RCSAs), the business lines understood the effectiveness of the IT controls that mitigate business risk. Some 54.8% of respondents said their business lines only "somewhat" understood how effectively these controls mitigate business risk.
Communication is problematic in other areas as well. Only 25.9% of respondents said their business lines consider IT policies or critical applications as part of assessing business risk during RCSAs. Another 30.6% said they do this only "when appropriate", 14.1% said they do it randomly, and 16.5% admitted they do not do it but should.
This lack of communication also leads to a failure of strategic thinking about IT spending. Respondents were told that IT portfolio management is a firm's ability to allocate resources to IT projects based on a set of criteria defined by the corporation, and were then asked how large investments in IT controls are decided. Almost one-third said spending decisions are made on a case-by-case basis, while 27.4% said investments are made as requested by the business lines. Nearly 24% said spending is often grouped at a macro level by some form of IT risk category, and 7.1% admitted that no methodology or process exists.
Some firms are looking to improve their information and strategic thinking around IT risk. Says Ryan, "As the CIOs better understand their risks and can better allocate their resources to their higher risks, there will be a tremendous amount of cost savings in their control expenditures, while they will reduce the organisation's overall exposure."