The IT factor
This month's OR&C Intelligence survey looks at how well operational risk practitioners are working with their colleagues in information technology to minimise technology risk
The new OR&C Intelligence survey shows a big gap in understanding between operational risk and IT executives at most financial services firms. Executives have differing views of the risks they are facing and very different approaches to measuring and managing those risks. These gaps in communication could be creating their own operational risks, say experts.
The survey, sponsored by consulting firm Protiviti, shows 40.7% of IT personnel "infrequently" understand and apply business objectives and risk tolerances to IT risk management processes, according to the survey's respondents.
"We're seeing a very difficult time with IT folks relating to the businesses and vice versa," says Jim Ryan, a director at Protiviti, based in Chicago. "The business perspective has been more formally trained and is getting up to speed with Basel II concepts such as business impact, probability and looking at exposures. The IT people seem to be looking at efficiency and effectiveness of the services they deliver, and it loses that business impact. They are more driven by service level agreements or policies to deliver their services, and so that's where their risk is. They are missing the business impact of it."
When classifying IT risks, firms are using a variety of frameworks, which might lead to differences in understanding the types of risks IT systems face. Some 24.7% of respondents said their firms only use operational risk measurement "risk event" categories to classify their IT risks, while another 29.4% of respondents only use an IT framework, such as CobiT and COSO. It is encouraging that 25.9% use both, but that leaves more than 70% of firms that just use one system or don't know which system they use.
Along similar lines, 29.1% of respondents quantify technology risk using a business risk model, such as Basel II's advanced measurement approach, for operational risk. Another 30.2% of respondents say their firms don't do this but believe they should, while 32.6% don't quantify technology risk in this way at all. Some firms said this was something that was "very much a work in progress" for them.
Firms are also not making use of the information they do have stored about their IT risks. Only 27.4% said their IT loss data is used during IT security assessments or scenario analysis. Twenty-six percent said the data was used sometimes, and 28.6% said the data was not used, although they conceded it should be. Almost 11% said the loss data was not used, and 7.1% admitted loss data was not collected for IT.
"The IT people see the value in understanding risks better, but it's a different challenge," says Ryan. "Their risks are either in the business lines, which makes it hard for them to reach, and they are shared; or they are saying availability is a risk and, if the network isn't up, that is a risk to the institution. So they are taking what is almost a control mindset and they are flipping that into being a risk for them, because it is. But they are then speaking a different language to their business counterparts. For example, the business lines might be talking about fraud, but the IT people aren't talking about fraud – they are probably talking about IT security."
There is also room for improvement in terms of communication between the business lines and the IT department – just 18.6% of respondents said their business lines were "highly involved in the IT risk assessment scoping" at their firms. Another 44.2% say their business lines are "somewhat involved". Meanwhile, almost one-third of respondents said that, at their firms, IT conducts risk assessments independently without business involvement.
It's no surprise that this lack of communication translates into a lack of understanding on certain fronts. For example, respondents were asked if – when conducting risk control self-assessments (RCSAs) – the business lines understood the effectiveness of IT controls that mitigate business risk. Some 54.8% of respondents said their business lines only "somewhat" understood the aim of these controls.
Communication is problematic in other areas as well. When conducting RCSAs, only 25.9% of respondents said their business lines assess IT policies or critical applications when assessing business risk. Another 30.6% said they only do this "when appropriate". Another 14.1% said they did this randomly, while 16.5% admitted they don't do it but they should.
This lack of communication leads to a failure in strategic thinking about IT spending. Respondents were told that IT portfolio management is the ability of a firm to allocate resources to IT projects based on a set of criteria defined by the corporation. They were asked how large investments in IT controls are made. Almost one-third of respondents confessed spending decisions were made on a case-by-case basis, while 27.4% said the investment was made as requested by the business lines. Nearly 24% said the spending was often grouped by some sort of IT risk category view at a macro level, while 7.1% confessed no methodology or process exists.
Some firms are looking to improve their information and strategic thinking around IT risk. Says Ryan, "As the CIOs better understand their risks and can better allocate their resources to their higher risks, there will be a tremendous amount of cost savings in their control expenditures, while they will reduce the organisation's overall exposure."