Tuesday, July 23, 2013

Who Exactly is Responsible for Overseeing the Level of IT Risk in an Organization?

The CIO does not own the risk, but he/she can (and should) certainly be tasked with assessing and monitoring the risk on an ongoing basis.

In the age of digitalization, opportunities and risks coexist; therefore, an optimal governance and risk-management structure is more critical than ever. Who exactly is responsible for overseeing the level of IT risk in an organization, though?

  • In most large organizations, the development of the governance structure (policies, procedures, etc.) for managing IT risk is carried out by the CIO, and the implementation of that structure is shared by the whole business. The oversight and management of IT risk sit with the Chief Information Officer; this is one of the risk areas where the impact is felt, and therefore where the impetus to ensure control is in place.
  • Risk is the responsibility of the entire organization: most larger organizations will have a department dedicated to the oversight and guidance of risk, and ownership of the risk resides with both the system owners and the technology department. The entire organization needs to work towards not increasing corporate risk (beyond the corporate risk threshold) through its actions, activities, and engagements. The responsibility lies with everyone in the organization; it is the most critical aspect of the organization, and hence a bottom-up approach creates a healthy environment, since the actual responsibility rests with those who deal with the risk day to day. On the other side, it should be controlled and monitored through a top-down approach, as management is the face of the organization.
  • Traditional governance models place the oversight of activities with the Board: operational management will often do the oversight and report up to the Board. For the majority of organizations, the accountability for the 'oversight' of risk ultimately rests on each individual Director of the organization, but the operational aspects can be delegated. Of course they will delegate, but they should take the key responsibility for ensuring that whoever is delegated has all the systems and controls, along with the necessary authority, required to manage the risk. The risk aspects include:
    - the risk appetite of the Board;
    - the risk context of the organization;
    - the IT risk context factors;
    - existing delegations of risk management;
    - the contractual problems often associated with outsourced IT components;
    - the messy people politics.

  • There are two aspects to managing risk: assessing it, and then evaluating it against acceptable levels (risk appetite). In this case, there are multiple players. The CIO will generally drive a periodic risk assessment, usually with the help and input of multiple areas. But it is up to the Board or other governance bodies to determine whether the risk level identified is acceptable. The CIO does not own the risk, but he/she can (and should) certainly be tasked with assessing and monitoring the risk on an ongoing basis.
In some organizations, the overall risk appetite is usually a function within the finance area, with input from other department heads, though not always collaborative in nature. The oversight is affirmed through audit and control review groups, but this differs based on the industry, country, and focus of the organization.
