IT risk management: Is your IT risk landscape leaving you exposed?

The adage that the future is uncertain has been made abundantly clear in recent years. Never-seen-before weather patterns, a once-in-a-lifetime pandemic and concerning wars/conflict are just some of the events that nobody could have anticipated a mere five years ago.

The digital world, too, has seen tremendous change. The highest-profile development recently has been the arrival of artificial intelligence (AI) tools such as ChatGPT, whose potential as an asset or a threat is still under review.

But alongside AI, we have seen unprecedented cyber threat complexity and magnitude, geopolitical concerns over the provenance and control of technologies from generative AI, social engineering, data breaches, chipsets to applications, and steady progress towards quantum computing.

The upshot is an IT risk landscape that is far more expansive and dynamic than ever before. For many IT teams, keeping up with known threats is already a full-time job. Tracking emerging risks is harder to devote time to. That’s a problem.

IT risk register concerns

Most large organisations will have an IT risk register listing the potential threat scenarios and their likely impact on operations. Such registers are a basic requirement for addressing risks and yet in many cases they are outdated and have not evolved to be fit for purpose in today’s environment.

As noted above, the range of risks has multiplied and evolved in recent years and many new threats may not have been captured in risk registers that were created some time ago and have not been reviewed.

A second reason is that traditional IT risk registers may be too narrow in scope to fully protect the organisation.

IT risk is often seen as synonymous with compliance and cyber protection, and while these two areas are key, they are no longer the only dimensions in which technology-related risks can arise. At BDO, for example, our assessments review an IT risk universe that spans nine mega-categories:

• IT service delivery (including Application Management Services)
• Physical security for on-premises assets
• IT strategy (including cloud adoption)
• Data architecture and management
• IT portfolio management and programme delivery
• Cyber security
• Operational resilience
• Third-party and supply chain management (including service delivery and downtime)
• Technical skills capability

It is worth considering this list in detail. Does your IT risk register include provision for what would happen if key members of your team should leave, taking with them the knowledge of the systems they have set up? Or what if your third party service provision is leaving you exposed in terms of controls & compliance or a standard / service committed to your customers?

IT Risk Assessment

Even though those nine categories go beyond what most IT risk registers might consider, they are not exhaustive. Hence, our IT risk assessment methodology includes the following unique components.

1a. IT Risk Diagnostic is mapped against common IT governance frameworks such as NIS / CIS / COBIT / ISO and ICOFR so you can see where you are covered and more importantly, where you aren’t!

1b. An ITGC diagnostic to assess your IT control environment in the context of financial reporting either in advance of an external audit or acquisition of a new business.

2. An IT Risk Heatmap is the output from our tool which is delivered via workshops, interviews and evidence based reviews. Not only can we benchmark where your gaps are across an IT risk universe, but we can also compare your exposure against our anonymised data set to support your future investment decisions.

If you are unsure of the level of IT risk your organisation is carrying or whether you have robust and efficient controls in place, get in touch now.

For More Information:

Mark Gee Director mark.gee@bdo.co.uk