
Exerting control over critical IT risk

A key requirement for a well-managed organisation is that it has a mechanism for proactively identifying and evaluating risks. Typically this would sit in the first line of defence and include the population and maintenance of risk registers and a governance structure for discussing risk, risk mitigation strategies and risk appetite.

Technology risk forms a critical component of an organisation's risk profile but is often overlooked or given insufficient attention. This is sometimes due to a lack of understanding of technology risk, or to the fact that technology risk sits outside the more traditional risk themes recorded in organisational risk registers. With the proliferation of complex technologies in many organisations, proactive management of technology risk should be treated as a priority.

BDO has significant experience in guiding organisations on managing IT risk, from reviewing IT risk registers to advising on how to set up an effective IT governance process that can be quickly embedded in an existing organisational risk management framework. Central to this is understanding the threat scenarios:

Threat 1: From Good to Bad – The Headline Creators

This scenario has an immediate and critical impact on an organisation, with the following typically being the underlying factors:

  • A significant security breach leading to theft of critical data or intellectual property, or an adverse impact on the integrity of the key processes underpinning the business.
  • A major outage of the IT environment, due to poor IT resilience or inadequate disaster recovery, leaving the business unable to interface with its customers or provide critical services. This can have a significant reputational impact and incur major remediation costs.
  • Loss of key datasets due to weak data management practices, leading to fines from the Information Commissioner and a significant adverse impact on the brand and reputation of the business.

Threat 2: The Strategic Technology and Data Challenges

Inadequate IT strategic leadership, weak project and change management, and poor data quality are central to the strategic barriers facing many businesses. Evaluating the practices in place is key to ensuring that IT solutions and services support the strategic direction.

Threat 3: The Systemic Issues facing Technology and Data

Typically because of weak risk management and governance, there are several areas where weaknesses in the IT and data environments can create systemic issues for a business, such as:

  • Significant fraud threats due to weak access management controls.
  • Fines and penalties due to inadequate management of software licences.
  • Increased costs of the IT service due to inadequate management of third parties and the associated IT contracts.
  • Ongoing IT problems due to ineffective management and root cause analysis of incidents reported to the service desk.
  • Weak policies and procedures over card payments, leading to sanctions for breaching the PCI DSS industry standard.