Busting IT risk myths
Technological threats must be addressed throughout every aspect of business operations
By Paul Kastner
The ability of banks and other financial service organisations to manage risk is a more critical issue now than ever before. With the introduction of new local and international legislation, many banks have expanded their risk management practices and organisations to formally include operational risk management, which, in the past, was overseen by internal audit or compliance departments.
The Bank for International Settlements (BIS) defines seven categories of operational risk, only one of which (business disruption and system failures) explicitly mentions IT. With information technology now underpinning virtually all aspects of business, and with the threats growing in both scope and scale of potential loss, IT risk has become a vital core competence and must be comprehensively integrated into all parts of IT.
Myths and realities
A recent global survey conducted by Symantec (which included more than 80 banks and financial service institutions) indicates that IT risk management is increasingly playing a critical role in businesses. The myths surrounding the management of IT risk stem from an inaccurate perception that IT and its resultant risks can be understood and managed as simply one of many business processes.
Myth 1: IT risk = security risk
IT risk covers much more than simply IT security.
All businesses are faced with the major areas of IT risk to some extent. Today, banks must increasingly manage growing risks from data loss, IT fraud and security breaches, inability to comply with regulations and internal governance, system failures, and inadequate system performance.
Key IT risk areas are summarised in the diagram below.

In the Symantec survey, there were a number of important findings surrounding the reality of this comprehensive definition of IT risk management.
Availability risk was rated the most significant risk area, with 78 per cent of participants viewing this as serious or business-critical for their organisations. We can use 9/11 as a good example. Banks which foresaw a major loss of IT availability were ready with robust and fully tested business continuity plans and systems. Disruption was minimal for these players, but devastating for their less-prepared peers.
The costs associated with IT risk events are growing. Two thirds of survey respondents expect a major regulatory incident, and 59 per cent a major data loss, at least once every five years. This means the industry as a whole will be facing mounting costs from IT risk events. A key implication of this finding is that the investment to implement stronger IT risk management processes and systems is easily justified by the reduction in potential losses.
The Symantec IT Risk Management Report also delved into the risks associated with data loss, and found that almost half of respondents expect a serious data loss incident at least once every year. In the financial services industry, data loss has very quickly grown to be a major IT risk, so banks need to ensure they have a strong focus on protecting data.
Myth 2: IT risk management is a project
The importance of IT has reinforced the need to implement IT risk management as a controlling and governing framework which is fully integrated into the business. On average, survey participants anticipate significant IT-based incidents affecting their organisations about once a month. To wait for a semi-annual audit or for the event to actually occur is inviting disaster.
Myth 3: Technology mitigates IT risk
IT risk management takes more than technology. Effective organisations manage IT risks by deploying people and process controls, enabled by underpinning technology.
Banks which manage risk well also have a much higher awareness and sensitivity to risk, and generally make better long-term returns. The survey indicated that those organisations best managing IT risk also had the highest perceived level of risk, but at the same time expected fewer incidents than less effective organisations.
Banks which understand and manage their IT risks well are able to exploit IT more successfully, leading to better business results. For example, they can make better use of outsourcing by allowing suppliers secured access to bank systems.
Myth 4: IT risk management is a science
IT risk management brings proven, disciplined processes to the connected world. The analysis shows that the best practices for IT risk management include risk assessment and scoping, establishing a risk-aware culture by developing people, and giving control processes sufficient time to take effect.
Banks which focus on operational risk management experience the benefits of better run operations and lower operational losses. The best banks understand that IT has become both the major part of operational risk management and a very necessary core competence in itself. As banks increasingly embrace the value of IT, it has become imperative to manage IT risk at a senior and integrated level across the enterprise.
Paul Kastner is director of industry solutions with Symantec, Asia Pacific and Japan