Different functions involved in managing risk: lines of defense

The ITRM activities and processes (e.g., risk assessment, issue management, crisis management) are performed by many different functions in every organization within the several lines of defense. Insight into the processes and activities is provided in the subsequent sections of this article.

IT Risk Management program

1. IT risk governance and compliance monitoring and reporting
2. Business drivers, regulatory requirements and (IT) risk strategy
3. Organization/Risk identification and profiling/Policies and standards
4. Process, risk and control framework
5. Risk processes and operational procedures

A challenge for large companies is how to effectively embed ITRM efforts across the enterprise.

You may need to re-evaluate or readjust your organization's ITRM approach to take into account the current state and future business response to the megatrends.

Today's megatrends in IT

In our survey, we asked executives in which categories of the IT Risk Universe they had experienced the most negative IT-related incidents. The three most commonly experienced incidents were in the categories of (1) security and privacy, (2) infrastructure and (3) data.

We then also asked the participating executives if they planned to spend more or less on the different IT Risk Universe categories.

Their response shows that:

• Security and privacy and infrastructure are recognized as high risk areas and organizations are planning to spend more to mitigate these risks
• Although applications and databases are not immediately a high risk category, organizations plan to spend more (with the potential risk of overspending)
• The risks around data are not yet very high on the corporate agenda (implying a potential risk of underspending)

Taking responsibility for managing IT risk

A challenge for large companies is how to effectively embed ITRM efforts across the enterprise. It is not possible for any one single control, function or organizational layer to mitigate today's complex IT risks. Risks need to be coordinated along the several lines of defense each organization has.

Creating a pro-active ITRM framework

The first step in building an effective and proactive ITRM program is to identify its core components.This is where organizations can leverage their existing risk management framework to ensure consistent coordination, collaboration, risk coverage and risk management across the enterprise.

<< Previous | Next >>

• Download

  Download a PDF
  copy of IT risk landscape
  
  

• Global contacts

  Norman Lonergan
   (Advisory Services Leader, London)
  +44 20 7980 0596
  
  Paul van Kessel
   (IT Risk and Assurance Services Leader, Amsterdam)
  +31 88 40 71271