Risk management is risk management, right? Not always, according to Bill Barrett, partner and practice leader in the financial services office at Ernst & Young. Some financial services companies have siloed their risk management efforts rather than bring them all together at an enterprise level. "What we're seeing is the need for organizations to recognize they ought to be coordinating these risk management processes across the enterprise rather than dealing with them in isolation," says Barrett.

IT risk management is the subject of the inaugural global survey of businesses conducted by Ernst & Young, "Managing Information Technology Risk: A Global Survey for the Financial Services Industry."

One particular problem Barrett has observed in the financial services industry is the manner in which companies are approaching IT risk management. "The large financial services organizations generally have multiple IT organizations, and within each of those, there is not always a consistent approach to risk management," he says. "Oftentimes, there is not even a common risk language they are using."

As IT departments have grown both vertically and horizontally over the years, organizations have had to address IT risk related to areas such as information security, business continuity, disaster recovery, problem management, and project management, explains Barrett.

Companies rarely brought these risk management areas together with a holistic approach, though Barrett sees an opening to correct that mistake. "There is an opportunity to take this siloed approach and pull it together and integrate [the approach] into the overall enterprise risk management process," he says.

Another key item for financial services companies to consider in developing a successful approach to risk management is a strong governance policy, which Barrett contends is an integral part of an effective risk management process.

"IT governance over an IT operation has an element of strong risk management," he says. "It really starts with business processes, what the risks associated with those processes are, and how IT helps in mitigating the risk related to those business processes."

In the Ernst & Young survey, Barrett reports that the goal of convergence is to design a program, an organization, and processes that can better manage risk through adequate measures and monitoring methods on a sustainable, consistent, efficient, and transparent basis.

These components should move organizations toward a holistic view of risk management and compliance with the ability to apply consistent principles and processes, suggests Barrett.

Companies can benefit from a good return on investment if they initiate an IT risk management program, he believes. Business processes are one particular area where financial services companies can drive greater efficiencies.

"A number of organizations have multiple control risk assessment processes," he says. "Organizations have different risk languages across their departments. There are opportunities to gain efficiencies and to automate some of these processes with tools."

More effective risk management processes also lead to improved investment decisions in terms of which projects IT is going to invest in. "What kind of processes are [financial services companies] going to have in place?" asks Barrett. "Will they be able to make more strategic business decisions related to those investments? I think it's both an efficiency play and a better investment-decision play."

Ernst & Young has seen financial services companies achieve varying degrees of maturity in addressing IT risk management, according to Barrett. "Some of the larger banking/capital market organizations may be a bit further along [than insurance companies]," he says. "But the larger financial services organizations recognize the importance of IT risk management and are taking steps to move forward by improving the overall processes."

In addition, Barrett considers effective reporting of risk throughout the enterprise to be important. Establishing a common risk language across the enterprise, he believes, will ultimately lead to a common understanding of IT risks and controls throughout the organization.

"By having a more effective [reporting] process, you begin to have a better picture of what IT risks are, and you are able to look at risk across the different IT organizations," says Barrett. "While cost savings can be significant, it's the top-line benefits resulting from actionable risk reporting, strategic investments, and enhanced organizational performance that will be significantly more valuable to organizations as they go forward."
