Magazine article Management Review

The Risky Business of Managing IT Risks

Article excerpt

One of the most critical issues senior executives face today is managing the risks associated with the proliferation of information technology in their organizations. But even though 84 percent of senior executives view IT as critical to business operations, only 13 percent believe their IT strategy is well-integrated with the business strategy, and only one-third believe IT-related risks are well-understood by their companies.

Those findings come from Managing Business in the Information Age, a comprehensive study conducted by Arthur Andersen and the Economist Intelligence Unit. Based on in-depth interviews of 150 senior executives in global organizations, the survey found that companies are losing faith in their current approaches to risk management.

Although 61 percent of the respondents have a formal risk-management process, only half are confident that their processes are strong enough to meet the challenges of global business. The reason: few companies have formal processes in place to identify potentially critical risks (36 percent) and assess sources of risk (30 percent).

Russell Gates, managing partner of Arthur Andersen's Computer Risk Management practice in the Americas, says he has consistently observed poor IT risk management among his clients. The common problems, he says, are that companies do not make IT risk management a top priority, do not link IT risks to the business strategy and do not put enough effort into anticipating problems. In addition, their risk-monitoring process is limited, ineffective and manual.

Companies face a number of IT-related risks that can have a significant impact on business operations. The best-known of these is security risk - the leaking of confidential information outside the internal systems. Other types include integrity risk (related to incomplete, inaccurate and unauthorized data), availability risk (caused by disruptions to systems) and infrastructural risk (due to the lack of an effective IT infrastructure encompassing hardware, software, networks, people and processes).

Gates calls for an integrated approach to IT risk management: "Understanding and managing the risks associated with information technology should be considered an integral part of an organization's business and IT strategy.... It's easy to see the technological changes. But as part of the whole process of IT risk management, there are people and processes involved. These must be factored in just as much as the technological changes."

James Lam, chief risk officer at Boston-based Fidelity Investments, concurs: "Management can't afford to look at IT as strictly a back-office, operational issue. …
