About BWise


How do IT Risks relate to Enterprise Risks?

September 28, 2015 by
Filed under: Risk Management, IT GRC

Traditionally, IT risk management is treated as a somewhat separate silo in Enterprise Risk Management. This is caused by the organizational allocation of IT Risk, separate from other corporate risks. Another challenge is the risk language that is used in IT risk management, which is different from the language in Enterprise Risk Management. The ISO 31.000 standard for instance doesn't even include the term Vulnerability, whereas vulnerability is a pivotal term in most IT risk management methodologies. ISO 31.000 does use the word threat, once, but only in general terms. Threat is a key term in IT risk management. These terms can be translated to the business world, but they are generally only used in IT risk.

These aspects do not close the gap. Many in IT believe IT risk is the key risk in all companies. Clearly, this is not the case. On the other hand, IT risk is underestimated and largely misunderstood by the other parts of business risk.

Like any other siloed part of risk management (financial reporting risk, FCPA non-compliance risk, safety risk, credit risk, competition risk, tax risk), IT should maintain its own language. However, there is a need for an integrating risk language that enables relating the detailed risks to an enterprise risk. A clear relation needs to be defined between enterprise risks and the underlying risks. This will provide roll-up risk reports that provide the first step of insight, especially when there is a clearly defined relation to assets and business processes as well.

Ideally, one needs to add risk correlations to all of this, and take a more stochastic or non-deterministic approach. The mathematical roll-up methods that are common in basic risk management fall short of taking all sorts of correlations into account. The culture in IT risk is to stay away from the vagueness of the stochastic approach; everything must be defined in crisp model. That is not the way the world works, we need to capture this part of well.

We need to become more precise, by adding uncertainties and statistics. That is a major mind shift in IT GRC.

Tags: Enteprise Risk Management, IT GRC

More Information

Nasdaq Offices

What is GRC?

Read the definition of Governance, Risk and Compliance

Gartner ORM report

Nasdaq's BWise has been positioned as a Leader in Gartner's Magic Quadrant for Operational Risk Management Report, 2016. 

Forrester report

Forrester positioned Nasdaq BWise as a Leader in New Report, The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q1 2016.

Why BWise

Download the brochure: Three Key Reasons why Hundreds of Customers Rely on Nasdaq BWise.

Scroll up