How do IT Risks relate to Enterprise Risks?
Traditionally, IT risk management is treated as a largely separate silo within Enterprise Risk Management. One cause is organizational: IT risk is owned and managed apart from the other corporate risks. Another is language: the vocabulary of IT risk management differs from that of Enterprise Risk Management. The ISO 31000 standard, for instance, does not even include the term vulnerability, whereas vulnerability is a pivotal term in most IT risk management methodologies. ISO 31000 does use the word threat, once, but only in general terms, while threat is a key term in IT risk management. These terms can be translated into business language, but in practice they are used only in IT risk.
Translating the terms alone does not close the gap. Many in IT believe IT risk is the key risk in every company; clearly, it is not. On the other hand, IT risk is underestimated and largely misunderstood by the owners of the other business risks.
Like any other siloed part of risk management (financial reporting risk, FCPA non-compliance risk, safety risk, credit risk, competition risk, tax risk), IT should keep its own language. What is needed in addition is an integrating risk language that relates the detailed risks to the enterprise risks: a clearly defined relation between each enterprise risk and the underlying risks. That relation makes roll-up risk reports possible, which give a first level of insight, especially when the risks are also tied to assets and business processes.
Ideally, risk correlations are added to all of this, taking a more stochastic (non-deterministic) approach. The mathematical roll-up methods common in basic risk management, typically adding up likelihood times impact through the hierarchy, fall short because they ignore the many ways in which risks are correlated. The culture in IT risk is to stay away from the vagueness of the stochastic approach; everything must be defined in a crisp model. That is not the way the world works, and we need to capture this part as well.
We need to become more precise by adding uncertainty and statistics. That is a major mind shift in IT GRC.
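As an added illustration, not part of the original article, the Python script below rolls a constructed IT risk register up to two enterprise risks in both ways: the basic deterministic roll-up (sum of probability times impact per enterprise risk) and a Monte Carlo roll-up in which one shared factor correlates the IT risks. The risk register, the process-to-enterprise-risk mapping, the appetite figures and the one-factor Gaussian copula are all assumptions made for this example, not data or methods from the article.

```python
"""Roll IT risks up to enterprise risks: basic deterministic roll-up vs. a
Monte Carlo roll-up with correlated risks.

Added example, not from the original article. The risk register, the
process-to-enterprise-risk mapping, the appetite figures and the one-factor
correlation model are all constructed assumptions for illustration.
"""
import random
from collections import defaultdict
from statistics import NormalDist

# Constructed IT risk register:
# (risk, business process it hits, annual probability, loss if it occurs).
IT_RISKS = [
    ("Ransomware on ERP",            "order-to-cash",  0.10, 2_000_000),
    ("Cloud region outage",          "order-to-cash",  0.05,   800_000),
    ("Payment gateway breach",       "order-to-cash",  0.03, 3_000_000),
    ("Backup restore failure in DR", "order-to-cash",  0.08, 1_200_000),
    ("Payroll data leak",            "hire-to-retire", 0.04,   500_000),
]

# The integrating relation: business process -> enterprise risk (assumed mapping).
PROCESS_TO_ENTERPRISE_RISK = {
    "order-to-cash":  "Revenue disruption",
    "hire-to-retire": "Regulatory and reputational exposure",
}

# Risk appetite per enterprise risk: annual loss the board wants to stay below (assumed).
APPETITE = {
    "Revenue disruption": 2_500_000,
    "Regulatory and reputational exposure": 400_000,
}


def deterministic_rollup(risks):
    """Basic roll-up: expected annual loss = sum of probability x impact per enterprise risk."""
    totals = defaultdict(float)
    for _risk, process, prob, loss in risks:
        totals[PROCESS_TO_ENTERPRISE_RISK[process]] += prob * loss
    return dict(totals)


def simulate_rollup(risks, rho, trials=100_000, seed=1):
    """Stochastic roll-up with a one-factor Gaussian copula.

    Risk i occurs in a simulated year when Z_i = sqrt(rho)*F + sqrt(1-rho)*E_i
    exceeds the threshold that preserves its marginal probability p_i. F is a
    factor shared by all risks (think: one weak IT control environment), E_i is
    risk-specific noise. rho=0 is independence; rho=1 makes everything fire together.
    """
    rng = random.Random(seed)
    inv_cdf = NormalDist().inv_cdf
    thresholds = [inv_cdf(1.0 - prob) for _r, _p, prob, _l in risks]
    shared, own = rho ** 0.5, (1.0 - rho) ** 0.5
    annual = {ent: [] for ent in PROCESS_TO_ENTERPRISE_RISK.values()}
    for _ in range(trials):
        f = rng.gauss(0.0, 1.0)
        loss_by_ent = defaultdict(float)
        for (_r, process, _p, loss), t in zip(risks, thresholds):
            if shared * f + own * rng.gauss(0.0, 1.0) > t:
                loss_by_ent[PROCESS_TO_ENTERPRISE_RISK[process]] += loss
        for ent, series in annual.items():
            series.append(loss_by_ent[ent])
    report = {}
    for ent, series in annual.items():
        series.sort()
        report[ent] = {
            "expected_loss": sum(series) / trials,
            "p95": series[int(0.95 * trials)],
            "p_exceed_appetite": sum(1 for x in series if x > APPETITE[ent]) / trials,
        }
    return report


if __name__ == "__main__":
    print("Deterministic roll-up (expected annual loss):")
    for ent, eal in deterministic_rollup(IT_RISKS).items():
        print(f"  {ent:40s} {eal:>12,.0f}")
    for rho in (0.0, 0.8):
        print(f"\nMonte Carlo roll-up, correlation rho={rho}:")
        for ent, r in simulate_rollup(IT_RISKS, rho).items():
            print(f"  {ent:40s} EAL {r['expected_loss']:>12,.0f}  "
                  f"p95 {r['p95']:>12,.0f}  P(> appetite) {r['p_exceed_appetite']:.3f}")
```

Run it once with rho=0 and once with rho=0.8 and compare the two reports. The expected annual loss per enterprise risk barely moves, because the shared factor leaves every marginal probability intact, and that expected value is all a deterministic roll-up ever reports. The probability of breaching the appetite for "Revenue disruption" rises markedly, because correlated risks tend to occur in the same bad year. That tail behaviour is the information a crisp likelihood-times-impact sum cannot express.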