Fewer than 25 percent of organizations regularly review external risks, IT Governance Institute study reveals in part one of research series

Rolling Meadows, IL, USA (13 July 2005)—Fewer than one-quarter of organizations review external risks on a regular basis, according to a study of 200 IT professionals from 14 countries conducted by the IT Governance Institute (ITGI) in conjunction with Lighthouse Global. The study, described in Information Risks—Whose Business Are They?, also reveals that the board of directors or CEO signs off on the IT risk management plan in only one-third of all organizations.

“The lack of attention to external risks and the lack of business involvement in the IT risk management plan are worrying given the extensive reliance on outsourcing and service providers, and the globalized nature of many organizations,” said Gary Hardy, director of IT Winners and the publication’s author

Information Risks is the first installment of ITGI’s IT Governance Domain Practices and Competencies series based on the ITGI study. Each of the publications in the series examines an aspect of one of the domains of IT governance: risk management, value delivery, strategic alignment, performance measurement and resource management. The series begins with one publication on each of the five domains; additional briefings are planned for 2006.

Best practices identified in Information Risks advise that top management should share responsibility with the IT department for IT risks. Results show the opposite is true in most organizations. According to the study, IT risk management is the responsibility of IT management—not the business—in 80 percent of organizations.

“In many organizations, it is the CIO’s job to sign off on IT risk management plans. That puts too much responsibility on the IT function and ignores other key stakeholders,” said Hardy. “An absence of top management accountability for IT risk management can lead to serious risks being ignored, potentially misguided actions and even the waste of costly investments.”

Organizations should form an IT executive committee with representation from all stakeholders to review and approve the risk management plan on behalf of the board, according to the publication.

Information Risks also identifies which risks most concern IT executives and provides a list of best practices to help ensure that IT risks are managed effectively:
· Embed into the enterprise an accountable, effective and transparent IT governance structure.
· Pay attention to IT control failures and weaknesses in internal control, and their actual and potential impact. Also consider whether management acts promptly on them and whether more monitoring is required.
· Establish an audit committee, and ensure that it covers security risks for external audit requirements, including securing annual opinion letters, management control assertions and compliance letters. The audit committee should also determine what the significant IT risks are; assess how they are identified, evaluated and managed; commission IT and security audits; and rigorously follow up with subsequent recommendations.
· Monitor how management determines what IT resources are needed to achieve strategic objectives.

Information Risks—Whose Business Are They? is available at the ISACA Bookstore (www.isaca.org/bookstore) in print for US $30 and as a PDF download for US $20.

About ITGI
The IT Governance Institute® (ITGI) (www.itgi.org) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute developed Control Objectives for Information and related Technology® (COBIT®) and offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.