The article below is part of the overall discussion of the IT organization and was written by an Executive Summary contributor, Rodrigo Ruiz. Rodrigo was the VP of Risk Management for ING Latin America and one of the broadest thinkers I’ve run across on the subject of Risk Management. I hope you enjoy his article and comment liberally.
I would like to share my thoughts around what is the best fit for the Information Risk Management (IRM) function reporting line within an Organization and, hopefully, get feedback from this audience.
Of course, there is no a unique (magic) recipe. In my opinion, it will depend on the size, complexity, risk profile, and regulatiory environment that apply to the business that the Company supports. In smaller and less complex Companies, I have seen the IRM function either non-existing or built within the IT Organization, or in some cases mixed with Information Security Operations function. While in large and complex Companies the IRM function is separated from IT and reports to the Chief Risk Officer (CRO) or to the Chief Financial Officer (CFO).
In Companies that have a matured Risk Management practice, IRM fits within a larger Risk Organization that combines IT Risk with all other Operational Risk functions (like fraud risk, personal and physical security risk, control risk, processing risk, compliance risk, etc) on a more integrated approach.
Usually known as Enterprise Risk Management (ERM), this framework will integrate all Risk Management functions. The Enterprise Risk Management COSO framework (shown below) emphasizes the importance of identifying and managing risks across the enterprise. The COSO framework consists of eight components:
Enterprise Risk Management Model
1. Internal control environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring.
Based on my experience, when a Company moves the IRM Function out of IT, it gains transparency on risk identification and reporting; therefore, making the risk more visible to the Business. IRM, in conjunction with IT, helps the Business Leaders to better understand the business risks associated to specific IT related vulnerabilities, threats, controls effectives issues, etc., so that that business decisions can be made regarding risk acceptance, mitigation, transfer or avoidance.
Please feel free to provide comments or open discussion points.
Rodrigo Ruiz
Rodrigo:
I agree with you that having a separate Risk Management organization can lead to a better, safter company. But I am curious about how to actually blend the Enterprise functions with the IT responsibilities where they overlap. IT is obviously responsible for Quality Assurance of its product (Enterprise Software) and managing change to it (Change and Release Management). Yet those are sources of risk to the organization – both to IT and the larger enterprise. How does IT manage these two risk-functions while enterprise risk is managed by a peer organization?