In my experience the difference between companies that have an effective risk control function and those that don’t is night and day. Businesses take risks; good businesses take measured risks. The same approach applies to the IT department.
A good risk controller needs to have the confidence of the business combined with complete respect from the IT department. In my view the risk control department should be the interface with external regulators and internal audit such that they retain a single voice amongst many opinions and neutralise the debate with the correct balance of risk.
The impact of a good risk controller is profound, and I can highlight organisations A and B from my experience (these are both real global blue-chip organisations). You can guess which one had the effective risk control function:
Organisation A
- Always a struggle to get business approval for changes, even in times of significant emergency due to virus threats.
- Information Security always played it safe, and as a result security was incredibly tight; the environment was consequently very hard to operate and harder to change.
- Areas that had been audited and ‘secured’ with firewalls were operationally left with no patching, virus protection or monitoring.
- External regulators interfaced directly with Information Security, and no brokering of solutions that would have resulted in a more manageable environment was considered.
- One part of the company interrupted all business operations to apply a critical patch while another part on the same network in a different region did nothing.
Organisation B
- Political differences between IT departments had historically hampered global change.
- Mitigation of identified risks was attempted first; resolution followed, by process first and technology second.
- The expectations of global regulators and standards were influential at the start of a project not the end.
- Projects were pushed through when needed and stopped in their tracks depending on business risk.
I think the question is less whether we need an IT Risk Control function than what the function looks like and how it operates. Most companies I’ve seen operate a three-lines-of-defence model (function, independent risk, and audit), but they work to different objectives.
I am a risk controller by profession, and can see real benefit in controlling IT risk with a thorough understanding of the IT function (CIO) and business objectives. With these in mind, risk decisions can be taken with a real understanding of the implications such decisions will have on driving the business forward and the trade-offs that must be considered. IT risk is, after all, business risk.
However, if IT risk decisions are taken considering only a single IT risk factor (IT Security, say), then the likely implication is that the IT function and the business will be constrained in other ways.