Many financial organisations are bundling IT risk management with their risk management programmes and processes, a new Ernst & Young study shows.
"Many financial services organisations are recognising the need to broaden the scope of risk governance and management to include IT," says Marius van den Berg, director, technology and security risk services at Ernst & Young.
"This awareness is growing in the wake of highly publicised identity theft incidents and other security breaches, as well as legislation aimed at better managing financial, market and operational risk exposures."
Carried out by the Economist Intelligence Unit on behalf of Ernst & Young, the "Managing Information Technology Risk" survey was targeted at respondents across a number of global financial services institutions.
Results showed that 77% already had a formal IT risk management function in place, and most were using an industry standard as the basis of their frameworks.
Fifty-four percent said they felt an integrated approach to risk management contributed to the organisation's success, while approximately 40% felt that performing multiple risk assessments posed a challenge.
Some 36% of the respondents admitted that their programmes had no common control library, or that they were not sure whether one existed, and 37.2% said there was no common risk language that was broadly accepted and understood throughout the organisation.
"This tends to be typical of siloed approaches, which tend to use different definitions of risk. This leads us to the conclusion that, although there may be frameworks in place, they are missing a common risk language that is a critical programme component to improve the efficiencies and effectiveness needed to achieve a consistent risk framework," Van den Berg concludes.