How to Strengthen Your IT Risk Management Program

An essential component of any Enterprise Risk Management (ERM) program today is IT risk management. With ever-increasing threats to privacy and information security, companies are looking to strengthen their risk governance processes in many ways.

A recent survey by Carnegie Mellon University’s CyLab highlights ten key steps to building a stronger ERM program with a focus on IT risk. The CyLab 2010 survey is based on results received from 66 respondents at the board or senior executive level from Fortune 1000 companies. Twenty-seven percent of the respondents were board chairmen; 3 percent were outside directors; 47 percent were inside directors; and 50 percent were senior executives but not board members. Forty-five percent of the participants were from critical infrastructure companies.

The survey revealed that governance of enterprise security is lacking in most corporations, with gaps in critical areas. If boards and senior management take the following ten actions, they can significantly improve their organizations’ security posture and reduce risk:

1. Establish a board risk committee separate from the audit committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with risk and IT governance expertise.

2. Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.

3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives.

4. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities.

5. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.

6. Establish privacy and security requirements for vendors based on key aspects of the organization’s security program, including annual audits or security reviews.

7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the audit committee.

8. Conduct an annual review of the enterprise security program and the effectiveness of controls, to be reviewed by the board risk committee, and ensure that identified gaps or weaknesses are addressed.

9. Require regular reports from senior management on privacy and security risks and review annual budgets for IT risk management.

10. Conduct annual privacy compliance audits and review incident response and security breach notification plans.

These steps should be integrated into a holistic enterprise risk management approach to provide an effective and seamless program that is fully embraced at all levels within the organization. Doing so will not only raise a company’s awareness of risk, but also secure positive returns for key investors and stakeholders for years to come.


The Role of IT and Risk Management in the Financial Crisis

Information Technology (IT) continues to play an ever larger role in the overall risk profile of major corporations across the globe. A recent article in The Economist discusses the role IT played in the recent financial crisis. While the financial services industry invests massive amounts in IT, the industry still does not invest enough in the risk management tools that would help avert future crises. Here is what the article noted:

No industry spends more on information technology than financial services: about $500 billion globally, more than a fifth of the total (see chart below). Many of the world’s computers, networking and storage systems live in the huge data centres run by banks. “Banks are essentially technology firms,” says Hugo Banziger, chief risk officer at Deutsche Bank. Yet most in the industry agree that its woeful IT systems have, in Mr Banziger’s words, “exacerbated the crisis”. The industry spent billions on being able to trade faster and make more money, but not nearly enough on creating the necessary transparency. “Banks had lots of tools to create leverage, but not many to manage risk,” says Roger Portnoy of Daylight Venture Partners, a venture-capital firm that invests in risk-management start-ups.

Wheelhouse Advisors provides solutions to financial services companies looking to strengthen their risk management practices with better information technology tools. Together with our strategic partners, Wheelhouse Advisors can deliver cost-effective solutions that can be easily implemented within a complex environment. Visit to learn more about our services and our strategic partners.

Keys to Success

A recent article at highlights the keys to a successful implementation of technology in support of an Enterprise Risk Management or Governance, Risk & Compliance (“GRC”) program. While the keys to success are fairly straightforward, it is surprising how many companies fail to address them before selecting a technology solution. The keys to success are:

  1. Define what ERM or GRC means to your organization.
  2. Survey your organization’s regulatory and compliance landscape.
  3. Determine the most logical entry point and develop a phased approach.
  4. Establish a clear business case, considering both short-term and long-term value.
  5. Determine how success will be measured. 

Interestingly, the author of the article is a representative of one of the major GRC technology vendors. While some vendors may want companies to rush to a purchase decision, the article’s author agrees that it is critical for companies to gain this perspective before evaluating solutions. He states,

“With these steps complete, you will be in a much stronger position to qualify vendors and solutions and to determine the best fit for your organization, based on a well-defined project scope and equally well-defined business requirements and associated benefits.”

Wheelhouse Advisors can provide an independent viewpoint and work with your company to achieve the keys to success.  Visit to learn more.