
IT must anticipate risks to adapt in age of disruption: Info-Tech Research Group


Research and advisory firm Info-Tech Research Group has published its newest industry blueprint, Build an IT Risk Taxonomy. This data-backed resource aims to help organizations become more flexible and agile in adapting to changing business conditions, according to the company.

“Managing emerging risks such as climate risk, the impact of digital disruption on internal technology, and the greater use of third parties will require IT leaders to be more disciplined in how they manage and communicate material risks to the enterprise,” says Donna Bales, principal research director at Info-Tech Research Group.

“Establishing a hierarchical common language of IT risks through a taxonomy will facilitate true aggregation and integration of risks, enabling more effective decision making.”

Info-Tech’s blueprint highlights the challenges IT departments face in managing and addressing risks. These challenges include business leaders who are seeking to make informed decisions and expect timely and consistent risk reporting from IT. The constantly evolving threat landscape also adds complexity, requiring IT risk managers to balance emerging threats without losing sight of current risks.

Info-Tech Research Group’s Build an IT Risk Taxonomy blueprint outlines an approach to building an IT risk taxonomy that will remain relevant over time while providing the granularity and clarity needed to make more effective risk-based decisions. (CNW Group/Info-Tech Research Group)

The firm’s research explains that developing a relevant and detailed IT risk taxonomy over time can be particularly challenging and that gaining acceptance and promoting accountability within the organization may pose further obstacles. However, involving business leaders and risk owners in the development of the IT risk taxonomy can enhance organizational acceptance and understanding.

In the new resource, Info-Tech advises that risk management must also mature as technology and digitization continue to advance. To strengthen operational and financial resiliency, organizations must move away from a siloed approach to IT risk management toward an integrated approach.

Without a common IT risk taxonomy, effective risk assessment and aggregation at the enterprise level is not possible. The firm’s blueprint outlines an IT risk taxonomy approach that can provide a common language to enable more efficient risk aggregation and interoperability between IT and the enterprise. The recommended approach includes the following three phases:

  1. Understand Risk Management Fundamentals: IT departments must take a collaborative approach when developing an IT risk taxonomy to enable greater acceptance and understanding of accountability.
  2. Set the Organization Up for Success: Risk managers must invest sufficient time in conducting a comprehensive analysis of the existing and future threat landscape when defining level 1 IT risks and consider the causal impact and complex linkages and intersections.
  3. Structure an IT Risk Taxonomy: IT risk managers must recognize the dynamic nature of the threat landscape and acknowledge that an IT risk taxonomy is a living document that requires regular review and enhancement to ensure its ongoing relevance and effectiveness.

“This holistic, disciplined approach to risk management helps to promote a more sustainable risk culture across the organization while adding greater rigor at the IT control level,” explains Bales.

As the risk landscape continually evolves, there is greater pressure on the risk function to work collaboratively throughout the organization to strengthen operational resilience and minimize strategic, financial, and reputational impact. A successful risk taxonomy is forward-looking and codifies the most frequently used risk language across an organization.
