One of the first steps for IT risk governance and reporting is to define your IT risk appetite and tolerance, which are the amount and type of IT risk that you are willing and able to accept in pursuit of your IT strategy. Your IT risk appetite and tolerance should reflect your business strategy, your stakeholders' expectations, your regulatory requirements, and your IT capabilities and resources. By defining your IT risk appetite and tolerance, you can set clear boundaries and criteria for IT decision making, prioritization, and escalation.
-
In my experience, the more IT partners with the business strategy, the more straightforward the exercise. Organizations should invest in digitizing workflows for transparency, more accurate reporting, and execution of enterprise risk management.
-
The best way to understand risk appetite is to ask what role IT plays in the success and failure of a business. How innovative IT should be, how experimental. How much failure could be OK, what's the regulatory environment like, and what could be the cost of failure. All these things become the high-level mantras by which your IT lives and dies. This should then flow into your strategic planning of different areas, which should plan to manage their risk and quality at their own level even as the corporate tries to maintain the big picture.
The next step for IT risk governance and reporting is to establish your IT risk framework and policies, which are the guidelines and processes that you use to identify, assess, mitigate, monitor, and communicate IT risks. Your IT risk framework and policies should be aligned with your IT strategy, your IT risk appetite and tolerance, and your organizational culture and values. They should also be consistent with the best practices and standards in your industry and domain, such as COBIT, ISO 27001, or NIST. By establishing your IT risk framework and policies, you can ensure a systematic and consistent approach to IT risk management across your organization.
-
As I said, unless information is your product, I wouldn't necessarily have central IT run a team of risk professionals chasing businesses to manage risk. Rather, I would manage the risk in three ways. 1) Institute cost, quality and service metrics and flow them down to all functions. Measure these quarterly and sometimes monthly (e.g. infrastructure). 2) Set the expectation that every department must know their biggest risks, and they can use whatever risk framework they want to use. I would rather hold them to strategic objectives than worry about process. 3) Collaborative decision making is critical, e.g. procurement for supplier risk, finance for forex risks/budget shocks/unforeseen amortization hits, etc. Same with HR, compliance, etc.
-
This is where governance can go off the rails in my opinion. From good intentions to red tape and meetings with presentations that are about the act and not the purpose. When creating the framework, instead think of it like an audit. Is what we are doing preventative (if so, what are you seeking to prevent?), or is it detective (again, what?), or is it a response to something that had occurred? If you can define the framework as addressing one of the three, you can explain, defend and get value. When you find you cannot, remove that element, and somewhere a Dilbert is set free from his cube.
Assigning IT risk roles and responsibilities is an important step for IT risk governance and reporting. These tasks and accountabilities should be clearly defined, documented, and communicated. A senior-level body, such as an IT risk governance committee, should oversee the IT risk strategy, policy, and performance. Additionally, an IT risk management function should coordinate and execute the IT risk framework and policies. Furthermore, IT risk owners should be responsible for identifying, assessing, mitigating, monitoring, and reporting IT risks within their scope of authority. Lastly, IT risk stakeholders should include business units, customers, suppliers, regulators, or auditors who are affected by or have an interest in IT risks. By assigning these roles and responsibilities you can create a clear governance structure and accountability for IT risk management as well as foster a culture of awareness and ownership.
-
With some help from my AI research assistant (Google Bard), let's focus on the scenario subset when IT Risk and Roles MUST include the SAP environment in scope for audit compliance to IT General Controls (ITGC):
Who has overall governance responsibility for SAP? Are IT and data controls in place?
How is SAP access controlled? Is there an access provisioning lifecycle?
How is SAP data secured? E.g. encryption, backup/recovery, data-at-rest vs data-in-transit.
How is SAP monitored? Is SecurityBridge in use for cybersecurity, or other tools for performance? Is it automated 24/7?
How is SAP tested? Should include ITGC compliance scanning.
Asking these questions will help you achieve ITGC compliance for your SAP environment.
-
Yes, IT must closely work with business stakeholders to manage risks. I would keep the framework part less onerous and focus on strategic business outcomes as a way to manage risk. Risks are better seen in light of an impediment to achieving an objective. In terms of rigour, one must calibrate. Business continuity and DRP are functions where I would expect extreme rigour. I would refrain from creating dedicated risk managers (unless, again, where IT itself is producing product).
The next step for IT risk governance and reporting is to implement your IT risk processes and tools, which are the methods and technologies that you use to execute your IT risk framework and policies. Your IT risk processes and tools should be designed to enable activities such as identification, assessment, mitigation, monitoring, and reporting. Identification involves finding and documenting sources, causes, and effects of IT risks that could affect your IT strategy. Assessment involves analyzing and evaluating the likelihood and impact of IT risks in relation to your IT risk appetite and tolerance. Mitigation involves selecting and implementing actions to reduce or eliminate the negative consequences of IT risks or exploit positive opportunities. Monitoring entails tracking and reviewing the status of IT risks and their mitigation actions. Reporting communicates relevant information about IT risks to internal and external audiences such as the governance committee, risk owners, stakeholders, or regulators. By implementing these processes and tools, you can enhance your IT risk management capabilities while providing timely information for decision making and oversight.
-
In my experience, process > tools any day of the week. As long as you have mature processes, you can run your entire IT risk management program on nothing more than Microsoft Excel. I have seen companies invest millions in complex IT risk applications that never got utilized properly as the fundamentals were simply not there.
-
Yep, all of this is good and should be part of your regular IT MOS. Don't build risk bureaucracy. Make risk and quality everybody's job. Measure business outcomes and manage risk in that light. A lot of the time culture is also driven top down, believe it or not. If the top guys focus too much on business outcomes without asking how things can go wrong, then people below too will forget about managing downside.
The final step for IT risk governance and reporting is to review and improve your IT risk practices, which are the actions taken to evaluate and enhance the effectiveness and maturity of your IT risk framework, policies, roles, responsibilities, processes, and tools. This should include IT risk audits conducted by internal or external auditors to verify compliance with your IT risk framework and policies, as well as identify any gaps or weaknesses. Additionally, you should collect feedback from IT risk owners, stakeholders, and other sources to assess satisfaction with your IT risk management activities and outputs. Also, use metrics to monitor and evaluate your IT risk performance and progress. Lastly, gain insights from your IT risk experiences and outcomes to identify what worked well and what did not. By reviewing and improving your IT risk practices, you can ensure a continuous improvement cycle for your IT risk governance and reporting that is adaptive to the changing internal and external environment.
-
Regardless of your industry, IT Audit is a critical function and must be part of your IT balanced scorecard. Execution is key, and in the case of risk quality the leadership at the top must ask the right questions to drive the right behaviors. That will make all processes and frameworks effective.
-
Sometimes one can forget to manage stupid risks. I once saw a guy with a half-billion budget running across corporate halls to trace down the facilities guys who could fix the electrical issues in the data center because rain water came in and short-circuited data center equipment. We had to do the entire strategic planning review with the CEO without lights/electricity in the room and with business unit presidents literally calling on our personal cell phones with speaker on!! That's why it is critical to manage risk not just as a process or tools but also as a culture that must penetrate all levels, so that your head of infra doesn't have to run down the hallway when things go wrong!!
-
Just to add some evidence to my earlier commentary, have a look at Social Security Scotland's programme arrangements as an exemplar. A highly complex, multi-vendor programme serving over 1.8 million clients, £5.2 billion in annual payments and over 50 environments, running 5 parallel release streams. They also operate on 90-day continual improvement cycles. With 12 of 17 benefits delivered successfully on time, cost and budget, in a highly visible political programme, the QAT practice governing all parties has been the fulcrum for success and collaboration across all parties.