Do Not Leave IT Risk Management To The CIO, Says Survey From the Economist Intelligence Unit

Information Technology (IT) risk has become one of the most significant corporate threats and a major issue for risk managers, according to a survey of 218 senior risk managers by the Economist Intelligence Unit.

The survey, which captures the views of CEOs, CFOs, chief risk officers and other executives responsible for managing risk, indicates that almost 60% of companies incurred significant financial damage as a result of systems failure in the past 12 months, while one-third suffered financial damage as a result of cyber-crime such as hacking and phishing over the same period. Just under half of executives surveyed now see IT risk as a high or very high risk to their business.

The survey results are published today in “Digital risk: The challenge for the CRO,” a report by the Economist Intelligence Unit sponsored by ACE, Cisco Systems, Deutsche Bank, IBM and KPMG. The report covers a range of IT risks including systems failures, cyber-crime and accidental disclosure of data or misuse of systems by employees. The findings are drawn from a new survey of senior executives, 40% of them from companies in the financial services sector. Respondents from 18 other industries also participated in the survey.

The survey found that digital risk is too important to leave to IT management. IT risk is one of the most significant threats posed to companies today, with 48% of senior risk managers saying it represents a high or very high threat to the business. IT is sufficiently important in more than one-third of firms to require close oversight from the chief executive officer.

Although the chief information officer (CIO) remains the primary person responsible for IT risk in most companies, one-third of chief risk officers (CROs) now spend at least 15% of their time addressing technology risks, according to the survey. Nearly half (48%) of respondents say that one of the chief difficulties in managing risk is over-reliance on IT management to control digital risks.

Cyber-criminals are becoming more sophisticated. The biggest challenge companies face in tackling IT risks is the growing sophistication of hackers and other cyber-criminals, according to 55% of survey respondents. One-third of companies suffered significant financial damage as a result of attacks such as hacking and phishing (where customers or employees are tricked into disclosing passwords and account details) over the past 12 months. Companies must now contend with a range of hi-tech attacks orchestrated by well-organized, financially motivated criminals.

Remote working expands the boundaries of risk. Fully 57% of executives surveyed say the trend towards remote working significantly increases their firm’s exposure to electronic threats. Traditional security solutions, such as electronic firewalls, are becoming less effective as employees interact via open networks and carry sensitive information on portable devices.

CIOs and CROs must collaborate better to address IT risk. There is a grey area between the responsibilities of the chief risk officer and CIO in dealing with IT risk, partly because of the complex nature of technology and the challenge of communicating technical issues. Two-fifths of risk managers rate their understanding of IT risks as moderate, limited or poor, and 42% cite poor communication between the IT and risk functions as a significant difficulty in managing technology-related risks. The report concludes that CIOs and CROs must clearly stake out their roles and responsibilities to ensure that digital risks are properly tracked and managed.

“Digital risk has become too big an issue to leave exclusively to IT managers. Risk managers need to ensure IT threats are addressed as part of their wider strategy for enterprise risk management,” commented Daniel Franklin, editorial director of the Economist Intelligence Unit.
