Introduction
Organizations exist to create value for their stakeholders by maintaining a balance between achieving profits through pursuing opportunities, optimizing the use of resources, and reducing existing and potential risks. To do so, organizations first need to set a clear set of goals and objectives that articulate their mission, values and reason for existence, and then strive to achieve them. While the organization's goals represent the desired destination, the chosen objectives characterize the road map to get there.
Below are some typical and common organizational goals and objectives:
- Increasing sales and market share;
- Improving customer service and retention;
- Strengthening partnerships;
- Hiring talented people and training current staff;
- Minimizing logistics costs; and
- Expanding the organization's presence, among others.
Business-IT alignment usually aims to improve the business value of IT investments and sustain the organization's success by:
- Building a trust relationship and facilitating communication between decision-makers and IT managers;
- Flexibility in implementing business plans and Enterprise Architecture;
- Presenting the Enterprise Architecture’s capability and limitations;
- Efficiency in managing the organization's budget and resources; and
- Ensuring an optimal return on investment (ROI) on IT funds.
Business-IT risk alignment
Organizations tend to have limited resources and give little consideration to implementing effective enterprise-wide risk management. As a result, it is common to find an organization's risk profile outdated, not aligned with its goals and objectives, and not focused on top management's concerns.
In response to internal and external events, factors and a changing business landscape, an organization's objectives and strategic priorities constantly change over time to keep pace with the environment in which it operates. Unless frequently revised and updated, risk management efforts become reactive and compliance-oriented rather than supportive, and risk appetite and tolerance thresholds become unrealistic and no longer reflect the organization's current objectives.
Organizations traditionally hold separate meetings for strategic decision-making, planning and risk-related initiatives, and thus limit the interaction between these activities, which generates ineffective and redundant efforts and results in additional risks. Alignment aims to reduce such duplication and eliminate the gaps in between by integrating risk management with business strategy.
Risk management activities are often confined to the IT department, assessing only the threats and vulnerabilities related to that department's assets, which narrows risk mitigation and exposes the rest of the business to a wide range of risks and uncertainties. Instead, risk practitioners should consider the overall business scope and extend the risk assessment to all entities, processes and projects supported by the IT division, as well as to external suppliers. Risk practitioners should also study previous incidents and act proactively to prevent similar incidents from recurring by implementing appropriate mitigation controls, without underestimating any potential risk.
Another key factor in establishing effective risk alignment is setting up communication channels with top management to facilitate the assessment of business goals, strategies, priorities and decisions on embracing emerging technologies, assuring regulatory compliance and covering the overall enterprise end to end. Moreover, risk practitioners should be involved in assessing potential risks related to strategic and confidential plans with major impacts, such as acquisitions, mergers, changing markets and staff reductions, in order to put adequate and effective mitigation plans in place.
One of the best approaches to aligning risks with business objectives is implementing information security frameworks, risk management methodologies and standards such as:
- ISO/IEC 27001 - Information security management systems;
- NIST SP 800-39 - Managing Information Security Risk;
- ISO/IEC 27005 - Information Security Risk Management;
- COSO Enterprise Risk Management - Integrated Framework;
- ISO 31000 - Risk Management - Principles and Guidelines; and
- NIST SP 800-30 Revision 1 - Guide for Conducting Risk Assessments.
Conclusions
Risk management focuses on continually understanding, aligning with and securing the organization's strategies and objectives by promoting adequate security controls. However, associated risks can sometimes be overlooked in favor of pursuing opportunities that meet the organization's goals.
Risk practitioners should continually and intelligently promote a risk culture, cultivate it in people's mindsets over time, and integrate risk management activities and practices into the overall business strategies and processes.
Given that risks impacting the organization can originate from the technology in use, from the people operating that technology, or from the processes applied, failing to integrate these main sources of risk into the risk profile inevitably puts the organization in great danger.