In the financial services practice, compliance audits and vendor security evaluations are the norm for IT and operations. Our customers must meet standards to participate in the industry, to protect their assets, to protect their customers’ personally identifying information, and to meet their regulatory requirements as a business. When IT organizations take part in completing these instruments for the business, the formal reporting informs the business and its stakeholders about the operational risk exposures that exist at the time of the evaluation, but additional factors in the environment may introduce new exposures or variables that the snapshot does not capture. The feedback provided by a more detailed risk assessment gives the business an opportunity to make strategic or tactical changes based on the level of risk it is willing to accept in making those changes, or sometimes, in not making them.
While a full enterprise risk assessment could require an extended engagement and investigation, our proactive customers that undertake IT projects don’t necessarily feel the need to wait for the enterprise to catch up with their desire to take a closer look at their own practices, programs, people and plans. Many of the internal control concepts and components from the COSO (Committee of Sponsoring Organizations of the Treadway Commission) and COBIT (Control Objectives for Information and Related Technology) frameworks can be blended to create a customized risk assessment focused solely on IT operations and its role in the larger organization.
Some of the specific domains for analyzing risk found most notably in the IT department include:
Data & Configuration: Beyond mere compliance, do technical departments have visibility into what new products and features they’re going to be asked to support, and do they have what they need to support the additional data that will be collected, used and disseminated? Will new features or rollouts require significant changes to the platform? Does IT have both the implicit and explicit power to influence product strategy so that the organization remains compliant? Are new products developed with IT and compliance representatives at the table?
Operations, Performance & Availability: Trouble tickets might be getting their responses in short order, but is the current process for ‘keeping the lights on’ able to minimize risks, both internal and external? Does IT know enough about the application architecture to be self-sufficient in servicing what’s running on its platforms, or does it depend on application experts from the business to resolve issues and errors? Does IT have visibility into marketing efforts that might lead to increased demand? Do initiatives have performance benchmarks that IT will be expected to maintain?
Business Continuity: While there are many continuity controls in audits and evaluations, does the IT department have the ability to go beyond the controls and actually execute all or part of its Business Continuity Program (BCP)/Disaster Recovery (DR) plan in an environment similar to the one it supports? When the environment changes with new functionality and features, is IT part of the team that adjusts the BCP/DR plans for those new features?
The importance of compliance audits and controls for getting a snapshot of the IT organization’s current state cannot be overstated, but creating a customized risk assessment, whether formal or not, can give the business deeper insight into how to adjust to changes in its IT portfolio.