I don’t think there is much of a debate when it comes to getting consensus that organizations are in the business of creating value. After all, enterprises of all sizes, shapes and forms are becoming increasingly focused on governance, and value creation sits squarely at the forefront, being the primary governance objective of the contemporary organization. At least that’s what COBIT 5, the business framework for governance and management of Enterprise IT, tells us. And I would agree.
Creating value sounds simple enough, doesn’t it? But there are many masters in this marketplace for value. These masters, the stakeholders, are not passive but actively demand value, a return on their investment. And stakeholder needs are not satisfied in an instant; the organization must be infinitely sustainable, creating value over and over and over again. But we all know the adage, ‘the greater the return, the greater the risk’, reminding us of the directly proportionate relationship between risk and return… and ultimately value creation.
It is thus for good reason that with the rise of enterprise governance, so too have we seen the rise of enterprise risk management. They say “Death and Taxes” are the only certainties in this world, but I would argue that in reality the only certainty is uncertainty, in other words, Risk. Risk is the combination of the probability of an event and its consequence – often referred to as exposure. Risk is a constant, tangible and intangible, for every organization that sets about its day-to-day operations intent on delivering on its mission and reaching its state of actualization – its vision.
And so the challenge is set for the organization: balancing the demand for value creation with the ‘supply’ of risk in the enterprise. Indeed it is a balancing act for every part of the Enterprise to continuously create value, not least of all when it comes to information technology (IT), which has permeated and integrated itself into all functions and facets of the modern-day organization. This integration not only means that the IT organization itself must be intrinsically creating value, but that through the use of IT across the organization, IT must be enabling the creation of value by all of the functions of the organization which it serves, and by the enterprise as a whole.
With this critical value-adding role of Enterprise IT in the organization, it is essential that organizations adopt a business-driven framework for governing and managing the IT in their organization as efficiently and effectively as possible. And this is exactly where COBIT 5 fits the bill. COBIT 5 not only provides a business framework for the governance and management of Enterprise IT, it focuses on realizing benefits, optimizing risk, optimizing cost and maximizing value and returns from investments in IT, for internal and external stakeholders.
With IT risk being a subset of Enterprise risk, and given the pervasiveness of technology within the business, optimizing IT risk has a direct and positive effect on the overall risk of the organization. So important is risk optimization of the Enterprise’s IT to the organization that within COBIT 5 there is not one, but two, dedicated processes - ‘Ensure Risk Optimization’ and ‘Manage Risk’.
The Ensure Risk Optimization process is within the Governance area of the COBIT 5 framework and is supported by 3 governance practices and 16 activities. The process ensures that the enterprise’s risk appetite and tolerance are understood and not exceeded by Enterprise IT, that the impact of IT risk to enterprise value is identified and managed, and that the potential for compliance failures is minimized. It’s important to note that the alignment of the IT risk strategy to the Enterprise risk strategy is considered as part of this process, demonstrating the interdependence between the two.
The Manage Risk process is in the Align, Plan and Organize (APO) domain within the Management area of the COBIT 5 framework and is supported by 6 management practices and over 30 activities. This process continually identifies, assesses and reduces IT-related risk within the levels of tolerance set by the Enterprise. Its purpose is to integrate the management of IT-related enterprise risk with the overall Enterprise Risk Management of the organization, whilst balancing the costs and benefits of managing this risk.
But it doesn’t stop there… All of the processes, practices and activities of the Enterprise have associated risks, and the optimization of risk through governance and management of Enterprise IT is integrated and incorporated throughout COBIT 5. Whereas the Ensure Risk Optimization process ensures that the enterprise stakeholders’ approach to risk is articulated to direct how risks facing the enterprise will be treated, and the Manage Risk process provides the enterprise risk management arrangements that ensure that the stakeholder direction is followed by the enterprise, all of the other 35 COBIT 5 processes include practices and activities that are designed to deal with IT-related risk. Not to mention that COBIT 5 suggests accountabilities and responsibilities for risk-related roles in the governance and management structures, like RACI charts, for each process. Risk optimization is clearly and deeply integrated into COBIT 5.
It is evident in our current century that Enterprise and IT risk are becoming increasingly important to the ability of the organization to create value on a sustainable basis over the long term. Technology drivers are nowadays shaping and enabling enterprise strategy and goals, and stakeholder needs, more than ever before. In markets around the globe, the competitive landscape is tightening exponentially, and organizations need to be in a continuous position of strength to pounce on any opportunities to gain competitive advantage. This position, without doubt in the vast majority of cases, relies on IT. Simultaneously, organizations can ill afford to carry exposure above their appetite for enterprise risk, which could not only diminish their chances of seizing opportunities, but put the sustainable future of the enterprise in jeopardy. IT is empowering organizations like never before, but such is the reliance of the organization on information and technology that when things go wrong disaster can quickly follow. Optimizing IT risk through governance and management of Enterprise IT is therefore truly mission critical.
While there are a number of Enterprise Risk Management standards in existence, COBIT 5 not only provides a fundamental focus on optimizing IT risk for the Enterprise, but does so as part of the primary governance objective of value creation for the organization. Effective and efficient governance and management of Enterprise IT risk, in fact optimization thereof, is essential to the Enterprise Risk Management of the organization and to value creation by the enterprise. Effectively managing IT risk helps drive better business performance by linking information and technology risk to the achievement of strategic enterprise objectives.
In addition to COBIT 5, there is a professional guide published by ISACA, namely COBIT 5 for Risk, which defines IT risk as the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. COBIT 5 for Risk provides guidance on how to use the COBIT 5 framework to establish the risk governance and management functions for the enterprise, how to use the COBIT 5 principles to govern and manage IT risk following a structured approach, and how COBIT 5 for Risk aligns with other relevant standards.
For information on COBIT 5 please visit http://www.isaca.org/COBIT, and you can get ISACA’s free-to-download COBIT 5 Toolkit at http://www.isaca.org/COBIT/Pages/Product-Family.aspx. The COBIT 5 for Risk guide is available at http://www.isaca.org/cobit/pages/risk.