Risk management services can ease the burden for busy CIOs.
February 19, 2008
Governance and risk management, while always a part of corporate due diligence, have taken on new meaning in recent years. Growing security threats, the emergence of regulations such as Sarbanes-Oxley, political uncertainties around the world, and other factors have put risk management at the forefront.
Despite all the emphasis on risk management, many organizations are not ready to deal with risk. More than half of 320 multinational companies surveyed in late 2006 and early 2007 by Aon Corp. said they were not prepared for the risk they rated as the most worrisome — damage to reputation, according to a report by Aon, a provider of insurance, risk management, human capital management and other services.
“Multinational corporations are facing increasingly diverse, complex and exotic risks, and may not have all the resources in place to manage them effectively,” Aon's first Global Risk Management Survey states. Not surprisingly, some of the top 10 risk concerns rated by survey respondents relate in some way to IT. These include business interruption, distribution or supply chain failure, and failure of a disaster recovery plan. According to the Aon report, the Americas is the only region where technology failure and loss of data are cited as a major risk concern.
The Web-based survey indicates that “corporate boards recognize the criticality of risk management and are engaged in the review of risk issues. Respondents reported [that] identifying and understanding their risks is a top priority, and many planned to take a more enterprisewide approach to risk within the next two years.”
How can CIOs — already stretched in many directions to help support business processes through technology initiatives — attend to risk-management concerns? One possibility is to use one of the IT risk management and governance services available. Companies such as IBM, Symantec, PricewaterhouseCoopers and Accenture offer various types of risk management services to help organizations define and mitigate corporate risk.
The key is to determine which risk management service is right for an organization and whether using the service will result in tangible gains. “We see more benefits than potential challenges,” to using risk management services, says Ruben Melendez, CEO of consulting firm Glomark-Governan. “But unfortunately, for most IT professionals, quantifying the benefits of risk management and governance services proves difficult.”
Melendez says analysts at his firm have found that risk management can be quantified in economic terms. “The best way to quantify the economic benefits of risk management is [to] evaluate cost avoidance and revenue protection benefit types,” he says. “There is obviously uncertainty when forecasting the risk benefits' projections in any company.”
However, if IT executives conduct scenario analyses (for example, assessing worst case, most likely and best case scenarios), an organization will find it easier to estimate the economic impacts of not deploying a risk management service.
“If a system is down for one hour, for example, how much can it affect users’ productivity and, in many instances, their lack of revenue generation?” Melendez says. “What would be the cost incurred, if risk prevention [were] not completed, to bring the systems and business processes back to normal operation after a shutdown or disaster? How much revenue would be lost if the steps to examine risk management were completed?”
If IT and business executives jointly discuss and assess these issues, they can clearly justify the economic impacts of investing in risk management services, Melendez says.