Business is becoming more in touch with risk, but the methods used to identify risks vary. In the past, financial institutions leveraged internal audit staff along with external governance (FDIC, FFIEC, SIPC, OCC and many others) to identify risks and put controls in place to mitigate those risks. Today those same financial institutions are required by GLBA, Sarbanes-Oxley, PCI and many other guidelines and regulations to perform internal risk assessments and to hold periodic reviews with the leadership teams, all the way up to the board.
Other businesses outside of finance are governed in similar ways, but many have no regulations to follow, which leaves them out in the open and exposed to unknown risks or risks that have not been proactively identified. Focusing on IT risks is easy low-hanging fruit, but managing IT risk is less about IT alone and more about managing risks for the whole business. Get to know the evolving IT risk landscape in your business with an understanding of how business risks fuse with IT risks. To manage risks effectively, organizations need a broad and complete view of the entire risk landscape. Developing a risk management program is the first step in the process, and you don’t need outside counsel to start it.