I ask this question after reading Ernst & Young’s 2010 Global Information Security Survey. The survey has some interesting comments on the top IT security risks from new information technology -- including the obvious ones around data leakage, mobile devices, cloud computing and social media. E&Y report good news, while risks are perceived as increasing, nearly half see their IT security budget increasing as well.

Where's Your IT Risk Management Program?

But, the statistic that jumps out for me is this -- only about 42% of the respondents to the survey have an IT risk management program in place.

How do you ensure you protect the organization from IT-related risks without a solid IT risk management program -- preferably integrated with the enterprise risk management program?

How do you allocate resources to address the more significant information security risks without a risk management program?

It’s great that E&Y provided this information. Next, in my opinion, is more thought leadership on the need for an effective IT risk management program as part of the enterprise-wide risk management program.

IT Risk is a Component of Enterprise Risk Management

Why the emphasis on managing IT risk as part of an enterprise-wide program? Because IT risk is better described as the impact on business risk of IT-related activities. The risk is not the failure of IT, for example the network being unavailable for 24 hours. The risk is the impact on the business, in this example the inability of the organization to receive and process orders, to invoice customers or to pay suppliers. (I recommend ISACA’s Risk IT framework for all interested in IT and risk management.)

I recently wrote a blog on the risks to watch in 2011. That post focused on risks across the enterprise, not just those related to IT. But, the top ten risks I described in that blog still hold. The only change I would make to focus more on IT would be to expand the top risk. It would be:

The inability to practice effective enterprise-wide risk management, enabling risk-intelligent decisions, strategies, and actions. This requires the consideration of IT-related risks as part of the enterprise-wide risk management program, not as a separate activity. Addressing IT-related risks without a clear and shared understanding of business strategies, risks to those strategies, and the potential impact of IT-related activities, is a recipe for failure. Addressing business process risks without understanding and including the impact of IT-related activities is similarly flawed.”

What do you think? Is ineffective risk management one of your top IT risks to watch in 2011?