Does your risk management plan include staff requirements solely from within your current IT group? If so, you
should consider looking outside your IT organization for other qualified individuals to tackle your risk management plan.
And while understanding what occurred may require some technical acumen, Adams said, one needs business know-how to interpret the outcome. An ideal risk manager should have an undergraduate degree in computer science and a master's degree in business administration to effectively manage a company's risk management plan.
"IT shouldn't make risk decisions," added Paul Davis, who works at Blue Bell, Pa.-based Unisys Corp. as vice president and program manager for enterprise security, global outsourcing and infrastructure services. "IT is there to deliver services to the business, while assessing risk requires a certain due diligence that's strategically focused on the business."
A company's risk management department should work in conjunction with IT on projects as early as possible to identify potential pitfalls every step of the way, which includes the architectural, engineering, implementation, operation and change or decommissioning phases.
People in those jobs need to be good communicators, technically savvy in multiple areas, business-sensitive, experienced in IT operations, focused on business security, and they should enjoy sleuthing and thrive on long hours, he notes. "It's a fascinating, brilliant job sometimes, but it can be quite boring," Davis said.
Planning for risk can be proactive or reactive, he added, but there should be a discipline around either approach. In his experience, risk assessors commonly work in a security office, rather than in IT, and the department reports to the CIO, director of IT, CFO or some other C-level executive.
Meanwhile, many companies in the financial services sector often augment risk management teams with a unit that handles IT-related assets such as the network, databases, laptops and critical applications.
Steve Suther said he sees chief risk officers (CROs) and those with similar titles emerging to become head of risk management. Suther helped establish the risk management program around compliance at New York-based American Express Co., where he worked for more than a decade before moving to Getronics, where he's senior information risk strategist.
The CRO may report to the CIO, "but more often they are peers," Suther said. "The risk management activity can't happen in the IT silo anymore. It has to happen on the business side and be conducted by people who speak business, understand business processes and can even help map them."
In smaller companies, risk management reporting should happen outside the IT function, Davis said. Employees who are implementing various technologies might not have the proper knowledge around security, regulatory compliance and company policies, so it's vital that risk assessors be independent.
Adams compares the relationship among IT, risk management and the company at large to the three branches of government, each providing checks and balances against the other two.
"Where the risk management organization rolls up within the overall company is critical," Adams said. "A CRO or CSO should be on par with the CIO and CFO. If not, it's like the judiciary is missing."
Matt Bolch is a freelance writer based out of Atlanta.