Assessing and addressing technology risk
One of my frustrations over the years has been the continuing practice, among those involved in addressing technology (or IT) risk and its related audit, of seeing it in a silo.

About 15 years ago, I was on a team of practitioners developing guidance for auditors (the GAIT Methodology, which continues to be recommended guidance by the IIA). One of the team members was Jay Taylor, head of IT Audit for GM at that time (later their CRO). He said something that resonates today:

“There is no such thing as IT risk, only business risk.”

We should not be concerned specifically with risk to systems availability, access, security, etc. or even to information assets. What we should be concerned with is risk to the business and the achievement of its objectives.

Any technology risk assessment should be made in terms of the potential effect on the business, not any effect on IT assets or goals.

Yet guidance from ISO, NIST, and FAIR continues to focus on the silo, not the whole business. It does not enable risks arising from technology-related issues to be measured against technology-related rewards, or against other sources of business risk. It doesn’t enable decisions to be made about where scarce resources are best invested: for example, addressing ransomware risks or the possibility of being late to market with new products. After…
