February 15, 2010 23:30 ET

Survey: More Than a Third of IT Professionals in India Say Their Companies Should Take Bigger Risks to Realize Greater Returns

ROLLING MEADOWS, IL--(Marketwire - February 15, 2010) - Despite the tough economy, one in three IT professionals in India believes that companies should take bigger risks with business projects related to information technology (IT). According to a survey of 463 IT professionals in India, their companies should take on riskier projects that often have a higher return on investment. Conducted by ISACA, a global association of 86,000 IT governance, security and assurance professionals, the survey found that more than one-third (34.4 percent) of respondents believe that their own organizations are too risk-averse and may be missing out on opportunities to increase value.

While more than 85 percent of respondents think their organization effectively integrates IT risk into overall risk management, more than 30 percent say that business lines are not willing to fully engage in risk management. This lack of engagement was reported to be the top hurdle to effectively addressing IT-related business risk, but budget limits (29.6 percent) and uncertainty of how to tailor best practices to the environment (18.1 percent) are also problematic, according to the IT professionals surveyed.

Encouragingly, compliance with governmental regulations is not the top driver for organizations' risk management activities. Instead, ensuring that current functionality is aligned with business needs (41.1 percent) was named the primary reason for risk management programs, with compliance following at a distant second (19.5 percent). Interestingly, fewer than 10 percent of respondents said managing costs was a primary driver.

"These statistics indicate that organizations are realizing that IT risk management is critical to the business, and that it must be incorporated with overall business risk management for the organization to be most successful," said Robert Stroud, CGEIT, international vice president of ISACA. "They are no longer engaging in effective risk management for the sake of compliance, but are doing so because it benefits the enterprise."

Communication continues to be a vital component. The most important action an organization can take to improve risk management, according to 35.4 percent of respondents, is to increase awareness among employees. Additional important steps are:

  • Improve coordination between IT risk management and overall enterprise risk management (31.5 percent).
  • Increase the use of best practices (21.7 percent).
  • Provide executive management with a "single view of risk" as opposed to risk silos (11.4 percent).

"One critical way to get everyone on board with risk management is to use a common framework, such as Risk IT," said Urs Fischer, CISA, CIA, CPA (Swiss), chair of ISACA's Risk IT Task Force. "The Risk IT framework provides a common language for business and IT professionals, and enables organizations to use good practices that have proven to be successful in other organizations so they do not need to reinvent the wheel."

Of ISACA's 86,000 constituents, more than 5,000 work in India. Survey respondents are IT professionals and ISACA members from India.

Strategies to help organizations in India improve risk management will be discussed at the upcoming Asia-Pacific Computer, Audit, Control and Security (CACS) conference held by ISACA from 22-23 February 2010 in Mumbai.

"Asia-Pacific CACS provides a forum for risk, security and assurance professionals to network, enhance their careers by learning the latest IT guidance and share solutions to challenges their organizations have faced," said Stroud. "Attendees can also learn more about the new Certified in Risk and Information Systems Control (CRISC) certification, which will help them stand out in the risk management field."

With more than 86,000 constituents in 160 countries, ISACA® is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks.