SOURCE: OpenPages


November 03, 2009 12:45 ET

OpenPages Survey Finds IT Risk Management Evolving

Companies Still Working on Implementing an Integrated, Enterprise-Wide Approach

WALTHAM, MA--(Marketwire - November 3, 2009) -

News Facts

-- OpenPages, the leading provider of integrated risk management solutions for global companies, today unveiled survey results that highlight the current state and future direction of IT risk management in organizations. The IT Risk Management Survey, which was sponsored and conducted by OpenPages this past month, was distributed to IT risk and compliance management executives from a variety of industries, including financial services, energy, government, health care, consumer goods and retail.

-- The survey results show that most organizations are making progress on improving IT risk management but still have room for improvement in internal leadership and in integration with enterprise GRC initiatives. The survey found that ownership of IT risk management varies, with no consensus on which part of the organization is responsible for the function. Further, organizations view IT risk as the area with the most room for improvement in delivering effective risk management when compared with regulatory compliance, financial risk and operational risk. Finally, the survey revealed that most organizations still have considerable work to do in converging their IT risk initiative with their overall enterprise GRC initiatives.

Survey Results

Basic IT Risk Management Practices That Are Working Well -- The survey illustrated that companies are managing the basics of IT risk management effectively. For instance, participants identified IT security and IT regulatory compliance as two of the most effective areas of risk management today. However, fewer are managing effectively beyond the basics.

-- Communication and culture -- 66% of respondents said their employees can speak openly about IT risk, but fewer than half are taking active steps to build or maintain a risk-aware culture.

-- Managing the IT foundation -- Approximately 80% of respondents said their IT environment is well-maintained and that they have a business continuity plan in place, while only about half said the level of complexity in their IT environment is appropriate.

-- Risk governance process -- When asked to describe the organization's IT risk program, 51% of respondents reported that they have a formal process for evaluating potential exceptions to IT policy in place, and 43% have guidelines to help individuals assess the magnitude of risks in a consistent way.

-- Automation -- According to respondents, many organizations have automated their risk management processes: 78% reported having automated risk identification, 69% risk management, and 67% risk monitoring.

Organizational Structures and Technology Strategies for IT Risk Still Evolving -- The survey found that a consistent organizational structure and leadership model for IT risk management has yet to emerge across responding organizations. Perhaps reflecting this finding about IT risk governance, most companies report managing IT risk with a standalone application and have yet to coordinate the effort with their company's overall GRC strategy. According to the survey:

-- When participants were asked who is responsible for IT risk management, the results showed that organizations vary widely in their IT risk management philosophy: 40% of survey respondents reported that the CIO was responsible, while 24% identified the Head of Enterprise Risk or CRO, 7% said the Chief Information Security Officer, 2% the CFO, and 27% selected "other."

-- Regarding the types of technology solutions they use to support IT risk management, the OpenPages survey found that companies have yet to take a holistic approach to managing IT risks. While 28% of those surveyed indicate using a single, integrated solution, nearly 30% report using point solutions for risk and compliance, and a surprising 43% report that they still rely on spreadsheets.

-- In addition, few respondents have standardized and automated workflows for key risk management processes such as review and approval, remediation, and event analysis and escalation.

Investment in IT Risk Management To Increase, Solutions Will Converge with Enterprise GRC -- Looking ahead to 2010, the OpenPages IT Risk Management Survey indicated that organizations will continue to adopt technologies to improve their management of IT risk and to integrate IT risk into overall enterprise GRC initiatives. According to survey respondents:

-- When asked about IT risk management budgets for the coming year, more than 95% of respondents expect that budgets will increase or stay the same in 2010.

-- In a separate survey conducted at the OpenPages European Network (OPEN) Summit this fall, 93% of respondents stated that within 2-3 years, they are likely to converge or coordinate IT Risk and Compliance Management activities with GRC.

Supporting Quote from Gordon Burnes, VP of Marketing, OpenPages

"The results of the IT Risk Management Survey tell us that most companies have in place the basic practices to manage risk effectively within the IT function; however, these same organizations aim to do better than that. For instance, companies plan to invest in their IT risk management infrastructure to improve alignment between IT and enterprise risk management initiatives."

Supporting Quote from Dr. George Westerman, Research Scientist - Center for Information Systems Research, MIT Sloan School of Management, OpenPages Board of Advisors Member

"IT and business managers have often operated independently with respect to risk and compliance management. With IT an essential part of today's business operations, it's imperative to overcome that mentality. Incorporating risk into all IT conversations, and linking IT risk to enterprise risk, leads to better management decisions, not just fewer incidents. But until companies can drive internal focus around IT risk management in the context of overall GRC initiatives, they will continue to grapple with the fragmented approach that is prevalent today."

Supporting Resources

-- Link to OpenPages blog:

-- Follow us on Twitter:

-- Link to OpenPages Flickr page with IT risk survey charts

About OpenPages

OpenPages is the leading provider of integrated risk management solutions for global companies. The OpenPages Governance, Risk and Compliance (GRC) Platform empowers a risk-based approach to identify and manage key business risks across the enterprise. This approach enables companies to focus on what's important and to avoid unexpected outcomes while improving performance. Founded in 1996, the company is headquartered in Waltham, Massachusetts, with international offices in the United Kingdom, distribution partners in Japan and regional offices throughout North America. For more information, please visit

OpenPages is a trademark of OpenPages, Inc. All other trademarks contained herein are the property of their respective owners.

Contact Information

  • Contact:
    Jessica Sutera
    Lois Paul & Partners
    (781) 782-5789