Joseph Giesken, Vice President, Global Equity Risk Control, Citigroup

Odds Are

Taking the risk out of IT risk management

For Citigroup, the stakes of managing IT risk are high. Losing a few minutes, an hour, or days of financial trading can have huge ramifications. "We have one of the largest and most profitable trading floors in the world," says Joseph Giesken, vice president, global equity risk control, Citigroup, New York City. "The focus on our continuity of business planning efforts revolves around providing continuous service to our clients. If we're out of the market and it's a client trade, we can have an adverse impact on our client's clearing and settlement and reporting functions as well as potential financial liabilities and reputational risks of our own."

Since there's so much variability to potential risks and the costs associated with different ways of mitigating them, creating a good IT risk management plan requires dialogue between IT and business.

While Citigroup's risk mitigation needs might be greater than average based solely on the size of the organization, managing and mitigating IT risk is an increasingly important part of a sound business strategy. For some organizations, it's something that remains more art than science.

"The most difficult part of prioritizing IT risks is that many times it's a guessing game, such as trying to determine how much an organization will lose if it doesn't implement a patch on its router or if its data is breached and the loss becomes public knowledge," says Jan Koster, managing director of UHY Advisors in Boston, Massachusetts, a business and accounting consultancy focused on mid-sized and large companies. "Obviously, the higher the potential loss or impact to the company, the more important it is to implement a risk mitigation procedure."

Some companies think of IT risk management and IT controls as limitations and unproductive costs, since risk mitigation plans often require investments in time, money, or resources. But increasingly, forward-looking organizations are realizing that there's an upside to risk management. With a little planning, it's possible to mitigate risk and obtain a positive return on investment.

"Technology controls are like brakes on a car - they help you steer past lax security, failed continuity, poor project management, and other issues that can get a company into trouble," says Greg Hedges, managing director at Protiviti, an international provider of internal audit and risk consulting services. "Most people think that brakes are on a car to make it stop - they're really there to help you go fast. No one's going to go 100 miles an hour if they don't have good brakes. It's the same with IT risk management. Having the appropriate measures in metrics and controls in IT is really a characteristic of high-performing companies."

Becoming a high-performing company

Efficient IT risk management enables organizations to plan for and help mitigate the wide range of potential risks that can affect not only IT systems but critical business operations. Failure to manage risk can result in the loss of revenues, customers, competitive advantage, and business goals. It can also mean compliance problems.

"A key issue for many companies is that IT risks can undermine the integrity and availability of financial reporting applications," says Protiviti's Hedges. "You can have a material misstatement if the IT risks are not well managed."

Risk mitigation starts with a good understanding of business requirements, the IT environment, and the identification of potential risks. Once risks are identified, they should be quantified (as well as possible), measured (where possible), and managed in an ongoing way so that business leaders can make decisions regarding the appropriate strategies and level of investment required.

In many cases, a good IT risk management strategy can have a positive impact on an organization. "Most people look at risk management as an extra cost," Hedges says. "We help clients see that those risk management controls can allow them to perform much more smoothly in their IT operations."

©1995 - 2007 Symantec Corporation