Creating a Risk Culture in an IT Environment
Despite the negative cachet of instituting an enterprise risk management and governance (ERM&G) strategy, risk practices have become increasingly important for IT organizations. Because risk management involves informing others of problems, there is a tendency to kill the messenger (that is, the risk manager) and, moreover, to undervalue the importance of a preemptive risk approach. Given mandatory governance legislation such as the US Sarbanes-Oxley Act, as well as the emergence of myriad new security threats, organizations cannot view risk management as optional. Nonetheless, introducing a risk management culture can be disruptive to prevailing IT practices; risk managers and others tasked with implementing a company's risk strategy must challenge an organization's cultural norms and sometimes overcome institutional resistance. In order to establish a healthy organizational risk culture, the language and components of the culture must be defined and implemented with consistency, and risk management practices must be integrated into the day-to-day environment. The accompanying Executive Report discusses the essential changes in organizational culture that must take place to ensure a successful ERM&G strategy.