SYDNEY, AUSTRALIA: A recent white paper issued by the Australian chapters of global IT association ISACA highlights the potential for security breaches and major technology disasters at leading Australian organisations, with 60 per cent of IT professionals stating they do not believe all IT-related risks are being effectively managed.
Furthermore, 64 per cent of IT professionals believe the risk culture at their organisation is only moderately effective or not effective at all.
The white paper, titled IT Risk Management: Drivers, Challenges and Enablers for Australian Organisations, outlines results from an ISACA Australia-led survey of 111 Australian business and IT professionals and subsequent structured interviews conducted at the end of 2012.
The study was designed to better understand the IT risk management drivers and challenges faced by Australian organisations.
"We are deeply concerned by the lack of importance being placed on managing IT risks. From these results, it is clear that Australian organisations aren't adequately prepared," said Paras Shah, founder and principal consultant at Vital Interacts, and principal author of the white paper.
Shah, who is also a member of ISACA's Framework Committee, will present findings from the white paper at the upcoming Oceania CACS2013 conference, It's a Jungle Out There... Navigating Security, Audit and Governance, this September.
Key findings from the IT Risk Management white paper show:
* 71 per cent of respondents think Australian business teams lack awareness that IT risk management is important to attain business process goals and targets.
* 89 per cent believe that IT risk management activities are generally perceived by business stakeholders as a compliance burden, whether external or internal.
* 23 per cent identified a "major IT-related failure event" as one of the main drivers for their organisation to manage IT risks.
* 26 per cent indicated their IT risk management programs focused too much on IT security risks, rather than considering all IT-related risks.
The majority of survey participants came from the sectors of banking and finance services (35 per cent), energy and utilities (11 per cent), government and defence (11 per cent) and manufacturing and industrials (8 per cent) in organisations located across Australia, and included senior IT and risk management professionals.
This white paper was co-written by David Roche, ISACA Sydney Chapter president, and Anthony Rodrigues, ISACA Melbourne Chapter director.
Commenting on the findings, Rodrigues said, "Organisations must relate IT risks to business goals and keep the business engaged to create support and executive involvement. The importance of managing risk cannot be under-estimated and organisations must take responsibility for managing their risks."
Roche added, "Organisations with a weak risk culture are exposed to inappropriate decisions in strategy, programs and operations. On the other hand, organisations with a mature risk culture have the ability to protect and enable the achievement of their objectives. We urge Australian IT professionals to review and update their IT risk management frameworks to ensure they are sufficiently protected."