Geetha is an IT governance, IT security, IT risk management and IT professional with over twenty-five years' experience. Most recently, she has offered consulting, implementation and advisory services to organisations in the banking, telecom, health care, manufacturing, government and insurance sectors while working for one of the largest Indian IT software companies. For the last five years she has been a regular on-site trainer, conducting training through ISACA HQ for certification exams such as CRISC and CISA for various multinationals. In a conversation with Higher Education Digest, Geetha talks about how digital education such as IT certifications has been completely revamped after the pandemic, what the major trends are in the upskilling and reskilling of IT professionals, and how these certificates can help young employees master the subject.
According to ISACA's Risk IT Framework, IT risk encompasses not only the negative impact on operations and service delivery, which can destroy or reduce the value of the organization, but also the benefit-enabling risk associated with missing opportunities to use technology to enable or enhance the business, and the IT project management risk of aspects like overspending or late delivery with adverse business impact.
While people, process and technology all play a significant role in risk mitigation, it is the people behind the process and technology who play the most important part in enabling effective risk management within the organization at all levels.
So, how can an organization enable one of its greatest assets—people—to perform IT risk management effectively? These essential elements must first be in place.
- The organization’s key objectives should be clear to help define requirements and targets.
- They should assess their governance structure to ensure roles, responsibilities and reporting mechanisms are in place to manage risk.
- They should define their level of commitment, namely the allocation of resources, and provide training and continuous support for implementing or maintaining risk management.
To better understand how to prioritize the training of the people involved in an organization’s overall framework of governance of risk management, it is important to first know how they work at three distinct levels.
First is the strategic level, which covers the overall responsibility, accountability and authority for the program, some, if not all, of which will lie at board level. The designated board member or members should ensure that the tactical and operational work is understood, and that the organization's business and cultural contexts are considered. Legal and regulatory compliance can become a complex subject, especially where organizations are spread across multiple legal and regulatory jurisdictions and the costs of non-compliance have an adverse impact on the organization's objectives.
Second, at the tactical level, the adoption of risk intelligence procedures enables the organization to discover risks that have either not yet been considered or that have occurred previously within the organization. This level also includes day-to-day management of the overall risk policy, together with the interdependencies between risks.
Finally, at the operational level, the key activities of the risk management program take place: risk assessment, including the identification of threats, vulnerabilities and impacts or consequences; the estimation of likelihood and subsequent analysis of the risks; and, finally, the evaluation of risks and the proposals for risk treatment. A final element of overall risk program governance is the need for regular communication and reporting both upwards and downwards through the chain of command, especially the reporting and logging of new risks and progress in the treatment of existing risks.
How to Prioritize IT Risk Management Training Resources
While training at all levels is essential and critical, the investment in terms of time and budget needs to be prioritized based on an organization's unique needs. These include the maturity of the organization and whether it operates in a regulated industry such as banking, insurance or healthcare.
Training can be provided based on the levels in the organization’s hierarchy and the maturity of the process and technology adopted and can include supporting employees in pursuing credentials.
At the strategic and tactical levels, understanding governance, legal, regulatory and compliance requirements and overall risk management is essential. So, organizations should offer IT risk management training, including through credentials such as the CGEIT (Certified in the Governance of Enterprise IT) certification.
At the tactical and operational levels, there are several IT management certifications and programs that can be considered as part of a team member's training, depending on the organization's needs. These can include ITIL, CISA (Certified Information Systems Auditor), CISM (Certified Information Security Manager), PMP (Project Management Professional), CRISC (Certified in Risk and Information Systems Control) and PCI DSS (Payment Card Industry Data Security Standard), as well as vendor-specific training, risk management training such as ISO 31000 and ISO 27005, and customized IT training.
While prioritization of training can happen on a need basis, since it involves budget and time, organizations should commit to conducting regular refresher courses and "train the trainer" programs to ensure that their people are trained to address IT risks that are continuously evolving.