IT professionals want firms to take bigger risks: says survey

Despite the rough economic climate, one in three IT professionals in India believes that companies should take bigger risks with business projects related to information technology (IT). According to a survey of 463 IT professionals in India, their companies should take on riskier projects that often have a higher return on investment.

Conducted by ISACA, a global association of 86,000 IT governance, security and assurance professionals, the survey found that more than one-third (34.4 percent) of respondents believe that their own organisations are too risk-averse and may be missing out on opportunities to increase value.

While more than 85 per cent of respondents think their organisation effectively integrates IT risk into overall risk management, more than 30 per cent say that business lines are not willing to fully engage in risk management.

This lack of engagement was reported to be the top hurdle to effectively addressing IT-related business risk, but budget limits (29.6 per cent) and uncertainty of how to tailor best practices to the environment (18.1 per cent) are also problematic, according to the IT professionals surveyed.

According to the survey, compliance with governmental regulations is not the top driver for organisations’ risk management activities. Instead, ensuring that current functionality is aligned with business needs (41.1 per cent) was named the primary reason for risk management programmes, with compliance following at a distant second (19.5 per cent). Fewer than 10 per cent of respondents said managing costs was a primary driver.

“These statistics indicate that organisations are realising that IT risk management is critical to the business, and that it must be incorporated with overall business risk management for the organisation to be most successful,” said Robert Stroud, CGEIT, international vice president of ISACA.

“They are no longer engaging in effective risk management for the sake of compliance, but are doing so because it benefits the enterprise.”

Communication, said the survey, continues to be a vital component. The most important action an organisation can take to improve risk management, according to 35.4 per cent of respondents, is to increase awareness among employees.

Additional important steps are improving coordination between IT risk management and overall enterprise risk management (31.5 per cent) and increasing the use of best practices (21.7 per cent).