Australian organisations fail at managing IT Risks: ISACA

A white paper issued by the Australian chapters of global IT association ISACA highlights the potential for security breaches and major technology disasters at leading Australian organisations, with 60% of IT professionals stating they do not believe all IT-related risks are being effectively managed.

Furthermore, 64% of Australian IT professionals believe the risk culture at their organisation is either moderately effective or not effective at all.

The white paper, titled IT Risk Management: Drivers, Challenges and Enablers for Australian Organisations, outlines results from an ISACA Australia-led survey of 111 Australian business and IT professionals and subsequent structured interviews conducted at the end of 2012. The study was designed to better understand the IT risk management drivers and challenges currently faced by Australian organisations.

“We are deeply concerned by the lack of importance being placed on managing IT risks. From these results, it is clear that Australian organisations aren’t adequately prepared,” said Paras Shah, founder and principal consultant at Vital Interacts, and principal author of the white paper. Shah, who is also a member of ISACA’s Framework Committee, will present findings from the white paper at the upcoming Oceania CACS2013 conference, It’s a Jungle Out There… Navigating Security, Audit and Governance, this September.

Key findings from the IT Risk Management white paper show:

- 71% of participants think Australian business teams lack awareness that IT risk management is important to attain business process goals and targets.

- 89% of participants believe that IT risk management activities are generally perceived by business stakeholders as a compliance burden, whether external or internal.

- 23% of IT professionals surveyed identified a “major IT-related failure event” as one of the main drivers for their organisation to manage IT risks.

- 26% of participants indicated their IT risk management programs focused too much on IT security risks, rather than considering all IT-related risks.

Commenting on the finding that one in four respondents believe IT risk management programs focus too much on IT security risks rather than considering all IT-related risks, Shah added, “There is a common misperception in the industry that IT risks only include security-related IT risks, despite there being a range of different scenarios and potential IT issues that should be considered.”

Details of ISACA frameworks, including COBIT 5 (which incorporates ISACA’s previous Risk IT and Val IT), and the need for such process models, were also examined in the white paper, in relation to the findings. COBIT helps organisations govern and manage their information and technology to drive enterprise value.

The majority of survey participants came from the sectors of banking and finance services (35%), energy and utilities (11%), government and defence (11%) and manufacturing and industrials (8%) in organisations located across Australia, and included senior IT and risk management professionals.

This white paper was co-written by David Roche, ISACA Sydney Chapter president, and Anthony Rodrigues, ISACA Melbourne Chapter director.

Commenting on the findings, Rodrigues said, “Organisations must relate IT risks to business goals and keep the business engaged to create support and executive involvement. The importance of managing risk cannot be underestimated and organisations must take responsibility for managing their risks.”

Adding to the analysis, Roche said, “Organisations with a weak risk culture are exposed to inappropriate decisions in strategy, programs and operations. On the other hand, organisations with a mature risk culture have the ability to protect and enable the achievement of their objectives. We urge Australian IT professionals to review and update their IT risk management frameworks to ensure they are sufficiently protected.”

The white paper, IT Risk Management: Drivers, Challenges and Enablers for Australian Organisations, can be downloaded free of charge at www.isaca.org.au.

ISACA, a global association of IT professionals, will hold its Oceania CACS2013 conference at the Adelaide Convention Centre from 23-27 September 2013. http://www.oceaniacacs2013.org/