Risk managers' role in information technology security is becoming clearer as more companies embrace enterprise risk management.

Under the ERM approach, all of a company's risks--whether financial or strategic, liability or regulatory compliance--are examined together with an eye toward their potential consequences for the ongoing operation.

Information technology underlies many processes and core functions, said Baljit Dail, Chicago-based global chief information officer for Aon Corp. and global chief administrative officer for Aon Consulting. "Clearly any risk in IT has a significant impact on the business," Mr. Dail said.

Two key areas closely linked to IT are disaster recovery and business continuity, which overlap with corporate risk management, according to risk managers and consultants.

Additionally, IT risks potentially raise liability issues in other areas of a company. For that reason, even risk managers not involved in ERM are seeing the need to have at least some involvement in IT security.

That is important given at least six major highly publicized data breaches in the past year.

"IT security can be defined as maintaining the confidentiality, integrity and availability of your company's information assets and ensuring compliance with legal, contractual and regulatory constraints," said Jeff Stolle, director of risk management at Career Education Corp. in Hoffman Estates, Ill., and chair of the Risk & Insurance Management Society Inc.'s Technology Advisory Council.

Mitigation or elimination of IT security exposures command a high priority, particularly at technology-based businesses such as Career Education, which runs online universities, Mr. Stolle said.

While the need for risk managers to participate in IT security is evident given ERM as well as the fallout from public and private sector breaches that gained media attention, the technological aspects must remain with the IT staff.

Just as other areas under the ERM umbrella, the risk manager's role is to identify and assess IT risks, said Carol A. Fox, senior director, risk management and business continuity planning at Convergys Corp., a Cincinnati customer and employment management consultant and service provider. Responsibility for designing and implementing IT risk mitigation efforts belongs to "someone with deep technical knowledge," Ms. Fox said.

Mitigation vs. execution

The roles of risk management and IT security "are different but complementary," said Mr. Dail.

Risk management is much more analytic and strives for proactive mitigation, Mr. Dail said. The IT function is focused on "execution around processes working well, monitoring the network and patches in the right places," he said.

Ms. Fox said risk managers "offer the perspective of a broad spectrum of risks and can assess the consequences to the company." The IT staff, on the other hand, may be focused on compliance.

Similar sentiments were offered by Lori S. Nugent, an attorney and chair of the enterprise risks practice at law firm Cozen O'Connor P.C. in Chicago. "I think risk managers are very good at looking at exposures and allocating them or shifting them," Ms. Nugent said. "IT tends to be about fixing problems.

"All risk managers, even those not involved in enterprise risk (management), should be aware of ERM as a risk identification tool and develop an action plan to contain (IT security) exposures. With the kinds of issues arising in enterprise risk, it's very hard for a technical unit operating alone to fully address the liability and reputational risks that arise," Ms. Nugent said. "The best situation is when IT works with others to address not just the IT structural issues but liability and reputational risks as well."

Risk managers bring to IT security not only different skills but also relationships with specialized resources of which the IT staff may be unaware. For example, said Career Education's Mr. Stolle, risk managers may have relationships with consultants that are focused on risk identification.

Perhaps the most important resource is that risk managers often report to top financial officers and, consequently, can offer visibility to the board and help raise funds for IT security, said Ms. Fox. If a company is practicing ERM, the risk manager has access to the board's risk and audit committees, she said.

John Phelps, chair of RIMS' ERM committee and director of risk management for Blue Cross & Blue Shield of Florida Inc. based in Jacksonville, sits on the insurer's technology incident response team in addition to leading its enterprise operations center, which includes representatives from finance, human resources and other areas of the company. When the incident response team is activated, "I'm sitting there knowing I can pull in any of those resources," he said.

Risk managers say a collaborative relationship with IT staff is possible if both groups stay within their areas of expertise. "There tends to be a good working relationship as long as you're not telling them technically what to do," said Mr. Stolle.

Building a relationship

Ms. Fox suggests risk managers can overcome resistance from IT by developing an understanding of its mission and forging personal relationships based on support. "Even taking (an IT executive) out to lunch and talking it over can help build a foundation." Ask questions, she said, particularly those beginning with "Would it help you if...?"

At BCBSF, Mr. Phelps helped overcome differences in perspective between the risk management and IT departments one year ago by teaching ERM concepts to the IT protection and controls staff. They have "aptly applied" that training, he said.

In the financial services arena, "there's a growing trend in demand for a more holistic view of IT risk management," said Mark Steinhoff, a principal with consultant Deloitte & Touche L.L.P. in New York and leader of the national financial services and security and privacy practice.

Factors driving that trend include demand for increased transparency and accountability related to risk and risk control, he said.

"We believe IT risk management needs to connect with and be integrated into the broader ERM program," said Mr. Steinhoff.

More companies in the financial services arena are "hiring, developing or importing an IT risk management officer" with an IT security background, Mr. Steinhoff said.

While corporate structures differ, it is important "to have an effective mechanism in place to identify the overarching responsibility," Ms. Nugent said.

One responsibility that rests with the risk manager is to monitor vendor contracts within the risk management department, whether it is the information systems vendor, a broker or insurer, said Mr. Stolle. Know the vendor's security policies and review the contract language concerning security, he said.

Whatever corporate structure and risk management approach is in place, "All risk managers should understand their company's relationships with business partners and the ways in which data is maintained, shared and secured," said Mr. Steinhoff.

Risk managers also should know how mobile devices affect exposures, Mr. Dail said.

And, said Mr. Phelps, a risk manager cannot participate in the business continuity processes "without having some knowledge of how things plug together."