The main goal of the IT strategy committee after establishing stakeholder desired outcomes should be to ensure IT risk alignment with enterprise risk. IT risk alignment means that the IT risk management program is consistent and integrated with the enterprise risk management (ERM) program, and that IT risks are identified, assessed, and treated in relation to the enterprise's objectives, strategies, and risk appetite. IT risk alignment can help the enterprise achieve the following benefits:
Enhance the value delivery of IT to the business
Improve the decision making and prioritization of IT investments and initiatives
Reduce the likelihood and impact of IT-related incidents and losses
Increase the resilience and agility of IT in responding to changes and disruptions
Strengthen the governance and accountability of IT performance and compliance
To ensure IT risk alignment with enterprise risk, the IT strategy committee should perform the following tasks:
Define the scope, objectives, and criteria for IT risk management
Establish the roles and responsibilities for IT risk management
Align the IT risk management framework and processes with the ERM framework and processes
Communicate and collaborate with the ERM function and other stakeholders on IT risk issues
Monitor and review the effectiveness and maturity of IT risk management
The other options are not the main goal of the IT strategy committee after establishing stakeholder desired outcomes. Identifying business data that requires protection, performing a risk analysis on key IT processes, and implementing controls to address high-risk areas are steps within the IT risk management process, but they are not specific to ensuring IT risk alignment with enterprise risk. These steps should be carried out by the IT risk management function or team, under the guidance and oversight of the IT strategy committee.