The Role of Ethics in Risk Management

The Role of Ethics in Risk Management
Author: Rajesh Srivastava, CISA, CGEIT, CRISC, PMP
Date Published: 19 August 2019

Most people are aware of and talking about risk management. However, barring a handful of high-profile and sophisticated IT organizations, for most enterprises, it is more talk vs. the actual implementation of risk management practices. It is a no-brainer that everything in IT should have active risk management practice embedded into it. When done correctly, it ensures service quality and lowers the risk of outages. While authoring my recent ISACA Journal article, “Rethinking Risk: A New Ethics of Enterprise IT,” I conducted an Internet search of “Ethics in IT” to see if it is an issue and to learn whether ethics issues in IT are reported. I only got a few hits and realized that it appears that ethical behavior in IT is neither measured nor reported, except that the “people” factor kept popping up, especially in terms such as “people are our most important asset” and “our people innovate and are best.” However, in my opinion, people are unpredictable and susceptible to political-management pressures, and us-vs.-them and an I/we-have-the-best-solution mind-sets. All these factors do not go well with the overall purpose of IT and are detrimental to our dependency on IT services, which are embedded into our lives. Therefore, there is a need for ethical behavior of IT professionals, and it should be part of overall governance and risk management practices. Also, in my personal observation, people follow processes out of fear or fear of non-compliance, and there might be an opportunity for them to believe in the process or control vs. seeing it as a nuisance.

Depending on which industry one is in, a service issue can be as catastrophic as loss of business to loss of lives. Whenever a catastrophic  event occurs, organization go through lessons learned and perhaps find a technology fix but rarely ever fix behavior.

It would be beneficial if management/consultants/auditors started observing trends in behavior. In my opinion, the only way this can happen is by having an unbiased view of how things are being done. This unbiased view should be insulated from departmental politics and management/executive pressure. I would encourage open dialogue when it comes to ethical behavior risk to processes such as change management, incident management, problem management and architectural-design decisions, not to mention my favorite, bending to vendor/technology pressures. I know this is easier said than done unless management is willing to change itself—hence this process must start at the Risk IT principle “Establish Tone at the Top and Accountability."

Read Rajesh Srivastava's recent Journal article:

Rethinking Risk: A New Ethics of Enterprise IT," ISACA Journal, volume 4, 2019.