Best practices evolving rapidly in India
Published: February 23 2010, 10:42 AM, by Robert Stroud
This week I am at the ISACA Asia Pacific Conference in Mumbai, India, where audit, governance and security professionals are meeting at the sold-out event to share information and knowledge. One of the topics being debated is the survey ISACA released this week, which found that a third of Indian IT professionals believe their organizations should accept larger risks to realize greater returns. The press release also identified the following:
- 34.4% of respondents believe that their own organizations are too risk-averse and may be missing out on opportunities to increase value
- 41.1% identified that ensuring that current functionality is aligned with business needs was the primary reason for risk management programs
- 10% identified that managing costs was a primary driver
- 35.4% of respondents identified increasing awareness among employees as the most important step to improving risk management
These statistics indicate that organizations are realizing that IT risk management is critical to the business, and that it must be incorporated with overall business risk management for the organization to be most successful. They also show that there is significant interest in best practices, including risk management.
Risk management is often seen as a negative term, but risk appetite is a critical component in understanding and linking the business strategy to the IT deliverables. One of the major challenges in the past has been the inability to formally document and accept risk. To support risk, ISACA recently launched the RISK IT Framework, based on COBIT, which complements the COBIT and VALIT guidance developed by ISACA. Additionally, ISACA has announced the new Certified in Risk and Information Systems Control (CRISC) certification, which is intended to recognize a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor, and maintain IS controls to mitigate risk. It is particularly designed for IT professionals who have hands-on experience with risk identification, assessment, and evaluation; risk response; risk monitoring; IS control design and implementation; and IS control monitoring and maintenance.
Tags: security, COBIT, Governance, ISACA, IT, Robert Stroud, CRISC, VALIT, risk management, audit, Risk IT Framework
By: Robert Stroud
Robert Stroud serves as VP and as Service Management, Cloud Computing and Governance Evangelist at CA Technologies. Robert also serves as an International vice president of ISACA, is part of the Framework committee and was the former chair of the COBIT Steering Committee. Robert also serves on the itSMF...