Full Disclosure

Eric Krell GOVERNANCE, RISK & COMPLIANCE: GRC expert Eric Krell supplies the Business Finance community...

The Partly Sunny State of IT Risk Management

A new OpenPages survey shows that IT risk management practices are moving in a promising direction.


The survey contains several results that strike me as pleasant surprises … along with a couple of results that point to trouble spots.


First, the happy news: 66 percent of respondents report that their employees can speak openly about IT risk. You can’t manage risk if you don’t measure it, and you can’t measure it if you don’t discuss it. This is a promising step, considering how complicated it can be to discuss IT risk outside the IT department.


Some 80 percent of respondents indicate that their IT environment is well-maintained and that they have a business continuity plan in place. (If you are among the ill-prepared 20 percent, see the guidance on page two of this report.)


More than half of respondents say that they have a formal process in place for evaluating potential exceptions to IT policy, and more than 40 percent have guidelines to help individuals assess the magnitude of risks in a consistent way. These are crucial steps, and I’m encouraged that both figures are this high.


That said, there is plenty of work to be done: Less than half of the responding companies are taking active steps to build or maintain a risk-aware culture.


This is more troubling for finance chiefs: Only 2 percent of respondents indicate that their CFOs are ultimately responsible for IT risk management. While it may be fine for the CIO or a chief risk officer to formally assume the responsibility, CFOs need to maintain a high-level awareness of the state of IT risk management in their organizations. After all, CFOs and CEOs are the ultimate stewards of business assurance.
