- Published: 22 March 2010
- Written by NStinchcombe
London, 23rd March 2010: Research conducted across Europe, the Middle East and Africa (EMEA) by ISACA, a non-profit association of 86,000 global information technology professionals, has found that a quarter of enterprises that already use cloud computing believe that the risks outweigh the benefits (a fifth in the UK), yet still carry on regardless. This perhaps recognises the relative immaturity of cloud computing usage and the uncertainty of the balance between risk and reward. Of the more than 1,500 professionals sampled across more than 50 EMEA countries, 33% already use cloud computing (40% in the UK).
According to ISACA’s survey, the IT Risk/Reward Barometer, EMEA, with regard to future use of cloud computing:
• 9.4% of respondents (8.9% in the UK) plan to use cloud computing for mission-critical IT services;
• 8.8% (9.6% UK) will only use the cloud for low-risk, non-mission-critical IT services;
• 35.6% (31.8% UK) do not plan to use the cloud for any IT services;
• 17.9% (23.6%) have not formalised their plans;
• 28.2% (26.1%) were not aware of any plans for cloud computing.
The survey found that nearly two thirds (63%) of organisations claimed they are willing to take IT-related business risks in anticipation of a return for the business (64.3% UK) and 12.1% would take large risks to maximise business return.
When asked about integrating IT risk management with the organisation’s overall approach to risk management:
• 4.8% admitted they do so without a formal approach to business risk management (3.2% UK);
• 22.2% said they did not effectively integrate IT risk management with their overall approach to risk management (22% UK);
• 24% said they are very effective at managing risk (20% UK);
• 48.7% reported being somewhat effective (54% UK).
ISACA acknowledges that to get ahead in business, there must be an element of risk, but warns it mustn’t be at any price.
Paul Williams, ISACA Strategy Chair and IT governance adviser to Protiviti, advised, “Every day we take calculated risks. Organisations need an integrated risk management approach to identify, assess and prioritise risks, so that they only take appropriate gambles with acceptable consequences or level of reward. Enterprises must never crash and burn because the risk was ignored or misjudged.”
In additional findings from the study, 61% of UK organisations reported that they believe the biggest risk employees pose to their organisations is failing to protect confidential data – although this is slightly lower elsewhere in EMEA, at 58%. In addition, the UK and EMEA both rate an employee’s use of non-approved software or online services second at 32% and 36%, respectively. An employee checking personal e-mail or visiting social networking sites from a work device is considered low risk by 46% of UK IT professionals (42% in EMEA). More than half the organisations questioned (56%) across EMEA believe that investments in IT services are not utilised to their full benefit.
Budget limits are an organisation’s greatest hurdle when addressing IT-related business risk, say 34.2% (31.2% in the UK), followed by business lines that are not willing to fully engage in risk management – 28% in the UK and 24.2% in EMEA. Where the UK and EMEA disagree is on the most important action an organisation can take to improve IT risk management – UK organisations place emphasis on improved coordination between IT risk management and overall enterprise risk management at 32.5% (29.4% in EMEA), whereas 31.5% in EMEA recommend an increase in risk awareness among employees (28% in the UK).
At ISACA’s EuroCACS Conference, held 21-24 March 2010 at the Kempinski Hotel Corvinus, Budapest, Hungary, risk management and cloud computing were just two of the many topics covered. Speakers included Rolf von Roessing, Vice President of ISACA, who identified key technical and organisational challenges associated with cloud computing, and Urs Fischer, CISA, chair of ISACA’s Risk IT Task Force, who explained how ISACA’s Risk IT framework can help organisations align IT risk management with business risk management.
About the ISACA IT Risk/Reward Barometer, EMEA
The ISACA IT Risk/Reward Barometer survey is based on online polling in March 2010 of 1,529 IT professionals who are ISACA members in Europe, the Middle East and Africa. Responses were received from more than 53 countries. The majority of respondents work in the areas of finance/banking/insurance (30.4%) and technology services/consulting (24.2%). The study was designed to capture insights about how organisations address and manage risk.
END
About ISACA:
With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA offers the Business Model for Information Security (BMIS) and the IT Assurance Framework (ITAF). It also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.