Risk. It’s a word which makes some break out in a sweat, while others welcome the adrenaline rush. It’s the mirror image of opportunity: the greater the opportunity, the greater the risk.
“Risk minus control equals exposure,” says Everett Johnson, international director of computer assurance services for Deloitte & Touche. “If you have a business objective, you want to anticipate the things that will get in the way. These are risks. Controls are what you can do to deal with them. What is left over is exposure. Part of the art is balancing exposure to risk with the cost of implementing controls.”
Johnson was in New Zealand earlier this month for the launch of a new service by Deloitte Touche Tohmatsu (DTT) — enterprise risk services (ERS), designed to help firms address risk and control issues. The new practice unifies three separate DTT services — computer assurance services, co-sourcing and control consulting.
“Historically, people have approached risk in a disconnected way — a bit at a time,” says Johnson. “At ERS we look at business and IT risks in an integrated fashion. If the CEO understands technology risk and its implications on business risk then it will be a much easier sell for the IT manager to get funding.”
Wellington-based Ian Perry, who heads the new practice, says ERS could eventually grow to the size of DTT’s financial audit division, which comprises at least a third of the company’s business.
“Our aim is to help management understand the full spectrum of risk at the strategy, business process and technology levels. We can provide some solutions on managing and monitoring risk but really it’s about helping them to understand.
“At DTT we have an integrated offering. We’ve taken people from various parts of the practice and pulled them into one organisation that can deal with everything from governance, business process and corporate processing, right through to IT. We deploy the same framework consistently through out the organisation.”