Maturity of processes in IT risk management
I have a question. Should process maturity levels determine the effectiveness and efficiency of control, for example, over risks inherent in IT/IS?
As part of your organization's internal control and risk management system, knowing the risks and threats inherent in any process of the organization, including IT and information security, will you take into account the maturity level of the organization and the organization's processes directly when implementing procedures?
For example, you rate the maturity of a random IT process as immature; say, on a scale of 1 to 5, the maturity of the process is rated at approximately 3. Will you implement a measure or control procedure and expect operational effectiveness from it?
Or will you limit yourself to simply implementing the procedure, without expecting it to be performed regularly, without operational efficiency? For example, do something once a year and do it until the next year? Or – implement the procedure, and then the responsibility for its applicability, efficiency, etc. is entirely on the one to whom this procedure was “gifted”?
From my humble observations, very often when managing risks, creating and implementing any control procedures, i.e. procedures aimed at reducing possible risks inherent in IT/IS processes or other business processes of the organization, you can hear – “Our processes are not mature enough…”, “People are not ready…”, etc.
However, many managers forget that after implementation, the implemented procedure must be performed not just once, but proportionately, effectively, regularly and consistently, throughout the entire period of existence of the risk inherent in this area or process, i.e. the risk that such a procedure is designed to reduce or eliminate.
For example, it is hard to imagine that someone will be happy that their expected salary will be deposited into their bank account at different intervals, in different amounts… and sometimes not at all. Moreover, the chief accountant will explain this by the insufficient maturity of the process…
What is your experience in reality or advice to colleagues? Will you implement only the design and put all the responsibility on the process owner or something else, without expecting operational efficiency from the procedure?