In a 2004 survey of 200 IT professionals from the Americas, Asia/Pacific and Europe, the IT Governance Institute found that in 80% of organizations, IT management is solely responsible for defining and addressing IT risk impact. This widespread lack of involvement by business unit managers demonstrates a consistent—and alarming—gap in mapping technology risk to the business.
This gap shows that most organizations have inadequate IT risk assessment processes across their enterprises. After all, the consumers themselves—those people that require and use technology services—must share ownership of business-related IT risks with IT management and executive management.
Read this white paper from Computer Associates for the recommendations of the IT Governance Institute.