The transformation of IT risk management in the energy industry

Blog Post created by lyndie.dragomir on Feb 19, 2016

Information Technology (IT) has enabled energy companies to enhance operations through solutions that provide, among other capabilities, near real-time visibility, data-driven analysis and decision making, and mobility. While these advances have supported and informed a shift in business models across the value chain, they also increase exposures and require improved IT risk management (ITRM) processes.


Highlights from the KPMG report include the following:

• Energy companies face increasing IT risk complexities and regulatory challenges, calling for strategic investment in end-to-end ITRM operating models.

• An energy company’s ITRM function must address a prioritized IT risk profile and better integrate with IT operations in order to stay ahead of the evolving risk curve.

• A robust ITRM function manages and optimizes related processes and tools with a goal of improving risk awareness, operations effectiveness, and financial efficiency.

• Energy companies should establish their overall risk appetite, evaluate the risk inventory on a continual basis, and accordingly tune related strategies to throttle the amount of risk that will or will not be taken.

• Energy companies should involve business and IT leadership in defining a line-of-defense model that integrates the risk functions, so that they can adjust risk appetite over time, maintain the “control blanket,” and share risk information for timely responses and lasting operating model enhancements.

• Now is the time for energy companies to design and operate end-to-end, sustainable ITRM operations that enhance business prospects and are scaled to a company’s risk appetite.




About the authors

Joshua Galvan is a principal with KPMG in the US leading efforts in KPMG's Emerging Technology Risk practice.

Chris McDonald is a director with KPMG in the US and assists clients in establishing and improving their IT operational processes, IT internal controls, and IT governance structures.