The Three Core Disciplines of IT Risk Management

26 September 2007, George Westerman

IT risk management is of growing importance in today's business culture. George Westerman and Richard Hunter outline some of the strategies that can help your company keep ahead of the game.

Imagine that you're the CEO (or CFO or CIO) of a large financial services company. For 20 years, the firm has grown rapidly through acquisitions and through the entrepreneurial actions of its seven autonomous business units. Now things are changing.

Because growth is slowing, your team is shifting strategy from product-line growth to cross-selling, up-selling and globalising. Customers and business partners are starting to demand an integrated approach – asking your fiercely independent business units to look and act like a unified team.

"Firms that are more confident in their IT risk management capabilities report more control over all IT risks."

Worse, auditors are becoming a problem: your external auditors are paying more attention to IT, your regulators have begun IT-specific audits, and your business partners' auditors are now auditing you too.

REALISING THE RISK

These strategic issues are linked closely to IT risks. You are sure some of the business units (but not all) have nagging availability and access risks that they are not telling you about. Accuracy risk, which is under control within each business unit (or so you're told), is a significant problem now that customers and regulators are demanding accurate enterprise-wide information.

Furthermore, you're having trouble convincing the top managers that they need to change the way they invest and work with IT. After all, each business unit president feels he gets enough agility from his dedicated IT staff and doesn't want to threaten his own unit's results to improve enterprise IT agility. These are just the IT risks you can guess. There are surely more that you should know about but don't.

You know you need to do something about IT risk – fast. But where do you start? Do you bring in a consulting firm to rewrite systems? Implement a strong management process to identify and fix every risk? Educate your business unit colleagues on the importance of IT risk and hope they'll change their own organisations?

IT RISK MANAGEMENT CAPABILITY

Our research has defined a straightforward approach that answers these questions. In the simplest terms, IT risk management capability is built on three core disciplines. The three core disciplines work together as a cohesive whole to improve the enterprise's risk profile and keep it under control. They are:

1) Foundation: a well-structured foundation of IT assets, an installed technology base of infrastructure and application technologies, and supporting personnel and procedures, that is well understood, well managed and no more complex than absolutely necessary.

2) Process: a well-designed and executed risk governance process that provides an enterprise-level view of all risks, so that executives can prioritise and invest appropriately in risk management, while enabling lower-level managers to independently manage most risks in their areas.

3) Awareness: a risk-aware culture in which everyone has appropriate knowledge of risk and in which open, non-threatening discussions of risk are the norm.

DISCIPLINE FOCUS

An enterprise that wants to make the most effective use of its scarce resources in managing IT risks must be competent in all three. But in any particular enterprise, some disciplines are an easier sell than others. Accordingly, many risk managers choose a focal discipline as a rallying point for risk management, using it to make the case for change and to improve all three disciplines over time.

The choice of focal discipline depends on the enterprise's circumstances – including factors such as size, industry and capabilities – and our research shows that successful IT risk management initiatives can begin with any of the three disciplines.

Building the three disciplines does more than help the enterprise manage IT risks better. It also gives executives something that is all too often a luxury in a world of ever-increasing IT threats: confidence.

You gain confidence that you know what your most important risks are, that you have an effective process to make decisions about those risks, and that managers throughout the organisation have the ability to handle those risks effectively. In our study, firms that were more confident in their IT risk management capabilities reported more control over all IT risks, and enjoyed significantly better relationships between the IT organisation and business executives – all while spending only a fraction more than other firms on IT risk management.

THE THREE DISCIPLINES

Imagine the three disciplines as a triangle composed of three equal segments. The disciplines are complementary, improving organisation, technology, procedures and behaviours. Together, they cover all the bases – improving risk management capability and giving business and IT people a shared language to ensure that IT risks stay under control.

The foundation is the collection of IT assets, procedures, and people that support and enable business processes and decision making. Bringing the foundation to a competent level – knowing what is in the foundation and ensuring that it is managed well – is essential for all enterprises. Many enterprises then work to make the foundation excellent by ensuring that it is only as complex as absolutely necessary.

Risk governance is the set of processes, policies and structures that provide an enterprise-level view of all risks, so that executives can prioritise and invest appropriately in risk management, while it enables lower-level managers to independently manage most risks in their areas.

The risk-awareness discipline builds an enterprise in which everyone, at every level, is aware of risk, discusses risk and takes a personal responsibility for managing it. Risk-aware firms are characterised by a deep expertise in particular aspects of IT risk, which is typically held and used by specialists. They also build a generalised awareness throughout the enterprise of the nature and consequences of risky behaviour, and encourage a culture in which risk is discussed and managed openly.

"IT risk management capability is built on three core disciplines: foundation, process and awareness."

All three disciplines are necessary, but few enterprises give equal emphasis to all of them. Once dangerous conditions in the foundation are fixed, an enterprise can focus on the discipline that makes the most sense for the business. With that discipline as the driver, all three can be evolved into a stable, cohesive, comprehensive capability.

Our research shows that most firms make either awareness or risk governance the focus of their programmes, though there are good reasons to tackle the foundation first. Whatever the focus, the goal is to embed risk management into the fabric of the enterprise. Effective risk management is achieved when risk management is part of the way that the enterprise does business – procedurally, technologically, organisationally and behaviourally.

Reproduced by permission of Harvard Business School Press. Edited excerpt from IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. Copyright 2007. All rights reserved.