These strategic issues are linked closely to IT risks. You are sure some of the business units (but not all) have nagging availability and access risks that they are not telling you about. Accuracy risk, which is under control within each business unit (or so you're told), is a significant problem now that customers and regulators are demanding accurate enterprisewide information. For example, it was difficult to certify financial reports for Sarbanes-Oxley, and accurate, up-to-date reporting of all activity with individual clients is more than a year away. Furthermore, you're having trouble convincing the top managers that they need to change the way they invest and work with IT. After all, each business unit president feels he gets enough agility from his dedicated IT staff and doesn't want to threaten his own unit's results to improve enterprise IT agility.
These are just the IT risks you can guess. There are surely more that you should know about but don't. You know you need to do something about IT risk -- fast. But where do you start? Do you bring in a consulting firm to rewrite systems? Implement a strong management process to identify and fix every risk? Educate your business unit colleagues on the importance of IT risk and hope they'll change their own organizations?
Our research has defined a straightforward approach that answers these questions. In the simplest terms, IT risk management capability is built on three core disciplines: a foundation, a risk governance process, and risk awareness. The three disciplines work together as a cohesive whole to improve the enterprise's risk profile and keep it under control.
The three disciplines complement the 4A's [Availability, Access, Accuracy, Agility]. Discussing the 4A's sets a direction for the firm's IT risk management capability by specifying a desired risk profile and appropriate risk trade-offs. The three disciplines implement capabilities that shape the IT risk profile to match the enterprise's preferences on the 4A's. Then, closing the loop, the three disciplines provide information for further discussion and decision making at all levels of the enterprise.
Building the three disciplines does more than help the enterprise manage IT risks better. It also gives executives something that is all too often a luxury in a world of ever-increasing IT threats: confidence. You gain confidence that you know what your most important risks are, that you have an effective process to make decisions about those risks, and that managers throughout the organization have the ability to handle those risks effectively. In our study, firms that were more confident in their IT risk management capabilities reported more control over all four IT risks, were significantly less likely to say they were unaware of important IT risks, and enjoyed significantly better relationships between the IT organization and business executives -- all while spending only a fraction more than other firms on IT risk management.
The disciplines are complementary; each addresses different aspects of the 4A's by improving organization, technology, procedures, and behaviors. Together, they cover all the bases -- improving risk management capability and giving business and IT people a language to ensure that IT risks stay under control.
Let's look at each of the three disciplines in more detail.
This excerpt is from Chapter 2, "The Three Core Disciplines of IT Risk Management -- Foundation, Risk Governance Process, Risk Awareness," of the book IT Risk: Turning Business Threats Into Competitive Advantage, by George Westerman and Richard Hunter. The rest of the chapter describes each discipline in detail.
This was first published in May 2009.