Chapter excerpt: The Three Core Disciplines of IT Risk Management

Chapter excerpt: The Three Core Disciplines of IT Risk Management

The following is an excerpt from the book IT Risk: Turning Business Threats Into Competitive Advantage by George Westerman and Richard Hunter.

    Requires Free Membership to View

    Login

    When you become a member, my editorial team will provide you with expert insight for creating and maintaining a manageable compliance infrastructure.  From targeted tips to webcasts and discussion forums, we have you covered.

    Scot Petersen, Editorial Director, SearchCIO-Midmarket.com

    By submitting your registration information to SearchCompliance.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchCompliance.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Get the book
Buy IT Risk: Turning Business Threats Into Competitive Advantage at Harvard Business Publishing
Imagine that you're the CEO (or CFO or CIO) of a large U.S. financial services company. For twenty years, the firm has grown rapidly through acquisitions and through the entrepreneurial actions of its seven autonomous business units. Now things are changing. Because growth is slowing, your team is shifting strategy from product-line growth to cross-selling, up-selling, and globalizing. Customers and business partners are starting to demand an integrated approach -- asking your fiercely independent business units to look and act like a unified team. Worse, auditors are becoming a problem: your external auditors are paying more attention to IT, your regulators have begun IT-specific audits, and your business partners' auditors are now auditing you, too.

These strategic issues are linked closely to IT risks. You are sure some of the business units (but not all) have nagging availability and access risks that they are not telling you about. Accuracy risk, which is under control within each business unit (or so you're told), is a significant problem now that customers and regulators are demanding accurate enterprisewide information. For example, it was difficult to certify financial reports for Sarbanes-Oxley, and accurate, up-to-date reporting of all activity with individual clients is more than a year away. Furthermore, you're having trouble convincing the top managers that they need to change the way they invest and work with IT. After all, each business unit president feels he gets enough agility from his dedicated IT staff and doesn't want to threaten his own unit's results to improve enterprise IT agility.

These are just the IT risks you can guess. There are surely more that you should know about but don't. You know you need to do something about IT risk -- fast. But where do you start? Do you bring in a consulting firm to rewrite systems? Implement a strong management process to identify and fix every risk? Educate your business unit colleagues on the importance of IT risk and hope they'll change their own organizations?

Our research has defined a straightforward approach that answers these questions. In the simplest terms, IT risk management capability is built on three core disciplines. The three core disciplines work together as a cohesive whole to improve the enterprise's risk profile and keep it under control. They are:

  • A well-structured foundation of IT assets -- an installed technology base of infrastructure and application technologies, and supporting personnel and procedures, that is well understood, well managed, and no more complex than absolutely necessary.

  • A well-designed and executed risk governance process that provides an enterprise-level view of all risks, so that executives can prioritize and invest appropriately in risk management, while enabling lower-level managers to independently manage most risks in their areas.

  • A risk-aware culture in which everyone has appropriate knowledge of risk and in which open, nonthreatening discussions of risk are the norm.

    • Firms that were more confident in their IT risk management capabilities reported more control … and enjoyed significantly better relationships between the IT organization and business executives.
    George Westerman and Richard Hunter
    authorsIT Risk: Turning Business Threats Into Competitive Advantage
    An enterprise that wants to make the most effective use of its scarce resources in managing IT risks must be competent in all three. But in any particular enterprise, some disciplines are an easier sell than others. Accordingly, many risk managers choose a focal discipline as a rallying point for risk management, using it to make the case for change and to improve all three disciplines over time. The choice of focal discipline depends on the enterprise's circumstances -- including factors such as size, industry, and capabilities -- and our research shows that successful IT risk management initiatives can begin with any of the three disciplines.

    The three disciplines complement the 4A's [Availability, Access, Accuracy, Agility]. Discussing the 4A's sets a direction for the firm's IT risk management capability by specifying a desired risk profile and appropriate risk trade-offs. The three disciplines implement capabilities that shape the IT risk profile to match the enterprise's preferences on the 4A's. Then, closing the loop, the three disciplines provide information for further discussion and decision making at all levels of the enterprise.

    Building the three disciplines does more than help the enterprise manage IT risks better. It also gives executives something that is all too often a luxury in a world of ever-increasing IT threats: confidence. You gain confidence that you know what your most important risks are, that you have an effective process to make decisions about those risks, and that managers throughout the organization have the ability to handle those risks effectively. In our study, firms that were more confident in their IT risk management capabilities reported more control over all four IT risks, were significantly less likely to say they were unaware of important IT risks, and enjoyed significantly better relationships between the IT organization and business executives -- all while spending only a fraction more than other firms on IT risk management.

    The disciplines are complementary; each addresses different aspects of the 4A's by improving organization, technology, procedures, and behaviors. Together, they cover all the bases -- improving risk management capability and giving business and IT people a language to ensure that IT risks stay under control.

    Let's look at each of the three disciplines in more detail.

    Read the rest of Chapter 2 to find out more about "The Three Core Disciplines of IT Risk Management -- Foundation, Risk Governance Process, Risk Awareness" -- from the book IT Risk: Turning Business Threats Into Competitive Advantage, by George Westerman and Richard Hunter.


    This was first published in May 2009