IT risk management is turning a corner. Just more than half of 2,000 U.S. respondents to a recent ISACA survey of IT professionals reported that improved business performance is the primary driver of IT risk management in their organization. A similar survey in India and Australia/New Zealand reported an even stronger shift to business performance from compliance. By comparison, compliance was identified as the primary driver of risk management by roughly 20% to 28% of respondents, depending on their country.
For IT risk managers, this presents an excellent opportunity to demonstrate more business impact, especially in countries where stress is high due to the economic crisis.
To take advantage of this opportunity, proactive IT risk managers can take the following five steps:
1. Begin with the business. To deliver performance benefits, focus your energy on IT risks as they relate to business objectives.
2. Define a risk evaluation scope. Frame it in terms of business activities that provide offerings to customers, and not in terms of the technology.
3. Search the landscape. Look more broadly for the range of threats to business assets and resources.
4. Make your job easier. Leverage widely adopted methods and techniques to evaluate and respond to risks. Don't reinvent the wheel.
5. Talk the walk. If you are walking with a business focus, make this clear in talking with business leaders. Use business language to clearly express your plans and accomplishments.
Amid the drumbeat of new laws and regulations, and enterprise department names like "compliance and risk," the survey findings are a bit surprising. As strong as compliance pressures are, it is business leaders straining to seize opportunity, not auditors, who are driving the business performance emphasis in IT risk management. Wall Street reports make clear that cost cutting your way to profitability doesn't satisfy investors looking for revenue growth; the Standard & Poor's 500 Index is flat year-to-date. Further, cost cutting adds risk of its own, since the controls and staff removed to save money are often the ones that would have caught a failure.
To expand on the first step, the CEO and chief financial officer's (CFO) focus on growing revenue provides a starting point for the IT risk manager toward becoming an IT business risk manager. Assess the business performance report for your enterprise (or division, depending on your role) and the current IT risk report. Is there a clear link from business performance measures to IT business risk? Performance measures include sales, customer satisfaction, product launch time and success with initiatives such as expansion, acquisition or consolidation.
These are the metrics on which business-line, functional and regional executives are evaluated and paid bonuses. Map these tangible measures to what IT must do to enable them, then determine the IT-related risks to that performance. For example, market share growth might depend on new sales and support channels, which in turn may depend on a mobile customer service application that rests on an entire stack of IT: the application itself, the middleware and servers behind it, the data it reads, and the network and facilities that carry it. A risk anywhere in that stack is a risk to the market share target, and it should be recorded that way.
This dependency analysis, tracing business performance objectives to IT performance and to the IT-related risks that threaten it, is the foundation for the second step. Which risk evaluation scope helps you more: framing risks in technical terms, such as "network" or "data storage," or framing them in terms of the market share growth initiative, so that you can present them to the chief marketing officer, the CFO and the other executives who are highly focused on that initiative's success?
The third step involves scanning for a broader range of threats to the full set of business assets (including the IT stack) used to deliver the business benefit in scope for the risk evaluation. This can be the most difficult shift for IT risk managers who were promoted from managing risk in a single IT silo, such as project management, security, recovery or change management, because each silo tends to see only its own class of threat. Now the manager must evaluate threats from natural, malicious, accidental and business-volume sources against the entire IT stack: applications, middleware, servers, data, storage, network, facilities, and the IT management processes and software tools themselves.
The fourth step: make your life easier. Too many enterprises reinvent the wheel by building their own risk management framework around one set of compliance requirements. When those requirements change, everything that was hard-coded into the framework has to be changed with them. Alternatively, organizations can leverage the range of open industry practices and guidance that professional organizations and standards bodies provide for each of the IT silos, and for the umbrella management of overall IT risk. The best of these are peer reviewed, frequently updated, supported by training and backed by active user communities, so the work of keeping them current is shared rather than carried by one enterprise alone.
And lastly, to reward yourself for all the good work of "walking" the business performance path, remember to "talk" business. As you seek business case approval and report results, phrase your comments in terms of the business objectives, using the mapping from the first step. That same mapping now makes it easier for executives to understand "what this means to me" and to recognize how your efforts will help them grow revenue.
This was first published in August 2010