For today’s CIOs, there can be little doubt that these are the proverbial “interesting times.” Think about it: we are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, thus increasing our exposure to all forms of IT risk. The fact is, if we don’t get IT risk under control, we put the entire business at risk. That’s why there has never been a better time for taking a comprehensive approach to IT risk management.


The Way We Work Now


It’s no exaggeration to say that IT-driven innovation has become the engine fueling global commerce. That innovation has opened new markets, established new business models and driven incredible gains in productivity. But those successes haven’t come without consequences. We’ve arrived at a critical juncture where we have become almost entirely dependent on IT. And with IT dependence, comes exposure to IT risks.


What kind of risks are we talking about? Symantec’s IT Risk Management Report, published for the first time in February, examined IT risk based on interviews with more than 500 IT executives and professionals worldwide. Among the report’s findings:


  • 62 percent of organizations expect a regulatory breach and major information loss in the next five years.
  • 66 percent of organizations perceive high/critical operational risk in finance and administration.
  • 61 percent of organizations are not highly effective at governance, compliance, and continuous improvement.
  • 24 percent of IT staff time is devoted to addressing business application performance delays.

Generally speaking, organizations today must address four main types of IT risk:


Security. This is the risk that internal or external threats may result in unauthorized access to information. This includes such things as data leakage, data privacy, fraud and endpoint security. It includes broad external threats, such as viruses, as well as more targeted attacks upon specific applications, specific users and specific information - attacks to steal money and to attack the systems that your people are relying on every day.


Availability. This is the risk that information might be inaccessible due to unplanned system outages. You have a responsibility to customers, employees and stakeholders to keep your business running. As a result, you need to reduce the risk of application or data loss or data corruption. And, in case of a disaster, you need to be able to recover in the times required by your business.


Performance. This is the risk that information might be inaccessible due to scalability limitations or throughput bottlenecks. Your business needs to accommodate volume and performance requirements - even during peak times. As a result, you need to proactively identify performance issues before end users or applications are impacted. And, to minimize costs, you need to optimize resources and avoid unnecessary hardware expenditures.


Compliance. This is the risk of violating regulatory mandates or failing to meet internal policy requirements. Your business needs to comply with federal and state regulations, such as Sarbanes-Oxley, ISO 9000 or the British Standards Institute PAS56 framework.


You need to retain information and provide a highly efficient search and discovery engine to find content in emails as required. In addition, you need to ensure that your employees are meeting your own internal best practices and policies to keep your business operating in the most efficient manner.


But it’s also the case that these four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT directors and managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability might impact network performance and create security vulnerabilities if data isn’t encrypted. It’s all connected.


Plus, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, P&G, and Home Depot have even established special board committees whose sole purpose is management of IT risk.


Five Steps to Managing IT Risk


The following five-step process can help organizations assess their levels of IT risk, develop remediation roadmaps, and ultimately build effective, continuous IT risk management programs. The cornerstone of the approach is this belief: When an organization successfully manages IT risk, it is better able to use IT to compete and innovate with confidence.


Step 1: Develop Awareness of IT risks.


IT risk mitigation begins with comprehensive discovery, including:


  • Establishing the program’s scope. (How expansive a view of IT risk is appropriate?)
  • Constructing a risk profile for the organization based on its overall priorities.
  • Identifying key areas of IT risk.

Assessment should also consider the organization’s current requirements, capabilities and vulnerabilities. Finally, this stage involves identifying and classifying threats, issues, vulnerabilities and weaknesses, and assigning each a priority according to risk.


Step 2: Quantify Business Impacts.


Quantifying business impacts is typically the most challenging step – and the most important.Until they have quantified the impact, positive or negative, of addressing an area of IT risk, IT leadership may be unable to attract their colleagues’ attention to it, or the funds needed for mitigation.


The key is to build a case that makes sense in the local currency (i.e., lost revenue or sales, negative brand impact or lost productivity).


Quantification of business impacts typically follows a two-phased approach:


  • Prioritize risks based on potential business impacts according to the organization’s risk profile and the ease or difficulty of risk mitigation, measured in time, staff resources and investment.
  • Build detailed business arguments for only those risks identified as high-impact areas.

Step 3: Design Solution.


At this point, the organization knows the scope and components of its risk management program, its current status, and the priority and quantification of each area of IT risk.


The next step is to design a set of remediation solutions across the classic elements of people, process and technology, each with requirements, specifications, goals and functions.


This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals.


Step 4: Align IT and Business Value; Implement Solution.


Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process and technology, with close involvement of organizational stakeholders, or devolve into local IT projects measured narrowly by software and gear implemented and administrators trained.


Closed-loop measurement and continuous improvement are essential. With a coherent system of metrics and performance management capabilities, organizations set the stage for collection of baseline data, performance tracking and assessment of program effectiveness against the original business case.


Step 5: Build and Manage Unified Capability.


Once implementation of the first wave of IT risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT risk management program.


By adapting their efforts as their experience and effectiveness grow toward maturity, organizations can avoid or overcome the most common implementation challenges, such as guesswork, reactive projects and lack of quantifiable progress.


Today’s organizations are more dependent on IT than ever. As IT dependence increases, however, the potential for an IT failure to disrupt business operations becomes a serious management concern. Organizations must find a way to reduce exposure to IT risks, decrease costs and build greater capacity for IT to drive business innovation.


While there is no magic formula for IT risk management, this process can help organizations marshal their resources effectively to achieve real, lasting improvements in IT risk management, often while reducing IT infrastructure and process complexity and cost.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access