Streamline Training & Documentation: Generating Business Value from IT II: Risk Management

Thursday, February 11, 2010

Generating Business Value from IT II: Risk Management

Yesterday's post discussed one aspect of optimizing a company's IT investment, namely, choosing a preferred operating model, which in turn determines IT integration and standardization requirements and, therefore, critical IT and business process capabilities.

MIT's Center for Information Systems Research (CISR), the source of the research on matching IT to a company's operating model, also pushes for careful attention to IT risk management.

In a 2009 working paper (pdf), George Westerman, a research scientist at CISR, and Richard Hunter, an analyst at Gartner, Inc., offer a straightforward framework for assessing and managing IT risk.

There are two basic components to the framework:
  • Categories of IT risk

    • Availability — keeping business processes running

    • Access — providing information to the right people, and keeping it out of the hands of people who shouldn't have it

    • Accuracy — ensuring information is accurate, timely, and complete

    • Agility — making needed business changes with acceptable cost and speed

  • Disciplines for managing risk

    • Establishing a sound foundation — The foundation is a base of infrastructure, applications and supporting personnel, which is well-structured, well-managed and, most important of all, no more complex than absolutely necessary.

    • Establishing a sound risk governance process — I.e., procedures and policies that provide an enterprise-level view of all IT risks.

    • Establishing a risk-aware culture — I.e., making sure that everyone has appropriate knowledge of risk, and that non-threatening discussions about risk are the norm.

Westerman and Hunter provide a list of questions to help managers assess their company's current risk profile. The questions are divided into executive-level and operational-level items. For executives the questions help "convert technical issues into business issues, and IT impacts into business impacts." For operational managers, the questions help in analyzing details of the dimensions and costs of particular risks. Answering the questions ensures that managers at all levels understand "the meaning, potential consequences and relative importance of IT risks."

The questions are organized according to the four categories of IT risk:

Availability

Executive-level questions
  • Which of our business processes are most dependent on IT?

  • What consequences are likely if the systems are unavailable?
Operational-level questions
  • What is the cost of a particular process being down for an hour? A day?

  • What are our procedures to recover from interruption?

Access

Executive-level questions
  • What categories of information would be most damaging if released? For example, what is the likely impact of loss or theft of customer data? Product data?

  • What categories of information are most important for our firm's daily success or failure?
Operational-level questions
  • How do we control, protect and monitor access to these types of information?

  • How can we ensure that the right people get access to this information as needed (and then lose access when done)?

Accuracy

Executive-level questions
  • Which processes and categories of information carry the highest consequences for inaccuracy (e.g., inventory information, financial information, etc.)? What would the firm lose if it could not maintain Sarbanes-Oxley certification, for example?

  • What constraints has inaccurate or incomplete information placed upon the organization?

  • What could the firm do if it had better information in some area? For example, how much would the company save if it had better information on global customers?
Operational-level questions
  • How can we improve the way that we gather or manage these types of information?

  • How can we create or obtain valuable new types of information?

Agility

Executive-level questions
  • How well does IT currently deliver on new projects, and what does that mean for what the firm is able to do in the future?

  • What major strategic changes (new product launches, new geographies, mergers and acquisitions, global cost-cutting, etc.) are foreseeable?

  • What opportunity costs are entailed in missing a product launch (or other strategic move) by a month due to IT issues?
Operational-level questions
  • How can managers in IT and business units improve project definition and delivery?

  • What processes, skills and supporting systems are needed to support those changes?

  • How should the IT foundation change to improve agility?

Once the current risk profile has been identified, using questions such as those above, managers can proceed to implementing the three core disciplines of effective risk management, taking steps that are in line with agreed priorities and previously analyzed tradeoffs.
