Generating Business Value from IT II: Risk Management
Yesterday's post discussed one aspect of optimizing a company's IT investment, namely, choosing a preferred operating model, which in turn determines IT integration and standardization requirements and, therefore, critical IT and business process capabilities. MIT's Center for Information Systems Research (CISR), the source of the research on matching IT to a company's operating model, also pushes for careful attention to IT risk management.
In a 2009 working paper (pdf), George Westerman, a research scientist at CISR, and Richard Hunter, an analyst at Gartner, Inc., offer a straightforward framework for assessing and managing IT risk.
There are two basic components to the framework:
- Categories of IT risk
  - Availability: keeping business processes running
  - Access: providing information to the right people, and keeping it out of the hands of people who shouldn't have it
  - Accuracy: ensuring information is accurate, timely, and complete
  - Agility: making needed business changes with acceptable cost and speed
- Disciplines for managing risk
  - Establishing a sound foundation: a base of infrastructure, applications and supporting personnel that is well-structured, well-managed and, most important of all, no more complex than absolutely necessary.
  - Establishing a sound risk governance process: procedures and policies that provide an enterprise-level view of all IT risks.
  - Establishing a risk-aware culture: making sure that everyone has appropriate knowledge of risk, and that non-threatening discussions about risk are the norm.
The paper also supplies a set of diagnostic questions for executives, organized according to the four categories of IT risk:
Availability
Executive-level questions
- Which of our business processes are most dependent on IT?
- What consequences are likely if the systems are unavailable?
- What is the cost of a particular process being down for an hour? A day?
- What are our procedures to recover from interruption?
Access
Executive-level questions
- What categories of information would be most damaging if released? For example, what is the likely impact of loss or theft of customer data? Product data?
- What categories of information are most important for our firm's daily success or failure?
- How do we control, protect and monitor access to these types of information?
- How can we ensure that the right people get access to this information as needed (and then lose access when done)?
Accuracy
Executive-level questions
- Which processes and categories of information carry the highest consequences for inaccuracy (e.g., inventory information, financial information, etc.)? What would the firm lose if it could not maintain Sarbanes-Oxley certification, for example?
- What constraints has inaccurate or incomplete information placed upon the organization?
- What could the firm do if it had better information in some area? For example, how much would the company save if it had better information on global customers?
- How can we improve the way that we gather or manage these types of information?
- How can we create or obtain valuable new types of information?
Agility
Executive-level questions
- How well does IT currently deliver on new projects, and what does that mean for what the firm is able to do in the future?
- What major strategic changes (new product launches, new geographies, mergers and acquisitions, global cost-cutting, etc.) are foreseeable?
- What opportunity costs are entailed in missing a product launch (or other strategic move) by a month due to IT issues?
- How can managers in IT and business units improve project definition and delivery?
- What processes, skills and supporting systems are needed to support those changes?
- How should the IT foundation change to improve agility?
Labels: Organizational culture, Risk management