Right now, when the average person thinks about “IT risk,” they jump instantly to cyber security risk. But that is only one of the risks IT faces daily. As Jeremy Bergsman notes in an article for InformationWeek, a cyber-attack has never killed a big business, but unheeded operational risks certainly have. He shares three imperatives for managing IT risk better:
- Start focusing on the right risks.
- Formalize management and governance over IT risk.
- Ensure IT staff understand their role in managing and encouraging informed risk-taking.
A Manageable Approach
To focus on the right IT risks, you must first account for how many different types of risk exist. Bergsman places them into seven categories: IT talent (including contractors), IT capacity, reliability and quality, legal and compliance, security and privacy, delivery, and business enablement. If you can detail how risk exists in each of these areas for the business, you will have a foundation for managing them as well.
Once that information is collected, a formal structure must define who will oversee the development of risk management processes. Bergsman elaborates:
… ensure that risk decisions are left to the true owners of risk. Professional risk managers help identify risks and define and manage the process to analyze and treat them. But risk managers should not make risk treatment decisions since they lack the necessary understanding of the business context in which these decisions take place. Decisions made by risk managers are often more risk averse than the company’s risk appetite, which in turn slows productivity, agility and innovation. …
[In order to create accountability], processes must include formal acceptance of accountability for risk decisions. Then they must create management practices (such as reporting and incentives) to reinforce accountability.
IT staff must be made to understand that risk is not something to be eliminated. Risk is like the fat in a chicken breast—some of it is okay and even necessary. That is why it is called risk management and not risk elimination. You must work with your staff to develop a risk appetite appropriate to the level of ambition in the business. This will involve bottom-up training, performance management, and changes to hiring.
You can view the original article here: http://www.informationweek.com/it-risk-its-not-cyber—its-worse/a/d-id/1329175