Understanding and proactively managing IT risks is a key component of IT Governance. Effective risk management provides senior executives with the visibility needed to make critical business decisions regarding IT investments and the information necessary to determine how IT impacts the business. Risk management does not involve only identifying the negative impacts that IT might have on the business. Assessing IT risks produces the added benefit of identifying positive ways to align IT resources across the enterprise to increase productivity, reduce costs and improve business processes.
Understanding the impact of IT investments and risks can be challenging for some senior executives and business leaders. However, as technology becomes increasingly more complex and organizations adapt to changing regulations regarding information security, customer privacy and breach notifications, the responsibility for responding to these challenges and developing risk mitigation strategies cannot rest solely in the CIO?s office. Management of IT risk is not solely a CIO responsibility.
For IT governance to be effective, senior management should review and approve the risk action plan, agree to priorities and commit the necessary resources to execute the plan effectively. Ultimately it is the business?the user of IT services?that must own business-related risks, including those related to use of IT. The business should set the mandate for risk management, provide the resources and funding to support a risk management plan designed to protect business interests, and monitor whether risks are being managed. – IT Governance Institute
According to a 2002 global study conducted by ITGI, in 80% of the organizations surveyed, IT management, rather than the business, was responsible for defining IT risk impact (business units were responsible in only 37 percent of the responding organizations, reflecting a lack of proper involvement in the risk assessment process by the business process owners).
When performed as part of an ongoing and effective IT Governance process, IT risk management should:
- be a regular topic of meaningful discussion on the senior executive/board agenda
- include senior executive review of major IT investments to ensure that they are aligned with the organization?s business objectives
- involve leadership from business units, general counsel, auditors, and security as well as IT
- include periodic assessments to determine vulnerabilities, threats, potential impacts and probability of occurrence
- provide visibility into the progress of major IT project
In my next post, I’ll take a look at a few common risks and discuss what business leaders have to say about them.