Build a Business-Driven IT Risk Management Program
Hope is not a risk management strategy.
- Risk is an unavoidable part of IT, and what you don't know can hurt you. The question is, do you tackle risk head-on or leave it to chance?
- Get a handle on risk management quickly using Info-Tech's methodology and reduce unfortunate IT surprises.
1. IT risk is business risk.
Every IT risk has business implications. Create an IT risk management program that shares risk accountability with the business.
2. Risk is money.
It’s impossible to make intelligent decisions about risks without knowing what they’re worth.
3. You don’t know what you don’t know.
And what you don’t know can hurt you – so find out. To find hidden risks, you need a structured approach.
Impact and Result
- Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%.
- Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they happen.
- Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
- Share accountability for IT risk with business stakeholders and have them weigh in on prioritizing investments in risk response activities.
- Sterling Bjorndahl, Director of IT Operations, eHealth Saskatchewan
- Ken Piddington, CIO and Executive Advisor, MRE Consulting
- Tamara Dwarika, Internal Auditor
- Michael Fossé, Consulting Services Manager, IBM Canada (LGS)
- Steve Woodward, CEO, Cloud Perspectives
- Anne Leroux, Director, ES Computer Training
- Additional interviews were conducted but are not listed due to privacy and confidentiality requirements.
Get the Complete Storyboard
See how all the steps you need to take come together, with tools and advice to help with each task on your list.
Get to Action
Start here – read the Executive Brief
Read our concise Executive Brief to find out why you should build a business-driven IT risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.
Review IT risk fundamentals and governance
Assess the current maturity of IT risk management, identify key stakeholders, and establish a governance framework.
Identify and assess IT risk
Identify and assess all of IT’s risks.
Monitor, communicate, and respond to IT risk
Establish monitoring responsibilities, identify risk responses, and communicate priorities to the business.
Module 1: Establish a Risk Governance Framework and Identify IT Risks
- To assess current risk management maturity, develop goals, and establish IT risk governance.
Key Benefits Achieved
- Identified obstacles to effective IT risk management.
- Established attainable goals to increase maturity.
- Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
| Step | Activity |
|---|---|
| 1.1 | Assess current program maturity. |
| 1.2 | Create a stakeholder map. |
| 1.3 | Complete RACI chart. |
| 1.4 | Identify and engage key stakeholders. |
| 1.5 | Add organization-specific risk scenarios. |
| 1.6 | Identify risk events. |
Module 2: Identify, Assess, and Prioritize IT Risks
- To identify and assess all IT risks.
Key Benefits Achieved
- Created a comprehensive list of all IT risk events.
- Risk events prioritized according to risk severity – as defined by the business.
| Step | Activity |
|---|---|
| 2.1 | Identify risk events (continued). |
| 2.2 | Augment risk event list using COBIT 5 processes. |
| 2.3 | Determine the threshold for (un)acceptable risk. |
| 2.4 | Create impact and probability scales. |
| 2.5 | Select a technique to measure reputational cost. |
| 2.6 | Risk severity level assessment. |
Module 3: Assess, Prioritize, and Monitor IT Risks and Develop Risk Responses
- To prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Key Benefits Achieved
- Risk monitoring responsibilities are established.
- Risk response strategies have been identified for all key risks.
| Step | Activity |
|---|---|
| 3.1 | Risk severity level assessment. |
| 3.2 | Document the proximity of the risk event. |
| 3.3 | Expected cost assessment. |
| 3.4 | Develop key risk indicators (KRIs) and escalation protocols. |
| 3.5 | Root cause analysis. |
| 3.6 | Identify and assess risk responses. |
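The Module 2 steps (threshold for unacceptable risk, impact and probability scales, reputational cost, severity assessment) and the Module 3 steps (severity, proximity, expected cost, KRIs and escalation) are the quantitative core of a risk register. The following is an added illustration, not Info-Tech's IT Risk Profile Tool or any code from the blueprint: it assumes 1-5 ordinal scales, a business-set severity threshold of 12, a fixed monetary estimate as the reputational-cost technique, and an annual likelihood per probability level. All scale values, the threshold and the sample register are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed 1-5 ordinal scales. Assumption: the blueprint's own scales are not
# on the page, so these values are illustrative only.
IMPACT_LABELS = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
# Maps a probability level to an assumed annual likelihood used for expected cost.
PROBABILITY_LEVELS = {1: 0.05, 2: 0.15, 3: 0.35, 4: 0.60, 5: 0.85}
# Assumption: the business has set severity >= 12 (on a 1-25 scale) as unacceptable.
UNACCEPTABLE_SEVERITY = 12


@dataclass
class RiskEvent:
    name: str
    impact: int                            # 1-5 business impact level
    probability: int                       # 1-5 likelihood level
    direct_cost: float                     # estimated cost if the event occurs
    reputational_cost: float = 0.0         # chosen technique: fixed monetary estimate
    proximity_days: Optional[int] = None   # how soon the event could plausibly occur
    kri_value: Optional[float] = None      # current key risk indicator reading
    kri_threshold: Optional[float] = None  # escalation trigger for that KRI

    def __post_init__(self) -> None:
        # Reject entries that fall outside the agreed scales before they skew the register.
        if self.impact not in IMPACT_LABELS or self.probability not in PROBABILITY_LEVELS:
            raise ValueError(f"{self.name}: impact and probability must be 1-5")


def severity(event: RiskEvent) -> int:
    """Risk severity level: impact level x probability level (1-25)."""
    return event.impact * event.probability


def is_acceptable(event: RiskEvent, threshold: int = UNACCEPTABLE_SEVERITY) -> bool:
    """Below the business-defined threshold the risk is tolerated as-is."""
    return severity(event) < threshold


def expected_cost(event: RiskEvent) -> float:
    """Annual expected cost: assumed likelihood x (direct + reputational cost)."""
    return PROBABILITY_LEVELS[event.probability] * (event.direct_cost + event.reputational_cost)


def kri_breached(event: RiskEvent) -> bool:
    """True when the KRI reading has reached its escalation threshold."""
    if event.kri_value is None or event.kri_threshold is None:
        return False
    return event.kri_value >= event.kri_threshold


def prioritize(events: List[RiskEvent]) -> List[RiskEvent]:
    """Order the register: highest severity first, expected cost as tie-breaker."""
    return sorted(events, key=lambda e: (severity(e), expected_cost(e)), reverse=True)


def escalations(events: List[RiskEvent]) -> List[str]:
    """Names of events needing escalation: unacceptable severity or a breached KRI."""
    return [e.name for e in events if not is_acceptable(e) or kri_breached(e)]


# Constructed sample register (not data from the page).
SAMPLE_REGISTER = [
    RiskEvent("Unpatched internet-facing server compromised", 5, 3, 400_000, 250_000,
              proximity_days=90, kri_value=14, kri_threshold=10),  # KRI: servers past patch SLA
    RiskEvent("Backup restore fails during outage", 4, 2, 120_000,
              proximity_days=180, kri_value=1, kri_threshold=3),   # KRI: failed restore tests
    RiskEvent("Key vendor contract lapses", 2, 4, 30_000, 10_000, proximity_days=60),
    RiskEvent("Data centre cooling failure", 3, 1, 50_000, proximity_days=365),
]

if __name__ == "__main__":
    flagged = set(escalations(SAMPLE_REGISTER))
    for e in prioritize(SAMPLE_REGISTER):
        status = "ESCALATE" if e.name in flagged else "monitor"
        print(f"{severity(e):>2} {expected_cost(e):>10,.0f} {status:8} {e.name}")
```

Severity drives the ranking that goes to the business, while expected cost is what makes a later cost-benefit comparison of responses possible; keeping the two separate avoids a low-likelihood, high-impact event being hidden by a cheap but frequent one. The KRI check is what turns the register from a point-in-time assessment into something that is monitored between reviews.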
Module 4: Monitor IT Risks, Develop Risk Responses, and Communicate IT Risk Priorities
- To assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Key Benefits Achieved
- Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
- Authoritative risk response recommendations can be made to senior leadership.
- A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
| Step | Activity |
|---|---|
| 4.1 | Identify and assess risk responses. |
| 4.2 | Risk response cost-benefit analysis. |
| 4.3 | Create multi-year cost projections. |
| 4.4 | Review techniques for embedding risk management in IT. |
| 4.5 | Finalize the Risk Report and Risk Management Program Manual. |
| 4.6 | Transfer ownership of risk responses to project managers. |
Case Studies and Deliverables
A small university in the American Midwest needed to introduce its IT stakeholders to key risk concepts as part of a new, broader IT governance mission. By gaining a realistic and shared understanding of what risk really means, the IT department was able to build its internal brand as risk experts and start working on risk management initiatives quickly, saving substantial time.
A 20-person IT department in a mid-sized regional grocery retailer received a mandate from its Board of Directors to reapproach and increase its risk management activities. Using Info-Tech’s workshop and featured IT Risk Profile Tool, the grocery retailer was able to identify key areas of risk – Security & Compliance, and IT Governance & Operations – and develop a detailed plan to tackle risk mitigation.
An Asian-headquartered chemical manufacturing organization with an 80-year history and facilities in over 20 countries wanted to assess IT risks for its operations in the Americas. The company's American IT team participated in an Info-Tech workshop with the specific goals of becoming more knowledgeable about IT risk management, identifying key issues, planning actions to reduce priority risks, and communicating more effectively about IT risk issues with executive leadership.
Search Code: 58873
Published: June 28, 2013
Last Revised: March 29, 2016