Build a Business-Driven IT Risk Management Program

Hope is not a risk management strategy.

Your Challenge

  • Risk is an unavoidable part of IT. And what you don't know can hurt you. The question is, do you tackle risk head-on or leave it to chance?
  • Get a handle on risk management quickly using Info-Tech's methodology and reduce unfortunate IT surprises.

Our Advice

Critical Insight

1. IT risk is business risk.

Every IT risk has business implications. Create an IT risk management program that shares risk accountability with the business.

2. Risk is money.

It’s impossible to make intelligent decisions about risks without knowing what they’re worth.

3. You don’t know what you don’t know.

And what you don’t know can hurt you – so find out. To find hidden risks, you need a structured approach. 

Impact and Result

  • Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%.
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they happen.
  • Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
  • Share accountability for IT risk with business stakeholders and have them weigh in on prioritizing investments in risk response activities.

Build a Business-Driven IT Risk Management Program

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should build a business-driven IT risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

1. Review IT risk fundamentals and governance

Assess the current maturity of IT risk management, identify key stakeholders, and establish a governance framework.

3. Monitor, communicate, and respond to IT risk

Establish monitoring responsibilities, identify risk responses, and communicate priorities to the business.

Onsite Workshop

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Establish a Risk Governance Framework and Identify IT Risks

The Purpose

  • To assess current risk management maturity, develop goals, and establish IT risk governance.

Key Benefits Achieved

  • Identified obstacles to effective IT risk management.
  • Established attainable goals to increase maturity.
  • Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.

Activities and Outputs

1.1 Assess current program maturity.
  • Maturity Assessment

1.2 Create a stakeholder map.
  • Stakeholder Map

1.3 Complete RACI chart.
  • Risk Management Program Manual

1.4 Identify and engage key stakeholders.

1.5 Add organization-specific risk scenarios.

1.6 Identify risk events.

Module 2: Identify, Assess, and Prioritize IT Risks

The Purpose

  • To identify and assess all IT risks.

Key Benefits Achieved

  • Created a comprehensive list of all IT risk events.
  • Risk events prioritized according to risk severity, as defined by the business.

Activities and Outputs

2.1 Identify risk events (continued).
  • Finalized list of IT risk events

2.2 Augment risk event list using COBIT 5 processes.

2.3 Determine the threshold for (un)acceptable risk.
  • Risk Register
  • Risk Management Program Manual

2.4 Create impact and probability scales.

2.5 Select a technique to measure reputational cost.

2.6 Risk severity level assessment.

Module 3: Assess, Prioritize, and Monitor IT Risks and Develop Risk Responses

The Purpose

  • To prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.

Key Benefits Achieved

  • Risk monitoring responsibilities are established.
  • Risk response strategies have been identified for all key risks.

Activities and Outputs

3.1 Risk severity level assessment.
  • Risk Register

3.2 Document the proximity of the risk event.

3.3 Expected cost assessment.

3.4 Develop key risk indicators (KRIs) and escalation protocols.
  • Risk Event Action Plans

3.5 Root cause analysis.

3.6 Identify and assess risk responses.

Module 4: Monitor IT Risks, Develop Risk Responses, and Communicate IT Risk Priorities

The Purpose

  • Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.

Key Benefits Achieved

  • Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
  • Authoritative risk response recommendations can be made to senior leadership.
  • A finalized Risk Management Program Manual is ready for distribution to key stakeholders. 

Activities and Outputs

4.1 Identify and assess risk responses.

4.2 Risk response cost-benefit analysis.
  • Risk Report

4.3 Create multi-year cost projections.

4.4 Review techniques for embedding risk management in IT.

4.5 Finalize the Risk Report and Risk Management Program Manual.
  • Risk Management Program Manual

4.6 Transfer ownership of risk responses to project managers.

Member Testimonials

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client: Basin Electric Power Cooperative
$ Saved: N/A
Days Saved: N/A
Testimonial: Sumit and Alan were excellent to work with and facilitated the project very well.

Client: Modesto Irrigation District
$ Saved: $459K
Days Saved: 60
Testimonial: The facilitator was able to directly relate to everyone in the room. He was right on track with both executive and technical participants. The breadth of information that we worked through in the IT Security & Risk Management Workshop was really good because it focused on the executive first. We wanted to concentrate on the business aspects, and it was expertly handled. By the first full day, our IT technical staff was totally engaged. I had people stopping me in the halls saying, "We really needed to do this, this is excellent." They couldn't wait to come back the next day.

Client scores, listed in the order: Facilitator(s) effectiveness / INFO & materials effectiveness / Overall experience / Understanding of next steps

Portage College: 8.0 / 8.0 / 8.0 / 8.0

Cadillac Fairview: 8.5 / 8.5 / 8.5 / 8.0

Paysafe: 10.0 / 8.0 / 8.0 / 9.0

Global Partners LP: 10.0 / 8.0 / 9.0 / 8.0

DRS Technologies Inc.: 10.0 / 10.0 / 10.0 / 9.0

Congressional Federal Credit Union: 9.5 / 9.0 / 10.0 (fourth score not present on the page)
Testimonial: The workshop gave us that reinforcement, that peace of mind. It was exceptional, intensive, but very beneficial. I'd highly recommend it for an organization that has never done it.