Contributors
- Sterling Bjorndahl, Director of IT Operations, eHealth Saskatchewan
- Ken Piddington, CIO and Executive Advisor, MRE Consulting
- Tamara Dwarika, Internal Auditor
- Michael Fossé, Consulting Services Manager, IBM Canada (LGS)
- Steve Woodward, CEO, Cloud Perspectives
- Anne Leroux, Director, ES Computer Training
- Additional interviews were conducted but are not listed due to privacy and confidentiality requirements.
Your Challenge
- Risk is an unavoidable part of IT. And what you don't know can hurt you. The question is, do you tackle risk head-on or leave it to chance?
- Get a handle on risk management quickly using Info-Tech's methodology and reduce unfortunate IT surprises.
Our Advice
Critical Insight
1. IT risk is business risk.
Every IT risk has business implications. Create an IT risk management program that shares risk accountability with the business.
2. Risk is money.
It’s impossible to make intelligent decisions about risks without knowing what they’re worth.
3. You don’t know what you don’t know.
And what you don’t know can hurt you – so find out. To find hidden risks, you need a structured approach.
Impact and Result
- Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%.
- Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they happen.
- Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
- Share accountability for IT risk with business stakeholders and have them weigh in on prioritizing investments in risk response activities.
Guided Implementations
This guided implementation is an eight-call advisory process.
Guided Implementation #1 - Review IT risk fundamentals and governance
Call #1 - Assess current maturity and set risk management program goals.
Call #2 - Engage stakeholders and establish an IT risk council.
Guided Implementation #2 - Identify and assess IT risk
Call #1 - Understand risk categories, scenarios, and identification methodologies.
Call #2 - Review identified risks and establish assessment thresholds and scales.
Call #3 - Prepare for risk assessment by selecting tools and methodologies.
Guided Implementation #3 - Monitor, communicate, and respond to IT risk
Call #1 - Prioritize assessed risks and set up monitoring responsibilities.
Call #2 - Identify and assess risk response actions.
Call #3 - Communicate risk priorities to the business.

Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
An active membership is required to access Info-Tech Academy.
Risk Management
"Hope" is not a risk management strategy.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Risk Management
- Number of Course Modules: 4
- Estimated Time to Complete: 2-2.5 hours
- Featured Analysts:
  - David Yackness, Sr. Research Director, CIO Practice
  - Gord Harrison, SVP of Research and Advisory
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Establish a Risk Governance Framework and Identify IT Risks
The Purpose
- To assess current risk management maturity, develop goals, and establish IT risk governance.
Key Benefits Achieved
- Identified obstacles to effective IT risk management.
- Established attainable goals to increase maturity.
- Clearly laid out risk management accountabilities and responsibilities for IT and business stakeholders.
Activities
Outputs
Assess current program maturity.
- Maturity Assessment
Create a stakeholder map.
- Stakeholder Map
Complete RACI chart.
- Risk Management Program Manual
Identify and engage key stakeholders.
Add organization-specific risk scenarios.
Identify risk events.
Module 2: Identify, Assess, and Prioritize IT Risks
The Purpose
- To identify and assess all IT risks.
Key Benefits Achieved
- Created a comprehensive list of all IT risk events.
- Risk events prioritized according to risk severity – as defined by the business.
Activities
Outputs
Identify risk events (continued).
- Finalized list of IT risk events
Augment risk event list using COBIT 5 processes.
Determine the threshold for (un)acceptable risk.
- Risk Register
- Risk Management Program Manual
Create impact and probability scales.
Select a technique to measure reputational cost.
Risk severity level assessment.
Module 3: Assess, Prioritize, and Monitor IT Risks and Develop Risk Responses
The Purpose
- To prioritize risks, establish monitoring responsibilities, and develop risk responses for top risks.
Key Benefits Achieved
- Risk monitoring responsibilities are established.
- Risk response strategies have been identified for all key risks.
Activities
Outputs
Risk severity level assessment.
- Risk Register
Document the proximity of the risk event.
Expected cost assessment.
Develop key risk indicators (KRIs) and escalation protocols.
- Risk Event Action Plans
Root cause analysis.
Identify and assess risk responses.
Module 4: Monitor IT Risks, Develop Risk Responses, and Communicate IT Risk Priorities
The Purpose
- Assess and select risk responses for top risks and effectively communicate recommendations and priorities to the business.
Key Benefits Achieved
- Thorough analysis has been conducted on the value and effectiveness of risk responses for high severity risk events.
- Authoritative risk response recommendations can be made to senior leadership.
- A finalized Risk Management Program Manual is ready for distribution to key stakeholders.
Activities
Outputs
Identify and assess risk responses.
Risk response cost-benefit analysis.
- Risk Report
Create multi-year cost projections.
Review techniques for embedding risk management in IT.
Finalize the Risk Report and Risk Management Program Manual.
- Risk Management Program Manual
Transfer ownership of risk responses to project managers.
After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.
| Client | Experience | Impact | $ Saved | Days Saved |
| --- | --- | --- | --- | --- |
| Desert Lime Ltd | Guided Implementation | 9/10 | $20,500 | 23 |
| The University of Alabama at Birmingham | Guided Implementation | 10/10 | $2,546 | 5 |
| The Government of the Northwest Territories | Workshop | 10/10 | $22,000 | 50 |
| University of Exeter | Guided Implementation | 9/10 | N/A | N/A |
| City of Carlsbad | Workshop | 10/10 | N/A | 20 |
| Integris Credit Union | Guided Implementation | 9/10 | $10,000 | 10 |
| Dropbox | Guided Implementation | 8/10 | N/A | 5 |
| Pegasus Business Intelligence, LP d/b/a Onyx CenterSource | Guided Implementation | 10/10 | N/A | N/A |
| UMG RECORDINGS, INC. | Guided Implementation | 10/10 | N/A | N/A |
| AARP Inc | Guided Implementation | 10/10 | N/A | N/A |
| Fernco Inc | Workshop | 10/10 | $31,833 | 20 |
| RPC Inc. | Guided Implementation | 10/10 | $2,546 | 10 |
| CFA Institute | Guided Implementation | 8/10 | N/A | N/A |
| Central Bank of Trinidad & Tobago | Guided Implementation | 9/10 | N/A | N/A |
| Kentucky Housing Corporation | Guided Implementation | 10/10 | $1,782 | 5 |
| Trinidad and Tobago Unit Trust Corporation | Guided Implementation | 10/10 | $3,820 | 20 |
| Georgia State Accounting Office | Guided Implementation | 10/10 | $636K | 120 |
| South West Water | Guided Implementation | 9/10 | N/A | 5 |
| State Department Federal Credit Union | Guided Implementation | 10/10 | $5,093 | 3 |
| Lambton Kent District School Board | Guided Implementation | 8/10 | $1,000 | 1 |
| San Francisco Health Plan | Guided Implementation | 10/10 | N/A | N/A |
| Zs Associates, Inc. | Guided Implementation | 10/10 | N/A | N/A |
| Blommer Chocolate Company | Guided Implementation | 9/10 | $63,667 | 20 |
| Apria Healthcare | Guided Implementation | 9/10 | N/A | N/A |
| Bernalillo County | Workshop | 8/10 | $63,667 | 10 |
| Seattle University | Guided Implementation | 10/10 | N/A | N/A |
| Government of New Brunswick | Guided Implementation | 10/10 | N/A | N/A |
| ISG Central Services Ltd. | Guided Implementation | 8/10 | N/A | 5 |
| Pharmascience | Guided Implementation | 10/10 | $10,000 | 10 |
| Bapco | Guided Implementation | 7/10 | N/A | 10 |