Identifying and Managing IT Risk

There is no doubt that we live in a world of high risk, especially when it comes to the technology that we use in our businesses. I often encourage clients to take steps to manage and mitigate risk so as to avoid costly and disruptive issues in the future. I am preparing for a presentation in November where I will be speaking about risk in IT and thought I’d share a few thoughts here.

The first step in managing and mitigating risk is being able to identify it. There are three key areas or categories that you should consider when assessing your own IT environment, which is comprised of people, processes and technology (don’t just focus on the tech or you will undoubtedly miss important risk areas).

When trying to identify risk, the three categories of assessment are:

  • Failure of Governance – this is where an organization lacks the processes and necessary controls to ensure that their investment in technology is being adequately managed.  Once deployed, processes need to be in place to ensure ongoing upkeep, capacity planning and change management.
  • Data Recovery / Disaster Recovery – as organizations become more reliant on technology, there needs to be a plan in place to deal with a sudden and potentially catastrophic failure in those systems. How will you recover data if a single service fails? What if multiple services fail? What if your building becomes inaccessible? What if a natural disaster occurs?
  • Security of Systems & Data – ensuring that we safeguard our data and systems has become of paramount importance.  One only needs to read the newspapers to see the impact of security breaches.  Data is compromised, privacy is compromised and your organization’s promise to customers to safeguard their private information is severely damaged.

I would suggest that, as a starting point, you create a Risk Inventory within your organization, beginning by listing potential risks within those three categories. Once the inventory has been created, you should gauge the level of risk impact for each item to assist with future prioritization. In a future post leading up to my presentation I will provide some thoughts around how to mitigate the risks you identify.

About miannipalarchio

A strategist and technologist always looking at ways that technology can enhance businesses and personal. A long time blogger who likes to share what he tests in the real world.

Posted on September 20, 2011, in Business & Technology, Strategy. 8 Comments.

  1. Very good. Like the article and look forward to seeing the recommendations to deal with risk. Security risk is my primary area of interest. Thank you.

  2. We need to do some risk assessment as I worry about IT in our organization. I look forward to reading your next article to see what approaches can be taken. It is often confusing since as the CFO I don’t always understand the technical aspect and jargon. It is sometimes difficult to decide what project should be undertaken.

    • You should leave it to your professional IT people. I am puzzled that IT people often do report to a CFO who knows nothing about IT.

      • Often IT groups are too tactical and they don’t do risk planning. That’s why you can’t trust to leave such an important thing to just an IT function. It should be led by the CIO (or head of IT) and involve people from across the organization.

  3. Good topic. Will you post your presentation after you give it?

  4. I would like some information on how to assess risks that have been identified. We have kind of put together an inventory list using Excel but we have a lot of computing risk initiatives trying to secure budget. How do you go about creating an overall plan or schedule of risk improvement initiatives?

  5. This is a good topic. I’d be interested in knowing when you are going to post the other risk articles and possibly talking by phone if you were ok with that.

  1. Pingback: Do You Have A Risk Mitigation Strategy in Place? « mip's scan
