You may recall that I wrote a piece back in September titled “Identifying and Managing IT Risk”. That article was well received and sparked some good discussion both here on the blog and amongst my clients. I also polled readers and found that 10% of them had a risk strategy for IT in their organizations, while another 10% had the strategy and were in the process of implementing it. Even more encouraging was the 30% of respondents who were in the process of developing a strategy now. One of the key points of feedback I got from the 40% who were still in the strategic phase or just starting implementation was how to get their arms around the long list of risks that had materialized. As I’d suggested pulling together a risk inventory, many of them had done similar exercises but were now faced with the daunting task of figuring out “where to start”. Time, budget, and resources are all limited, and not everything can be started at once. Through the strategic process, people begin to ask, “What steps do I take in mitigating identified IT risk?”
That’s a great question. It ensures you don’t just run off and start at the top of your list or, worse, work in some reactive fashion, just focusing on the latest fire. In today’s blog post I will provide you with a way to take your identified risks and do some analysis on them.
Based on some of the questions being emailed to me from this morning’s post on Identifying IT Risk, I thought I’d create a quick poll to get some real-time input from readers. So the question is: “Does your organization have a risk mitigation strategy in place?”
There is no doubt that we live in a world of high risk, especially when it comes to the technology that we use in our businesses. I often encourage clients to take steps to manage and mitigate risk so as to avoid costly and disruptive issues in the future. I am preparing for a presentation in November where I will be speaking about risk in IT and thought I’d share a few thoughts here.
The first step in beginning to manage and mitigate risk is the ability to identify risk. There are three key areas or categories that you should consider when assessing your own IT environment, which comprises people, processes and technology (don’t just focus on the tech or you will undoubtedly miss important risk areas).