Organizations that treat IT risk management as a technology issue rather than a corporate one will leave themselves exposed to numerous problems that could threaten the health of their entire business. While technology support will be required, IT risk management is just as much an organizational issue that relies on putting the right people in the right roles with the necessary guidance.
Although technology is important, IT risk management should be tackled at a corporate level.
Given that failing to manage IT risks sufficiently poses a serious threat to any organization, it follows that IT risk management efforts should have senior executive sponsorship and form part of the broader corporate risk management initiative, according to a new Butler Group report.
While IT risk management is becoming increasingly critical, the growing complexity of IT systems – including their distributed nature, remote and mobile access, and direct support for access by external users – has made risk management more difficult. At the same time, the degree of dependency on IT services has escalated, with many organizations suffering significant financial penalties after only a short period of unavailability.
Headline incidents detailing the careless loss of sensitive information continue to cause considerable embarrassment to corporate executives, and increasingly lead to direct or indirect financial penalties. Additionally, the IT industry still has a long way to go to improve its track record for delivering IT projects that are on time and on budget, and that meet the organization’s evolving expectations.
Risk management issues should, therefore, be considered from the early design stage of IT projects, and the actual likelihood of different types of risk occurring should be identified, as should the actual cost of such risks to the organization.
According to Butler Group, businesses can achieve the ultimate aim of becoming risk-aware throughout the enterprise by implementing a number of strategies. However, while utilizing appropriate technology solutions is important, formalizing risk management through senior business executive sponsorship and the creation of dedicated risk management roles within IT is paramount.
Indeed, the majority of problems that get exposed as IT failures actually have their roots in people and process failures and, as such, organizations should take a systemic approach to risk avoidance, as well as adopting appropriate IT technologies and methodologies. Ultimately, only by understanding these variables can the cost of solutions be balanced against the level of business exposure, and the best-fit solution selected.