IT Risk: It's not 'Cyber' - It's Worse - InformationWeek

Commentary
6/20/2017 11:00 AM
Jeremy Bergsman

IT Risk: It's not 'Cyber' – It's Worse

While hackers haven't put big companies out of business, there are plenty of examples of companies that failed because they were slow to respond to tech-driven market shifts.

In the digital era, IT isn’t part of the business, IT is the business. But as IT’s value has risen, so too has IT risk, and left unmanaged it can easily be the undoing of a company.

Most attention to technology-related risk is focused on information risk, aka “cyber,” but there is a broader set of risks enterprise leaders worry about, best called “IT risk.” IT risk is the potential for unexpected (typically negative) business results associated with the use, ownership and adoption of information technology. No Fortune 1000 company has gone out of business from a cyber-attack or an IT system failure. However, dozens of large companies have disappeared after being too slow to adapt to technology-driven changes in their business models.

IT risk is now a primary focus for assurance functions like enterprise risk management, compliance, legal and internal audit. Additionally, we’re hearing from IT leaders that their boards are asking hard questions about how IT risks are being managed. Unfortunately, most IT leaders do not have good answers to questions about these risks, because they don’t have the right people, governance structures or processes in place to manage IT risks effectively.

CIOs need to get serious about IT risk management. To do so they must internalize three imperatives to ensure that business leaders know how much IT risk they’re exposed to, and help those leaders manage that risk to the right level.

Imperative 1: Start focusing on the right risks

When asked about IT risk, most business leaders immediately think about a cyber-attack. This risk is salient and hence has long had a formal manager, the CISO. However, multiple studies show that data breaches are not material from a cost or long-term stock price perspective. Conversely, few leaders would think of the risks that are most existential in the digital era, risks like IT staff readiness for new roles or insufficient responsiveness to business needs.

To help broaden IT’s risk view, create a taxonomy of IT risks to be managed. This will define the scope of IT risk managers’ responsibilities and help everyone speak the same language about risks. To get started, expand the risks within these seven categories:

  1. IT talent (employees and contractors)
  2. IT capacity
  3. Reliability and quality
  4. Legal and compliance
  5. Security and privacy
  6. Delivery
  7. Business enablement

For example, IT talent risks can be expanded to include “insufficient staff,” “staff are not ready for today’s roles” and “staff are not ready for new roles.”

Imperative 2: Formalize management and governance over IT risk

With the risk taxonomy defined, the first step to formalizing IT risk management is to identify an entity responsible for holistic oversight of IT risks. Whether it’s via a single leadership role or management by committee, the responsible party must formalize risk management processes, ensure accountability for risk decisions and raise awareness of IT risks throughout the enterprise.

Second, ensure that risk decisions are left to the true owners of risk. Professional risk managers help identify risks and define and manage the process to analyze and treat them. But risk managers should not make risk treatment decisions since they lack the necessary understanding of the business context in which these decisions take place. Decisions made by risk managers are often more risk averse than the company’s risk appetite, which in turn slows productivity, agility and innovation.

Third, after shifting responsibility for risk decisions, accountability must follow. For risk management to work, companies must take two steps to create operational discipline around risk accountability. To start, processes must include formal acceptance of accountability for risk decisions. Then they must create management practices (such as reporting and incentives) to reinforce accountability.

Imperative 3: Ensure IT staff understand their role in managing, and encouraging, informed risk-taking

IT staff have long been trained to view risk as a bad thing to be minimized and often see themselves as protecting technology from employees on the business line who “don’t get it.” But risk aversion hinders staff from taking the bold steps necessary to transform IT and the business in the digital era. It also creates friction with corporate functions that are more open to risk.

CIOs need to ensure their staff understand the company’s risk appetite and improve their comfort with risk. Top-down messaging should consistently reinforce an openness to risk taking and failure. CIOs should implement bottom-up training, performance management and adjustments to hiring criteria to improve IT staff’s comfort with risk.

Jeremy Bergsman is an IT practice leader at CEB, now Gartner. Jeremy has overseen dozens of quantitative and qualitative research studies on topics including measuring and changing end-user behavior, risk assessment, roadmapping and planning, business capability modeling and ...