Risk management, at its core, is a simple concept, but is often extremely difficult to implement and maintain. For information technology managers, it’s an increasingly important skill.
Its key precepts are to identify risks to your business, to assess those risks by determining their potential impact and their likelihood of occurrence, and then to take steps to mitigate the risks to an acceptable level.
Market, credit, and operational risks have traditionally been a part of the corporate decision-making process, as they are easily quantifiable and measurable items. IT risk, however, has often been excluded from the boardroom. That’s due in part to the difficulty of measuring direct financial impact to both IT infrastructure and the business itself.
However, we are now in an age where the processes of capturing, storing, and retrieving information are the foundation upon which most of the world currently operates. Since information is now the dominant force and the most valuable asset for many modern companies, managers can no longer afford to ignore or downplay IT and the risks associated with it.
The U.S. National Institute of Standards and Technology expounds on this newfound importance of IT risk management in a special publication: “The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.”
It’s not just preparing for disaster
IT managers jokingly complain that their departments often get blamed for everything that goes wrong. The stark, modern reality is, however, that infrastructure deployed and maintained by technical professionals is now actively responsible for supporting most business-critical services in just about every industry. This puts IT managers in the mostly unenviable and sometimes untenable position of having to understand nearly every aspect of the businesses they support.
Even the failure of seemingly simple services such as e-mail can have wide-ranging effects across multiple departments. Sales staff may not be able to process an urgent order from a customer. The purchasing department may not receive notification of a shipping delay. A production manager may be unable to request an emergency meeting.
The ability to predict wide-ranging effects of simple changes or failures becomes a necessary part of both an effective IT risk management program and the technology decision-making process as a whole.
Where to get risk management guidance
The good news for IT managers is that several organizations have already expended vast amounts of money and research to provide viable methods for qualitative IT risk management. The Software Engineering Institute at Carnegie Mellon University created one such program: the OCTAVE method.
Globally recognized, non-profit IS/IT membership organization ISACA (Information Systems Audit and Control Association) also offers its COBIT program, which integrates numerous other frameworks and international standards into one comprehensive solution.
For IT managers, how effectively they identify and mitigate risk across the corporation will now make more of a difference than pure technical skill. As they learn which essential job functions rely on which infrastructure components and become better at predicting the potential wide-ranging impact of system failures, effective IT managers can often become key players in the decision-making processes of the organizations they represent.
IT risk management then becomes the cornerstone of one of the most important day-to-day goals in any industry: Keeping the business running.