revive your risk mgmt program with a regular health check
TRANSCRIPT
Info-Tech Research Group 1
Revive Your Risk Management Program with a Regular Health Check
Don’t get complacent and allow your risk management program to flatline.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2016 Info-Tech Research Group Inc.
ANALYST PERSPECTIVE
IT risk is evolving. Is your risk management program keeping up?
Setting up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business is a significant step in your evolution as a strategic and proactive IT leader.
However, the value of your latest risk assessment depreciates rapidly. Continuous monitoring and regular reassessment of your risk portfolio is crucial for ensuring that IT decision making continues to be made through a risk management lens. Risk-conscious decision making creates value for the business that should be measured and communicated.
Follow the steps outlined in this blueprint to perform regular health checks on your IT risk management program and keep pace with IT risk.
Scott Janz, Consulting Analyst, CIO Advisory, Info-Tech Research Group
Our understanding of the problem
This Research Is Designed For:
• Any IT leader responsible for IT risk management in their organization.
• Any CIO mandated to integrate IT risk management with their organization’s central risk management function or ERM.
• Any IT director or manager undertaking a risk assessment.
• Any IT director or manager responding to or preparing for an IT audit.
This Research Will Help You:
• Routinize a comprehensive IT risk management program.
• Ingrain a strategy for managing and mitigating risks to meet your organization’s risk appetite.
• Quantify risk exposure in meaningful financial terms.
• Maintain business engagement with IT risk management.
This Research Will Also Assist:
• Enterprise Risk Management (ERM)
• Senior Leadership
This Research Will Help Them:
• Develop consensus on organizational risk appetite.
• Establish a framework and metrics for acceptable risk tolerance.
• Align business and IT risk management objectives.
• Enable the business to make informed investments when managing IT risks.
Executive Summary
Situation
• You just implemented a formalized IT risk management program that integrates with the business.
• You successfully identified, assessed, and prioritized IT’s greatest risks, and communicated your recommendations for IT risk response projects to senior leadership.
Complication
• Because the organization is feeling secure, enthusiasm for the program and willingness to participate have waned both within and outside of IT.
• While the IT Risk Council continues to monitor previously identified risks, it remains unaware of evolving IT threats and vulnerabilities.
• Having crossed IT risk management off of its list, senior leadership no longer prioritizes the improvement of the program.
Resolution
• To prevent your IT risk management program from becoming an artifact, follow the steps in this blueprint to conduct quarterly, biannual, or annual health checks to re-assess your risk portfolio and the health of your program.
• Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.
• Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.
• Get better at identifying and assessing IT risk and measure the improvement.
• Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.
Info-Tech Insight
1. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.
2. Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.
3. The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.
Info-Tech’s risk management health check insights
Central Insight:
A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Perform regular health checks to remain aware of the key risks threatening the business and your reputation.
Info-Tech Insight
Risk management does not mean “checking a box.” Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.
Info-Tech Insight
The first health check is pivotal. Business stakeholders often perceive IT risk management as a project that needs to be completed once. Therefore the second year is crucial for institutionalizing an active and sustainable program. By successfully completing these activities a second time, the program gains momentum, increasing the likelihood of retaining stakeholder engagement in subsequent years as the program matures.
Info-Tech Insight
Risk management should be seen and heard. Don’t let the business’ enthusiasm and support for IT risk management wane when key risks are mitigated and avoided. Communicate the dollar value of risk management in a compelling way to keep the business engaged.
IT Management & Governance Framework
Benchmarking Results for the Management & Governance Diagnostic
[Figure: heat map of IT capabilities grouped into the domains Strategy & Governance, Apps, Data & BI, People & Resources, Security & Risk, Infrastructure & Operations, Service Planning & Architecture, Financial Management, and PPM & Projects. Each capability carries an Effectiveness and an Importance score; the scores are listed below in the order the capabilities appear in the grid. The domain grouping of the original layout is not reproduced.]
IT Governance: Effectiveness = 5.7, Importance = 8.3
Application Portfolio Management: Effectiveness = 5.4, Importance = 8
Business Intelligence & Reporting: Effectiveness = 5.4, Importance = 8.1
IT Strategy: Effectiveness = 6, Importance = 8.5
IT Management & Policies: Effectiveness = 6, Importance = 8.3
Security Strategy: Effectiveness = 6.3, Importance = 8.7
Enterprise Application Selection & Implementation: Effectiveness = 6.1, Importance = 8.3
Data Architecture: Effectiveness = 5.6, Importance = 8.2
Performance Measurement: Effectiveness = 5.1, Importance = 7.8
Innovation: Effectiveness = 5.7, Importance = 7.9
Human Resources Management: Effectiveness = 6.1, Importance = 8.3
Security Management: Effectiveness = 6.5, Importance = 8.9
Business Process Controls & Internal Audit: Effectiveness = 5.4, Importance = 7.9
Application Development Throughput: Effectiveness = 5.4, Importance = 7.4
Data Quality: Effectiveness = 5.5, Importance = 8.5
Business Value: Effectiveness = 6.2, Importance = 8.4
Stakeholder Relations: Effectiveness = 6.2, Importance = 8.7
IT Organizational Design: Effectiveness = 6.3, Importance = 8.3
Enterprise Architecture: Effectiveness = 5.7, Importance = 8.2
Availability & Capacity Management: Effectiveness = 6.2, Importance = 8.4
Change Management: Effectiveness = 6.1, Importance = 8.5
Risk Management: Effectiveness = 5.9, Importance = 8.3
External Compliance: Effectiveness = 6.4, Importance = 8.3
Application Development Quality: Effectiveness = 5.6, Importance = 7.7
Portfolio Management: Effectiveness = 5.4, Importance = 8.1
Cost & Budget Management: Effectiveness = 6.7, Importance = 8.4
Knowledge Management: Effectiveness = 5.8, Importance = 8.4
Leadership, Culture & Values: Effectiveness = 6.5, Importance = 8.5
Service Management: Effectiveness = 6.1, Importance = 8.4
Asset Management: Effectiveness = 6, Importance = 7.9
Configuration Management: Effectiveness = 5.5, Importance = 7.8
Release Management: Effectiveness = 5.7, Importance = 8.1
Business Continuity: Effectiveness = 6.1, Importance = 8.7
Application Maintenance: Effectiveness = 6, Importance = 8
Project Management: Effectiveness = 6, Importance = 8.5
Vendor Management: Effectiveness = 6.4, Importance = 8
Cost Optimization: Effectiveness = 6.2, Importance = 8.4
Manage Service Catalog: Effectiveness = 4.3, Importance = 7.3
Quality Management: Effectiveness = 5.6, Importance = 8.2
Operations Management: Effectiveness = 6.4, Importance = 8.4
Service Desk: Effectiveness = 7, Importance = 8.8
Incident & Problem Management: Effectiveness = 6.5, Importance = 8.7
Disaster Recovery Planning: Effectiveness = 6.1, Importance = 8.8
Organizational Change Management: Effectiveness = 5.4, Importance = 8.3
Requirements Gathering: Effectiveness = 5.9, Importance = 8.5
Legend
• Above Average Importance and Above Average Effectiveness
• Below Average Importance and Above Average Effectiveness
• Above Average Importance and Below Average Effectiveness
• Below Average Importance and Below Average Effectiveness
*Average is based on the overall average.
Risk management is a top IT priority
Info-Tech’s Top 10 IT Improvement Priorities
1. Data Quality
2. IT Governance
3. Risk Management
4. Knowledge Management
5. Requirements Gathering
6. Manage Service Catalog
7. Organizational Change Management
8. Quality Management
9. Performance Measurement
10. Application Portfolio Management
Info-Tech asked over 2,500 IT professionals to rate on a scale of 1 to 10 the importance of risk management and how effective they were at managing IT risks.
Importance of risk management: 8.3 (above-average importance)
Effectiveness of risk management: 5.9 (significantly below-average effectiveness)
82%: Despite an IT environment that is rapidly changing, 82% of organizations in North America re-assess their IT risk portfolio annually or even less frequently (Protiviti).
Don’t become complacent and allow your risk management program to flatline
What type of risk management do you practise?
[Figure: three charts of Maturity over Time, titled “One-and-done,” “On-again, off-again,” and “Ongoing improvement.”]
Last year you identified the most important IT risks and implemented projects to protect IT and the business. Unfortunately, your risk assessment is already outdated. Keep your foot on the gas and maintain your momentum to avoid wasting all of the hard work you applied getting the program off the ground.
23%: A recent study found that a mere 23% of organizations describe their risk management processes as “mature” or “robust.”1
Sources: 1 ERM Initiative; 2 PWC
Why IT risk management programs falter
Despite building a strong foundation with a formalized IT Risk Management Council, and repeatable processes for identifying, assessing, and responding to IT risk, risk management programs still fail for the following reasons:
1. Without communicating the cost savings stemming from the program, the value created by risk management is invisible to the business.
The successful management of IT risk is difficult to measure, and therefore, the value it creates for the business can be hard to see. Merely saying that risk events did not occur is not exactly a powerful motivator for leadership to continue investing resources into the risk management program and sustain their interest. Executive sponsorship and the engagement of key stakeholders may dwindle without visceral reminders of how IT risk impacts the business.
2. Obtaining business stakeholder participation is not as easy the second time around.
IT risk is business risk. Thus, the participation and engagement of key business stakeholders is integral to the successful identification and accurate assessment of IT risk. Robust risk management is demanding in terms of the participation and effort required of key stakeholders both inside and outside of IT. Getting business stakeholders to invest their time and expertise – even if it’s in their best interest – may be an unexpected roadblock to repeating the success of your first assessment.
3. Risk management is considered a “checkmark project.”
Two of the most common drivers for establishing an IT risk management program include compliance and internal/external audit requirements. Even if the CIO is committed to the program, the support of the rest of the senior leadership team may nosedive once they feel that IT risk management has been crossed off the list.
Don’t leave IT risk unmanaged in year 2, or you may need to update your résumé in year 3
Take luck out of the equation – “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.
The top four reasons why CIOs lose their jobs:
• Security Breaches
• Project Failures
• Disaster Recovery Failures
• System Failures
[Figure: each of the four failure types is marked with an X and paired with the label “IT Risk Management.”]
Source: Silverton Consulting
When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers.
When effectively integrated with business risk management, IT risk management is your best job security policy.
“If I wait until a risk event occurs, I might be out of a job before the business recovers.”
– VP of Security and Risk, Energy Logistics Company
A false sense of security may be your greatest risk
The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Risk is a moving target that requires proactive and persistent attention.
Only 60.5% of senior executives believe risks are being effectively monitored and reviewed (Project Management Institute). Follow the methodology in the blueprint to perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
Use this blueprint to perform ongoing health checks on your risk management program:
• Use Info-Tech’s risk identification methodology to detect new IT risks.
• Reassess and reprioritize previously identified risks.
• Evaluate the effectiveness of existing risk response projects and plan new actions to address top risks.
[Figure: a “BEST BEFORE 31 DEC ??” label.] As the leader of your organization’s dormant IT risk management program, you may be the greatest IT risk of all.
12 new risks: One Info-Tech client discovered 12 additional risks during their second IT risk management workshop with Info-Tech analysts. The 12 risks included 5 that were missed the previous year, and 7 that reflected changes to the organizational context and threat landscape.
IT risk management is not a “checkmark project.” While this can be hard for goal-oriented IT leaders to accept, the value derived from each risk assessment depreciates rapidly. The good news is that repeating and optimizing your processes will make risk management more efficient, thereby increasing the value you provide the business with each iteration.
Risk Register Tool
Workshop overview
Contact your account representative or email [email protected] for more information.
Workshop Day 1
  Activities
    AM: Perform a Risk Management Retrospective
      1.1 Review IT risk fundamentals
      1.2 Set workshop goals and expectations
      1.3 Assess risk management process, and identify accomplishments and challenges
    PM: Assess Business Context Changes and Engage Stakeholders
      1.4 Build a Risk Management Program Improvement Plan
  Deliverables
    1. An updated Risk Management Program Manual
    2. A completed Risk Management Program Improvement Plan
Workshop Day 2
  Activities
    AM: Assess Business Context Changes and Engage Stakeholders
      2.1 Review IT and business context changes
      2.2 Consider how context changes impact organizational risk tolerance
      2.3 Generate tactics to re-engage business stakeholders
    PM: Assess Previously Identified IT Risks
      2.4 Determine if implemented risk responses were successful
      2.5 Re-assess the severity of previously identified risk events
  Deliverables
    1. An updated and complete Risk Register with all relevant IT risk events
    2. An updated Risk Management Program Manual
    3. A revised stakeholder RACI
Workshop Day 3
  Activities
    AM: Identify New Risks
      3.1 Augment risk event list with capability maps
      3.2 Assess the severity of newly identified risk events
      3.3 Perform an expected cost assessment
    PM: Monitor IT Risks & Develop Risk Responses
      3.4 Perform a root cause analysis
      3.5 Identify and assess risk responses
  Deliverables
    1. An updated and complete Risk Register with all relevant IT risk events
    2. Completed Risk Event Action Plans
    3. An updated Risk Management Program Manual
Workshop Day 4
  Activities
    AM: Monitor IT Risks and Develop Risk Responses
      4.1 Identify and assess risk responses
      4.2 Review a risk response cost-benefit analysis
      4.3 Create multi-year cost projections
    PM: Communicate IT Risk Priorities
      4.4 Customize the IT Risk Management Executive Brief Template
      4.5 Finalize the Risk Report and Program Manual
      4.6 Transfer ownership of risk responses to project managers
  Deliverables
    1. A communication guide and completed IT Risk Management Executive Brief Template
    2. A detailed Risk Report
    3. An updated Risk Management Program Manual