Risk Management Isn't Just About IT

December 6, 2006
By George Spafford

Risk management is meant to provide a systematic means to identify threats, assess their probability and impacts, and then track their mitigation and levels of residual risk in such a manner that management decisions can be made.

Unfortunately, a number of groups have attempted to implement a formal risk management process only to find that it does not work – at least not for them. As a result, they have declared that risk management is flawed and not worth pursuing.

This is alarming, as the truth is just the opposite – they need risk management, but they must understand that supporting measures need to be in place for it to be effective.

Risk management is vital to organizations. As entities confront an increasing number of risks, they must have a means to rank them and identify what needs attention, the current level of residual risk, and so on. To be efficient, it must be at the entity level because in the end, there is only business risk. Information technologies represent threat vectors, but IT is not the business overall and hence doing isolated “IT risk management” will have limited success. What we really are talking about is the need for Enterprise Risk Management (ERM), but we will generically refer to it as “risk management” for now.

Organizations need to optimize risks across functional areas versus an over-emphasis on local optimization that can result in an unbalanced system. For example, IT can unplug all the servers from the networks, turn the power off, lock the doors and post guards. In this absurd scenario the servers are secure but the business overall is placed at risk. For this reason, risks are managed based on business decisions that have inputs from informed stakeholders.

With that said, there are reasons why groups are having problems with risk management. Let’s take a moment and review some considerations at a high level.

Process Design

Risk management is a process that needs to be properly designed and implemented for the organization in question. As such, there are a number of points for consideration:

  • What is the objective of the process? If you don’t know what is desired then the process design is flawed, if not impossible, from the start.
  • Who are the stakeholders and what are their requirements?
  • In order to achieve the process’ objective, what inputs from other areas are needed?
  • Similarly, what outputs are needed?
  • How will we calculate risks in a manner meaningful to the stakeholders?
  • Given the inputs and outputs, what activities are needed?
  • What are the roles and responsibilities associated with the process?
  • There are many best practice reference sources that can be used for comparison. How the process is designed and implemented depends on the needs of the organization.

Requires Organizational Change

Implementing any process necessitates organizational change. The Risk Management process is no different. Stakeholders need to be identified, management support given, proper funding allocated, effective training provided, and so on. The “soft” people skills are very much needed to roll out a new process and ensure it is adopted and achieves its intended objectives.
