Is IT Risk management just a fad? - Presentation Transcript
Is IT Risk Management just a Fad?
Joerg Fritsch
NATO C3 Agency
21/10/09 | Session ID: GOV-208
Classification: Intermediate
Agenda
IT Risk Management & Technology
‘reductionist’ vs holistic?
A simple IT Risk framework
WIIFM (what’s in it for me?)
IT Security “Fads” over the past 15 years
[Chart: business impact of IT security ‘fads’ over time; axes: Business Impact vs. Time, with marks at 1997, 2001, 2003, 2006 and today]
Sectors may have experienced these ‘fads’ at different stages
What are the ‘potential risks’?
Description                                                              ITGI 2008
Insufficient number of staff                                             58%
IT service delivery problems                                             48%
High cost of IT with low/unproven ROI                                    41%
Lack of agility/development problems                                     39%
Staff with inadequate skills                                             38%
Problems with outsourcers                                                35%
Problems with document content or knowledge management                   31%
Disconnect between IT strategy and business strategy                     29%
Electronic archiving or storage problems                                 26%
Inadequate disaster recovery or business continuity measures (DRP/BCP)   26%
Callout on slide: “Wasn’t this about Technology?”
Source: IT Governance Global Status Report 2008
More about potential Information Technology Risks
• IT security risk management is a subset of technology management
• IT risks are side effects of the use of technology
• It is O.K. to understand and communicate complex technical issues behind a risk
• But what prevents us from doing this?
Two possible reasons: stereotypes and unchallenged assumptions
The following slides will tell a story about stereotypes and unchallenged assumptions. They do not claim to be a comprehensive collection of reasons.
[Diagram: Inhibition, fed by Stereotypes and Assumptions]
Stereotypes: No one wants to be perceived as a technocrat.
Assumptions: Systems thinking / holistic thinking is far better than ...
Stereotypes that prevent us from managing technology (risks)
‘Technicians’ have personal issues: Technicians are not interpersonally savvy. Key communication skills are not developed very well.
‘Technicians’ see Technology as end goal: Technicians see technology as an end and not as a means to an end. Technicians recommend (new) technology because they are in love with it.
‘Technicians’ cannot talk business: Technicians and senior management speak different languages.
‘Technicians’ cannot make a career: Technology managers cannot make a career if the output of the firm is not technology related.
[Diagram labels: Personal issues, Geek speak, T. is end goal, Not a fee earner]
Technology Management?
[Diagram: General Management and Technology overlap in Technology Management]
General Management: Business policies, strategy & mission statement. Interface with the business environment.
Technology: Technology provides information systems! Technology creates wealth. Interface with the technology landscape.
Technology Management: Control of operation, improvement & innovation. Technology forecast. Alignment of technology platform & technology strategy with business policies & mission.
Better take pride in being involved with technology
• Technology provides information systems
• Technology creates wealth
• Technology is a tool
• Technology provides answers
• Technology …
• But technology also poses problems (management by exception?)
Everyone knows that
• Without (Information) Technology ‘it’ is not going to fly
• Without IT security ‘it’ is not going to fly either
• Nor is ‘it’ ever going to fly without a proper risk assessment
Let’s talk about ‘reductionist’ & holistic views
(CC), http://www.flickr.com/photos/ananth/2046725823/in/set-72157603700082721
IT defies compartmentalization: Back to the primordial ooze?
• Does compartmentalization really contradict a holistic approach?
• Being ‘all over’ is not equal to not fitting in a compartment
• Compartments have human gatekeepers at the boundaries
An example of compartmentalization: The IT value chain
[Diagram: IT value chain (Strategy, Applications, Operations) linked to Business outcomes]
Business Outcomes: Goal: Positive impact of IT on business. Think about some buzzwords for alignment of business and IT here.
IT Value Chain: A representation without direction/orientation but with links/interfaces. Compartmentalization is not necessarily negative. Categorizing & compartmentalizing can be an essential skill if it is not overly used.
Did you have beneficial experiences with compartmentalization recently?
(CC), http://www.flickr.com/photos/toyohara/303600377/
IT Risk Framework (Fritsch, 2009)
(CC), http://www.flickr.com/photos/eriwst/2303608353/
Proposal: A simple IT Risk Framework
[Diagram: a holistic layer (Enterprise Risk Management (ERM), IT Risk Management) above a compartmentalized layer (BU1, BU2, IT, BU3, each with its own Risks)]
Holistic: Enterprise Risk Management (ERM); IT Risk Management
Compartmentalized: BU1, BU2, IT, BU3, each with their own Risks. Business Units assess their potential IT Risks. Communities of Practice (CoPs).
Proposal: A simple IT Risk Framework (continued 1)
• Compartments build Communities of Practice (CoPs) all having a stake in IT Risk Management
• IT Risk Management community stretches across vertical and horizontal organizational boundaries
• Gatekeepers (Employees) interface between boundaries, performance dependent on:
  • Prior related knowledge
  • Organizational culture
Proposal: A simple IT Risk Framework (continued 2)
• Use gatekeepers to integrate RM horizontally and vertically in the organization
• Risk Management can be integrated into existing processes
• As a consequence of well integrated risk management, people often do not know that they are doing risk management.
Storytelling: positive effects of IT Risk management
• Plenty of methodologies and frameworks but little
  • Living examples
  • Authentic, memorable stories
  • Story context around past failures and risk based decisions for current audiences
  • Case Studies
• Tell me your story!
What’s in it for me?
(CC) http://www.flickr.com/photos/86257563@N00/476500197/
WIIFM
• This is a preliminary to a wider discussion. We can have (part) of that discussion
  • Now
  • Anytime soon
• Share your experience
• Think about the proposed framework
Questions & Answers
Thank you for your attention
joerg.fritsch@nc3a.nato.int