Is IT Risk management just a fad?

Published in: Business, Economy & Finance

  1. 1. Is IT Risk Management just a Fad? Joerg Fritsch NATO C3 Agency 21/10/09 | Session ID: GOV-208 Classification: Intermediate
  2. 2. Agenda •  IT Risk Management & Technology •  ‘Reductionist’ vs holistic? •  A simple IT Risk framework •  WIIFM (what’s in it for me?) 2
  3. 3. IT Security “Fads” over the past 15 years. Sectors may have experienced these ‘fads’ at different stages. [Chart: Business Impact over Time; time axis marked 1997, 2001, 2003, 2006, today] 3
  4. 4. What are the ‘potential risks’? (Callout: “Wasn’t this about Technology?”) Description and ITGI 2008 figure:
       •  Insufficient number of staff: 58%
       •  IT service delivery problems: 48%
       •  High cost of IT with low/unproven ROI: 41%
       •  Lack of agility/development problems: 39%
       •  Staff with inadequate skills: 38%
       •  Problems with outsourcers: 35%
       •  Problems with document content or knowledge management: 31%
       •  Disconnect between IT strategy and business strategy: 29%
       •  Electronic archiving or storage problems: 26%
       •  Inadequate disaster recovery or business continuity measures (DRP/BCP): 26%
       Source: IT Governance Global Status Report 2008 4
  5. 5. More about potential Information Technology Risks •  IT security risk management is a subset of technology management •  IT risks are side effects of the use of technology •  It is O.K. to understand and communicate complex technical issues behind a risk •  But what prevents us from doing this? 5
  6. 6. Two possible reasons: stereotypes and unchallenged assumptions. The following slides •  Will tell a story about stereotypes and unchallenged assumptions •  Do not claim to be a comprehensive collection of reasons. [Diagram: Inhibition] Stereotypes: No one wants to be perceived as a technocrat. Assumptions: Systems thinking / holistic thinking is far better than ... 6
  7. 7. Stereotypes that prevent us from managing technology (risks)
       •  ‘Technicians’ have personal issues: Technicians are not interpersonally savvy. Key communication skills not developed very well.
       •  ‘Technicians’ see Technology as end goal: Technicians see technology as ends and not as means to an end. Technicians recommend (new) technology because they are in love with it.
       •  ‘Technicians’ cannot talk business: Technicians and senior management speak different languages. ‘Geek speak’.
       •  ‘Technicians’ cannot make career: Technology managers cannot make career if the output of the firm is not technology related.
       [Diagram labels: Personal issues, Geek speak, T. is end goal, Not a fee earner] 7
  8. 8. Technology Management?
       •  General Management: Business policies, strategy & mission statement.
       •  Technology: Technology provides information systems! Technology creates wealth.
       •  Technology Management: Interface with the business environment. Interface with the technology landscape. Control of operation, improvement & innovation. Technology forecast. Alignment of technology platform & technology strategy with business policies & mission. 8
  9. 9. Better take pride in being involved with technology •  Technology provides information systems •  Technology creates wealth •  Technology is a tool •  Technology provides answers •  Technology … •  But technology also poses problems (management by exception?) 9
  10. 10. Everyone knows that •  Without (Information) Technology ‘it’ is not going to fly •  Without IT security ‘it’ is not going to fly either •  Nor is ‘it’ ever going to fly without a proper risk assessment 10
  11. 11. Let’s talk about ‘reductionist’ & holistic views (CC), http://www.flickr.com/photos/ananth/2046725823/in/set-72157603700082721 11
  12. 12. ‘Reductionist’ & holistic views (continued) (CC), http://www.flickr.com/photos/ananth/2047524926/in/set-72157603700082721 (CC), http://www.flickr.com/photos/ananth/2047522102/in/set-72157603700082721 12
  13. 13. IT defies compartmentalization: Back to the primordial ooze? •  Does compartmentalization really contradict a holistic approach? •  Being ‘all over’ is not equal to not fitting in a compartment •  Compartments have human gatekeepers at the boundaries 13
  14. 14. An example of compartmentalization: The IT value chain •  Goal: Positive impact of IT on business. •  Think about some buzzwords for alignment of business and IT here. •  A representation without direction/orientation but with links/interfaces. •  Compartmentalization is not necessarily negative. •  Categorizing & compartmentalizing can be an essential skill if it is not overly used. [Diagram: Business Outcomes; IT Value Chain: Strategy, Applications, Operations] 14
  15. 15. Did you have beneficial experiences with compartmentalization recently? (CC), http://www.flickr.com/photos/toyohara/303600377/ 15
  16. 16. IT Risk Framework (Fritsch, 2009) (CC), http://www.flickr.com/photos/eriwst/2303608353/ 16
  17. 17. Proposal: A simple IT Risk Framework. Business Units assess their potential IT Risks. [Diagram: Holistic level: Enterprise Risk Management (ERM), IT Risk Management. Compartmentalized level: BU1, BU2, IT, BU3, each with its Risks; Communities of Practice (CoPs)] 17
  18. 18. Proposal: A simple IT Risk Framework (continued 1) •  Compartments build Communities of Practice (CoPs) all having a stake in IT Risk Management •  IT Risk Management community stretches across vertical and horizontal organizational boundaries •  Gatekeepers (Employees) interface between boundaries, performance dependent on: •  Prior related knowledge •  Organizational culture 18
  19. 19. Proposal: A simple IT Risk Framework (continued 2) •  Use gatekeepers to integrate RM horizontally and vertically in the organization •  Risk Management can be integrated into existing processes •  As a consequence of well-integrated risk management, people often do not know that they are doing risk management. 19
  20. 20. Storytelling: positive effects of IT Risk management •  Plenty of methodologies and frameworks but little •  Living examples •  Authentic, memorable stories •  Story context around past failures and risk based decisions for current audiences •  Case Studies •  Tell me your story! 20
  21. 21. What’s in it for me? (CC) http://www.flickr.com/photos/86257563@N00/476500197/ 21
  22. 22. WIIFM •  This is a preliminary to a wider discussion. We can have (part) of that discussion •  Now •  Anytime soon •  Share your experience •  Think about the proposed framework 22
  23. 23. Questions & Answers Thank you for your attention joerg.fritsch@nc3a.nato.int 23
