Revive Your Risk Mgmt Program With a Regular Health Check

Your Challenge

Having set up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business, you have taken a significant step in your evolution as a strategic and proactive IT leader.
Unfortunately, your risk assessment is already outdated. Perform regular health checks to stay on top of the key risks threatening the business – and your reputation.
Our project seizes the momentum you created by building a robust IT risk management program, and creates a process for conducting periodic health checks and embedding ongoing risk management into every aspect of IT.
Our approach keeps the business on board by stressing the financial impact of IT risks, as well as the opportunities for calculated risk taking that a deep understanding of how IT-related risk affects the business reveals.
Our focus is on using data to make IT risk assessment less like an art and more like a science. Ongoing data-driven risk management is self-improving and grounded in historical data.
Our Advice

Critical Insight
A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.
Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.
The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.
Risk management is not checking boxes – you need to be constantly improving. Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.
Impact and Result
To prevent your IT risk management program from becoming an artifact, conduct quarterly, semi-annual, or annual health checks to reassess your risk portfolio and identify new threats and vulnerabilities.
Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.
Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.
Get better at identifying and assessing IT risk and measure the improvement.
Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.

Revive Your Risk Mgmt Program With a Regular Health Check

  1. Revive Your Risk Management Program with a Regular Health Check
     Don’t get complacent and allow your risk management program to flatline.
     Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2016 Info-Tech Research Group Inc.
  2. ANALYST PERSPECTIVE: IT risk is evolving. Is your risk management program keeping up?
     Setting up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business is a significant step in your evolution as a strategic and proactive IT leader. However, the value of your latest risk assessment depreciates rapidly. Continuous monitoring and regular reassessment of your risk portfolio are crucial for ensuring that IT decisions continue to be made through a risk management lens. Risk-conscious decision making creates value for the business that should be measured and communicated. Follow the steps outlined in this blueprint to perform regular health checks on your IT risk management program and keep pace with IT risk.
     – Scott Janz, Consulting Analyst, CIO Advisory, Info-Tech Research Group
  3. Our understanding of the problem
     This Research Is Designed For:
     • Any IT Leader responsible for IT risk management in their organization.
     • Any CIO mandated to integrate IT risk management with their organization’s central risk management function or ERM.
     • Any IT Director or Manager undertaking a risk assessment.
     • Any IT Director or Manager responding to or preparing for an IT audit.
     This Research Will Help You:
     • Routinize a comprehensive IT risk management program.
     • Ingrain a strategy for managing and mitigating risks to meet your organization’s risk appetite.
     • Quantify risk exposure in meaningful financial terms.
     • Maintain business engagement with IT risk management.
     This Research Will Also Assist:
     • Enterprise Risk Management (ERM)
     • Senior Leadership
     This Research Will Help Them:
     • Develop consensus on organizational risk appetite.
     • Establish a framework and metrics for acceptable risk tolerance.
     • Align business and IT risk management objectives.
     • Enable the business to make informed investments when managing IT risks.
  4. Executive Summary
     Situation
     • You just implemented a formalized IT risk management program that integrates with the business.
     • You successfully identified, assessed, and prioritized IT’s greatest risks, and communicated your recommendations for IT risk response projects to senior leadership.
     Complication
     • Because the organization is feeling secure, enthusiasm for the program and willingness to participate have waned both within and outside of IT.
     • While the IT Risk Council continues to monitor previously identified risks, it remains unaware of evolving IT threats and vulnerabilities.
     • Having crossed IT risk management off its list, senior leadership no longer prioritizes the improvement of the program.
     Resolution
     • To prevent your IT risk management program from becoming an artifact, follow the steps in this blueprint to conduct quarterly, semi-annual, or annual health checks to reassess your risk portfolio and the health of your program.
     • Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.
     • Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.
     • Get better at identifying and assessing IT risk and measure the improvement.
     • Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.
     Info-Tech Insight
     1. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.
     2. Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.
     3. The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.
  5. Info-Tech’s risk management health check insights
     Central Insight: A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Perform regular health checks to remain aware of the key risks threatening the business and your reputation.
     Phase insights (one for each of Phases 1, 2 and 3):
     • Info-Tech Insight: Risk management does not mean “checking a box.” Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.
     • Info-Tech Insight: Risk management should be seen and heard. Don’t let the business’ enthusiasm and support for IT risk management wane when key risks are mitigated and avoided. Communicate the dollar value of risk management in a compelling way to keep the business engaged.
     • Info-Tech Insight: The first health check is pivotal. Business stakeholders often perceive IT risk management as a project that needs to be completed once. Therefore the second year is crucial for institutionalizing an active and sustainable program. By successfully completing these activities a second time, the program gains momentum, increasing the likelihood of retaining stakeholder engagement in subsequent years as the program matures.
  6. Risk management is a top IT priority
     [Figure: IT Management & Governance Framework, benchmarking results for the Management & Governance Diagnostic. A heatmap of importance and effectiveness scores for each IT process across the domains Strategy & Governance, Apps, Data & BI, People & Resources, Security & Risk, Infrastructure & Operations, Service Planning & Architecture, Financial Management, and PPM & Projects. Legend quadrants: above/below average importance by above/below average effectiveness; the average is the overall average.]
     Info-Tech asked over 2,500 IT professionals to rate on a scale of 1 to 10 the importance of risk management and how effective they were at managing IT risks.
     Importance of risk management: 8.3 (above-average importance)
     Effectiveness of risk management: 5.9 (significantly below-average effectiveness)
     Info-Tech’s Top 10 IT Improvement Priorities: 1. Data Quality; 2. IT Governance; 3. Risk Management; 4. Knowledge Management; 5. Requirements Gathering; 6. Manage Service Catalog; 7. Organizational Change Management; 8. Quality Management; 9. Performance Measurement; 10. Application Portfolio Management.
     Despite an IT environment that is rapidly changing, 82% of organizations in North America reassess their IT risk portfolio annually or even less frequently (Protiviti).
  7. Don’t become complacent and allow your risk management program to flatline
     What type of risk management do you practise? [Figure: three maturity-over-time charts labelled One-and-done; On-again, off-again; Ongoing improvement.]
     Last year you identified the most important IT risks and implemented projects to protect IT and the business. Unfortunately, your risk assessment is already outdated. Keep your foot on the gas and maintain your momentum to avoid wasting all of the hard work you applied getting the program off the ground.
     A recent study found that a mere 23% of organizations describe their risk management processes as “mature” or “robust.”[1]
     Sources: 1 ERM Initiative; 2 PWC
  8. Why IT risk management programs falter
     Despite building a strong foundation with a formalized IT Risk Management Council, and repeatable processes for identifying, assessing, and responding to IT risk, risk management programs still fail for the following reasons:
     1. Risk management is considered a “checkmark project.” Two of the most common drivers for establishing an IT risk management program are compliance and internal/external audit requirements. Even if the CIO is committed to the program, the support of the rest of the senior leadership team may nosedive once they feel that IT risk management has been crossed off the list.
     2. Without communicating the cost savings stemming from the program, the value created by risk management is invisible to the business. The successful management of IT risk is difficult to measure, and therefore the value it creates for the business can be hard to see. Merely saying that risk events did not occur is not a powerful motivator for leadership to continue investing resources in the risk management program and sustain their interest. Executive sponsorship and the engagement of key stakeholders may dwindle without visceral reminders of how IT risk impacts the business.
     3. Obtaining business stakeholder participation is not as easy the second time around. IT risk is business risk; thus, the participation and engagement of key business stakeholders is integral to the successful identification and accurate assessment of IT risk. Robust risk management is demanding in terms of the participation and effort required of key stakeholders both inside and outside of IT. Getting business stakeholders to invest their time and expertise – even if it’s in their best interest – may be an unexpected roadblock to repeating the success of your first assessment.
  9. Don’t leave IT risk unmanaged in year 2, or you may need to update your résumé in year 3
     Take luck out of the equation – “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.
     The top four reasons why CIOs lose their jobs (Source: Silverton Consulting): Security Breaches; Project Failures; Disaster Recovery Failures; System Failures. [Figure: each of the four paired with IT Risk Management.]
     When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers. When effectively integrated with business risk management, IT risk management is your best job security policy.
     “If I wait until a risk event occurs, I might be out of a job before the business recovers.” – VP of Security and Risk, Energy Logistics Company
  10. A false sense of security may be your greatest risk
      The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Risk is a moving target that requires proactive and persistent attention. Only 60.5% of senior executives believe risks are being effectively monitored and reviewed (Project Management Institute). Follow the methodology in the blueprint to perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
      As the leader of your organization’s dormant IT risk management program, you may be the greatest IT risk of all.
      Use this blueprint to perform ongoing health checks on your risk management program:
      • Use Info-Tech’s risk identification methodology to detect new IT risks.
      • Reassess and reprioritize previously identified risks.
      • Evaluate the effectiveness of existing risk response projects and plan new actions to address top risks.
      12 new risks: One Info-Tech client discovered 12 additional risks during their second IT risk management workshop with Info-Tech analysts. The 12 risks included 5 that were missed the previous year, and 7 that reflected changes to the organizational context and threat landscape.
      IT risk management is not a “checkmark project.” While this can be hard for goal-oriented IT leaders to accept, the value derived from each risk assessment depreciates rapidly. The good news is that repeating and optimizing your processes will make risk management more efficient, thereby increasing the value you provide the business with each iteration.
      Tool: Risk Register Tool
  11. Workshop overview
      Contact your account representative or email Workshops@InfoTech.com for more information.
      Workshop Day 1
      AM: Perform a Risk Management Retrospective
      1.1 Review IT risk fundamentals
      1.2 Set workshop goals and expectations
      1.3 Assess the risk management process, and identify accomplishments and challenges
      PM: Assess Business Context Changes and Engage Stakeholders
      1.4 Build a Risk Management Program Improvement Plan
      Deliverables: 1. An updated Risk Management Program Manual; 2. A completed Risk Management Program Improvement Plan
      Workshop Day 2
      AM: Assess Business Context Changes and Engage Stakeholders
      2.1 Review IT and business context changes
      2.2 Consider how context changes impact organizational risk tolerance
      2.3 Generate tactics to re-engage business stakeholders
      PM: Assess Previously Identified IT Risks
      2.4 Determine if implemented risk responses were successful
      2.5 Re-assess the severity of previously identified risk events
      Deliverables: 1. An updated and complete Risk Register with all relevant IT risk events; 2. An updated Risk Management Program Manual; 3. A revised stakeholder RACI
      Workshop Day 3
      AM: Identify New Risks
      3.1 Augment the risk event list with capability maps
      3.2 Assess the severity of newly identified risk events
      3.3 Perform an expected cost assessment
      PM: Monitor IT Risks & Develop Risk Responses
      3.4 Perform a root cause analysis
      3.5 Identify and assess risk responses
      Deliverables: 1. An updated and complete Risk Register with all relevant IT risk events; 2. Completed Risk Event Action Plans; 3. An updated Risk Management Program Manual
      Workshop Day 4
      AM: Monitor IT Risks and Develop Risk Responses
      4.1 Identify and assess risk responses
      4.2 Review a risk response cost-benefit analysis
      4.3 Create multi-year cost projections
      PM: Communicate IT Risk Priorities
      4.4 Customize the IT Risk Management Executive Brief Template
      4.5 Finalize the Risk Report and Program Manual
      4.6 Transfer ownership of risk responses to project managers
      Deliverables: 1. A communication guide and completed IT Risk Management Executive Brief Template; 2. A detailed Risk Report; 3. An updated Risk Management Program Manual