Log In

Register

• Research Overview
  • Classic Topics
    • Enterprise Architecture
    • IT Governance
    • IT Portfolio Management
    • IT Risk
• Current Projects
  • Strengthening Your Digital Business Model
  • Building Digitized Platforms Can Be Slow: What Are the Alternatives?
  • Digital Innovation: Designing
    Customer-Centric Products and Services
  • Adapting Your Business’ Genome
    to a Digital Ecosystem
  • Case Studies in Social Media Innovations
  • BYOD: Radical Changes to Managing Technology and the People and Processes Relying on It
  • Working Smarter: Seizing the Opportunities Created by Ubiquitous Data
  • Managing Your Firm’s Total Digitization:
    The Next Frontier
  • Business Complexity: Shifting IT
    from Problem to Solution
  • Managing IT Supply and Demand: How to Build a World-Class Service Organization
• Research Briefings
  • 2012 Research Briefings
  • 2011 Research Briefings
  • 2010 Research Briefings
  • 2009 Research Briefings

Introduction

MIT CISR research into IT risk management has identified the importance and implications of crossing silos in risk management–uniting across elements of risk management and uniting risk management with other elements of IT management. We view the language of risk as a fundamental element of effective IT/business alignment conversations. IT executives can use the key elements of MIT CISR research to discuss IT risk considerations in business terms. Further, we find that risk management is most effective when the risk governance process is used to drive improvements in the firm’s IT foundation and risk aware culture. IT executives can use risk to justify important investments that might not have a clear financial return. By incorporating risk into management conversations, IT and business managers become more comfortable discussing risk and more able to understand how to manage it. And, when conducting risk reviews, IT managers often discover ways to improve IT and business processes instead of just protecting inefficient ones. In other words, companies that manage IT risk well also find ways to manage IT well. We emphasize the following key concepts in our research:

1. Four As: IT managers can improve alignment and understanding, both in IT and the business, by discussing IT risk considerations in terms of four key enterprise risks: Availability, Access, Accuracy and Agility. The four As can be the basis for effective IT/business alignment conversations, for evaluating risk implications of new investments, and for categorizing operational risks identified through more specialized risk management techniques.

2. Three disciplines: Organizations build effective IT risk management capability through three disciplines:

a. Foundation: A base of infrastructure, applications and supporting personnel which is well-structured, well-managed, and no more complex than absolutely necessary.

b. Risk governance process: Procedures and policies that provide an enterprise-level view of all IT risks, so that managers can prioritize risks and invest appropriately.

c. Risk aware culture: A culture in which everyone has appropriate knowledge of risk, and in which open, non-threatening discussions of risk are the norm.

3. Risk management as an opportunity not just to protect the firm, but to drive improvements in IT management and business outcomes.