MIT CISR research into IT risk management has identified the importance and implications of crossing silos in risk management: uniting the elements of risk management with each other, and uniting risk management with other elements of IT management. We view the language of risk as a fundamental element of effective IT/business alignment conversations. IT executives can use the key elements of MIT CISR research to discuss IT risk considerations in business terms. Further, we find that risk management is most effective when the risk governance process is used to drive improvements in the firm's IT foundation and risk-aware culture. IT executives can use risk to justify important investments that might not have a clear financial return. By incorporating risk into management conversations, IT and business managers become more comfortable discussing risk and better able to understand how to manage it. And, when conducting risk reviews, IT managers often discover ways to improve IT and business processes instead of merely protecting inefficient ones. In other words, companies that manage IT risk well also find ways to manage IT well. We emphasize the following key concepts in our research:
1. Four As: IT managers can improve alignment and understanding, both in IT and the business, by discussing IT risk considerations in terms of four key enterprise risks: Availability, Access, Accuracy and Agility. The four As can be the basis for effective IT/business alignment conversations, for evaluating risk implications of new investments, and for categorizing operational risks identified through more specialized risk management techniques.
2. Three disciplines: Organizations build effective IT risk management capability through three disciplines:
a. Foundation: A base of infrastructure, applications and supporting personnel that is well-structured, well-managed, and no more complex than absolutely necessary.
b. Risk governance process: Procedures and policies that provide an enterprise-level view of all IT risks, so that managers can prioritize risks and invest appropriately.
c. Risk-aware culture: A culture in which everyone has appropriate knowledge of risk, and in which open, non-threatening discussions of risk are the norm.
3. Risk management as an opportunity not just to protect the firm, but to drive improvements in IT management and business outcomes.
Related MIT CISR publications:
|Title|Author(s)|Type|Date|
|Winning With IoT: It's Time to Experiment|Wixom, Barbara H.|Research Briefing|2016-11-17|
|Working With Your Board on Digital Disruption?|Weill, Peter; Woerner, Stephanie L.|||
|Data Value Assessment: Recognizing Data as an Enterprise Asset|Wixom, Barbara H.; Markus, M. Lynne|||
|IT Risk|Westerman, George|Video|2010-10-15|
|Developing a Common Language About IT Risk Management|Westerman, George|||