09/07: Riskit or Not? (Part II)
Category: Risk Management
» Posted by: rvenczel
In Part I of this post I examined Dr. Jyrki Kontio's Riskit method and how he connected the achievement of business goals to the concept of estimated utility loss and to decision making based on risk.
In Part II of this post I will examine how the model evolved over time, specifically the improvements brought about by the ISACA Risk IT Framework for Management of IT Related Business Risks.
Although a significant number of standards and frameworks for IT-related risk management have been developed over time (e.g., ISO/IEC 27005:2008, ISO/FDIS 31000:2009, AS/NZS 4360:2004, etc.), I selected ISACA's Risk IT Framework for a more in-depth review because I consider it – in conjunction with the COBIT Framework for IT Governance and Control – one of the more comprehensive models available: it emphasizes effective enterprise governance and management of IT risk, and it also considers business risks as they relate to the use of IT.
First of all, let us take a look at the six guiding principles for effective management of IT risk that the ISACA framework was built upon:
• Always connect to business objectives;
• Align the management of IT-related business risk with overall Enterprise Risk Management (ERM);
• Balance the costs and benefits of managing IT risk;
• Promote fair and open communication of IT risk;
• Establish the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels; and
• Are a continuous process and part of daily activities.
Although the Riskit method presented in Part I of this post touched on the importance of linking back to business goals, its narrower focus (i.e., giving project managers a tool they can use to record, analyze and mitigate risks so that they manage them in a systematic and consistent way) meant that the connection back to the “big picture” was quite sketchy. Not so with the ISACA framework. Building on COBIT, which provides a “comprehensive framework for the control and governance of business-driven information-technology-based (IT-based) solutions and services”, Risk IT is not only designed to assist in the management of IT-related risk (i.e., the use, ownership, operation, involvement, influence and adoption of IT within an enterprise) but also integrates with IT governance, IT strategy and, last but not least, the enterprise strategy. Moreover, as described in the first two principles listed above, it emphasizes the need for a constant connection with business values and objectives, and it aligns with the major ERM frameworks by applying their principles to the IT domain. I would also like to mention that, although it is not specifically part of the subject of this post, the Val IT Framework for Business Technology Management developed by ISACA completes the circle by describing how to track and maximise the return on IT investment (Note: this subject will be addressed in a future post to Crossroads Blog).
One of the key premises of the Risk IT process model and good practice guidance is the fact that IT risk is a component of the overall risk universe of the enterprise. More specifically, that “it is a business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise”.
In addition, it makes it clear that IT exists to support the business and, therefore, business management implicitly becomes the key stakeholder for any IT initiative meant to support specific business objectives (e.g., improving efficiency and access to relevant information, reducing costs, increasing quality, reducing project delivery times, etc.).
Without listing here the details of the Risk IT Framework, I would like to mention a couple of key “ingredients” that differentiate it from previously developed models, guidance, methods, etc. The Risk IT Framework:
• Integrates IT risk management with other risk management processes within the enterprise;
• Emphasizes the importance of studying the dependencies between various IT projects, and between IT and non-IT projects;
• Defines clearly stakeholders’ risk appetite and risk tolerance;
• Clarifies the role IT controls play in managing IT risk and why a proper cost-benefit analysis is necessary before investing in building a control framework;
• Includes periodical monitoring and testing of IT controls as key elements determining the quality and effectiveness of risk mitigation in the organization; and
• Explains why it is essential to define clear responsibilities and accountability for IT risk management, ensure continuous and appropriate communication, and provide adequate training for the IT risk processes to run smoothly and allow for further progress on the risk management maturity scale.
Besides being very “systematic” in describing the Risk IT process model (i.e., three domains, each with a domain goal and its processes; and each of the nine processes with its process goals and key activities), one of the major contributions that this particular framework brings to IT risk management is a significant improvement in terms of a detailed approach to IT risk scenario analysis (see Chapter 5 of The Risk IT Practitioner Guide) and the link back to business objectives.
By applying the IT risk management practices described in the Risk IT framework, both private sector and public organizations will be able to generate a series of tangible business benefits, such as “fewer operational surprises and failures, increased information quality, greater stakeholder confidence, reduced regulatory concerns, and innovative applications supporting new business initiatives.” Also, by balancing the risks and rewards of a specific opportunity, the use of the framework helps management make risk-aware decisions, with positive consequences for the bottom line.
In Part III, the last part of this post, I will be answering the question “Is IT risk analysis feasible and necessary?”, and I’ll be looking at the pitfalls of not having a risk management framework in place for information technology (IT) development and implementation.
Tags: Risk IT, Val IT, risk management