Playing Russian Roulette with Enterprise IT Risks

Bruce Skaistis

ISSUE/CHALLENGE

Russian roulette is a very dangerous game. Put one bullet in a revolver, spin the cylinder, put the gun to your head, and pull the trigger. Since most revolvers have six or more chambers in the cylinder, the odds are in your favor that nothing will happen when you pull the trigger. If something does happen Ė youíre dead!

Some companies are playing a similar game with enterprise IT risks. Instead of taking steps to eliminate or mitigate certain risks, they are playing the odds that the risk wonít hit them. If a risk hits, the consequences might not be as serious as losing at Russian roulette, but ignoring enterprise IT risks could cost a company a lot of money.

From my experience, there are two reasons why some critical enterprise IT risks are not being addressed. First, some companies donít recognize certain enterprise IT risks as risks. Network security and Sarbanes-Oxley related risks are pretty well understood Ė but other critical IT risks are being overlooked.

Second, itís hard to explain the potential impact of some enterprise IT risks. If a non-IT, C-level executive hears ďitís almost impossible to predict the probability of this risk occurring or the financial impact of the risk,Ē itís a good bet the C-level executive isnít going to take the risk very seriously.

SOLUTION

Whether companies are doing it intentionally or unintentionally, itís time to quit playing Russian roulette with critical enterprise IT risks. Here are some suggestions for more effectively addressing enterprise IT risks.

Elevate Enterprise IT Risk Management
Enterprise IT risks cannot be effectively addressed behind closed doors in the IT function. IT risks affect the entire company and need to be addressed on a company-wide basis.

If you already have a company-wide enterprise IT governance structure in place, you can address enterprise IT risks under the existing IT governance structure.

Many companies have already recognized the importance of effectively managing critical risks and have embraced the Enterprise Risk Management (ERM) concept. If a company has an ERM program in place, another option is to address enterprise IT risks under the ERM umbrella.

If you donít have a company-wide IT governance or ERM structure in place, you can create an enterprise IT risk management structure. This structure should include senior enterprise IT leaders as well as senior leaders from critical business functions, finance, and internal audit. This structure wonít work if it is delegated to mid-tier managers.

Identify Critical Enterprise IT Risks
Next, you need to identify critical enterprise IT risks that need to be addressed. Enterprise IT risks can be grouped into four broad categories:

IT management risks include alignment risks (doing the wrong things with enterprise IT resources), performance risks (IT resources not performing as expected), adaptability risks (not being able to quickly redirect enterprise IT resources in response to changing requirements or competitive conditions), project risks (major IT initiatives running into problems or not producing targeted benefits), technology risks (selecting and using inappropriate technology), and outsourcing risks (unsuccessful outsourcing relationships).

Quantify Potential Impact of Risks
Now the fun starts. You canít determine the criticality of risks unless you quantify the potential impact of the risks. I keep reading about how difficult it is to quantify enterprise IT risks. I disagree. It takes some thinking, but it really isnít that hard.

First you need to estimate the potential financial impact of the risk. What is the potential financial impact of your network being breached or your company suffering a major business interruption? You also have to estimate the financial impact of a failed outsourcing relationship or IT resources being used to do the wrong things.

From my perspective, there is no such thing as an intangible risk. If you canít put a financial impact on the risk, itís going to be almost impossible to convince non-IT, C-level executives that itís a risk.

After estimating the financial impact, you need to estimate the probability of the risk materializing within a certain timeframe. I recommend using the same timeframe your company uses to evaluate other IT investment.

If your company uses a three-year timeframe for evaluating IT investments, then you need to estimate the probability of a particular risk occurring within three years. Is the probability of a serious network breach within the next three years 5%, 25% or 100%? Estimating the probability of IT management risks is tougher, but you have to do it.

Multiply the financial impact of a risk by the probability of the risk occurring and you have quantified the potential risk. A risk with a potential impact of $50,000,000 and a probability of 10%, is a $5,000,000 risk. Another risk with a potential impact of $25,000,000 and a probability of 30% is a $7,500,000 risk.

Once you put a meaningful number on the risk, the risk is a lot easier to understand Ė and itís a lot easier to get resources to address the most critical risks.

Track Risk Mitigation Efforts
Companies spend a lot of money addressing enterprise IT risks, but many companies donít track the results. Your risk mitigation efforts will have a lot more credibility if you can show what has been done to address critical enterprise IT risks and what has been accomplished.

The impact of your risk mitigation efforts is easy to measure when you quantify the potential impact of the risks. Using the example of the $25,000,000 risk, if your company spends $1,000,000 to address the risk, you want to be able to show the potential financial impact of the risk or the probability of the risk has been reduced significantly. In other words, you need to prove your company got its moneyís worth in addressing the risk.

You also need to track the financial impact of enterprise IT risks that bite you. Tracking actual impacts will provide a basis for better understanding the potential impact of enterprise IT risks Ė and will hopefully show you are effectively addressing critical risks.

Reassess Potential Risks
Enterprise IT risks are a moving target because of risk mitigation efforts, new information about potential risks and other factors that can affect risks. You should reassess enterprise IT risks and update the potential impact of risks on an annual basis.

MORAL OF THE STORY

Public scrutiny and compliance regulations are forcing companies to actively track and address certain enterprise IT risks, but some companies continue to play the odds with other critical enterprise IT risks. Companies need to take a more proactive approach with all of their enterprise IT risks Ė particularly IT management risks.


About the Author
Bruce Skaistis is the founder of eGlobal CIO. He began his career as a consultant with Arthur Andersen and was CIO of a large bank group before forming his own management services firm. He has extensive enterprise IT management, process optimization, and action facilitation experience. Building on its ongoing research of enterprise IT best practices, eGlobal CIO provides knowledge resources and specialized support to help companies maximize the value and performance of enterprise IT resources and develop high performance enterprise IT leaders.


© Copyright ©2006 eGlobal CIO, Inc. All rights reserved.


Back