Risk management is part of any management science. (period) Any good project managers do have a risk management plan of a project, team, organization and etc . Risk management plan is part of any management science (yes, I’m repeating myself to stress the point).

CIO‘s are part of the management team and any good (or even an ordinary) CIOs do have a risk management plan for the over all IT organization.

It is a basic principle of business, more risk more profit. At the same time, business is not pure gambling and some time it is calculated gambling. When it comes to gambling, it is taking the chances. When you take the chances blindly, then it is gambling and when you take chances after your due diligence then it is business. May be, I’m over simplifying it but that is the simple definition. If a bank wants to AVOID risk, the ONLY best way to avoid risk 100% is NOT to do business. That is, not performing steps towards their organization goal, mission and vision. Philosophical interpretation is, if you want no complaints then be nothing and do nothing.

Are we not take chances every day? Yes, we take chances every minute. I know some one do not agree what I’m saying. There is a risk of rejection from someone. To avoid it, the best approach is to stop expressing myself. By doing so, I can completely avoid the risk of rejection of my opinions but I can not accomplish my mission (Blog as much I can). The point I’m trying to make is, risk is part of any management science and it should be managed better.

How to manage IT risk better?

Residual risk matrix (RRM) for an IT organization risk is one of key metrics a CIO should have to have a clear picture on probability of exposure. Before I jump into the RRM, let me explain what are the key components of enterprise IT risk management?

Components of enterprise IT Risk management

• Compliance Risk
• Infrastructure risk (including data center and business locations)
• Project Risk
• Security Risk
• Financial Risk
• Technology Risk
• Process Risk
• Competency Risk
• Vendor Risk (service providers like infra service, right sourcing, etc)
• License Risk
• Open source Risk
• Business Risk

Steps to create an enterprise IT residual risk matrix (IT RRM)

• Identify the known & known unknown risk for each components of the IT risk management
• Device a mitigation plan for each identified risk
• Identify the cost of the mitigation plan
• Identify the probability of the risk occurrence
• Calculate the risk at exposure (risk exposed to the organization after the mitigation plan)

IT Residual Risk Matrix provides an elevated view to the executive management on the exposed IT risk.