IT Risk Management – An Elevated view

Risk management is part of any management science. (Period.) Any good project manager has a risk management plan for the project, the team, the organization, and so on. A risk management plan is part of any management science (yes, I’m repeating myself to stress the point).

CIOs are part of the management team, and any good (or even an ordinary) CIO has a risk management plan for the overall IT organization.

It is a basic principle of business: more risk, more profit. At the same time, business is not pure gambling; sometimes it is calculated gambling. Gambling is taking chances. When you take chances blindly, it is gambling; when you take chances after your due diligence, it is business. Maybe I’m oversimplifying it, but that is the simple definition. If a bank wants to AVOID risk, the ONLY way to avoid risk 100% is NOT to do business, that is, not to perform the steps toward the organization's goal, mission and vision. The philosophical interpretation is: if you want no complaints, then be nothing and do nothing.

Do we not take chances every day? Yes, we take chances every minute. I know someone will not agree with what I’m saying; there is a risk of rejection from someone. To avoid it, the best approach would be to stop expressing myself. By doing so, I could completely avoid the risk of my opinions being rejected, but I could not accomplish my mission (blog as much as I can). The point I’m trying to make is that risk is part of any management science and it should be managed well.

How to manage IT risk better?

A residual risk matrix (RRM) for the IT organization's risk is one of the key metrics a CIO should have in order to get a clear picture of the probability of exposure. Before I jump into the RRM, let me explain the key components of enterprise IT risk management.

Components of enterprise IT Risk management

  • Compliance Risk
  • Infrastructure risk (including data center and business locations)
  • Project Risk
  • Security Risk
  • Financial Risk
  • Technology Risk
  • Process Risk
  • Competency Risk
  • Vendor Risk (service providers like infra service, right sourcing, etc)
  • License Risk
  • Open source Risk
  • Business Risk

Steps to create an enterprise IT residual risk matrix (IT RRM)

  • Identify the known and known-unknown risks for each component of IT risk management
  • Devise a mitigation plan for each identified risk
  • Identify the cost of the mitigation plan
  • Identify the probability of the risk occurring
  • Calculate the risk at exposure (the risk the organization remains exposed to after the mitigation plan)

The IT residual risk matrix gives executive management an elevated view of the IT risk the organization is exposed to.
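The five steps above carried through in code, as an added example that is not part of the original post. The exposure formula (probability of occurrence times impact, with residual exposure using the probability left after mitigation), the register entries and every figure are assumptions constructed for the example, since the post gives no numbers.

```python
# Added example: building a residual risk matrix (RRM) from a risk register.
# Assumption not stated on the page: exposure = probability of occurrence x impact,
# and residual exposure uses the probability that remains after mitigation.
from dataclasses import dataclass

@dataclass
class Risk:
    component: str               # one of the IT risk components listed above
    name: str
    probability: float           # chance of occurrence per year, before mitigation (0..1)
    impact: float                # estimated loss if the risk materialises (currency units)
    mitigation: str              # the mitigation plan devised for this risk (step 2)
    mitigation_cost: float       # yearly cost of that plan (step 3)
    residual_probability: float  # chance remaining once the plan is in place (0..1)

    def __post_init__(self):
        for p in (self.probability, self.residual_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError(f"{self.name}: probability {p} must lie within 0..1")
        if self.residual_probability > self.probability:
            raise ValueError(f"{self.name}: mitigation must not raise the probability")

def inherent_exposure(risk: Risk) -> float:
    """Exposure before any mitigation: probability x impact."""
    return risk.probability * risk.impact

def residual_exposure(risk: Risk) -> float:
    """Exposure left after the mitigation plan is in place (step 5)."""
    return risk.residual_probability * risk.impact

def mitigation_worthwhile(risk: Risk) -> bool:
    """A plan pays for itself when the exposure it removes exceeds its cost."""
    return inherent_exposure(risk) - residual_exposure(risk) > risk.mitigation_cost

def residual_risk_matrix(risks):
    """One row per IT risk component: inherent exposure, residual exposure, mitigation cost."""
    matrix = {}
    for r in risks:
        row = matrix.setdefault(r.component, {"inherent": 0.0, "residual": 0.0, "cost": 0.0})
        row["inherent"] += inherent_exposure(r)
        row["residual"] += residual_exposure(r)
        row["cost"] += r.mitigation_cost
    return matrix
# Constructed sample register; the figures are illustrative, not from the page.
SAMPLE_RISKS = [
    Risk("Security Risk", "Unpatched internet-facing servers", 0.3, 500_000,
         "Monthly patch cycle plus external vulnerability scan", 60_000, 0.05),
    Risk("Vendor Risk", "Hosting provider outage", 0.2, 200_000,
         "Second provider on warm standby", 50_000, 0.1),
    Risk("Compliance Risk", "Audit finding on access reviews", 0.5, 40_000,
         "Quarterly automated access review", 5_000, 0.1),
]
```

Comparing each row's residual exposure with its mitigation cost is what lets the CIO see which plans reduce exposure by more than they cost; in the sample register the standby provider does not.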

4 Responses

  1. […] About me IT Risk Management – An Elevated view […]

  2. Hi Praba,

    Maybe you can elaborate on the components of enterprise IT Risk Management. This will probably turn into a very interesting series.

  3. […] Posted on January 24, 2009 by prabasiva IT vendor risk management is a component of over all IT risk management. In my previous blog on over all IT risk management, there is a comment from pmhut  to expand […]

  4. Dear PM Hut,

    Please see my comments on IT vendor risk management.
    I will expand the other components one by one.

    https://blog.prabasiva.com/2009/01/24/it-vendor-risk-management/

    Thank you
    -Praba
