CIOs are frequently asked, "What are our IT risks?" Unfortunately, this question is too generic, since there are multiple kinds of risk. Before starting any risk assessment, IT needs to understand both the concern prompting the request and which risks need to be assessed. Moreover, everyone needs to understand that nearly all risks that affect an IT organization affect the entire business.
Risks fall into four categories that require different mitigation tools:
Business operations risk. An assessment determines the risks involved in addressing or ignoring a particular competitive threat. Analyzing competitive threats helps the company decide whether to invest the resources necessary to combat the threat.
Determining appropriate responses to competitive threats from nontraditional sources can be particularly difficult. For example, many high-tech corporations initially dismissed Microsoft as just a bunch of Harvard dropouts. They paid dearly for underestimating that risk.
The appropriate mitigation tool is a good business case that evaluates all associated risks. For new business opportunities, a thorough risk assessment may be as important to success as accurate financial projections.
Program risk. For approved or existing programs, management concerns focus on whether the program or project will be delivered on time, within budget and with high quality. Risk is mitigated by effective project management and regular monitoring.
Business interruption risk. This type of risk affects the company's ability to continue operating under difficult circumstances. Scenarios span the gamut from a failed server to a destroyed building. In most cases, a failed server causes minor problems for certain people. In contrast, a destroyed building can bring all company operations to a halt.
Risk is mitigated by a continuity of operations (COOP) plan that describes how the business will function in the event of various difficulties. Most organizations start with an IT disaster recovery plan (DRP) for the data centre. Eventually, the DRP needs to be broadened to focus on restoring business processes and evolve into a full-blown COOP.
Market risk. This category is divided into geopolitical and industry-specific risks. Geopolitical risks include war, terrorism and epidemics, as well as nationalization and import restrictions. These risks vary depending on the country, the complexity of the corporate supply chain and the importance of the industry to political leadership. Industry-specific risks also vary. For example, financial services must contend with credit squeezes and meltdowns of collateralized debt obligations and structured investment vehicles. Consumer product makers may be plagued by "flash mobs" trashing their products via social networks.
Scenario planning mitigates risk by developing responses to various unlikely events. Most important, it attempts to discover previously unknown risks, because the most dangerous risk is often the one you don't identify.
Outsourcing endeavours -- particularly offshore -- have increased risks in each category. Risk assessments for these must address specialized concerns like communication and logistical difficulties, supplier viability and intellectual property rights.
Before embarking on any risk assessment, clarify which types of risk are of concern to your executive management. Then select the appropriate mitigation tools to address potential difficulties. Depending on the financial consequences, risk insurance may be warranted.
Thorough risk assessments leverage creative thinking into constructive preparations for addressing potential threats, and they're essential to success. As the old adage goes, "Forewarned is forearmed."
Bart Perkins is managing partner at Leverage Partners in the US, which helps organizations invest well in IT. Contact him at BartPerkins@LeveragePartners.com.