{"id":5687,"date":"2017-06-20T22:39:07","date_gmt":"2017-06-20T21:39:07","guid":{"rendered":"http:\/\/healthmedicinet.com\/business\/it-risk-its-not-cyber\/"},"modified":"2017-06-20T22:39:07","modified_gmt":"2017-06-20T21:39:07","slug":"it-risk-its-not-cyber","status":"publish","type":"post","link":"http:\/\/healthmedicinet.com\/business\/it-risk-its-not-cyber\/","title":{"rendered":"IT Risk: It&#8217;s not &#8216;Cyber&#8217;"},"content":{"rendered":"<p><span class=\"strong black\">While hackers haven&#8217;t put big companies out of business, there are plenty of examples of companies that failed because they were slow to respond to tech-driven market shifts.<\/span><\/p>\n<p class=\"\">In the digital era, IT isn\u2019t part of the business, IT <em>is<\/em> the business. But as IT\u2019s value has risen, so too has IT risk, and left unmanaged it can easily be the undoing of a company.<\/p>\n<p>Most attention to technology-related risk is focused on information risk, aka \u201ccyber,\u201d but there is a broader set of risks enterprise leaders worry about, best called \u201cIT risk.\u201d IT risk is the potential for unexpected (typically negative) business results associated with the use, ownership and adoption of information technology. No Fortune 1000 company has gone out of business from a cyber-attack or an IT system failure. However, dozens of large companies have disappeared after being too slow to adapt to technology-driven changes in their business models.<\/p>\n<p>IT risk is now a primary focus for assurance functions like enterprise risk management, compliance, legal and internal audit. Additionally, we\u2019re hearing from IT leaders that their boards are asking hard questions about how IT risks are being managed. 
Unfortunately, most IT leaders do not have good answers to questions about these risks, because they don\u2019t have the right people, governance structures or processes in place to manage IT risks effectively.<\/p>\n<p>CIOs need to get serious about IT risk management. To do so they must internalize three imperatives to ensure that business leaders know how much IT risk they\u2019re exposed to, and help those leaders manage that risk to the right level.<\/p>\n<p><strong>Imperative 1: Start focusing on the right risks<\/strong><\/p>\n<p>When asked about IT risk, most business leaders immediately think about a cyber-attack. This risk is salient and hence has long had a formal manager, the CISO. However, multiple studies show that data breaches are not material from a cost or long-term stock price perspective. Conversely, few leaders would think of the risks that are most existential in the digital era, risks like IT staff readiness for new roles or insufficient responsiveness to business needs.<\/p>\n<p>To help broaden IT\u2019s risk view, create a taxonomy of IT risks to be managed. This will define the scope of IT risk managers\u2019 responsibilities and help everyone speak the same language about risks. To get started, expand the risks within these seven categories:<\/p>\n<ol>\n<li>IT talent (employees and contractors)<\/li>\n<li>IT capacity<\/li>\n<li>Reliability and quality<\/li>\n<li>Legal and compliance<\/li>\n<li>Security and privacy<\/li>\n<li>Delivery<\/li>\n<li>Business enablement<\/li>\n<\/ol>\n<p>For example, IT talent risks can be expanded to include \u201cinsufficient staff,\u201d \u201cstaff are not ready for today\u2019s roles\u201d and \u201cstaff are not ready for new roles.\u201d<\/p>\n<p><strong>Imperative 2: Formalize management and governance over IT risk<\/strong><\/p>\n<p>With the risk taxonomy defined, the first step to formalizing IT risk management is to identify an entity responsible for holistic oversight of IT risks. 
Whether it\u2019s via a single leadership role or management by committee, the responsible party must formalize risk management processes, ensure accountability for risk decisions and raise awareness of IT risks throughout the enterprise.<\/p>\n<p>Second, ensure that risk decisions are left to the true owners of risk. Professional risk managers help identify risks and define and manage the process to analyze and treat them. But risk managers should not make risk treatment decisions since they lack the necessary understanding of the business context in which these decisions take place. Decisions made by risk managers are often more risk averse than the company\u2019s risk appetite, which in turn slows productivity, agility and innovation.<\/p>\n<p>Third, after shifting responsibility for risk decisions, accountability must follow. For risk management to work, companies must take two steps to create operational discipline around risk accountability. To start, processes must include formal acceptance of accountability for risk decisions. Then they must create management practices (such as reporting and incentives) to reinforce accountability.<\/p>\n<p><strong>Imperative 3: Ensure IT staff understand their role in managing, and encouraging, informed risk-taking<\/strong><\/p>\n<p>IT staff have long been trained to view risk as a bad thing to be minimized and often see themselves as protecting technology from employees on the business line who \u201cdon\u2019t get it.\u201d But risk aversion hinders staff from taking the bold steps necessary to transform IT and the business in the digital era. It also creates friction with corporate functions that are more open to risk.<\/p>\n<p>CIOs need to ensure their staff understand the company\u2019s risk appetite and improve their comfort with risk. Top-down messaging should consistently reinforce an openness to risk taking and failure. 
CIOs should implement bottom-up training, performance management and adjustments to hiring criteria to improve IT staff\u2019s comfort with risk.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>While hackers haven&#8217;t put big companies out of business, there are plenty of examples of companies that failed because they were slow to respond to tech-driven market shifts. In the digital era, IT isn\u2019t part of the business, IT is the business. But as IT\u2019s value has risen, so too has IT risk, and left [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5687","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/posts\/5687","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/comments?post=5687"}],"version-history":[{"count":0,"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/posts\/5687\/revisions"}],"wp:attachment":[{"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/media?parent=5687"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/categories?post=5687"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/healthmedicinet.com\/business\/wp-json\/wp\/v2\/tags?post=5687"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}