Info-Tech Research Group 1
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice.
Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2016 Info-Tech Research Group Inc.
Revive Your Risk Management Program with
a Regular Health Check
Don’t get complacent and allow your risk management program to flatline.
ANALYST PERSPECTIVE

IT risk is evolving. Is your risk management program keeping up?

Setting up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business is a significant step in your evolution as a strategic and proactive IT leader. However, the value of your latest risk assessment depreciates rapidly. Continuous monitoring and regular reassessment of your risk portfolio are crucial for ensuring that IT decision making continues to be made through a risk management lens. Risk-conscious decision making creates value for the business that should be measured and communicated.

Follow the steps outlined in this blueprint to perform regular health checks on your IT risk management program and keep pace with IT risk.

Scott Janz,
Consulting Analyst, CIO Advisory
Info-Tech Research Group
Our understanding of the problem

This Research Is Designed For:
• Any IT Leader responsible for IT risk management in their organization.
• Any CIO mandated to integrate IT risk management with their organization’s central risk management function or ERM.
• Any IT Director or Manager undertaking a risk assessment.
• Any IT Director or Manager responding to or preparing for an IT audit.

This Research Will Help You:
• Routinize a comprehensive IT risk management program.
• Ingrain a strategy for managing and mitigating risks to meet your organization’s risk appetite.
• Quantify risk exposure in meaningful financial terms.
• Maintain business engagement with IT risk management.

This Research Will Also Assist:
• Enterprise Risk Management (ERM)
• Senior Leadership

This Research Will Help Them:
• Develop consensus on organizational risk appetite.
• Establish a framework and metrics for acceptable risk tolerance.
• Align business and IT risk management objectives.
• Enable the business to make informed investments when managing IT risks.
Executive Summary

Situation
• You just implemented a formalized IT risk management program that integrates with the business.
• You successfully identified, assessed, and prioritized IT’s greatest risks, and communicated your recommendations for IT risk response projects to senior leadership.

Complication
• Because the organization is feeling secure, enthusiasm for the program and willingness to participate have waned both within and outside of IT.
• While the IT Risk Council continues to monitor previously identified risks, it remains unaware of evolving IT threats and vulnerabilities.
• Having crossed IT risk management off of its list, senior leadership no longer prioritizes the improvement of the program.

Resolution
• To prevent your IT risk management program from becoming an artifact, follow the steps in this blueprint to conduct quarterly, biannual, or annual health checks to re-assess your risk portfolio and the health of your program.
• Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.
• Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.
• Get better at identifying and assessing IT risk and measure the improvement.
• Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.

Info-Tech Insight
1. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.
2. Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.
3. The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.
Info-Tech’s risk management health check insights

Info-Tech Insight
Risk management does not mean “checking a box.” Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.
Phase 2

Central Insight:
A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Perform regular health checks to remain aware of the key risks threatening the business and your reputation.
Phase 3

Info-Tech Insight
The first health check is pivotal. Business stakeholders often perceive IT risk management as a project that needs to be completed once. Therefore the second year is crucial for institutionalizing an active and sustainable program. By successfully completing these activities a second time, the program gains momentum, increasing the likelihood of retaining stakeholder engagement in subsequent years as the program matures.

Info-Tech Insight
Risk management should be seen and heard. Don’t let the business’ enthusiasm and support for IT risk management wane when key risks are mitigated and avoided. Communicate the dollar value of risk management in a compelling way to keep the business engaged.
Phase 1
[Figure: IT Management & Governance Framework – Benchmarking Results for the Management & Governance Diagnostic. A heat map of IT capabilities grouped by domain (Strategy & Governance; Apps; Data & BI; People & Resources; Security & Risk; Infrastructure & Operations; Service Planning & Architecture; Financial Management; PPM & Projects), each capability showing an Effectiveness score and an Importance score on a 1-to-10 scale. Legend: Above Average Importance and Above Average Effectiveness; Below Average Importance and Above Average Effectiveness; Above Average Importance and Below Average Effectiveness; Below Average Importance and Below Average Effectiveness. *Average is based on the overall average.]
Risk management is a top IT priority

Info-Tech’s Top 10 IT Improvement Priorities
1. Data Quality
2. IT Governance
3. Risk Management
4. Knowledge Management
5. Requirements Gathering
6. Manage Service Catalog
7. Organizational Change Management
8. Quality Management
9. Performance Measurement
10. Application Portfolio Management

Info-Tech asked over 2,500 IT professionals to rate on a scale of 1 to 10 the importance of risk management and how effective they were at managing IT risks.
Importance of risk management: 8.3 (above-average importance)
Effectiveness of risk management: 5.9 (significantly below-average effectiveness)

82%: Despite an IT environment that is rapidly changing, 82% of organizations in North America re-assess their IT risk portfolio annually or even less frequently (Protiviti).
Don’t become complacent and allow your risk management program to flatline

What type of risk management do you practise?

[Figure: three charts of Maturity over Time, titled One-and-done, On-again, off-again, and Ongoing improvement.]

Last year you identified the most important IT risks and implemented projects to protect IT and the business. Unfortunately, your risk assessment is already outdated. Keep your foot on the gas and maintain your momentum to avoid wasting all of the hard work you applied getting the program off the ground.2

23%: A recent study found that a mere 23% of organizations describe their risk management processes as “mature” or “robust.”1

1 ERM Initiative; 2 PWC
Why IT risk management programs falter

Despite building a strong foundation with a formalized IT Risk Management Council, and repeatable processes for identifying, assessing, and responding to IT risk, risk management programs still fail for the following reasons:

1. Risk management is considered a “checkmark project.”
Two of the most common drivers for establishing an IT risk management program include compliance and internal/external audit requirements. Even if the CIO is committed to the program, the support of the rest of the senior leadership team may nosedive once they feel that IT risk management has been crossed off the list.

2. Without communicating the cost savings stemming from the program, the value created by risk management is invisible to the business.
The successful management of IT risk is difficult to measure, and therefore, the value it creates for the business can be hard to see. Merely saying that risk events did not occur is not exactly a powerful motivator for leadership to continue investing resources into the risk management program and sustain their interest. Executive sponsorship and the engagement of key stakeholders may dwindle without visceral reminders of how IT risk impacts the business.

3. Obtaining business stakeholder participation is not as easy the second time around.
IT risk is business risk. Thus, the participation and engagement of key business stakeholders is integral to the successful identification and accurate assessment of IT risk. Robust risk management is demanding in terms of the participation and effort required of key stakeholders both inside and outside of IT. Getting business stakeholders to invest their time and expertise – even if it’s in their best interest – may be an unexpected roadblock to repeating the success of your first assessment.
Don’t leave IT risk unmanaged in year 2, or you may need to update your résumé in year 3

Take luck out of the equation – “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.

The top four reasons why CIOs lose their jobs (Source: Silverton Consulting):
• Security Breaches
• Project Failures
• Disaster Recovery Failures
• System Failures

[Figure: each of the four failure types is shown with an X and the label IT Risk Management.]

When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers. When effectively integrated with business risk management, IT risk management is your best job security policy.

“If I wait until a risk event occurs, I might be out of a job before the business recovers.”
– VP of Security and Risk, Energy Logistics Company
A false sense of security may be your greatest risk

The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Risk is a moving target that requires proactive and persistent attention.

Only 60.5% of senior executives believe risks are being effectively monitored and reviewed (Project Management Institute). Follow the methodology in the blueprint to perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

Use this blueprint to perform ongoing health checks on your risk management program:
• Use Info-Tech’s risk identification methodology to detect new IT risks.
• Reassess and reprioritize previously identified risks.
• Evaluate the effectiveness of existing risk response projects and plan new actions to address top risks.

[Graphic: a “BEST BEFORE 31 DEC ??” stamp.] As the leader of your organization’s dormant IT risk management program, you may be the greatest IT risk of all.

12 new risks: One Info-Tech client discovered 12 additional risks during their second IT risk management workshop with Info-Tech analysts. The 12 risks included 5 that were missed the previous year, and 7 that reflected changes to the organizational context and threat landscape.

IT risk management is not a “checkmark project.” While this can be hard for goal-oriented IT leaders to accept, the value derived from each risk assessment depreciates rapidly. The good news is that repeating and optimizing your processes will make risk management more efficient, thereby increasing the value you provide the business with each iteration.

Risk Register Tool
Workshop overview

Contact your account representative or email Workshops@InfoTech.com for more information.

Workshop Day 1
Activities
AM: Perform a Risk Management Retrospective
1.1 Review IT risk fundamentals
1.2 Set workshop goals and expectations
1.3 Assess risk management process, and identify accomplishments and challenges
PM: Assess Business Context Changes and Engage Stakeholders
1.4 Build a Risk Management Program Improvement Plan
Deliverables
1. An updated Risk Management Program Manual
2. A completed Risk Management Program Improvement Plan

Workshop Day 2
Activities
AM: Assess Business Context Changes and Engage Stakeholders
2.1 Review IT and business context changes
2.2 Consider how context changes impact organizational risk tolerance
2.3 Generate tactics to re-engage business stakeholders
PM: Assess Previously Identified IT Risks
2.4 Determine if implemented risk responses were successful
2.5 Re-assess the severity of previously identified risk events
Deliverables
1. An updated and complete Risk Register with all relevant IT risk events
2. An updated Risk Management Program Manual
3. A revised stakeholder RACI

Workshop Day 3
Activities
AM: Identify New Risks
3.1 Augment risk event list with capability maps
3.2 Assess the severity of newly identified risk events
3.3 Perform an expected cost assessment
PM: Monitor IT Risks & Develop Risk Responses
3.4 Perform a root cause analysis
3.5 Identify and assess risk responses
Deliverables
1. An updated and complete Risk Register with all relevant IT risk events
2. Completed Risk Event Action Plans
3. An updated Risk Management Program Manual

Workshop Day 4
Activities
AM: Monitor IT Risks and Develop Risk Responses
4.1 Identify and assess risk responses
4.2 Review a risk response cost-benefit analysis
4.3 Create multi-year cost projections
PM: Communicate IT Risk Priorities
4.4 Customize the IT Risk Management Executive Brief Template
4.5 Finalize the Risk Report and Program Manual
4.6 Transfer ownership of risk responses to project managers
Deliverables
1. A communication guide and completed IT Risk Management Executive Brief Template
2. A detailed Risk Report
3. An updated Risk Management Program Manual
Info-Tech Research Group 12Info-Tech Research Group 12

Mais conteúdo relacionado

Mais de Info-Tech Research Group

Modernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureModernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureInfo-Tech Research Group
 
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsCraft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsInfo-Tech Research Group
 
Develop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyDevelop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyInfo-Tech Research Group
 
Implement an enterprise service bus revised
Implement an enterprise service bus    revisedImplement an enterprise service bus    revised
Implement an enterprise service bus revisedInfo-Tech Research Group
 
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsStay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsInfo-Tech Research Group
 
Create a right sized disaster recovery plan
Create a right sized disaster recovery planCreate a right sized disaster recovery plan
Create a right sized disaster recovery planInfo-Tech Research Group
 
The 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureThe 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureInfo-Tech Research Group
 

Mais de Info-Tech Research Group (20)

Modernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration InfrastructureModernize Communications and Collaboration Infrastructure
Modernize Communications and Collaboration Infrastructure
 
Optimize the IT Operating Model
Optimize the IT Operating ModelOptimize the IT Operating Model
Optimize the IT Operating Model
 
Info-Tech Membership Overview
Info-Tech Membership OverviewInfo-Tech Membership Overview
Info-Tech Membership Overview
 
Define an EA Operating Model
Define an EA Operating ModelDefine an EA Operating Model
Define an EA Operating Model
 
Become a Transformational CIO
Become a Transformational CIOBecome a Transformational CIO
Become a Transformational CIO
 
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize BenefitsCraft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
Craft an End-to-End Data Center Consolidation Strategy to Maximize Benefits
 
Build and Information Security Strategy
Build and Information Security StrategyBuild and Information Security Strategy
Build and Information Security Strategy
 
Build an Application Integration Strategy
Build an Application Integration StrategyBuild an Application Integration Strategy
Build an Application Integration Strategy
 
Develop a Project Portfolio Management Strategy
Develop a Project Portfolio Management StrategyDevelop a Project Portfolio Management Strategy
Develop a Project Portfolio Management Strategy
 
Implement an enterprise service bus revised
Implement an enterprise service bus    revisedImplement an enterprise service bus    revised
Implement an enterprise service bus revised
 
Implement a Shared Services Model
Implement a Shared Services ModelImplement a Shared Services Model
Implement a Shared Services Model
 
Assess and Optimize EA Capability
Assess and Optimize EA CapabilityAssess and Optimize EA Capability
Assess and Optimize EA Capability
 
Survive an Impending Audit
Survive an Impending AuditSurvive an Impending Audit
Survive an Impending Audit
 
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App TrendsStay on Top of Today’s and Tomorrow’s Mobile App Trends
Stay on Top of Today’s and Tomorrow’s Mobile App Trends
 
Fast track critical leadership skills
Fast track critical leadership skillsFast track critical leadership skills
Fast track critical leadership skills
 
Enterprise mobility management
Enterprise mobility managementEnterprise mobility management
Enterprise mobility management
 
Create a right sized disaster recovery plan
Create a right sized disaster recovery planCreate a right sized disaster recovery plan
Create a right sized disaster recovery plan
 
The 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise ArchitectureThe 10 Principles of Enterprise Architecture
The 10 Principles of Enterprise Architecture
 
Decode the Corporate Strategy
Decode the Corporate StrategyDecode the Corporate Strategy
Decode the Corporate Strategy
 
Manage a Minimum-Viable PMO
Manage a Minimum-Viable PMOManage a Minimum-Viable PMO
Manage a Minimum-Viable PMO
 

Último

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 

Último (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Revive Your Risk Mgmt Program With a Regular Health Check

  • 3. Our understanding of the problem
    This Research Is Designed For:
    • Any IT Leader responsible for IT risk management in their organization.
    • Any CIO mandated to integrate IT risk management with their organization’s central risk management function or ERM.
    • Any IT Director or Manager undertaking a risk assessment.
    • Any IT Director or Manager responding to or preparing for an IT audit.
    This Research Will Help You:
    • Routinize a comprehensive IT risk management program.
    • Ingrain a strategy for managing and mitigating risks to meet your organization’s risk appetite.
    • Quantify risk exposure in meaningful financial terms.
    • Maintain business engagement with IT risk management.
    This Research Will Also Assist:
    • Enterprise Risk Management (ERM)
    • Senior Leadership
    This Research Will Help Them:
    • Develop consensus on organizational risk appetite.
    • Establish a framework and metrics for acceptable risk tolerance.
    • Align business and IT risk management objectives.
    • Enable the business to make informed investments when managing IT risks.
  • 4. Executive Summary
    Situation
    • You just implemented a formalized IT risk management program that integrates with the business.
    • You successfully identified, assessed, and prioritized IT’s greatest risks, and communicated your recommendations for IT risk response projects to senior leadership.
    Complication
    • Because the organization is feeling secure, enthusiasm for the program and willingness to participate have waned both within and outside of IT.
    • While the IT Risk Council continues to monitor previously identified risks, it remains unaware of evolving IT threats and vulnerabilities.
    • Having crossed IT risk management off its list, senior leadership no longer prioritizes the improvement of the program.
    Resolution
    • To prevent your IT risk management program from becoming an artifact, follow the steps in this blueprint to conduct quarterly, biannual, or annual health checks to re-assess your risk portfolio and the health of your program.
    • Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.
    • Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.
    • Get better at identifying and assessing IT risk, and measure the improvement.
    • Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.
    Info-Tech Insight
    1. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.
    2. Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.
    3. The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.
  • 5. Info-Tech’s risk management health check insights
    Info-Tech Insight: Risk management does not mean “checking a box.” Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.
    Phase 2 Central Insight: A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Perform regular health checks to remain aware of the key risks threatening the business and your reputation.
    Phase 3 Info-Tech Insight: The first health check is pivotal. Business stakeholders often perceive IT risk management as a project that needs to be completed once. Therefore the second year is crucial for institutionalizing an active and sustainable program. By successfully completing these activities a second time, the program gains momentum, increasing the likelihood of retaining stakeholder engagement in subsequent years as the program matures.
    Info-Tech Insight (Phase 1): Risk management should be seen and heard. Don’t let the business’ enthusiasm and support for IT risk management wane when key risks are mitigated and avoided. Communicate the dollar value of risk management in a compelling way to keep the business engaged.
  • 6. Risk management is a top IT priority
    [Figure: IT Management & Governance Framework, benchmarking results for the Management & Governance Diagnostic. A heat map of IT processes grouped under Strategy & Governance, Apps, Data & BI, People & Resources, Security & Risk, Infrastructure & Operations, Service Planning & Architecture, Financial Management, and PPM & Projects, each scored on Effectiveness and Importance. Legend: above/below average importance crossed with above/below average effectiveness; average is the overall average. Per-process scores are not reproduced here.]
    Info-Tech asked over 2,500 IT professionals to rate on a scale of 1 to 10 the importance of risk management and how effective they were at managing IT risks.
    • Importance of risk management: 8.3 (above-average importance)
    • Effectiveness of risk management: 5.9 (significantly below-average effectiveness)
    Info-Tech’s Top 10 IT Improvement Priorities:
    1. Data Quality
    2. IT Governance
    3. Risk Management
    4. Knowledge Management
    5. Requirements Gathering
    6. Manage Service Catalog
    7. Organizational Change Management
    8. Quality Management
    9. Performance Measurement
    10. Application Portfolio Management
    Despite an IT environment that is rapidly changing, 82% of organizations in North America re-assess their IT risk portfolio annually or even less frequently (Protiviti).
  • 7. Don’t become complacent and allow your risk management program to flatline
    What type of risk management do you practise? [Figure: three charts of maturity over time, labelled “One-and-done”, “On-again, off-again”, and “Ongoing improvement”.]
    Last year you identified the most important IT risks and implemented projects to protect IT and the business. Unfortunately, your risk assessment is already outdated. Keep your foot on the gas and maintain your momentum to avoid wasting all of the hard work you applied getting the program off the ground.
    A recent study found that a mere 23% of organizations describe their risk management processes as “mature” or “robust.”[1][2]
    Sources: 1. ERM Initiative; 2. PWC
  • 8. Why IT risk management programs falter
    Despite building a strong foundation with a formalized IT Risk Management Council, and repeatable processes for identifying, assessing, and responding to IT risk, risk management programs still fail for the following reasons:
    1. Risk management is considered a “checkmark project.” Two of the most common drivers for establishing an IT risk management program include compliance and internal/external audit requirements. Even if the CIO is committed to the program, the support of the rest of the senior leadership team may nosedive once they feel that IT risk management has been crossed off the list.
    2. Obtaining business stakeholder participation is not as easy the second time around. IT risk is business risk. Thus, the participation and engagement of key business stakeholders is integral to the successful identification and accurate assessment of IT risk. Robust risk management is demanding in terms of the participation and effort required of key stakeholders both inside and outside of IT. Getting business stakeholders to invest their time and expertise – even if it’s in their best interest – may be an unexpected roadblock to repeating the success of your first assessment.
    3. Without communicating the cost savings stemming from the program, the value created by risk management is invisible to the business. The successful management of IT risk is difficult to measure, and therefore, the value it creates for the business can be hard to see. Merely saying that risk events did not occur is not exactly a powerful motivator for leadership to continue investing resources into the risk management program and sustain their interest. Executive sponsorship and the engagement of key stakeholders may dwindle without visceral reminders of how IT risk impacts the business.
  • 9. Don’t leave IT risk unmanaged in year 2, or you may need to update your résumé in year 3
    The top four reasons why CIOs lose their jobs (source: Silverton Consulting): Security Breaches; Project Failures; Disaster Recovery Failures; System Failures. [Figure: each of the four is shown crossed out by “IT Risk Management”.]
    When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers. When effectively integrated with business risk management, IT risk management is your best job security policy.
    Take luck out of the equation – “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.
    “If I wait until a risk event occurs, I might be out of a job before the business recovers.” – VP of Security and Risk, Energy Logistics Company
  • 10. A false sense of security may be your greatest risk
    The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Risk is a moving target that requires proactive and persistent attention. Only 60.5% of senior executives believe risks are being effectively monitored and reviewed (Project Management Institute). Follow the methodology in the blueprint to perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.
    Use this blueprint to perform ongoing health checks on your risk management program:
    • Use Info-Tech’s risk identification methodology to detect new IT risks.
    • Reassess and reprioritize previously identified risks.
    • Evaluate the effectiveness of existing risk response projects and plan new actions to address top risks.
    [Figure: a “BEST BEFORE 31 DEC ??” stamp.] As the leader of your organization’s dormant IT risk management program, you may be the greatest IT risk of all.
    12 new risks: One Info-Tech client discovered 12 additional risks during their second IT risk management workshop with Info-Tech analysts. The 12 risks included 5 that were missed the previous year, and 7 that reflected changes to the organizational context and threat landscape.
    IT risk management is not a “checkmark project.” While this can be hard for goal-oriented IT leaders to accept, the value derived from each risk assessment depreciates rapidly. The good news is that repeating and optimizing your processes will make risk management more efficient, thereby increasing the value you provide the business with each iteration.
    Tool: Risk Register Tool
  • 11. Workshop overview
    Contact your account representative or email Workshops@InfoTech.com for more information.
    Workshop Day 1
    AM: Perform a Risk Management Retrospective
    1.1 Review IT risk fundamentals
    1.2 Set workshop goals and expectations
    1.3 Assess risk management process, and identify accomplishments and challenges
    PM: Assess Business Context Changes and Engage Stakeholders
    1.4 Build a Risk Management Program Improvement Plan
    Deliverables: 1. An updated Risk Management Program Manual; 2. A completed Risk Management Program Improvement Plan
    Workshop Day 2
    AM: Assess Business Context Changes and Engage Stakeholders
    2.1 Review IT and business context changes
    2.2 Consider how context changes impact organizational risk tolerance
    2.3 Generate tactics to re-engage business stakeholders
    PM: Assess Previously Identified IT Risks
    2.4 Determine if implemented risk responses were successful
    2.5 Re-assess the severity of previously identified risk events
    Deliverables: 1. An updated and complete Risk Register with all relevant IT risk events; 2. An updated Risk Management Program Manual; 3. A revised stakeholder RACI
    Workshop Day 3
    AM: Identify New Risks
    3.1 Augment risk event list with capability maps
    3.2 Assess the severity of newly identified risk events
    3.3 Perform an expected cost assessment
    PM: Monitor IT Risks & Develop Risk Responses
    3.4 Perform a root cause analysis
    3.5 Identify and assess risk responses
    Deliverables: 1. An updated and complete Risk Register with all relevant IT risk events; 2. Completed Risk Event Action Plans; 3. An updated Risk Management Program Manual
    Workshop Day 4
    AM: Monitor IT Risks and Develop Risk Responses
    4.1 Identify and assess risk responses
    4.2 Review a risk response cost-benefit analysis
    4.3 Create multi-year cost projections
    PM: Communicate IT Risk Priorities
    4.4 Customize the IT Risk Management Executive Brief Template
    4.5 Finalize the Risk Report and Program Manual
    4.6 Transfer ownership of risk responses to project managers
    Deliverables: 1. A communication guide and completed IT Risk Management Executive Brief Template; 2. A detailed Risk Report; 3. An updated Risk Management Program Manual
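The workshop agenda names an expected cost assessment (3.3), a risk response cost-benefit analysis (4.2) and multi-year cost projections (4.3) without showing how the numbers are produced, and the deck's recurring point is that risk management must be communicated in dollar terms. The Python below is an added illustration of those three calculations; it is not Info-Tech's Risk Register Tool or its scoring method. It assumes a plain expected-loss model: each risk event has an annual likelihood (expected occurrences per year) and a dollar impact per occurrence, and each response scales those by residual factors. The register, responses and all figures are constructed for the example.

```python
"""Expected-cost assessment, response cost-benefit and multi-year projection
for an IT risk register.

Added illustration only. The model (expected cost = annual likelihood x impact,
responses as multiplicative residual factors) is an assumption, not Info-Tech's
Risk Register Tool. Every figure below is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    name: str
    annual_likelihood: float   # expected occurrences per year (assumed scale)
    impact: float              # loss per occurrence, in dollars (assumed)

    def expected_annual_cost(self) -> float:
        return self.annual_likelihood * self.impact


@dataclass(frozen=True)
class RiskResponse:
    name: str
    treats: str                # name of the RiskEvent this response addresses
    likelihood_factor: float   # residual likelihood multiplier (0.2 = 80% reduction)
    impact_factor: float       # residual impact multiplier
    upfront_cost: float        # one-time cost, charged in year 1
    annual_cost: float         # recurring cost per year


def expected_cost(register: list[RiskEvent]) -> float:
    """Step 3.3: total expected annual cost of the untreated register."""
    return sum(e.expected_annual_cost() for e in register)


def residual_cost(event: RiskEvent, responses: list[RiskResponse]) -> float:
    """Expected annual cost of one event after every response that treats it.
    Factors compound multiplicatively when several responses treat one event."""
    lik, imp = event.annual_likelihood, event.impact
    for r in responses:
        if r.treats == event.name:
            lik *= r.likelihood_factor
            imp *= r.impact_factor
    return lik * imp


def net_benefit(register: list[RiskEvent], response: RiskResponse, years: int) -> float:
    """Step 4.2: expected loss avoided over `years` minus what the response costs."""
    event = next(e for e in register if e.name == response.treats)
    avoided_per_year = event.expected_annual_cost() - residual_cost(event, [response])
    return years * avoided_per_year - (response.upfront_cost + years * response.annual_cost)


def rank_responses(register: list[RiskEvent], responses: list[RiskResponse], years: int):
    """Responses ordered by net benefit over the horizon, best first."""
    scored = [(r.name, net_benefit(register, r, years)) for r in responses]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def project(register: list[RiskEvent], responses: list[RiskResponse], years: int):
    """Step 4.3: year-by-year projection for a funded set of responses.
    Upfront costs land in year 1; recurring costs every year."""
    without = expected_cost(register)
    treated = sum(residual_cost(e, responses) for e in register)
    rows, cumulative = [], 0.0
    for year in range(1, years + 1):
        spend = sum(r.annual_cost for r in responses)
        if year == 1:
            spend += sum(r.upfront_cost for r in responses)
        net = without - treated - spend
        cumulative += net
        rows.append({"year": year, "expected_cost_untreated": without,
                     "expected_cost_treated": treated, "response_spend": spend,
                     "net": net, "cumulative_net": cumulative})
    return rows


# Constructed sample register and candidate responses (not real client data).
REGISTER = [
    RiskEvent("Ransomware on file servers", 0.2, 1_500_000),
    RiskEvent("Core ERP outage", 0.5, 200_000),
    RiskEvent("Key vendor insolvency", 0.1, 400_000),
]
RESPONSES = [
    RiskResponse("Offline backups and restore drills", "Ransomware on file servers",
                 1.0, 0.2, 120_000, 30_000),
    RiskResponse("ERP high availability", "Core ERP outage",
                 0.2, 1.0, 250_000, 60_000),
    RiskResponse("Second-source vendor contract", "Key vendor insolvency",
                 0.5, 0.5, 10_000, 15_000),
]

if __name__ == "__main__":
    print(f"Untreated expected annual cost: ${expected_cost(REGISTER):,.0f}")
    for name, net in rank_responses(REGISTER, RESPONSES, years=3):
        print(f"{name:40s} 3-year net benefit: ${net:,.0f}")
    for row in project(REGISTER, RESPONSES, years=3):
        print(f"Year {row['year']}: net ${row['net']:,.0f}, cumulative ${row['cumulative_net']:,.0f}")
```

Two things the ranking shows that the agenda alone does not: a response can reduce a risk substantially and still have a negative net benefit over the horizon (the ERP high-availability item in the sample), and the funded portfolio can run at a loss in year 1 because of upfront spend and only turn positive in later years, which is exactly why the multi-year projection, rather than a single-year figure, is what gets presented to senior leadership.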