Is IT Risk Management just a Fad?
Joerg Fritsch NATO C3 Agency 21/10/09 | Session ID: GOV-208
Classification: Intermediate
Agenda
‘reductionist’ vs holistic?
IT Risk Management & Technology
A simple IT Risk framework
WIIFM (what’s in it for me?)
IT Security “Fads” over the past 15 years
[Figure: business impact plotted over time; time axis marks: 1997, 2001, 2003, 2006, today]
Sectors may have experienced these ‘fads’ at different stages
Wasn’t this about Technology?
What are the ‘potential risks’?
Description ITGI 2008
Insufficient number of staff 58%
IT service delivery problems 48%
High cost of IT with low/unproven ROI 41%
Lack of agility/development problems 39%
Staff with inadequate skills 38%
Problems with outsourcers 35%
Problems with document content or knowledge management 31%
Disconnect between IT strategy and business strategy 29%
Electronic archiving or storage problems 26%
Inadequate disaster recovery or business continuity measures (DRP/BCP) 26%
Source: IT Governance Global Status Report 2008
More about potential Information Technology Risks
• IT security risk management is a subset of technology management
• IT risks are side effects of the use of technology
• It is O.K. to understand and communicate complex technical issues behind a risk
• But what prevents us from doing this?
Two possible reasons: stereotypes and unchallenged assumptions
The following slides:
• Will tell a story about stereotypes and unchallenged assumptions
• Do not claim to be a comprehensive collection of reasons
No one wants to be perceived as a technocrat.
Systems thinking / holistic thinking is far better than ...
[Diagram labels: Stereotypes; Assumptions; Inhibition]
Stereotypes that prevent us from managing technology (risks)
Technicians are not interpersonally savvy.
Key communication skills not developed very well.
‘Technicians’ have personal issues
Technicians and senior management speak different languages.
‘Geek speak’
‘Technicians’ cannot talk business
Technicians see technology as an end and not as a means to an end.
Technicians recommend (new) technology because they are in love with it.
‘Technicians’ see Technology as end goal
Technology managers cannot make a career if the output of the firm is not technology related.
‘Technicians’ cannot make a career
[Diagram labels: Personal issues; Geek speak; T. is end goal; Not a fee earner]
Technology Management?
Business policies, strategy & mission statement. Interface with the business environment.
Technology provides information systems! Technology creates wealth. Interface with the technology landscape.
Control of operation, improvement & innovation. Technology forecast. Alignment of technology platform & technology strategy with business policies & mission.
[Diagram labels: General Management; Technology; Technology Management]
Better take pride in being involved with technology
• Technology provides information systems
• Technology creates wealth
• Technology is a tool
• Technology provides answers
• Technology …
• But technology also poses problems (management by exception?)
Everyone knows that
• Without (Information) Technology ‘it’ is not going to fly
• Without IT security ‘it’ is not going to fly either
• Nor is ‘it’ ever going to fly without a proper risk assessment
Let’s talk about ‘reductionist’ & holistic views
(CC), http://www.flickr.com/photos/ananth/2046725823/in/set-72157603700082721
‘Reductionist’ & holistic views (continued)
(CC), http://www.flickr.com/photos/ananth/2047524926/in/set-72157603700082721
(CC), http://www.flickr.com/photos/ananth/2047522102/in/set-72157603700082721
IT defies compartmentalization: Back to the primordial ooze?
• Does compartmentalization really contradict a holistic approach?
• Being ‘all over’ is not equal to not fitting in a compartment
• Compartments have human gatekeepers at the boundaries
An example of compartmentalization: The IT value chain
Goal: Positive impact of IT on business. Think about some buzzwords for alignment of business and IT here.
A representation without direction/orientation but with links/interfaces.
Compartmentalization is not necessarily negative.
Categorizing & compartmentalizing can be an essential skill if it is not overly used.
[Diagram labels: IT Value Chain (Strategy, Applications, Operations); Business Outcomes]
Did you have beneficial experiences with compartmentalization recently?
(CC), http://www.flickr.com/photos/toyohara/303600377/
IT Risk Framework (Fritsch, 2009)
(CC), http://www.flickr.com/photos/eriwst/2303608353/
Proposal: A simple IT Risk Framework
[Diagram labels: IT Risk Management; Risks (one each for BU1, BU2, IT, BU3); Enterprise Risk Management (ERM); Business Units assess their potential IT Risks; Compartmentalized; Holistic; Communities of Practice (CoPs)]
Proposal: A simple IT Risk Framework (continued 1)
• Compartments build Communities of Practice (CoPs) all having a stake in IT Risk Management
• IT Risk Management community stretches across vertical and horizontal organizational boundaries
• Gatekeepers (Employees) interface between boundaries, performance dependent on:
• Prior related knowledge
• Organizational culture
Proposal: A simple IT Risk Framework (continued 2)
• Use gatekeepers to integrate RM horizontally and vertically in the organization
• Risk Management can be integrated into existing processes
• As a consequence of well-integrated risk management, people often do not know that they are doing risk management.
Storytelling: positive effects of IT Risk management
• Plenty of methodologies and frameworks but little
• Living examples
• Authentic, memorable stories
• Story context around past failures and risk based decisions for current audiences
• Case Studies
• Tell me your story!
What’s in it for me?
(CC) http://www.flickr.com/photos/86257563@N00/476500197/
WIIFM
• This is a preliminary to a wider discussion. We can have (part of) that discussion
• Now
• Anytime soon
• Share your experience
• Think about the proposed framework