Info-Tech Research Group
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice.
Info-Tech’s products and services combine actionable insight and relevant advice with
ready-to-use tools and templates that cover the full spectrum of IT concerns.
© 1997-2016 Info-Tech Research Group Inc.
Build a Business-Driven IT Risk Management Program
Hope is not a risk management strategy.
ANALYST PERSPECTIVE
A good security practice is not enough to manage IT risk.
When most CIOs and IT leaders think of risk, their minds immediately jump to
the latest security threat making headlines.
While security is an important part of IT risk, it is only one component. Risk
across IT requires a holistic perspective, driven by the needs and priorities of
the business. Failing to understand the true business ramifications of IT risk
exposes the business to IT-related threats, or leads to overspending on low-
priority initiatives. Like good leadership, risk management must be proactive,
dynamic, and constantly improving. In the modern IT risk environment, hoping
for the best is not an acceptable strategy for managing risk – and the line
between optimism and negligence is razor thin.
Use this blueprint to build a right-sized, business-driven risk management
program with minimal effort.
Scott Janz, Consulting Analyst, CIO Advisory, Info-Tech Research Group
Our understanding of the problem
This Research Is Designed For:
• Any IT Leader responsible for IT risk management in their organization.
• Any CIO mandated to integrate IT risk management with their organization’s central risk management function or Enterprise Risk Management (ERM).
• Any IT Director or Manager undertaking a risk assessment.
• Any IT Director or Manager responding to or preparing for an IT audit.
This Research Will Help You:
• Establish a comprehensive IT risk management program that exposes your IT risks.
• Create a strategy for managing and mitigating risks to meet your organization’s risk appetite.
• Quantify risk exposure in meaningful financial terms.
• Build business buy-in and shared accountability for business-impacting IT risks.
This Research Will Also Assist:
• Enterprise Risk Management
• Senior Leadership
This Research Will Help Them:
• Develop consensus on organizational risk appetite.
• Establish a framework and metrics for acceptable risk tolerance.
• Align business and IT risk management objectives.
• Enable the business to make informed investments when managing IT risks.
Executive Summary
Situation
• Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
• 66% of organizations do not formally manage IT risk. [1]
• IT risk is business risk – however, IT is often left to manage risk independently.
Complication
• Reacting to risks AFTER they occur can be costly and crippling, yet is one of the most common tactics used by IT departments.
• Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
• Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.
Resolution
• Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%. [2]
• Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur and have serious implications.
• Involve key stakeholders including the business senior management team to gain buy-in and to focus on IT risks that matter most to the organization.
• Share accountability for IT risk with business stakeholders and have them weigh in on prioritizing investments in risk response activities.
Info-Tech Insight
1. IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
2. Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
3. You don’t know what you don’t know. And what you don’t know can hurt you. To find hidden risks, you must utilize a structured risk identification method.
1: ESI International
2: Info-Tech Research Group, 2013, N=76
Poor IT risk management is expensive
IT RISK IS HEADLINE NEWS
[Figure: headline clippings from The Wall Street Journal, The Washington Post, BBC, Computer Business Review, The Guardian, and The Australian.]
IT Management & Governance Framework
Benchmarking Results for the Management & Governance Diagnostic
[Figure: a grid of IT processes grouped under Strategy & Governance, Apps, Data & BI, People & Resources, Security & Risk, Infrastructure & Operations, Service Planning & Architecture, Financial Management, and PPM & Projects, each scored on Effectiveness and Importance. Legend: Above Average Importance and Above Average Effectiveness; Below Average Importance and Above Average Effectiveness; Above Average Importance and Below Average Effectiveness; Below Average Importance and Below Average Effectiveness. *Average is based on the overall average.]
Risk management is a top IT priority
Info-Tech’s Top 10 IT Improvement Priorities
1. Data Quality
2. IT Governance
3. Risk Management
4. Knowledge Management
5. Requirements Gathering
6. Manage Service Catalog
7. Organizational Change Management
8. Quality Management
9. Performance Measurement
10. Application Portfolio Management
Info-Tech asked over 2,500 IT professionals to rate, on a scale of 1 to 10, the importance of risk management and how effective they were at managing IT risks.
Importance of risk management: 8.3 (above average importance)
Effectiveness of risk management: 5.9 (significantly below average effectiveness)
For more information, see Info-Tech’s IT Management & Governance Diagnostic.
66% of organizations lack a formal risk management program [1]
If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.
Ad hoc approaches to managing risk fail because…
1. Ad hoc risk management is often reactionary.
• Without formalized procedures for managing IT risk, risk events are often “managed” after they have occurred.
• IT departments that spend most of their time putting out fires receive the lowest ratings for satisfaction and perceived value by business stakeholders.
2. Ad hoc risk management is often focused only on IT security.
• Organizations must respond to the entire spectrum of IT risk.
• A client who recently completed Info-Tech’s methodology for risk identification and assessment found that only 15 of the 135 IT risks identified were related to security and compliance.
3. Ad hoc risk management lacks alignment with business objectives.
• Many IT risk assessments fail to communicate IT risks in a way that compels the business to take action.
• 63% of CEOs indicate they want IT to provide better risk metrics (CIO-CEO Alignment survey data, Info-Tech Research Group).
The results:
• Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
• Increased IT non-compliance, resulting in costly settlements and fines.
• IT audit failure.
• Ineffective management of risk caused by poor risk information and wrong risk response decisions.
• Increased unnecessary and avoidable IT failures and fixes.
“Most IT departments aren’t thinking about formal risk management, and if they are, it’s back-of-the-napkin planning.”
Ken Piddington, CIO & Executive Advisor, MRE Consulting
1: ESI International
Unmanaged IT risk isn’t just bad for the organization, it’s also bad for your career
Take luck out of the equation – “Hoping for the best” is not a risk management strategy.
Take control of IT risk and avoid leaving your job security to chance.
The top four reasons why CIOs lose their jobs (Source: Silverton Consulting):
• Security Breaches
• Project Failures
• Disaster Recovery Failures
• System Failures
When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers.
When effectively integrated with business risk management, IT risk management is your best job security policy.
“If I wait until a risk event occurs, I might be out of a job before the business recovers.”
– VP of Security and Risk, Energy Logistics Company
CASE STUDY
Ensure that your greatest IT risks are on your radar
IT vendor risks may be your greatest business risks.
Focusing on internal IT security risks may not be enough to protect your organization from a breach. Learn from these organizations whose security breaches all originated from third-party vendors.
“AT&T data breaches revealed: 280K US customers exposed” [1]
Employees at an IT service provider stole customer names and SSNs to request unlock codes for stolen phones. In 2015, AT&T agreed to settle with the FCC and pay a $25 M fine.
“Home Depot faces dozens of data breach lawsuits” [2]
Hackers stole credentials from a third-party vendor to gain access to Home Depot’s network, stealing data from 56 million credit cards, as well as 53 million email addresses.
“868,000 Payment Cards, 330 Stores Hit in Goodwill Credit Card Breach” [3]
Hackers breached the system of a cloud-based card processing service vendor, with the intrusion lasting more than 18 months. [4]
1: CNBC 2: Fortune 3: Forbes 4: KrebsOnSecurity
Formalize risk management to increase your likelihood of success by 53%
[Chart: Risk Management Success (%), Formal Strategy vs. Ad Hoc Approach. Ad-hoc Approach: 53%; Formal Strategy: 81%; a 53% increase. Survey: Info-Tech Research Group, N = 76.]
Organizations that adopted formal risk programs increased their risk management success by 53%.
Risk management is a business enabler.
Line managers often see risk management as an impediment to their
day-to-day function. But, in fact, the opposite is true. By identifying areas
of risk exposure and creating solutions proactively, obstacles can be
removed or circumvented before they become a real problem.
A certain amount of risk is healthy and can stimulate innovation.
A formal risk management strategy doesn’t mean trying to mitigate every
possible risk; it means exposing the organization to the right amount of
risk. Taking a formal risk management approach allows an organization to
thoughtfully choose which risks it is willing to accept. Organizations with
high risk management maturity will vault themselves ahead of competition
because they will be aware of which risks to prepare for, which risks to
ignore, and which risks to take.
Taking the initiative pays off. A security manager in the energy
industry saved over $80,000 by developing an IT risk management
program in-house instead of bringing in external consultants.
You don’t know what you don’t know…
…and what you don’t know can hurt you!
So find out using Info-Tech’s risk identification and risk assessment methodology.
Developed and tested directly with our clients, Info-Tech’s Risk Register Tool allows you to document and track a comprehensive list of IT risk events that may affect your organization.
• Assess risk severity using acceptability thresholds developed in collaboration with senior leadership.
• Identify and manage the top IT risks impacting the organization.
Risk is money. It’s impossible to make intelligent decisions about risks without knowing how much they cost.
Use Info-Tech’s Risk Costing Tool to put a price on your top risks and to calculate and present the expected costs associated with accepting and responding to high-priority risk events.
• Calculate the expected cost of anticipated risk events.
• Calculate the expected cost of alternative risk response actions.
• Project the costs of risk response actions over multiple years to inform risk response decisions.
• Conduct cost-benefit analyses for your top risks and select a risk response that offers the greatest value to the organization.
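To make the register and costing steps above concrete, here is an added Python example (not Info-Tech’s Risk Register Tool or Risk Costing Tool; the register entries, acceptability thresholds and response options are constructed sample values): it bands each risk’s expected annual cost against leadership-agreed thresholds, ranks the register, and picks the response with the lowest projected cost over a multi-year horizon, accepting the risk being one of the candidates.

```python
"""Worked example of expected-cost risk costing (added example; not Info-Tech's tools).

All register entries, thresholds and response options below are constructed
sample values, not data from the slide deck.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    likelihood: float   # probability the event occurs in a given year (0..1)
    impact: float       # cost to the business if it occurs, in dollars

    def expected_annual_cost(self) -> float:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Response:
    name: str
    one_time_cost: float            # implementation cost, paid once
    annual_cost: float              # ongoing cost, paid every year
    likelihood_factor: float = 1.0  # residual likelihood as a fraction of the original
    impact_factor: float = 1.0      # residual impact as a fraction of the original

    def projected_cost(self, risk: Risk, years: int) -> float:
        """Total expected cost over `years`: response cost plus residual risk cost."""
        residual = Risk(risk.name, risk.category,
                        risk.likelihood * self.likelihood_factor,
                        risk.impact * self.impact_factor)
        return (self.one_time_cost
                + years * self.annual_cost
                + years * residual.expected_annual_cost())


# Acceptability thresholds agreed with senior leadership (constructed values):
# expected annual cost below the band's upper bound maps to that severity label.
SEVERITY_THRESHOLDS = [
    (10_000, "low"),
    (100_000, "medium"),
    (float("inf"), "high"),
]


def severity(risk: Risk) -> str:
    cost = risk.expected_annual_cost()
    for upper, label in SEVERITY_THRESHOLDS:
        if cost < upper:
            return label
    return "high"


ACCEPT = Response("accept", 0.0, 0.0)   # doing nothing is always a candidate


def choose_response(risk: Risk, options: list, years: int) -> tuple:
    """Return (name, projected cost) of the cheapest option over the horizon."""
    candidates = [ACCEPT] + list(options)
    best = min(candidates, key=lambda r: r.projected_cost(risk, years))
    return best.name, best.projected_cost(risk, years)


def top_risks(register: list, n: int) -> list:
    """Rank the register by expected annual cost; ties keep register order."""
    ranked = sorted(register, key=lambda r: r.expected_annual_cost(), reverse=True)
    return [r.name for r in ranked[:n]]


# Constructed register: deliberately, most entries are not security risks.
REGISTER = [
    Risk("Third-party vendor credential compromise", "security", 0.10, 2_000_000),
    Risk("ERP upgrade project overrun", "project", 0.40, 500_000),
    Risk("Primary data centre outage > 24h", "disaster recovery", 0.05, 3_000_000),
    Risk("Key database administrator departs", "people", 0.30, 60_000),
    Risk("Unsupported OS on branch servers", "compliance", 0.20, 20_000),
]

# Constructed response options for the vendor-access risk.
VENDOR_RESPONSES = [
    Response("vendor MFA + least-privilege access", 50_000, 20_000, likelihood_factor=0.3),
    Response("cyber insurance", 0, 90_000, impact_factor=0.4),
]


def example() -> dict:
    vendor = REGISTER[0]
    name, cost = choose_response(vendor, VENDOR_RESPONSES, years=3)
    return {
        "severities": {r.name: severity(r) for r in REGISTER},
        "top3": top_risks(REGISTER, 3),
        "vendor_best": name,
        "vendor_best_cost": cost,
    }


if __name__ == "__main__":
    for key, value in example().items():
        print(key, value)
```

Over three years, accepting the vendor risk costs an expected $600,000, insurance $510,000 and the access-control response $290,000, which is why the cost-benefit step picks the control rather than the transfer.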
Info-Tech Research Group Helps IT Professionals To:
• Quickly get up to speed with new technologies
• Make the right technology purchasing decisions – fast
• Deliver critical IT projects, on time and within budget
• Manage business expectations
• Justify IT spending and prove the value of IT
• Train IT staff and effectively manage an IT department
Toll Free: 1-888-670-8889
How to Secure Your IaaS and PaaS Environments
 
Manage an Agile Portfolio
Manage an Agile PortfolioManage an Agile Portfolio
Manage an Agile Portfolio
 
Develop a Resource Management Strategy for the New Reality
Develop a Resource Management Strategy for the New RealityDevelop a Resource Management Strategy for the New Reality
Develop a Resource Management Strategy for the New Reality
 

Kürzlich hochgeladen

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 

Kürzlich hochgeladen (20)

AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 

Build a Business-Driven IT Risk Management Program

• 3. Our understanding of the problem
This research is designed for:
  • Any IT leader responsible for IT risk management in their organization.
  • Any CIO mandated to integrate IT risk management with their organization’s central risk management function or Enterprise Risk Management (ERM).
  • Any IT director or manager undertaking a risk assessment.
  • Any IT director or manager responding to or preparing for an IT audit.
This research will help you:
  • Establish a comprehensive IT risk management program that exposes your IT risks.
  • Create a strategy for managing and mitigating risks to meet your organization’s risk appetite.
  • Quantify risk exposure in meaningful financial terms.
  • Build business buy-in and shared accountability for business-impacting IT risks.
This research will also assist:
  • Enterprise Risk Management
  • Senior Leadership
This research will help them:
  • Develop consensus on organizational risk appetite.
  • Establish a framework and metrics for acceptable risk tolerance.
  • Align business and IT risk management objectives.
  • Enable the business to make informed investments when managing IT risks.
• 4. Executive Summary
Situation
  • Risk is unavoidable. Without a formal program to manage IT risk, you may be unaware of your severest IT risks.
  • 66% of organizations do not formally manage IT risk.¹
  • IT risk is business risk – however, IT is often left to manage risk independently.
Complication
  • Reacting to risks AFTER they occur can be costly and crippling, yet is one of the most common tactics used by IT departments.
  • Security risk receives such a high profile that it often eclipses other important IT risks, leaving the organization vulnerable.
  • Failing to include the business in IT risk management leaves IT leaders too accountable; the business must have accountability as well.
Resolution
  • Stop leaving IT risk to chance. Transform your ad hoc IT risk management processes into a formalized, ongoing program and increase risk management success by 53%.²
  • Take a proactive stance against IT threats and vulnerabilities by identifying and assessing IT’s greatest risks before they occur and have serious implications.
  • Involve key stakeholders, including the business senior management team, to gain buy-in and to focus on the IT risks that matter most to the organization.
  • Share accountability for IT risk with business stakeholders and have them weigh in on prioritizing investments in risk response activities.
Info-Tech Insight
  1. IT risk is business risk. Every IT risk has business implications. Create an IT risk management program that shares accountability with the business.
  2. Risk is money. It’s impossible to make intelligent decisions about risks without knowing what their financial impact will be.
  3. You don’t know what you don’t know. And what you don’t know can hurt you. To find hidden risks, you must use a structured risk identification method.
1: ESI International
2: Info-Tech Research Group, 2013, N=76
• 5. Poor IT risk management is expensive
IT RISK IS HEADLINE NEWS
[Figure: a collage of IT risk headlines from The Wall Street Journal, The Washington Post, BBC, Computer Business Review, The Guardian, and The Australian.]
• 6. Risk management is a top IT priority
IT Management & Governance Framework: benchmarking results for the Management & Governance Diagnostic. Each IT capability is rated for effectiveness and importance on a scale of 1 to 10 and grouped under the domains Strategy & Governance, People & Resources, Financial Management, Service Planning & Architecture, Infrastructure & Operations, Security & Risk, Apps, Data & BI, and PPM & Projects.
  • IT Governance: Effectiveness 5.7, Importance 8.3
  • Application Portfolio Management: Effectiveness 5.4, Importance 8
  • Business Intelligence & Reporting: Effectiveness 5.4, Importance 8.1
  • IT Strategy: Effectiveness 6, Importance 8.5
  • IT Management & Policies: Effectiveness 6, Importance 8.3
  • Security Strategy: Effectiveness 6.3, Importance 8.7
  • Enterprise Application Selection & Implementation: Effectiveness 6.1, Importance 8.3
  • Data Architecture: Effectiveness 5.6, Importance 8.2
  • Performance Measurement: Effectiveness 5.1, Importance 7.8
  • Innovation: Effectiveness 5.7, Importance 7.9
  • Human Resources Management: Effectiveness 6.1, Importance 8.3
  • Security Management: Effectiveness 6.5, Importance 8.9
  • Business Process Controls & Internal Audit: Effectiveness 5.4, Importance 7.9
  • Application Development Throughput: Effectiveness 5.4, Importance 7.4
  • Data Quality: Effectiveness 5.5, Importance 8.5
  • Business Value: Effectiveness 6.2, Importance 8.4
  • Stakeholder Relations: Effectiveness 6.2, Importance 8.7
  • IT Organizational Design: Effectiveness 6.3, Importance 8.3
  • Enterprise Architecture: Effectiveness 5.7, Importance 8.2
  • Availability & Capacity Management: Effectiveness 6.2, Importance 8.4
  • Change Management: Effectiveness 6.1, Importance 8.5
  • Risk Management: Effectiveness 5.9, Importance 8.3
  • External Compliance: Effectiveness 6.4, Importance 8.3
  • Application Development Quality: Effectiveness 5.6, Importance 7.7
  • Portfolio Management: Effectiveness 5.4, Importance 8.1
  • Cost & Budget Management: Effectiveness 6.7, Importance 8.4
  • Knowledge Management: Effectiveness 5.8, Importance 8.4
  • Leadership, Culture & Values: Effectiveness 6.5, Importance 8.5
  • Service Management: Effectiveness 6.1, Importance 8.4
  • Asset Management: Effectiveness 6, Importance 7.9
  • Configuration Management: Effectiveness 5.5, Importance 7.8
  • Release Management: Effectiveness 5.7, Importance 8.1
  • Business Continuity: Effectiveness 6.1, Importance 8.7
  • Application Maintenance: Effectiveness 6, Importance 8
  • Project Management: Effectiveness 6, Importance 8.5
  • Vendor Management: Effectiveness 6.4, Importance 8
  • Cost Optimization: Effectiveness 6.2, Importance 8.4
  • Manage Service Catalog: Effectiveness 4.3, Importance 7.3
  • Quality Management: Effectiveness 5.6, Importance 8.2
  • Operations Management: Effectiveness 6.4, Importance 8.4
  • Service Desk: Effectiveness 7, Importance 8.8
  • Incident & Problem Management: Effectiveness 6.5, Importance 8.7
  • Disaster Recovery Planning: Effectiveness 6.1, Importance 8.8
  • Organizational Change Management: Effectiveness 5.4, Importance 8.3
  • Requirements Gathering: Effectiveness 5.9, Importance 8.5
Legend: each capability is shaded as above-average or below-average importance crossed with above-average or below-average effectiveness (*average is based on the overall average).
Info-Tech asked over 2,500 IT professionals to rate, on a scale of 1 to 10, the importance of risk management and how effective they were at managing IT risks.
  • Importance of risk management: 8.3 (above average importance)
  • Effectiveness of risk management: 5.9 (significantly below average effectiveness)
Info-Tech’s Top 10 IT Improvement Priorities:
  1. Data Quality
  2. IT Governance
  3. Risk Management
  4. Knowledge Management
  5. Requirements Gathering
  6. Manage Service Catalog
  7. Organizational Change Management
  8. Quality Management
  9. Performance Measurement
  10. Application Portfolio Management
For more information, see Info-Tech’s IT Management & Governance Diagnostic.
• 7. 66% of organizations lack a formal risk management program¹
If you are like the majority of IT departments, you do not have a consistent and comprehensive strategy for managing IT risk.
Ad hoc approaches to managing risk fail because…
  1. Ad hoc risk management is often reactionary.
    • Without formalized procedures for managing IT risk, risk events are often “managed” after they have occurred.
    • IT departments that spend most of their time putting out fires receive the lowest ratings for satisfaction and perceived value by business stakeholders.
  2. Ad hoc risk management is often focused only on IT security.
    • Organizations must respond to the entire spectrum of IT risk.
    • A client who recently completed Info-Tech’s methodology for risk identification and assessment found that only 15 of the 135 IT risks identified were related to security and compliance.
  3. Ad hoc risk management lacks alignment with business objectives.
    • Many IT risk assessments fail to communicate IT risks in a way that compels the business to take action.
    • 63% of CEOs indicate they want IT to provide better risk metrics (CIO-CEO Alignment survey data, Info-Tech Research Group).
The results:
  • Increased business risk exposure caused by a lack of understanding of the impact of IT risks on the business.
  • Increased IT non-compliance, resulting in costly settlements and fines.
  • IT audit failure.
  • Ineffective management of risk caused by poor risk information and wrong risk response decisions.
  • Increased unnecessary and avoidable IT failures and fixes.
“Most IT departments aren’t thinking about formal risk management, and if they are, it’s back-of-the-napkin planning.” – Ken Piddington, CIO & Executive Advisor, MRE Consulting
1: ESI International
• 8. Unmanaged IT risk isn’t just bad for the organization, it’s also bad for your career
The top four reasons why CIOs lose their jobs (source: Silverton Consulting):
  • Security breaches
  • Project failures
  • Disaster recovery failures
  • System failures
[Figure: each of the four failure types is shown blocked by IT risk management.]
When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers. When effectively integrated with business risk management, IT risk management is your best job security policy.
Take luck out of the equation – “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.
“If I wait until a risk event occurs, I might be out of a job before the business recovers.” – VP of Security and Risk, Energy Logistics Company
• 9. Ensure that your greatest IT risks are on your radar
CASE STUDY: IT vendor risks may be your greatest business risks.
Focusing on internal IT security risks may not be enough to protect your organization from a breach. Learn from these organizations whose security breaches all originated from third-party vendors.
  • “AT&T data breaches revealed: 280K US customers exposed”¹ – Employees at an IT service provider stole customer names and SSNs to request unlock codes for stolen phones. In 2015, AT&T agreed to settle with the FCC and pay a $25 M fine.
  • “Home Depot faces dozens of data breach lawsuits”² – Hackers stole credentials from a third-party vendor to gain access to Home Depot’s network, stealing data from 56 million credit cards, as well as 53 million email addresses.
  • “868,000 Payment Cards, 330 Stores Hit in Goodwill Credit Card Breach”³ – Hackers breached the system of a cloud-based card processing service vendor, with the intrusion lasting more than 18 months.⁴
1: CNBC  2: Fortune  3: Forbes  4: KrebsOnSecurity
• 10. Formalize risk management to increase your likelihood of success by 53%
[Chart: Risk Management Success, Formal Strategy vs. Ad Hoc Approach. Ad hoc approach: 53% risk management success; formal strategy: 81%, a 53% increase. Survey: Info-Tech Research Group, N = 76.]
Organizations that adopted formal risk programs increased their risk management success by 53%.
Risk management is a business enabler. Line managers often see risk management as an impediment to their day-to-day function. But, in fact, the opposite is true. By identifying areas of risk exposure and creating solutions proactively, obstacles can be removed or circumvented before they become a real problem.
A certain amount of risk is healthy and can stimulate innovation. A formal risk management strategy doesn’t mean trying to mitigate every possible risk; it means exposing the organization to the right amount of risk. Taking a formal risk management approach allows an organization to thoughtfully choose which risks it is willing to accept. Organizations with high risk management maturity will vault themselves ahead of the competition because they will be aware of which risks to prepare for, which risks to ignore, and which risks to take.
Taking the initiative pays off. A security manager in the energy industry saved over $80,000 by developing an IT risk management program in-house instead of bringing in external consultants.
• 11. You don’t know what you don’t know… and what you don’t know can hurt you!
So find out using Info-Tech’s risk identification and risk assessment methodology. Developed and tested directly with our clients, Info-Tech’s Risk Register Tool allows you to document and track a comprehensive list of IT risk events that may affect your organization.
  • Assess risk severity using acceptability thresholds developed in collaboration with senior leadership.
  • Identify and manage the top IT risks impacting the organization.
Risk is money. It’s impossible to make intelligent decisions about risks without knowing how much they cost. Use Info-Tech’s Risk Costing Tool to calculate and present the expected costs associated with accepting and responding to high-priority risk events, and to put a price on your top risks:
  • Calculate the expected cost of anticipated risk events.
  • Calculate the expected cost of alternative risk response actions.
  • Project the costs of risk response actions over multiple years to inform risk response decisions.
  • Conduct cost-benefit analyses for your top risks and select a risk response that offers the greatest value to the organization.
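As an added worked illustration of the register and costing steps above (example code written for this page, not Info-Tech’s Risk Register Tool or Risk Costing Tool; the threshold values, the likelihood × impact costing formula, the response options and the sample risks are all constructed assumptions):

```python
"""Illustrative IT risk register and risk-costing model (added example).

Not Info-Tech's Risk Register Tool or Risk Costing Tool. The formulas are
assumptions chosen to mirror the steps the deck lists: rate severity against
acceptability thresholds, price each risk as an expected annual cost, project
alternative responses over several years, and pick the response with the
greatest value (lowest total expected cost), which may be simply accepting it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Thresholds:
    """Acceptability thresholds in dollars of expected annual cost (constructed)."""
    high: float    # at or above this the risk must receive a response
    medium: float  # at or above this a response is weighed on cost-benefit


@dataclass(frozen=True)
class Risk:
    name: str
    category: str      # e.g. vendor, infrastructure, project, dr
    likelihood: float  # probability the event occurs within one year (0..1)
    impact: float      # cost to the business if it occurs, in dollars

    def expected_annual_cost(self) -> float:
        # Assumed costing formula: likelihood x impact
        return self.likelihood * self.impact

    def severity(self, t: Thresholds) -> str:
        eac = self.expected_annual_cost()
        if eac >= t.high:
            return "high"
        if eac >= t.medium:
            return "medium"
        return "low"


@dataclass(frozen=True)
class Response:
    name: str
    one_time_cost: float        # implementation cost, paid once
    annual_cost: float          # recurring cost per year
    residual_likelihood: float  # likelihood once the response is in place
    residual_impact: float      # impact once the response is in place


def projected_cost(risk: Risk, response: Optional[Response], years: int) -> float:
    """Total expected cost over the horizon; response=None means accepting the risk."""
    if response is None:
        return risk.expected_annual_cost() * years
    residual = response.residual_likelihood * response.residual_impact
    return response.one_time_cost + years * (response.annual_cost + residual)


def best_response(risk: Risk, options: List[Response], years: int) -> Tuple[str, float]:
    """Cost-benefit analysis: acceptance competes with every response option."""
    candidates = [("accept", projected_cost(risk, None, years))]
    candidates += [(r.name, projected_cost(risk, r, years)) for r in options]
    name, cost = min(candidates, key=lambda c: c[1])
    return name, round(cost, 2)


def top_risks(register: List[Risk], t: Thresholds) -> List[Tuple[str, str, float]]:
    """Risks above the 'low' threshold, highest expected annual cost first."""
    ranked = sorted(register, key=lambda r: r.expected_annual_cost(), reverse=True)
    return [(r.name, r.severity(t), round(r.expected_annual_cost(), 2))
            for r in ranked if r.severity(t) != "low"]


# Constructed sample register; every value below is illustrative, not survey data.
THRESHOLDS = Thresholds(high=100_000, medium=20_000)
REGISTER = [
    Risk("Third-party vendor credential compromise", "vendor", 0.10, 2_000_000),
    Risk("Core ERP outage exceeding recovery time objective", "infrastructure", 0.20, 300_000),
    Risk("Flagship project overruns budget", "project", 0.40, 120_000),
    Risk("Backup media lost in transit", "dr", 0.05, 100_000),
]
VENDOR_OPTIONS = [
    Response("Vendor access review plus MFA", 60_000, 15_000, 0.02, 2_000_000),
    Response("Cyber insurance only", 0, 50_000, 0.10, 500_000),
]
BACKUP_OPTIONS = [Response("Offsite encrypted vault", 20_000, 5_000, 0.01, 100_000)]

if __name__ == "__main__":
    for name, sev, eac in top_risks(REGISTER, THRESHOLDS):
        print(f"{sev:6} ${eac:>12,.0f}  {name}")
    print(best_response(REGISTER[0], VENDOR_OPTIONS, 3))  # a mitigation wins
    print(best_response(REGISTER[3], BACKUP_OPTIONS, 3))  # accepting the risk wins
```

Over a three-year horizon the vendor risk is cheaper to mitigate than to accept, while the low-severity backup risk is cheaper to accept than to control, which is the "right amount of risk" trade-off the deck describes.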
• 12. Info-Tech Research Group helps IT professionals to:
  • Quickly get up to speed with new technologies
  • Make the right technology purchasing decisions – fast
  • Deliver critical IT projects, on time and within budget
  • Manage business expectations
  • Justify IT spending and prove the value of IT
  • Train IT staff and effectively manage an IT department
Toll Free: 1-888-670-8889