CIOs must manage IT risk as business risk, says Gartner
1 min read
While IT has become increasingly central to manufacturing business success, many companies have not adjusted their processes for IT decision making, or risk management – and that needs to change, says analyst Gartner.
“IT risk has changed,” says Richard Hunter, group vice-president and Gartner fellow in Gartner Executive Programmes, and also co-author of ‘IT Risk :Turning Business Threats into Competitive Advantage’, published by Harvard Business School Press. His point: the fact that manufacturers are now so dependent on the smooth functioning of IT has amplified the business impact of IT risk incidents.
“IT risk incidents harm constituencies within and outside companies. They damage corporate reputations and expose weaknesses in companies’ management teams. Most importantly, uncontrolled IT risk dampens an organisation’s ability to compete,” says Hunter.
Hunter’s book, co-written with George Westerman, research scientist in the Center for Information Systems Research at the MIT Sloan School of Management, examines how IT risks impact business performance, and advises business executives on how they can manage IT risk as business risk.
The authors define IT risk as a threat to any of four interrelated business objectives: availability, access, accuracy and agility.
“No enterprise can be completely free of IT risk,” observes Hunter. “Like any other risk, IT risk is something to be managed, not eliminated. Management means making trade-offs between risk and return, between the perils a company can bear and the risks it would rather avoid. But until now, business managers have lacked the tools and disciplines to manage IT risk in these ways.”
Hunter advocates three disciplines to manage IT risk effectively. First is a solid foundation of IT assets, people, and supporting processes and controls that enable executives to manage the right risks in the right order. Second is a well-designed risk governance structure and process, integrating IT risk management into every business decision to identify, prioritise and track risks. And third is building a risk-aware culture, nurtured from the top, that attunes people to the causes and solutions for IT risks and that increases vigilance across the organisation.
“The most dangerous risks are the ones that are never considered, or considered too late,” warns Hunter. “IT risk management is working the way it should when it is simply part of the way the company does business.”
