IT risk management needs focus, not money


Johannesburg, 28 Sep 2005

"Technology failure incidents are no longer private, back-office events. They're public, and they're a business risk, not just an IT risk," says Richard Hunter, Gartner VP and research fellow.

Hunter addressed a seminar organised by the international research firm in Johannesburg and Cape Town recently.

"Runaway IT risk can affect revenue, stock price, public and shareholder perception, and regulatory action. These effects go well beyond the IT organisation."

Hunter's comments and the seminar come after the Institute of Directors of Southern Africa released its Information Security Best Practice Guide, which emphasises the mitigation of risk through computer security.

Consensus reached at the seminar was that IT is an area of fundamental business risk for the modern corporation, and the ability to control and manage the risk does not depend on how much is spent, but rather on how management approaches it.

Attitude is everything

In his presentation, Hunter pointed out several key strategies to risk management, the most important being that attitude to risk is a lot more important in managing it than big budgets or complex tools.

He said this is demonstrated by the results of a study by the Massachusetts Institute of Technology's Sloan Centre for Information Systems Research. It found that companies that regard themselves as "high confidence" risk managers spent 6% of their IT budget on risk management. Companies that were "low confidence" risk managers spent almost 5%.

"Bad things happen to good companies. Even if you play conservatively, circumstances can conspire against you. A risk-aware organisation can manage risk, and even develop an appetite for managed risk to become more flexible and competitive," Hunter said.

The challenge for IT managers and CIOs, he added, is to make the rest of the management team understand that technology risk is risk to the entire business.

Scare tactics

Gartner`s recommendation is for an organisation to focus on three areas: have defined processes to identify, analyse, plan, track and control risk; tap experts within the organisation to identify and fix risky systems; and simplify systems to create more bullet-proof architectures and applications.

"An organisation must be really good in one of these approaches, and 'good enough' in the other two," Hunter noted.

"Many companies have excellent risk management capabilities using only a spreadsheet or word processor. It's the act of recording and commenting on risk that is important, not the sophistication of the tools used."

He suggested that IT managers regularly clip examples from newspapers of companies getting into trouble because of calamitous IT problems, and send the clippings to the CEO and CFO until they get the idea.

"Make sure to focus on the incidents that are relevant to your industry, and especially on the incidents that represent problems you can actually do something about. There's no point scaring management about risks that are utterly beyond your control. But most IT risks are controllable, and many enterprises can control risk much more effectively than they do now. It mainly takes focus and attention, not more money."
