
Risk appetite differs widely

By Admire Moyo, ITWeb news editor
Johannesburg, 10 Aug 2010

IT and information risk management are increasingly becoming key competencies for IT professionals, according to Gartner. It adds, however, that various risk management pitfalls and 'bad practices' can result in a failure to engage colleagues, or even produce animosity among them.

Speaking at the ITWeb SMEXA conference in Bryanston last week, Gartner research vice-president Tom Scholtz said individuals' experiences, values and goals have a significant impact on the way they interpret and accept different risks.

“Risk appetite is a personality trait that differs widely between people. Not everyone in the organisation shares the same enthusiasm about a risk-based approach, hence companies should make these considerations when implementing IT risk management,” said Scholtz.

He explained that in some instances security managers view risk management as a 'silver bullet' that will automatically result in the business embracing information security as an important discipline.

But Scholtz added that, with some exceptions, most business leaders do not see IT risk management as any more of a 'value-add' activity than information security, and that over-emphasising risk can be a turn-off for many business leaders.

“If the organisation has taken a top-down, executive-sponsored, enterprise-wide approach to risk management, the IT department is expected to be part of the same culture. If not, then IT risk managers need to recognise that the business will have a limited appetite for the topic,” he said.

Another pitfall, noted Scholtz, is attempting to identify, document and track every possible risk. Rather than acting as a helpful tool, he said, this practice can become a distraction for others. “The content of the risk catalogue should be guided and prioritised based on the context of the risks.”

He also said IT risk managers often neglect to treat the asset, project or process owner as the actual risk manager in their organisations. “The person or entity that expects to derive advantage or utility from an activity or asset needs to understand that they own the associated risk.

“If they don't, then they will always underestimate the level of risk, and will make the assumption that whoever provides the IT service 'has them covered' for the risk,” Scholtz explained.

Some IT risk managers, he added, treat risk assessment as an objective science, rather than as an inherently intuitive exercise that depends on the organisational culture, as well as on the personality and experiences of the individuals involved.

Conversely, he said, people who have no opportunity to gain from a risky activity that could nonetheless affect them will tend to overestimate the level of risk.

Scholtz also noted that some managers fail to properly qualify the type of risk. “Any individual's definition of a given risk will depend on his or her professional perspective. For example, a factory manager will have a different interpretation of the term 'operations risk' than the CIO.”

Finally, Scholtz pointed out that IT risk managers should not see assessment as a once-off activity for any given resource. “Risk management is a continuous process that should be executed throughout the asset, project or process life cycle.”
