Risk Management in Practice

CIPS (Canadian Information Processing Society) has accepted, in principle, that risk management is important for IT professionals. What happens next? How do we move from principle to practice? In this article, I sketch my view of what risk management should mean for IT professionals. This is a personal view that I would be pleased were CIPS to adopt.

Many of us have a basic idea of what risk management is about. There is risk attached to every activity. Unmanaged risks can creep up on you and cause considerable harm. Managing risk should reduce the negative impact of unplanned events (and may increase their positive impact). That is fine as a high-level description, but it is not easy to see how it translates into practice.

A number of groups throughout the world have published best practice guides for risk management and IT risk management. The financial community has been doing risk management for a long time. There are a number of financial risk management best practice standards. Canada has its own Risk Management Guideline for Decision-Makers (CAN/CSA-Q850-97). It addresses financial risk management concerns, but is not exclusively focused on those concerns.

The Institute of Electrical and Electronics Engineers (IEEE) has a Software Life Cycle Risk Management Standard (IEEE Std. 1549-2001). The Software Engineering Institute (SEI) of Carnegie-Mellon University has published a number of best practice documents on risk management in IT development, acquisition, and operations. COBIT, from the IT Governance Institute, is one of the more interesting best practice guides that cover IT risk management.

For me, the attraction of the COBIT approach to IT risk management is that it provides a full "context". COBIT is about overall best practices for IT Governance. Its starting point is to recognize five key IT Governance focus areas: Strategic Alignment; Value Delivery; Resource Management; Performance Measurement; and Risk Management.

In greater detail, COBIT divides the IT universe into four domains and 34 processes. Within the Plan and Organize domain, it identifies Assess and Manage IT Risks (PO9) as one of those 34 processes. COBIT is made freely available by the IT Governance Institute (www.itgi.org), is in use by thousands of organizations throughout the world, and is now up to version 4.0 (published in late 2005).

From the IT professional's point of view, one of the interesting features of COBIT is the inclusion of "RACI" charts which lay out the Responsible, Accountable, Consulted, and Informed roles for key players within IT. The COBIT RACI chart for Assess and Manage IT Risks is a practical guide for who should be doing what with respect to IT risk management:

[Figure: COBIT PO9 RACI chart for Assess and Manage IT Risks]

COBIT provides a good starting point when the IT professional asks, "What responsibility and accountability should I have for IT risk management?" COBIT further refines IT risk management by recognizing that a "maturity level" can be attached to each of its 34 key processes. Maturity models are both useful and popular as a way of providing simple "box scores" that organizations can work to improve. The Software Engineering Institute played a major role in popularizing the idea.

The maturity models used by COBIT and SEI are in alignment. My approximate translation of the model for risk management is:

  1. Initial: Risk management gets done, but it takes a "hero" to make it happen.
  2. Repeatable: Risk management is done, but mostly for the "important" stuff.
  3. Defined: There are enforced and employed risk management standards.
  4. Measured: There are risk management measures covering everything important.
  5. Optimized: Risk management is automatically being refined and improved.

Many organizations today are not much beyond the Initial level. IT professionals who have project or process responsibility should make sure they are among the IT risk management heroes, and work to help their organizations move up the IT risk management maturity scale. It is the professional thing to do. It is also good for your career and your organization's future.

End Note: The material from COBIT is used by permission. Source: COBIT 4.0 © 1996, 1998, 2000, 2005 IT Governance Institute. All rights reserved.

reprinted from

with permission

September 15, 2006