You may associate “risky business” with your favorite alcoholic beverage* or Tom Cruise dancing in his skivvies while lip-synching to Bob Seger’s “Old Time Rock and Roll.”
But real risky business is when you put the business at risk by not having an effective IT risk management practice in place. For effectiveness – and efficiency – IT risk management should be tightly integrated with your enterprise architecture (EA), IT portfolio management and IT planning practices.
Why is this? One reason is because the EA team has a reliable database of all of the elements that make up the business and IT landscape. This includes applications, projects, data, systems, business processes, organizations, locations and more. These are all maintained and readily available for risk assessments without having to cull the organization for needed information every time an auditor appears at the door.
Further, with an integrated IT portfolio management practice you can understand how an at-risk element in one portfolio (for example, an application) can impact other portfolios (for example, your portfolio of critical business processes). The ability to scope the architecture in order to organize risk assessment and management activities according to a particular regulation (e.g. SOX, HIPAA, Basel II or GDPR) or critical business area that could be crippled by the damage caused by a threat is very important for focusing risk management efforts in an otherwise amorphous environment.
Further along the line of targeting particular risks and vulnerabilities is the need to understand exactly what those risks are and quantify the amount of damage they can cause and their probability of occurrence. Portfolio management allows the elements that make up the IT portfolios to be evaluated with relevant risk criteria to understand how serious a threat could be. These KRIs (key risk indicators) can be aggregated from the various interdependent objects according to rules so as to ascertain the true amount of risk a business is exposed to.
Another reason for aligning risk management with EA, portfolio management and IT planning is that the IT landscape is always changing. How can an organization ensure that new applications and new versions adhere to previously defined risk mitigation measures without some sort of lifecycle management and baselining? With baselining, an organization can implement stage gates at particular lifecycle phases at which points risk controls can be added. This ensures that the risk assessment for a particular process or application is reviewed before the application becomes operational.
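One way to model the KRI aggregation across interdependent portfolio elements, regulation scoping and lifecycle stage gates described above, as an added example that is not from the original post or from any EA product; the element names, the 1-5 likelihood and impact scales, the "inherit the worst upstream risk" rule and the gate threshold are constructed assumptions:

```python
# Added example (not from the original post): aggregating KRIs over a dependency
# graph of EA/portfolio elements, scoping by regulation, and applying a stage gate.
# Names, scales and the "max over dependencies" rule are constructed assumptions.
from dataclasses import dataclass

@dataclass
class Element:
    name: str
    kind: str                                   # e.g. "application", "process", "system"
    likelihood: int                             # KRI: probability of occurrence, 1 (rare) .. 5 (likely)
    impact: int                                 # KRI: damage if it occurs, 1 (minor) .. 5 (crippling)
    regulations: frozenset = frozenset()        # regulations this element falls under
    depends_on: tuple = ()                      # names of elements it relies on

    def own_risk(self) -> int:
        return self.likelihood * self.impact    # simple likelihood x impact score, 1..25

def aggregated_risk(elements: dict, name: str, _seen: frozenset = frozenset()) -> int:
    """Aggregation rule: an element inherits the worst risk of anything it depends on,
    transitively, so a fragile shared system surfaces in every process built on it.
    `_seen` guards against dependency cycles in the architecture model."""
    e = elements[name]
    seen = _seen | {name}
    upstream = [aggregated_risk(elements, d, seen) for d in e.depends_on if d not in seen]
    return max([e.own_risk(), *upstream])

def scoped_report(elements: dict, regulation: str) -> dict:
    """Scope the architecture to one regulation and report aggregated risk per element."""
    return {n: aggregated_risk(elements, n) for n, e in elements.items() if regulation in e.regulations}

def stage_gate_passes(elements: dict, name: str, max_risk: int = 15) -> bool:
    """Lifecycle stage gate: an element may go operational only at or below the risk threshold."""
    return aggregated_risk(elements, name) <= max_risk

# Constructed sample landscape: one legacy database shared by two applications.
ELEMENTS = {e.name: e for e in [
    Element("Legacy DB", "system", likelihood=5, impact=4),
    Element("Payroll App", "application", 4, 3, frozenset({"SOX"}), ("Legacy DB",)),
    Element("Monthly Close", "process", 1, 5, frozenset({"SOX"}), ("Payroll App",)),
    Element("Patient Portal", "application", 2, 5, frozenset({"HIPAA"}), ("Legacy DB",)),
]}

if __name__ == "__main__":
    for reg in ("SOX", "HIPAA"):
        print(reg, scoped_report(ELEMENTS, reg))
    print("Monthly Close may go live:", stage_gate_passes(ELEMENTS, "Monthly Close"))
```

The "Monthly Close" process scores only 5 on its own KRIs, yet reports 20 once the shared legacy database it transitively depends on is taken into account, which is the kind of hidden exposure the aggregation is meant to surface.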
Lastly, businesses evolve – in particular now with the push toward digitalization. By using EA as a foundation for risk management, and tying it to IT portfolio management and IT planning, you have a solid basis for risk-aware transformation. This will give you and your business colleagues the confidence to charge ahead in business innovation while enjoying a risky business (the drink) and not fear that you are headed into one.
* Two parts rum, one part whiskey, four fluid ounces of coke, and four fluid ounces of a fruity drink of your choice.