5.4 UnderstandIdentify and Communicate Risk | IT Services: Costs, Metrics, Benchmarking and Marketing (paperback) (Enterprise Computing Series)

5.4 Understand/Identify and Communicate Risk

Setting appropriate expectations is essential, but also identifying and communicating what happens when something is critical.

An Arthur Andersen survey ^[4] of CEOs, presidents , board members , and CFOs at more than 150 global companies reveals the need to look more carefully at IT risk:

^[4] "Managing Business Risks in the Information Age," a study by Arthur Andersen and the Economist Intelligence Unit Ltd. (EIU), 1998.

One in three senior executives does not have any IT risk management process in place; only half of those who do are confident the processes are strong enough.
Two out of three executives say their companies do not understand IT- related risks well enough.
Only 13 percent of executives believe IT strategy is well integrated with business strategy.
Technology professionals are responsible for the daily management of IT-related risk at 51 percent of the companies.

An element of developing the services that will constitute the portfolio of integrated services to support the enterprise should be an assessment of the risk. The risk associated with the delivery of the individual service and the impact on the overall service portfolio should be considered .

Elements of risk that should be included in the assessment are represented in the Andersen survey described above:

Integrity Risk ”

This risk encompasses all of the risks associated with the authorization, completeness, and accuracy of transactions as they are entered into, processed , summarized, and reported on by the various application systems deployed by an organization.

Relevance Risk ”

Relevance risk relates to the usability and timeliness of information that is either created or summarized by an application system. Relevance risk ties directly to the information for decision-making risk, as it is the risk associated with not getting the right data/information to the right person/process/system at the right time to allow the right action to be taken.

Access Risk ”

Access risk focuses on the risk associated with inappropriate access to systems, data, or information. It encompasses the risks of improper segregation of duties , risks associated with the integrity of data and databases, and risks associated with information confidentiality, etc.

Infrastructure Risk ”

This risk is that the organization does not have an effective information technology infrastructure (hardware, networks, software, people, and processes) to effectively support the current and future needs of the business in an efficient, cost-effective , and well-controlled fashion. These risks are associated with the series of IT processes used to define, develop, maintain, and operate an information processing environment (e.g., computer hardware, networks, etc.) and the associated application systems (e.g., customer service, accounts payable, etc.). ^[4]

The risk associated with the service delivery should be communicated in conjunction with the negotiation of the service level agreement. If risk is to be reduced, there may be additional costs associated with maintaining the lowest level of risk possible. Redundant servers, highly available storage and dual networks are all components of a risk-mitigating environment.

Once risk has been identified, assessed and managed accordingly , when an event occurs that is outside acceptable parameters, the problem must be managed. An effective problem management system should be in place to quickly identify out-of-tolerance situations, initiate corrective action, communicate and track resolution activities, and produce a causal analysis.

How quickly and responsively problems are addressed and resolved, despite the existence of a thorough risk management program, will build significant credibility throughout the enterprise.