Friday, June 28, 2013

"Something for us to take to heart!" - How to Have the IT Risk Conversation


by George Westerman  |  10:00 AM June 28, 2013
I run a course at the MIT Sloan School called Essential IT for Non-IT Executives. Every time my colleagues and I come to the end of the course, we ask people what they considered the most important thing they learned. Surprisingly, many people say it was "how to have the IT risk conversation."
As one CFO told me, the phrase "IT Risk" contains two dirty words. The word risk makes him feel uncomfortable. And the word IT makes him feel incompetent. Not a good way to feel ready for a productive dialogue. But being able to talk about IT risk is essential if you are going to make the right decisions about how you use technology in your business.
Fortunately, there is a way to talk about IT risk — and understand risk — in terms that make sense to every manager. If you can remember four A's, you have the framing for a productive conversation with your IT counterparts. You can come to common understanding about what IT risks are most important, what causes them, and what you'll do about them.
From a business standpoint, IT risks affect four key objectives:

  • Availability: Keeping business processes running, and recovering from failures within acceptable timeframes

  • Access: Providing information to the right people while keeping it away from the wrong people

  • Accuracy: Ensuring information is correct, timely, and complete

  • Agility: Changing business processes with acceptable cost and speed
If you're like managers in most companies, you tend to have conversations about these four A's in silos, if at all. You never talk about all four together. That means experts in each risk silo tend to focus on optimizing their own risks, not optimizing across risks.
For example, ask yourself: do your security people think about agility risks? When security people veto your requests, they really mean that you're introducing unacceptable or unnecessary risks. But their veto can slow or stop the changes you need. If you don't talk about all four risks, then how do you know what risks are really acceptable?
In the best companies, security people think about all four A's. They consider agility as well as access risks. They will suggest ways that you can do what you want more safely. They'll even work with other silos — IT operations, application development, compliance, legal, HR, etc. — so they're ready for you when you want to do new things.
When your security people focus on all four A's, you can move quickly to adopt new mobile devices, launch digital businesses, or exploit social media. But unfortunately, too many security people focus only on the risks that matter to them. In protecting against access failures, they fail to help the company move forward.
Getting Started on the Risk Conversation
When you don't explicitly talk about the four A's, people make assumptions about what's most important. Those assumptions will vary from person to person. Conversely, when you talk openly about the four A's, you can fix false assumptions, and you can make better decisions. But you have to start the conversation.
Try the following exercise: Find your favorite IT person. Tell him how important each of the four risks is for your part of the business. Tell him how you think he's doing at managing those risks. Then listen. I guarantee that you'll both learn something.
If your experience is typical, you'll find that you and your IT people place different importance on the four A's. For example, in a global survey of 258 executives, IT and business executives agree on the relative importance of availability and access risks. But business execs put far more importance on agility and accuracy risks than IT execs do.
What's going on? Why don't IT people share your love of accuracy and agility? It's easy to think it's an incentive problem. IT people get the blame when systems go down or hackers succeed. But when projects move too slowly or you don't have a unified view of your customers, you may feel more pain than they do. Yet this incentive answer is only partially correct, if at all.
The real cause of this misalignment lies much deeper: a legacy of risk-unaware decisions and poor communication across silos. Improving agility and accuracy typically requires cleaning up a spaghetti-like mess of systems and processes built up over decades. They can't be fixed just by buying a new device or devising a new procedure. When your IT people seem to value agility and accuracy less than you do, they may have simply given up hope of fixing them. The solution may lie beyond their sphere of influence. Or they may be so busy keeping things running that greater agility feels like a pipe dream.
This is where communication matters. You can only fix the legacy problem by jointly understanding the risks that matter now, the risk tradeoffs in each decision, and the actions required to resolve your risks. Discussing IT risk does more than help you make better project decisions. It also helps you understand when it's time to rework some of the mess your organization has accumulated over the years.
So, make IT risk part of your conversations every day. Discuss the four A's whenever you make a big IT decision. If your security people talk only about security, they're missing important risks — and useful opportunities. But when you ask for unnecessary exceptions, or ask your IT people to move too fast, you're inappropriately favoring agility over the other three risks — and setting yourself up for trouble later.
One thing is sure. If you don't talk about IT risk, you only make your risks worse. How do you manage your IT risk conversations?