Revive Your Risk Mgmt Program With a Regular Health Check


Upload: info-tech-research-group

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Revive Your Risk Mgmt Program With a Regular Health Check

Info-Tech Research Group 1

Revive Your Risk Management Program with a Regular Health Check

Don’t get complacent and allow your risk management program to flatline.

Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech’s products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns.

© 1997-2016 Info-Tech Research Group Inc.

Page 2: Analyst Perspective

IT risk is evolving. Is your risk management program keeping up?

Setting up an IT risk management program that successfully mitigates key risks and raises the profile of IT risk in the eyes of the business is a significant step in your evolution as a strategic and proactive IT leader.

However, the value of your latest risk assessment depreciates rapidly. Continuous monitoring and regular reassessment of your risk portfolio are crucial for ensuring that IT decision making continues to be made through a risk management lens. Risk-conscious decision making creates value for the business that should be measured and communicated.

Follow the steps outlined in this blueprint to perform regular health checks on your IT risk management program and keep pace with IT risk.

Scott Janz, Consulting Analyst, CIO Advisory, Info-Tech Research Group

Page 3: Our understanding of the problem

This Research Is Designed For:

• Any IT Leader responsible for IT risk management in their organization.

• Any CIO mandated to integrate IT risk management with their organization’s central risk management function or ERM.

• Any IT Director or Manager undertaking a risk assessment.

• Any IT Director or Manager responding to or preparing for an IT audit.

This Research Will Help You:

• Routinize a comprehensive IT risk management program.

• Ingrain a strategy for managing and mitigating risks to meet your organization’s risk appetite.

• Quantify risk exposure in meaningful financial terms.

• Maintain business engagement with IT risk management.

This Research Will Also Assist:

• Enterprise Risk Management (ERM)

• Senior Leadership

This Research Will Help Them:

• Develop consensus on organizational risk appetite.

• Establish a framework and metrics for acceptable risk tolerance.

• Align business and IT risk management objectives.

• Enable the business to make informed investments when managing IT risks.

Page 4: Executive Summary

Situation

• You just implemented a formalized IT risk management program that integrates with the business.

• You successfully identified, assessed, and prioritized IT’s greatest risks, and communicated your recommendations for IT risk response projects to senior leadership.

Complication

• Because the organization is feeling secure, enthusiasm for the program and willingness to participate have waned both within and outside of IT.

• While the IT Risk Council continues to monitor previously identified risks, it remains unaware of evolving IT threats and vulnerabilities.

• Having crossed IT risk management off its list, senior leadership no longer prioritizes the improvement of the program.

Resolution

• To prevent your IT risk management program from becoming an artifact, follow the steps in this blueprint to conduct quarterly, biannual, or annual health checks to re-assess your risk portfolio and the health of your program.

• Develop and track metrics to measure the success of IT risk management and illustrate the value of the program to senior leadership.

• Create consultant-quality deliverables that inform senior leadership about IT’s risk recommendations, highlighting the potential cost of IT risks and the value created by IT risk projects.

• Get better at identifying and assessing IT risk, and measure the improvement.

• Institutionalize the IT risk management program by consistently engaging key stakeholders within and outside of IT.

Info-Tech Insight

1. A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up.

2. Risk management should be seen and heard. Communicate the dollar value of risk management to keep the business engaged.

3. The first health check is pivotal. Successfully going through the risk management process the second time around is the difference between IT risk management being perceived as a one-off project and an ongoing program.

Page 5: Info-Tech’s risk management health check insights

Central Insight:

A false sense of security may be your greatest risk. The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Perform regular health checks to remain aware of the key risks threatening the business and your reputation.

Info-Tech Insight

Risk management does not mean “checking a box.” Measuring the effectiveness of your risk management activities is crucial for ensuring that the program lives up to its mandate. It also allows you to communicate a compelling value proposition to senior leadership.

Info-Tech Insight

The first health check is pivotal. Business stakeholders often perceive IT risk management as a project that needs to be completed once. Therefore the second year is crucial for institutionalizing an active and sustainable program. By successfully completing these activities a second time, the program gains momentum, increasing the likelihood of retaining stakeholder engagement in subsequent years as the program matures.

Info-Tech Insight

Risk management should be seen and heard. Don’t let the business’ enthusiasm and support for IT risk management wane when key risks are mitigated and avoided. Communicate the dollar value of risk management in a compelling way to keep the business engaged.

Page 6: Risk management is a top IT priority

IT Management & Governance Framework: Benchmarking Results for the Management & Governance Diagnostic

Framework categories: Strategy & Governance; Apps; Data & BI; People & Resources; Security & Risk; Infrastructure & Operations; Service Planning & Architecture; Financial Management; PPM & Projects.

Benchmark scores by capability (scale of 1 to 10):

IT Governance: Effectiveness = 5.7, Importance = 8.3
Application Portfolio Management: Effectiveness = 5.4, Importance = 8
Business Intelligence & Reporting: Effectiveness = 5.4, Importance = 8.1
IT Strategy: Effectiveness = 6, Importance = 8.5
IT Management & Policies: Effectiveness = 6, Importance = 8.3
Security Strategy: Effectiveness = 6.3, Importance = 8.7
Enterprise Application Selection & Implementation: Effectiveness = 6.1, Importance = 8.3
Data Architecture: Effectiveness = 5.6, Importance = 8.2
Performance Measurement: Effectiveness = 5.1, Importance = 7.8
Innovation: Effectiveness = 5.7, Importance = 7.9
Human Resources Management: Effectiveness = 6.1, Importance = 8.3
Security Management: Effectiveness = 6.5, Importance = 8.9
Business Process Controls & Internal Audit: Effectiveness = 5.4, Importance = 7.9
Application Development Throughput: Effectiveness = 5.4, Importance = 7.4
Data Quality: Effectiveness = 5.5, Importance = 8.5
Business Value: Effectiveness = 6.2, Importance = 8.4
Stakeholder Relations: Effectiveness = 6.2, Importance = 8.7
IT Organizational Design: Effectiveness = 6.3, Importance = 8.3
Enterprise Architecture: Effectiveness = 5.7, Importance = 8.2
Availability & Capacity Management: Effectiveness = 6.2, Importance = 8.4
Change Management: Effectiveness = 6.1, Importance = 8.5
Risk Management: Effectiveness = 5.9, Importance = 8.3
External Compliance: Effectiveness = 6.4, Importance = 8.3
Application Development Quality: Effectiveness = 5.6, Importance = 7.7
Portfolio Management: Effectiveness = 5.4, Importance = 8.1
Cost & Budget Management: Effectiveness = 6.7, Importance = 8.4
Knowledge Management: Effectiveness = 5.8, Importance = 8.4
Leadership, Culture & Values: Effectiveness = 6.5, Importance = 8.5
Service Management: Effectiveness = 6.1, Importance = 8.4
Asset Management: Effectiveness = 6, Importance = 7.9
Configuration Management: Effectiveness = 5.5, Importance = 7.8
Release Management: Effectiveness = 5.7, Importance = 8.1
Business Continuity: Effectiveness = 6.1, Importance = 8.7
Application Maintenance: Effectiveness = 6, Importance = 8
Project Management: Effectiveness = 6, Importance = 8.5
Vendor Management: Effectiveness = 6.4, Importance = 8
Cost Optimization: Effectiveness = 6.2, Importance = 8.4
Manage Service Catalog: Effectiveness = 4.3, Importance = 7.3
Quality Management: Effectiveness = 5.6, Importance = 8.2
Operations Management: Effectiveness = 6.4, Importance = 8.4
Service Desk: Effectiveness = 7, Importance = 8.8
Incident & Problem Management: Effectiveness = 6.5, Importance = 8.7
Disaster Recovery Planning: Effectiveness = 6.1, Importance = 8.8
Organizational Change Management: Effectiveness = 5.4, Importance = 8.3
Requirements Gathering: Effectiveness = 5.9, Importance = 8.5

Legend (each capability is placed in one of four quadrants):

• Above Average Importance and Above Average Effectiveness

• Below Average Importance and Above Average Effectiveness

• Above Average Importance and Below Average Effectiveness

• Below Average Importance and Below Average Effectiveness

*Average is based on the overall average.

Info-Tech’s Top 10 IT Improvement Priorities

1. Data Quality

2. IT Governance

3. Risk Management

4. Knowledge Management

5. Requirements Gathering

6. Manage Service Catalog

7. Organizational Change Management

8. Quality Management

9. Performance Measurement

10. Application Portfolio Management

Info-Tech asked over 2,500 IT professionals to rate on a scale of 1 to 10 the importance of risk management and how effective they were at managing IT risks.

Importance of risk management: 8.3 (above-average importance)

Effectiveness of risk management: 5.9 (significantly below-average effectiveness)

Despite an IT environment that is rapidly changing, 82% of organizations in North America re-assess their IT risk portfolio annually or even less frequently (Protiviti).

Page 7: Don’t become complacent and allow your risk management program to flatline

What type of risk management do you practise?

[Figure: three charts of maturity over time, titled One-and-done; On-again, off-again; Ongoing improvement]

Last year you identified the most important IT risks and implemented projects to protect IT and the business.

Unfortunately, your risk assessment is already outdated.2 Keep your foot on the gas and maintain your momentum to avoid wasting all of the hard work you applied getting the program off the ground.

A recent study found that a mere 23% of organizations describe their risk management processes as “mature” or “robust.”1

Sources: 1 ERM Initiative; 2 PWC

Page 8: Why IT risk management programs falter

Despite building a strong foundation with a formalized IT Risk Management Council, and repeatable processes for identifying, assessing, and responding to IT risk, risk management programs still fail for the following reasons:

1. Risk management is considered a “checkmark project.”

Two of the most common drivers for establishing an IT risk management program include compliance and internal/external audit requirements. Even if the CIO is committed to the program, the support of the rest of the senior leadership team may nosedive once they feel that IT risk management has been crossed off the list.

2. Without communicating the cost savings stemming from the program, the value created by risk management is invisible to the business.

The successful management of IT risk is difficult to measure, and therefore, the value it creates for the business can be hard to see. Merely saying that risk events did not occur is not exactly a powerful motivator for leadership to continue investing resources into the risk management program and sustain their interest. Executive sponsorship and the engagement of key stakeholders may dwindle without visceral reminders of how IT risk impacts the business.

3. Obtaining business stakeholder participation is not as easy the second time around.

IT risk is business risk. Thus, the participation and engagement of key business stakeholders is integral to the successful identification and accurate assessment of IT risk. Robust risk management is demanding in terms of the participation and effort required of key stakeholders both inside and outside of IT. Getting business stakeholders to invest their time and expertise, even if it’s in their best interest, may be an unexpected roadblock to repeating the success of your first assessment.

Page 9: Don’t leave IT risk unmanaged in year 2, or you may need to update your résumé in year 3

Take luck out of the equation: “Hoping for the best” is not a risk management strategy. Take control of IT risk and avoid leaving your job security to chance.

The top four reasons why CIOs lose their jobs:

• Security Breaches

• Project Failures

• Disaster Recovery Failures

• System Failures

[Figure: IT Risk Management shown as the control covering each of the four failure types]

Source: Silverton Consulting

When business stakeholders are unaware of top IT threats, blame for project, security, disaster recovery, and system failures is usually assigned to the CIO and other senior IT managers.

When effectively integrated with business risk management, IT risk management is your best job security policy.

“If I wait until a risk event occurs, I might be out of a job before the business recovers.”

– VP of Security and Risk, Energy Logistics Company

Page 10: A false sense of security may be your greatest risk

The IT threat landscape is evolving rapidly and won’t wait for you to catch up. Risk is a moving target that requires proactive and persistent attention.

Only 60.5% of senior executives believe risks are being effectively monitored and reviewed (Project Management Institute). Follow the methodology in the blueprint to perform regular health checks to keep your finger on the pulse of the key risks threatening the business and your reputation.

Use this blueprint to perform ongoing health checks on your risk management program:

• Use Info-Tech’s risk identification methodology to detect new IT risks.

• Reassess and reprioritize previously identified risks.

• Evaluate the effectiveness of existing risk response projects and plan new actions to address top risks.

[Graphic: “BEST BEFORE 31 DEC ??” stamp] As the leader of your organization’s dormant IT risk management program, you may be the greatest IT risk of all.

12 New risks

One Info-Tech client discovered 12 additional risks during their second IT risk management workshop with Info-Tech analysts. The 12 risks included 5 that were missed the previous year, and 7 that reflected changes to the organizational context and threat landscape.

IT risk management is not a “checkmark project.” While this can be hard for goal-oriented IT leaders to accept, the value derived from each risk assessment depreciates rapidly. The good news is that repeating and optimizing your processes will make risk management more efficient, thereby increasing the value you provide the business with each iteration.

Risk Register Tool

Page 11: Workshop overview

Contact your account representative or email [email protected] for more information.

Workshop Day 1

Activities

AM: Perform a Risk Management Retrospective

1.1 Review IT risk fundamentals

1.2 Set workshop goals and expectations

1.3 Assess risk management process, and identify accomplishments and challenges

PM: Assess Business Context Changes and Engage Stakeholders

1.4 Build a Risk Management Program Improvement Plan

Deliverables

1. An updated Risk Management Program Manual

2. A completed Risk Management Program Improvement Plan

Workshop Day 2

Activities

AM: Assess Business Context Changes and Engage Stakeholders

2.1 Review IT and business context changes

2.2 Consider how context changes impact organizational risk tolerance

2.3 Generate tactics to re-engage business stakeholders

PM: Assess Previously Identified IT Risks

2.4 Determine if implemented risk responses were successful

2.5 Re-assess the severity of previously identified risk events

Deliverables

1. An updated and complete Risk Register with all relevant IT risk events

2. An updated Risk Management Program Manual

3. A revised stakeholder RACI

Workshop Day 3

Activities

AM: Identify New Risks

3.1 Augment risk event list with capability maps

3.2 Assess the severity of newly identified risk events

3.3 Perform an expected cost assessment

PM: Monitor IT Risks & Develop Risk Responses

3.4 Perform a root cause analysis

3.5 Identify and assess risk responses

Deliverables

1. An updated and complete Risk Register with all relevant IT risk events

2. Completed Risk Event Action Plans

3. An updated Risk Management Program Manual

Workshop Day 4

Activities

AM: Monitor IT Risks and Develop Risk Responses

4.1 Identify and assess risk responses

4.2 Review a risk response cost-benefit analysis

4.3 Create multi-year cost projections

PM: Communicate IT Risk Priorities

4.4 Customize the IT Risk Management Executive Brief Template

4.5 Finalize the Risk Report and Program Manual

4.6 Transfer ownership of risk responses to project managers

Deliverables

1. A communication guide and completed IT Risk Management Executive Brief Template

2. A detailed Risk Report

3. An updated Risk Management Program Manual
