Our article titled Risky business looks at an emerging approach to help IT departments better deal with the onerous task of deciding how many resources to throw at problems that pose risks to the enterprise, and where to throw those resources. The problem in question is one that has dogged corporations for as long as the concept of a free-market economy has existed.
Today, however, with large and medium-sized firms stratified into so many different departments and divisions, with each of them often giving the appearance of a small company unto themselves, the question of resource allocation has grown more complicated than at any other time in history.
Hence, the emergence of numerous vendor tools, as well as other industry benchmark guidelines such as the OCTAVE methodology. These tools bring together data sets from throughout an organization and, once coalesced, attempt to give decision-makers a clear understanding of what group needs more resources and why. By approaching the problem in such a scientific way, the models hope to deliver a rational, clearly measured set of reasons why a certain amount of money should go to one area and not another.
Collectively, they represent a positive and potentially revolutionary way of looking across an organization and determining the best way to dole out funds to maximize growth.
The organizations putting forth models for risk assessment should be commended for their efforts to help make the process of resource allocation easier for companies trying to arrive at the most effective way to spend their money on tackling risk throughout the organization.
However, it appears that for now, at least, in order for the concepts to truly pay off, any company that implements them will have to have their house in order for them to have any significant degree of positive effect. That means the existence of open, constructive communication between department heads, the executive level and, of course, the IT department. It requires that all individuals involved in the process have the time to devote to the implementation of the models’ tenets, as well as the commitment to “spreading the gospel” around their worth and eventual payoffs.
It appears that the most likely early adopters of risk assessment models are, as in most other cutting-edge technology implementations, financial institutions. For smaller outfits in other vertical markets, the process will probably continue to be an ad-hoc one, with inexact and often unsatisfying results.