Risk IT and the possible rewards

Published: December 8th, 2009

This was not a good year for taking risks.

After last year’s financial meltdown, everyone was focused on being as cautious as possible in terms of the investments they made, IT and otherwise. That doesn’t mean anyone in IT thought their organization could afford to become lax about spending on security, however. If downtime or data loss could hurt a business in the boom times, it could be utterly catastrophic in a year like 2009. And yet, I seemed to hear more and more experts in this area, particularly at last week’s GovSym event, acknowledging that risk is a fact of life and it would be naïve to try and eliminate it entirely.

That’s why it’s exciting to see ISACA, a global organization that centres around IT governance, announce the launch of its Risk IT framework today. I first wrote about this last year, when I interviewed SwissLife risk management exec Urs Fischer about his efforts to lead a committee that would put together best practices around what he called a “risk register” of potential dangers facing the enterprise.

ISACA, of course, is best known for Control Objectives for Business and Information Technology, or COBIT, which provides a framework for overall IT governance. Risk is certainly in there, but it was more about mitigating it. Risk IT, on the other hand, seems to treat risk as just another area where controls need to be applied. Fischer described it to me as a complementary tool, but it will be interesting to see where adoption begins.

I could see organizations that have used COBIT, for example, tapping into Risk IT as they try to build upon their previous governance efforts. I could also see some organizations – perhaps in financial services or the public sector – where Risk IT might be a good sort of point framework, for lack of a better term, to deal with the particular concerns they might have from an IT security standpoint.

There is also a third possibility, which is that Risk IT will be ignored. I actually talk to IT executives about COBIT fairly regularly, and I typically hear the same thing over and over again. Nobody denies that COBIT is a great framework. It’s just really comprehensive, and figuring out what elements of it are applicable to a given organization can be time-consuming and exhausting. Some IT executives have complained they don’t have enough IT staff to really make COBIT work. Others suggest that adoption won’t improve until these kinds of frameworks become part of the post-secondary curriculum.

Whatever happens to Risk IT, I find it encouraging that it’s becoming a more specialized part of IT governance. If nothing else, this might mean we begin to have more meaningful discussions about what kind of risk is acceptable and even necessary, and how this affects the way roles, policies and procedures within knowledge-based systems and companies are determined. Risk is related to IT security, but as we learned during the recession, not all risks are IT security risks. Sometimes you don’t lose data. You just lose money. Or you lose employees and customers. Sometimes you bring on more of a workload than your organization can effectively handle. As Risk IT matures, that risk register will need to get a lot longer.
