March/April 2006

"Effective Risk Management: Security, Compliance and Disaster Recovery"

Managing Risk: "More Than Just a Gut Feeling"

By Margaret Brooks

If you were to ask a CIO, "Do you know the high-risk areas in your IT organization?", the majority of CIOs would answer, "Sure I know!" How do they know? For many, it is based on experience, knowledge of their organization and potentially just a gut feeling. In today's world, where IT services are integral threads that weave throughout the organization to support almost all business processes, just "knowing" is not good enough to run the business, especially from the Board of Directors' perspective. Organizations need to manage risk, assure business continuity and compliance, protect assets and, in general, manage both operational business risk and IT risk.

In the past, most organizations have been reactive, operating in firefighting mode. Today, since many of the regulatory requirements for business have a significant impact on IT, most organizations have begun to proactively implement and manage controls. Although the emphasis on controls has raised the level of awareness within IT organizations, additional work is still required to reduce duplication of effort, improve operational efficiency and identify risk exposures. In the future, organizations will need to work toward attaining holistic risk management in real time.

So, what does this really mean for the CIO? How does the CIO credibly quantify the risk levels to the Board of Directors and other senior management? The CIO needs to step up to the podium and take leadership for holistically managing IT risk and compliance. In addition to the IT organization, the CIO needs to work with the business to enable enterprise risk management across the organization by leveraging technology to proactively define, monitor, measure and improve business risk and compliance.

In order to manage risk, there are multiple levels of capability that an organization needs to develop before it can attain the optimal and appropriate level of risk and compliance for IT. And, prior to initiating a risk management program, various organizational requirements need to be addressed. To manage an entire program, a person needs to be assigned accountability for the program. In larger organizations, the VP of IT Compliance may be responsible for risk. Another more recent trend may be to assign an IT risk officer. However, as the leader of IT risk, the CIO should be willing to accept responsibility for IT risk management. As part of the initial organizational challenges, the company must also define its acceptable risk appetite or tolerance. Previously, risk ignorance may have been acceptable; today, risk awareness is required and needs to be quantifiable. What level is the company willing to accept: an outage for 30 seconds, 10 minutes or the entire day? Based on major risk categories, what is the acceptable action: avoid risk, mitigate risk, accept the risk or transfer/insure the risk?

The IT Risk Management Program

Managing risk is a complex problem that needs to be handled in acceptable phases based on the needs of the organization, as depicted below:

As an organization moves along this continuum in the risk management process, each phase has activities and milestones that need to be achieved as dependencies to the next phase. For example, risk assessment profiles defined in the first phase are intended to identify the highest priority risks and provide the types of risks and controls that should be highest priority for automation in the next phase. The automation of controls will provide efficiency as well as the capability to automatically collect the appropriate metrics to deliver key risk indicators. As an organization matures in its risk management practices, the aggregation of IT risk metrics across IT services and eventually the integration with the business risk systems will enable the CIO to be more proactive and quantitatively answer the appropriate questions regarding the status of risk management for IT. Looking at risk management across the complete maturity cycle is essential in order for companies to avoid costly rework and ensure incremental value at each level.

In summary, everything in an organization carries risk, but no company in the world can manage all risks equally. Based on your risk policy, your qualitative assessment of which risks are important and the key controls of your organization, the cycle of activities within the maturity model will be different for each company. You may approach your program by working across all areas of your IT organization within one level before you move to the next level, which will require many sub-project iterations within each level. Another approach would be to select a segment of the organization, such as the controls protecting your assets, and develop the program from level 1 to level 4. Each company needs to break risk into digestible projects so that the program is continuous and increasing in level of maturity. Achieving holistic, integrated risk and compliance requires dedication to understanding risk and a willingness to move beyond managing it from experience or intuition based on a gut feeling.

Margaret Brooks is Vice President Strategic Solutions, HQ Research at CA, 901-433-2572; email: margaret.brooks@ca.com; web: www.ca.com.
