
Nov/Dec 2008

"IT Operational Excellence"


 
TICKER Magazine
A Technology Magazine For Industry Professionals

Unlocking the Potential of ITIL to Manage IT Risk

By Steve Schlarman, CISSP, CISM, Chief Compliance Strategist, Brabeion Software

Risk Management in Information Technology has focused on data security and privacy for many years. However, while security breaches and data losses fuel the headlines, other parts of the information technology infrastructure can conceal risks that, over the long term, can pose similar dangers to the organization. This issue is no different than the risks posed in everyday life. People protect their homes from fire, natural disasters, and theft with insurance and security systems. However, it is the leaking faucets and the poorly insulated windows in their houses that slowly drain their bank accounts with little notice. Information Technology leaders are faced with the same challenges; large issues get mindshare and attention while smaller issues fester. These smaller issues can negatively impact the organization in many ways, including excessive costs, project delays, and poor internal reputation.

Organizations have begun to address these issues by looking at ways to rein in inefficiencies in IT processes. The Information Technology Infrastructure Library (ITIL) published by the Office of Government Commerce is a major source of guidance for the development of IT services. ITIL approaches technology management in the form of defined services that are managed similarly to business offerings. With these “services,” the IT department designs products or offerings for the organization with the end customers in mind, thus building the infrastructure necessary to meet business needs. While Risk Management is not explicitly outlined in ITIL as a service, IT services designed with an ITIL approach certainly implement controls that are well suited to manage those hidden risks that plague an organization and become part of the fabric of IT service delivery.

Viewed in this manner, ITIL can be regarded as much a risk management framework as other popular guidance such as COBIT, published by the IT Governance Institute, or ISO 27000, the international information security standard. To unlock the potential of ITIL, though, it is necessary to understand the subtle yet effective risk management practices integrated in the approach. Throughout the methodology presented in ITIL, key points of control are included in critical IT processes, such as application development and project management. Additionally, the IT operations processes outlined in ITIL include critical points of risk management such as event, incident and problem management, service desk activities, and access management.

Organizations looking at ITIL as guidance for defining overall IT services should also consider the underlying risk management benefits of the approach. Companies are finding that adopting ITIL approaches is improving not only the end deliverables of the IT organization but also their risk and governance methods. Cutting through the varied IT services in ITIL will reveal many control points within the organization. Translating the practices within these services into corporate risk management policies will build a foundation to move beyond security and data privacy to broader, more effective risk management and governance practices. Through integrating ITIL approaches and risk management concepts, organizations can improve the overall governance of IT practices, reduce business risks, and address many of those costly hidden hazards.

Steve Schlarman, CISSP, CISM, is Chief Compliance Strategist at Brabeion Software, 703-752-9300 x767; email: steven.schlarman@brabeion.com; web: www.brabeion.com.


