Article: Integrating IT Risk Management With The Business
Businesses are now so reliant on technology that many simply couldn’t operate without it. IT has become such an integral part of business that IT risk management is an imperative for all organisations. Gone are the days when risk management was practised only by a specialist department; now risk management touches every part of the business, especially IT. With its central database of assets, people and processes, Service Management software is uniquely positioned to manage risk within IT. Neil Penny, Product Director at Sunrise Software, explains.
Technology is ubiquitous; no business of any size can operate without it. Risk management is also becoming more mainstream as organisations realise that risk needs to be an enterprise-wide concern. Indeed, ISO 9001:2015, due out later this year, introduces a new approach to the international quality standard, which is soon to be underpinned by ‘risk-based thinking’, bringing the concept of risk management to a much wider audience.
Risk management for the IT department isn’t simply limited to ‘keeping the lights on’; it is now underpinning the entire business. IT risk management is moving much higher up the corporate agenda as there are increasing instances where IT outages can result in loss of reputation, loss of business and, in some cases, significant financial penalties from regulators.
There are many inherent risks that the IT department manages every day, probably without even thinking about it. For example:
- Keeping the Infrastructure and Online Services Running: rolling out new systems and services, and replacing or refreshing existing technology. Ensuring software licenses are kept up to date, and that legacy code and operating systems are maintained. Each of these activities needs to be planned, and all dependencies carefully mapped, so that when one thing is changed, the knock-on effects are suitably managed, with no ‘surprises’ that could increase downtime.
- Cyber Security: managing threats both external and from within, vulnerability and patch management, controlling and eradicating malware, managing data loss, controlling the perimeter. A key part of security is also educating the user base and enforcing corporate security policies, particularly if sensitive client/citizen data or commercially valuable intellectual property is handled.
- BYOD/CYOD (Bring Your Own Device/Choose Your Own Device): managing consumer devices that may connect to the network with or without authorisation, and the resulting threats. There may be productivity gains to be considered here as well; risk management is also about managing positive opportunities.
- Physical Risks to IT Equipment and Business Continuity: power outage, fire, flood, pandemic. What happens if the organisation needs to close down, or relocate at short or no notice?
Most organisations have plans for these sorts of eventualities, and having a formal IT risk management function ensures that they remain visible.
Beyond internal risk, Service Providers in particular also need to manage third-party and supply chain risk. This is potentially a much larger and more complex area of risk management because, while their reputation may well be reliant on good service from third parties, they don’t necessarily have much control over it.
Despite its importance, many organisations still use spreadsheets to manage risk. The dangers of using spreadsheets are well documented, but nonetheless they still seem to be the method of choice in many organisations. Disadvantages include:
- Difficult to collate multiple spreadsheets to assess overall risk
- No standard template
- No provenance or audit trail, and no version control
Importantly, randomly managed spreadsheets are not linked to IT real estate, so it is difficult to equate theoretical IT risk with the actual situation on the ground. Your Service Management tool likely already has a database of IT assets and users, so it makes a lot of sense to link IT risk management to your Service Management capabilities.
The benefits of a purpose-built IT risk management solution that integrates with your Service Management tools are wide-reaching. It provides a central repository for tracking all IT risk information, including risks and owners, allocated actions, assessed risk scores, and details of risk controls and mitigation activities, with full audit trails and history.
A central system provides visibility of risk that could affect the running of the business, and affect service provision to customers. It highlights issues within the supply chain and can identify risks that have a potential impact on other areas of the business. In addition, such an integrated system can be linked to project risk, department operational risk and supply chain risk, rolling up all risk information to an enterprise level (where used).
For the IT department, integration with the existing CMDB (Configuration Management Database), asset registers and user information/accounts, through an attractive, easy-to-use interface that the department is already familiar with, shortens learning curves and aids user adoption.
Finally, recognising and quantifying IT risk also helps to identify opportunities. An organisation that knows its own risk appetite can choose which opportunities it can take advantage of, in order to grow and develop the business, while keeping within its stated risk parameters.
About Sunrise Software:
Sunrise was founded in 1994 and is an independent provider of Service Management solutions for internal and external facing IT service operations. In 2003 they launched Sostenuto, a process driven, entirely browser based solution. Their customer base includes blue chip and public sector organisations.
About PR Artistry:
Provides PR and marketing services to the contact centre and IT industries.
Published: Wednesday, August 12, 2015