Information security has become a critical concern in all corporations. A major data breach or violation of regulations such as Sarbanes-Oxley can have serious consequences. Despite this, companies often focus so intently on the details of security management that they don't see the big picture of how security and its flip side - risk - affect business operations. If you can take a broad view and then use it to change the way you manage IT, you can turn IT risk into significant competitive advantage.
That's the conclusion of IT Risk: Turning Business Threats into Competitive Advantage, co-written by George Westerman and Richard Hunter. Westerman is a research scientist in the Center for Information Systems Research at the MIT Sloan School of Management, and Hunter is group vice president and Gartner Fellow in Gartner Executive Programs, a division of Gartner, Inc. Satori interviewed Westerman to uncover ways businesses can approach IT risk strategically.
"When we started writing the book, we were looking at risk management as a way to avoid problems," says Westerman. But as they studied how various companies handled risk management, the authors learned that the successful ones have a different attitude - they embed risk management into every conversation between IT and the business, he says. "When you start to do that, you can use this as a capability that creates value."
The four types of risk
The book outlines the four "A's" of IT risk:
- Availability
- Access
- Accuracy
- Agility
Start with availability: conduct audits, perform business continuity planning, implement controls, and then fix any problems you discover. As you do this, you not only reduce availability and access risk, but also start to reduce the risks related to accuracy and agility. You may find, for example, that you can't get accurate and timely data because your infrastructure or architecture is too complex, says Westerman. Sometimes, systems aren't integrated, which increases access risk and also makes it difficult to get all the data in one place and ensure it is accurate. He cites as an example a government agency that had 65 different systems to make grants. "That makes it very difficult to understand how many grants they've made to any particular group, for example. It also makes it difficult to control access to data."
Standardizing processes
Standardizing and simplifying business processes, systems and applications not only fixes availability and access problems but also reduces accuracy and agility risks.
While some companies cited in the book made dramatic changes, for example ripping out and replacing whole systems, most do it gradually. "They tend to surf the waves slowly to get to where they need to go," Westerman says. Viewing each new IT project as an opportunity for change, they may start by simplifying infrastructure, then later move on to business processes and applications.
Once systems and processes are rationalized, integrated and streamlined, you can manage data faster and more effectively, which will help your firm be innovative and agile. These are two qualities that will increasingly separate winners from losers in the future, says Westerman. "Firms that make IT risk management a true capability, rather than an afterthought, become more agile. They can put the right capability in the right place and go after new opportunities that their competitors just won't be able to go after."
Learn more about IT Risk: Turning Business Threats into Competitive Advantage, from Harvard Business School Press.