Abstract
Businesses are exceedingly dependent on the use of information systems and related technology (IT) for their competitive well-being. Successfully managing the plethora of risks associated with the acquisition, design, implementation, and operation of these systems is therefore of paramount importance. Successfully managing IT risks, however, requires that a unified approach be used, one where all the diverse types of risk involved—financial, technical, strategic, political, operational, and so on—are addressed in an active, holistic fashion across the total life cycle of the information system. This requires using both systematic and systemic risk analysis and management processes; decision makers who are open to reversing their previous decisions; an organizational communication structure that allows diverse types of risk to be assessed and controlled concurrently, as well as the flow of risk information up, down, and across the organization; and, finally, an organization that embraces a risk-taking ethic. By actively managing IT risks holistically, not only can the downside risk consequences to a business be better controlled, but also new sources of opportunity can be created for the business. Risk in this organizational environment in effect becomes a corporate asset to be exploited. Organizations with a risk-taking persona are the most successful at leveraging risk into profit. Furthermore, by applying active risk management, organizations developing or using IT are in a better position to take responsibility for the risks they may encounter or produce. In other words, it allows them to be aware of what IT-related risks are facing them, as well as what IT-related risks they pose to others. Thus, proactive IT risk management is useful for three separate, but tightly coupled, purposes: cost or loss management, innovation and opportunity enhancement, and achieving increased ethical responsibility.
Given the benefits of proactively managing IT risks, it is surprising to discover that risk management is not often used in IT projects. Unfortunately, there exist numerous strong incentives against implementing a proactive approach to managing risk. These include fear of being seen as “unprofessional,” fear of getting blamed for problems that currently exist, and a lack of personal rewards for doing risk management. Overcoming these disincentives is key to implementing risk management successfully. The preceding issues and others are explored in depth in this article. The article begins by examining the fundamental concepts underpinning IT-related risk and its management. It then turns to investigating the mechanics of IT risk assessment and risk management. Third, it surveys current risk management practice and the disincentives to implementing risk management, and discusses how to put risk management successfully into IT organizational practice using a “forest and trees” approach. The article ends by examining IT risk management’s limitations and then hypothesizing where it is headed in the future in relation to information systems and their related technology.