Feeling a touch nostalgic last night, I listened to Adam Sandler’s 1993 comedic album, “They’re All Going to Laugh at You”. The title purportedly comes from a repeated phrase in the 1976 horror movie Carrie. On the album, Sandler’s character keeps screaming, “Nooooo!! They’re all going to laugh at you!!” much to the anger and disappointment of the other characters in the skit. Obviously, Sandler’s character was very risk-averse no matter the situation. As funny as it was, my mind wandered back to work and I started thinking about how companies (particularly their IT departments) approach risk.
According to an ESI International study, “66% of organizations lack a formal risk management program”. If you are in that majority, your IT department has no consistent and comprehensive strategy for managing risk. Perhaps your approach to managing IT risk is purely reactive? This fails for a number of reasons:
- IT departments that spend most of their time putting out fires are perceived as disorganized. The risk itself should determine how it is handled, and that is impossible when risks are never quantified, never discussed with the appropriate stakeholders, and never assigned a remediation plan.
- Reactive risk management does not align with business objectives. Many IT risk assessments fail to compel the business to take action.
- Reactive risk management usually focuses on IT security alone. What about vendor and supplier interactions, project risks, or the loss of qualified personnel?
Reactive risk management increases business risk exposure because the impact of IT risks on the business is not understood. Non-compliance can also raise costs and damage reputation. Lastly, who wants to look bad after a failed IT audit?
Bottom line …
- IT risk is business risk. They are one and the same. A risk management program must share accountability with the business.
- Risk is money. A risk management program must quantify the financial impact of risks in order to make intelligent decisions about remediation.
- What you don’t know can hurt you. To find hidden risks and be comprehensive in your approach, you need a structured and methodical risk identification method.
EDCi can help you develop a formal risk management program that illuminates, quantifies, and brings IT and the business together. Let us show you how.