
Thoughts on IT Risks

I’ve found that IT risks are best thought of in three high-level categories. (I’ve rather negatively labelled all three as failures, but failure is, after all, what we are trying to avoid.)

  • Failures to invest
  • Investment failures
  • Operational failures affecting the confidentiality, integrity or availability of information and information systems

Categories like these help us organize our thoughts, but more importantly they help with risk identification. Identifying risks usually involves some form of brainstorming, and working through a set of categories helps ensure that we have covered the ground rather than simply listing the risks that come to mind first.

Examples of failures to invest include airlines that ignored the advent of on-line reservation systems, book store chains that brushed off the impact of the web, and delivery companies that did not invest in bar coding and route planning software. The best defense against these risks is a well thought out IT strategy that follows a thorough scan of the external business environment. A useful model for framing competitive threats is Porter’s (see Porter’s Five Forces on Wikipedia).

Investment failures, on the other hand, are failed projects: an ERP or CRM implementation abandoned after tens or hundreds of millions of dollars, projects that run over budget or late, and initiatives that never deliver their promised benefits. Good project management practices help, and organizational change management is crucial. Too often, once an investment is approved, budget and schedule become the focus and the benefits that justified the investment are sacrificed.

(Also beware if you have capitalized your project costs on the balance sheet under placed-in-service rules. If you abandon the project, the entire amount may flow through as an expense in the current year rather than being depreciated over the useful life of the system: a very ugly surprise.)

Remember CIA: confidentiality, integrity and availability. These three are useful sub-categories within operational risk, and the popular press is replete with failures in each of them (Target, anyone?). While these are risks to operations, the real story usually begins earlier, with investment decisions and project management. Does the organization recognize the need to invest in protecting its information assets? Are these risks mitigated during the planning and design of projects and IT infrastructure, rather than bolted on afterwards? Do the organizational culture and human resource practices reinforce the need to protect information and systems?

I hope thinking in these categories helps you avoid the fate of others.