The Importance of Quantifying IT Risk
November’s theme is RISK, and this week’s article is:
Kevin Campbell | November 16, 2020
In last week’s article I spoke of the importance of discussing IT risk in the same language as the Board and the business. I also put out a plea that we should stop using Traffic-Light reports when we talk about risk! My hope is you agree with both...
This week let us discuss some results of quantifying IT risk. How would you respond to these questions about you and your organization:
If your organization uses a common risk identification and quantification tool, then you are ahead of the curve. Common tools, whether internally developed or third-party provided, are an essential aspect of any risk management program. These types of tools force all of the participants into a common set of terms with common definitions. But these tools also force all the participants to use and understand a common ranking scale. Having a common scale gives clarity to executive management and to the Board on the greatest threat that lies before them.
But the Board’s obvious next question is, “How do we address the risk and how much will it cost?”
Whatever line of business your organization is in, the pressure to financially quantify the risk and then financially quantify the cost of mitigating that risk is increasing. The dollar is the ultimate and common yardstick by which business measures both risk and value. That is the bottom line. Of the two aspects of risk quantification, the first part is the more difficult.
It is up to each CIO to adequately translate the impact of any risk found within a technology, a system, a process, a component, etc. into a single financial number whose value represents the exposure to the company if the risk is left unaddressed. Given the numerous unknowns that may surround any singular risk, the task of justifying this number should never be taken lightly. “If X happens the impact could be $Y.” It is the $Y number that CEOs and Board Members will always remember!
Two items to underscore when it comes to mitigation plans:
Without the first you never really get the opportunity to affect the second. …and it is the second where the true benefits lie.
Broad, grand, multi-phase plans with committees, new systems, checkpoints, reports, liaison representatives, etc. very rarely bring short-term value. It is difficult for the average employee to grasp such endeavors. Err on the side of a series of small, simple, and highly actionable efforts to reach the final goal. Employees can more easily understand such steps and will quickly identify the results. That enables them to change their personal behavior. Organizational behavioral change follows soon after.
Actionable insights beget behavioral change.
Next week I provide some thoughts on the positive effect of a governance program on risk management. Stay tuned.
Society for Information Management