IT Risk: Turning Business Threats Into Competitive Advantage by George Westerman and Richard Hunter (Cambridge, MA: Harvard Business School Press, 2007)
As many authors in recent years have spelled out, IT has become increasingly central to business success – but many enterprises haven’t adjusted their processes for IT decision making and risk management. The result? The authors of IT Risk posit that IT risk incidents carry a much higher price tag than they used to. They harm constituencies within and outside companies. They damage corporate reputations. They expose weaknesses in firms’ management teams, and they rob profits and dampen competitive advantage.
George Westerman from the Center for Information Systems Research at the MIT Sloan School of Management and Richard Hunter of Gartner Executive Programs joined forces on a new book that sets out to demonstrate that IT risk matters more than ever. Using a number of examples from the front pages and trade media, the authors try to connect the fiduciary responsibility of business executives with the capabilities of IT specialists in order to manage IT risk:
- Failed software implementation at a pharmaceutical manufacturer leads to a company’s bankruptcy
- Data theft at CardSystems Solutions prompts the firm’s two largest customers – Visa and Master Card – to defect
- Errors in a tax-credit management system at the UK Inland Revenue (in 2003, under the watch of EDS) lead the organization to pay out over 2 billion pounds in erroneous tax credits
- Complexity of IT systems impairs a high-tech manufacturer’s ability to buy and sell businesses
The authors build a framework for IT risk in two dimensions that centers the book nicely. There are four types of IT risk: availability, access, accuracy and agility, each with its own chapter and company examples to illustrate the points in the “real world.” The second dimension is introduced in the form of “three disciplines that enterprises must master to manage IT risk efficiently:”
- A solid foundation of IT assets, people and supporting processes and controls that enable executives to manage the right risks in the right order
- A well-designed risk governance process – including oversight by high-level executives – that allows companies to identify, prioritize and track risks
- A risk-aware culture, nurtured from the top, that attunes people to the causes and solutions for IT risks and creates increased vigilance across the organization
All in all, IT Risk is a solid effort to bridge the gap between the board room and the data center, and the credibility that MIT and Gartner enjoy in most C-suites today makes this a noble endeavor indeed. The book is grounded in a number of surveys and one-on-one interviews with IT executives around the world, and leads to a number of “five key practices” or “ten ways executives can improve IT risk management” sections which can be taken out of the book and refined for an individual organization or team in a different context (offsite meeting, PowerPoint deck for a team meeting, etc.). Think of it as an early form of SOA/plug and play for a business book – you do have to buy the whole book, but IT Risk is more modular than your average business tome, and that can make it a compelling read for your client or prospect’s business executives.
This reviewer will leave you with two of my favorite “sections” to think about on your own, and to consider how you have seen them play out (or not) inside your client organizations:
Five Key Practices of an Effective IT Risk Governance Process:
1. Appoint a single person to be in charge of the process
2. Identify formal risk categories
3. Create a risk register
4. Develop consistent methods to assess risk
5. Use specialized best practices
Ten Ways Business Executives Can Improve IT Risk Management:
1. Treat IT as a business risk
2. Consider risks in terms of the 4 A’s (availability, access, accuracy and agility) for both the long term and short term
3. Plug the holes in the dike, and be ready for more floods
4. Simplify the foundation
5. Create risk governance structures and process; embed IT risk management into every other business process and decision
6. Give every employee appropriate awareness of the risks, vulnerabilities and policies that matter most to them
7. Create a risk-aware culture
8. Measure effectiveness
9. Look forward
10. Lead by example
IT Risk is a somewhat dry but thorough and insightful book loaded with useful best practices for improving organizational resilience and agility. It sends a wake-up call by demonstrating how IT risks directly impact business performance and offers practical guidance on integrating IT risk management into daily business processes. Some of the high-profile lawsuits and bankruptcies resulting from IT risk run amok may seem like they can’t happen within your client’s organization (or our own!). Westerman and Hunter go a long way in proving otherwise – and reveal the dangers of clinging to that assumption.