IT Brief New Zealand - Technology news for CIOs & IT decision-makers
The risky business
Sun, 1st Nov 2009

Risk management is an ongoing task that needs to be shared, for everyone’s benefit.

In tough times, the punishment for making the wrong decision is more severe when resources are scarce. Traditionally this is where risk management plans, governance and compliance assist the business by minimising the possibilities of mistakes.

In the current economic climate there has been a spotlight firmly placed on compliance and governance within organisations. This is a period of time when crisis management plans are being brought out and instigated. Unfortunately many of them were done years ago, in the boom times, and may not be suitable for today's environment. Where return on investment (ROI) used to be what the decisions of risk mitigation hinged upon, in the current climate it is more about survivability.

This is an excellent time to be honest with yourself and re-evaluate your decision making processes. So how can you get the best from your risk management plans? Read on.

Identify and assess the risks: There is no such thing as too much identification of risks. Categories of risks can include market, credit, health and safety, regulatory, operational, reputation and even political. Don't be afraid to spend time looking at all areas. Make it a company-wide exercise on identification and be prepared to reassess often, particularly when you make significant changes to your strategy or operations.

Make decisions and assess the risk/return ratio: Once you have identified those risks you need to make decisions and trade-offs. Often risks are not singular but interrelated. You need to assess the likelihood of a risk against a potential return. Some of the poor risk management plans correctly identify all their risks but fail to rank them in importance.

Commit adequate resources: Be prepared to spend time and money on getting the right tools to enable you to quantify the risk. After all, if you can't measure it you can't manage it. The right tools will enable you to gather the risks, measure them, rank them in order of magnitude and most importantly, change them as your circumstances change.

Create a risk-aware culture: Risk management should not just sit on the shoulders of the executives or even senior management. Governance starts with the board and needs to extend throughout the company. Everybody in the business needs to be looking for risks and there should be the freedom in the culture to highlight those risks without penalty. Make sure that everybody is focused on outcomes.

Collaborate at executive level to share risk: Just because you are developing a risk management plan for IT does not mean you alone, as CIO or CTO, have to shoulder the responsibility. In fact you may find opening your world, sharing and educating others will actually help you. Other people may see risks you weren't able to identify and, better yet, may have strategies to mitigate that you didn't know about. The last thing you want is to create silos.

Educate people: The more transparent your processes and the more educated everybody is, the better the processes are likely to be followed. This means fewer exceptions will be needed, which lowers your process overheads. Educating people throughout the business makes it more likely they will become your supporters and help to enhance and refine your processes.

Good governance helps manage a crisis situation in a controlled way. It helps by improving operations and protects against waste. It uses your limited resources in the most efficient manner. Your governance and risk management practices must be transparent, agile, informed and accountable. Don't be afraid to use the right tools to take a good, hard, honest look at your current plans and change them if necessary to suit the current conditions.