by Rachel Curran

Knowing where the line is in IT risk management

Mar 29, 2021
IT Strategy | Risk Management

Not all risk is a raging fire. Technology projects should be weighed against your organization’s broader risk appetite.

Every organization should have an agreed understanding of risk, what that means for the company, and where the line of acceptability (the threshold) sits. Knowing where this line is, and using it as a driving force for decision making within IT, can dramatically improve the use of resources and decrease costs.

Decision making

Risk management sometimes carries the unfortunate nickname of the Business Prevention Unit (BPU), but that name couldn’t be further from the truth. Robust and mature risk management ideally acts as a catalyst for decision making and resource management within any department. Risk management is a tool that, when understood, enables technology leaders to make decisions that drive the department, and therefore the business, forward.

For anyone new to the risk game, the objective is to look at what can go wrong and how likely that scenario is to occur. In an IT department, this can range from service outages to data breaches to application malfunction. From there, you can ask how much impact you are willing to accept, aka your risk appetite, and the threshold you do not wish to go over.

Understanding the organization’s risk matrix and risk appetite will help IT leaders make clearer decisions about where to apply resources and which work to initiate.

In my experience, IT teams have a tendency to communicate control gaps or exposures within IT as flaming red fires that need to be put out immediately or the consequences will be DIRE! However, if the decision maker takes the time to take the emotion out of the subject, and asks questions to understand how this gap could impact the firm (in business terms) and how likely that impact is to occur, I would bet that most of the time the gap expressed as VERY HIGH RISK is actually more of a moderate or minor risk once it’s considered in business terms.

Once this level of understanding is in place, there can be a more practical conversation about whether the risk falls in or out of tolerance, and about the potential impact cost to the firm versus the financial cost required to mitigate the identified risk. In some cases, once the likelihood and impact (including financial impact) to the business are considered, it may become clear that mitigating the risk would cost more than the risk itself. This approach leads to better use of resources, because you’re not applying time and people to mitigate what is actually an acceptable risk.
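The steps above (estimate likelihood and impact, check the score against the appetite threshold, then weigh expected loss against mitigation cost) can be written down as a small, repeatable assessment. The following is an added example written for this page, not the author's own method or any particular framework's scoring rules: the 5x5 scales, the appetite threshold, the expected-loss formula and the sample risk register are all assumptions constructed for illustration, and an organization would substitute its own matrix.

```python
from dataclasses import dataclass

# Assumed ordinal scales for a 5x5 risk matrix. An organization's own
# risk matrix defines these; they are constructed here for illustration.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str            # key into LIKELIHOOD
    impact: str                # key into IMPACT, expressed in business terms
    annual_probability: float  # estimated chance the scenario occurs in a year
    loss_if_occurs: float      # estimated business loss (currency units) if it does
    mitigation_cost: float     # annual cost of the control that would mitigate it


def score(risk: Risk) -> int:
    """Matrix score: likelihood rank times impact rank (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(matrix_score: int) -> str:
    """Translate a matrix score into the usual colour bands (assumed cut-offs)."""
    if matrix_score <= 4:
        return "low"
    if matrix_score <= 9:
        return "moderate"
    if matrix_score <= 15:
        return "high"
    return "very high"


def expected_annual_loss(risk: Risk) -> float:
    """Expected yearly cost of the risk: probability of occurrence times loss."""
    return risk.annual_probability * risk.loss_if_occurs


def recommend(risk: Risk, appetite_threshold: int) -> str:
    """Decision-support outcome for one risk.

    - Within appetite: accept, spend nothing further.
    - Outside appetite and the control is cheaper than the expected loss: mitigate.
    - Outside appetite but the control costs more than the expected loss:
      escalate so the business can decide (accept with sign-off, transfer, etc.).
    """
    if score(risk) <= appetite_threshold:
        return "accept"
    if risk.mitigation_cost <= expected_annual_loss(risk):
        return "mitigate"
    return "escalate"


def assess(register: list[Risk], appetite_threshold: int) -> list[dict]:
    """Score every entry in a risk register and attach a recommendation."""
    return [
        {
            "name": r.name,
            "score": score(r),
            "rating": rating(score(r)),
            "expected_annual_loss": expected_annual_loss(r),
            "mitigation_cost": r.mitigation_cost,
            "decision": recommend(r, appetite_threshold),
        }
        for r in register
    ]


# Constructed sample register; the figures are illustrative, not real data.
SAMPLE_REGISTER = [
    Risk("Unpatched internal wiki (no sensitive data)", "likely", "minor", 0.6, 5_000, 20_000),
    Risk("Customer database breach via stale credentials", "possible", "severe", 0.1, 2_000_000, 50_000),
    Risk("Single office printer outage", "almost certain", "negligible", 0.9, 500, 3_000),
    Risk("Legacy batch job failure delaying reports", "possible", "major", 0.2, 40_000, 150_000),
]

# Assumed appetite: matrix scores of 9 or below are within tolerance.
APPETITE_THRESHOLD = 9

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, APPETITE_THRESHOLD):
        print(f"{row['name']}: score={row['score']} ({row['rating']}), "
              f"EAL={row['expected_annual_loss']:,.0f}, "
              f"mitigation={row['mitigation_cost']:,.0f} -> {row['decision']}")
```

The point of the `escalate` branch is the one the article makes: a risk can sit outside appetite on the matrix and still not justify the proposed control, because the control costs more than the loss it prevents. That is a business decision, so the script hands it back rather than silently accepting the risk.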

Maximized resources and decreased spend

The more IT decision makers understand their firm’s risk matrix, and use it in conversations about different IT projects, the more CIOs can ensure resources are being effectively applied across the department. Instead of treating every risk as if the world is falling down, it’s better to stop, ask about business impact in business terms, and examine the likelihood. Through these conversations, when you take the risk from technical terms to business terms, the real weight of the risk becomes abundantly clear, which will better inform the course of action.