The world around us is ever more complex and connected at almost every level, and in our organisational lives great economic, political, and climatic change ultimately impacts us all.
The challenge of managing the risks arising from this complex environment also requires connectedness, and we are seeing responses at every level from international cooperation, governments, industry bodies, companies, the public sector, and customers themselves.
One question we should be asking is whether, as IT professionals with organisational and broader societal responsibilities, we are doing enough to back up this overall need to manage risk.
IT’s responsibilities are strongly in the spotlight
In many areas of IT, the obvious potential or actual impact of risk has brought about better focus on the important issues.
For example, cyber-security now has ubiquitous board-level attention, and has brought realignment to the IT security sector.
In addition, business continuity is more often addressed at a high level, having matured from relying on “hot” technology swaps.
Project risks are also usually better recognised and managed, and the scale of historical disasters more often avoided.
However, there are numerous areas in which there is much more that should be done within many organisations.
• Supply-chain risk associated with as-a-service delivery (especially where individuals are allowed to adopt software usage via “shadow IT”).
• Security being built into all levels of software, and being visible, within development and other software lifecycle processes.
• Failure to treat as strategic the use of services such as payments systems, which Ovum research has identified may be chosen over integration capabilities as a result of developer choice, rather than an analysis of process-level issues and due diligence.
• Lack of an architectural approach to IT-related change, which can lead to failure to address risks early and can drive up the resulting cost.
IT is so central to business operations and processes that risk management in IT is a critical enterprise capability.
IT managers must honestly evaluate weaknesses in their approach to managing risk, across all their capabilities and services (home-grown and bought-in), and must focus attention and investment to make improvements first in areas that could allow any substantial damage.
Unless this is done, the prospect of damage avoidance, and of success in maximising the organisation’s benefit from technology opportunities (particularly those upcoming, such as the Internet of Things), is likely to be substantially reduced.
The reward of IT’s high profile is a place in the spotlight, but where light shines things can be seen better.
Risk is also much higher profile than ever before, and there will be no place to hide if anti-risk measures that should be taken in the IT domain are left until unfortunate headlines are made and an inquest is being held.
By Alan Rodger - Research analyst, Ovum