The myth of IT risk
People talk all the time about “IT risk”.
But, is this a useful term? Or can it lead people astray?
As my good friend Jay Taylor has said, I believe that “there is no such thing as IT risk, only [IT-related] business risk”.
Why the distinction?
What matters is the effect of a potential situation or event on the achievement of organizational objectives – not the effect on the IT function’s objectives (ok, it may matter to IT’s management, but how much should it matter to the board and executives?).
The investment that should be made in addressing so-called IT risks should depend on their significance to the achievement of organizational objectives. Any “IT risk” should be assessed in those terms.
That is why I prefer to talk about IT-related business risks (although I am amending that, as explained later).
ISACA got it right in their RiskIT methodology (now consolidated into COBIT): “IT Risk is Business risk associated with the use, ownership, operation involvement, influence and adoption of IT within an enterprise. It consists of IT related events that could potentially impact the business.”
A few reasons why this is important:
- A technology-related risk may be only one of several that could affect the achievement of a corporate objective. All risks related to an objective need to be considered as, when considered together, they may, in aggregate but not individually, indicate a need for action. IT management may consider the risk acceptable, but when considered in combination with other risks to an objective, it is not acceptable to the organization as a whole.
- Some technology-related risks may seem significant to IT and other technical staff, but when considered within the context of business objectives pale in comparison to other risks. Executives and boards have limited capital and resources and they cannot afford to invest them based on the assessment by a silo within the organization.
- All too often there is a disconnect between those in technical functions and those in the executive suite and on the board – because the technical people talk in technical terms and are not able to explain an issue in business terms. Talking about technology-related business risk forces the discussion to address how the business will be affected.
I have amended my thinking on this in the last year or so. Instead of talking about “IT-related business risk”, I now talk about “technology-related risk”.
- Technology is no longer the sole domain of the IT function. For years, other parts of some organizations (such as the engineering function or similar) have owned specialized technologies. Now, the advent of cloud has enabled every organization to acquire software, often without the need for IT support or capital. I am not sure that the IT department even knows about all the technology deployed across their organization.
- It’s about the use, deployment, etc. of technology broadly across the extended enterprise, which is a clear business issue, not just an IT issue. In addition, many risks are affected by actions and decisions made by the business.
- Not all technology is information technology. While I know some disagree, I don’t consider robots, process control systems or the like “information technologies”.
A recent report from the IIA talks about technology risks. That’s better, but not as good or clear as “technology-related business risks”.
Do you agree? Is there a risk (pun intended) of assessing (and of auditing) risk in silos?