Manage Risk

The economic world is global and open. It is almost impossible to fathom all the ways in which technology and openness of information can create risk for the business. The CIO is under enormous pressure to manage IT risk for the business. In fact, there are many different kinds of risk the CIO and the Office of the CIO are forced to deal with, for example:

  • Security risk
  • Disaster recovery
  • Infrastructure
  • Financial
  • Service Delivery
  • Regulatory
  • Compliance/Standards

“The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform their mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.” Source - Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, NIST Special Publication 800-30

IT Complexity

While this might seem like a relatively easy and straightforward matter, in practice it’s enormously complex and difficult. IT has historically been implemented from the bottom up to automate specific business processes, and it is a complex heterogeneous environment with a conglomerate of mismatched tools and redundant people, processes and technology. Together, these make gaining holistic transparency into IT virtually impossible. IT management has become a large multidimensional optimization problem. The IT environment is not going to become less complex anytime soon. In fact, if there is one thing you can count on, it’s increased complexity as new technology and IT innovations are introduced to improve various aspects of operational efficiency.

How is this accomplished today?

So how does the Office of the CIO (OCIO) manage the risk of day-to-day business operations and manage risk through large-scale transformations? Technology is purchased to try to enforce aspects of risk related to assets. IT organizations are formed with the sole function of assessing risk and instantiating best-practice methodologies throughout the organization, in an attempt to automate process and thereby minimize risk. These organizations attempt to provide oversight and act as a steering committee for risk management.

So what’s the problem?

Typical approaches are very much bottom-up, without context or priority relative to business strategy and objectives. Existing approaches are absolutely valid ways to manage risk, but they need to be considered in the context of the business and of the existing services provided to the business, along with their associated relevance and value. Only when the IT management team has holistic transparency across all service operations and across initiatives, in the context of business goals and strategy, can they derive a more complete understanding of the risk to the business.

How do I solve this?

What the OCIO needs is an authoritative IT system that takes a “Top Down” approach to the matter. That system should understand and prioritize the risk associated with existing IT services for the business. That system should also capture and understand the risk associated with new business strategies and initiatives, and the impact of those transformations on planned business delivery.

Only when the OCIO has a complete understanding of risk relative to existing IT operations, and an understanding of the risk impact associated with IT Transformation initiatives, can they derive the entire IT landscape that must be considered for managing risk for business execution. That system then has the relevant information, with contextual understanding of the business, to model alternative IT models and, through advanced algorithms, provide optimized delivery models with clarity on impact and risk. Only with that derived transparency can the OCIO provide ongoing risk management for the business.

What does “Emerald City” look like?

IT and the business will work from a common business model and speak a common language. IT will have transparency of services and understand the relevance and risk associated with those services. IT will work with the business on understanding operational or transformational goals and agree upon the priority and relevance of services, and with that knowledge IT can produce various alternative risk and impact models of services to the business. IT will then share and collaborate with the business on various risk optimization models, and IT will manage the transformation execution with ongoing measurement of delivery performance and results achieved.

That day is upon us!

With Gravitant, the CIO and the OCIO have that system to unify Business and IT. IT decisions to manage risk can be optimized from a top-down approach to achieve optimized IT service delivery for the business. With Gravitant, IT and the Business will speak a common language and work from a common business model. The intent to manage risk and protect the organization will be implicitly managed through normal service operations and through transformation for the business. Gravitant empowers the business with IT Management transparency to monitor, plan and govern ongoing risk to the business.

Learn more about how Gravitant can unify business and IT:

Gravitant Solutions

IT Management for Project Management Office (IT PMO)

IT Management for Network Service Operations (IT NSO)

IT Management for Vendor Management Office (IT VMO)


Want to know if Predictive IT Management can help you? Get a Free Assessment.
