How to handle the business risks associated with IT risks

books:


	• IT Risk: Turning Business Threats into Competitive Advantage George Westerman, Richard Hunter Harvard Business School Press, 2007 - 221 pages average customer review:based on 8 reviews view larger image
	for more information click here

highly recommended

Finally, a practical book on IT risk assessment...

Finally... a book on Information Technology risk that didn't put me to sleep or infuriate me to no end... IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. This book and approach makes sense, and weighs options in conjunction with the business rather than in an ivory tower.

Contents:
IT Risk and Consequences; The 4A Risk Management Framework; The Three Core Disciplines of IT Risk Management; Fixing the Foundation - Strengthening the Base of the Pyramid; Fixing the Foundation - Simplifying the Installed Base; Developing the Risk Governance Process; Building a Risk-Aware Culture; Bringing the Three Disciplines Up to Speed; Looking Ahead; Ten Ways Executives Can Improve IT Risk Management; Notes; Index; About the Authors

I'm a software developer, and I'm paid to design and build solutions for our organization. I love what I do, and I *do* realize that there are risks inherent in the choices I make in terms of design. Where I get frustrated is when numerous people review code or designs, and come up with an endless list of "risks" that are posed by your particular design. But at some point, choices need to be made as to what's an acceptable risk and what isn't. And that's where the process often fails. It's safer to discuss and do nothing than to assess risk and choose a path. The 4A framework proposed by the authors help get to this point. The four A's are Availability, Access, Accuracy, and Agility. These areas make up the risk profile for an organization, and allow both the business and IT to talk about risk from the same angle... what benefits the business, what could harm the business, and what are the tradeoffs. These areas are framed against three core disciplines of risk management... the process, an awareness of risk, and the foundation of the IT base. Again, the explanations of these disciplines are clear and concise, and deal with practical reality rather than a theoretical elimination of any and all risk to an enterprise. Because as any IT person will tell you, there is no way to eliminate all risk.

I could see this book being useful for a company that hasn't really addressed a structured risk management process for their IT assets. Time spent here will save you plenty of time, money, and headaches down the road. And for those IT departments who seem to be paralyzed with fear, this could help you break the logjam and start dealing from an angle of practicality.

for more information click here

Invaluable for IT Risk Management teams

When I was asked to design an IT Risk Management program beyond just data security for an IT department of a Fortune 100 company, I performed a significant amount of research of existing material. After engaging both internal and external research departments, then reading dozens of books and hundreds of articles and white papers, I decided to...on a Saturday after a surfeit of information overload and blurred vision...search in Amazon.com.

And I happened upon this book.

Since I was designing the framework and governance, I needed practical models. Westerman and Hunter provided many, of which I have applied several which work well in a large and complex company. As an example, applying the 4A's provided clear snapshot insight in one page for our executives.

My copy of this book is so dog-earred, tabbed and highlighted, but even as beat-up as it appears, it remains on top of my desk as a quick reference. I certainly hope Westerman and Hunter come out with a sequel.

for more information click here

How to handle the business risks associated with IT risks

Have you ever had your business disrupted because some aspect of your IT systems stopped working? The reality is that many of the critical processes of your business and many key capacities are based on computers and software. Any IT risk you face is also a business risk and you have to manage them accordingly.

This book provides a framework for making your IT risks visible. They call them the 4A framework (availability, access, accuracy, agility). During your discussions, the tradeoffs involved will become clear and can be actively declared and chosen. The other alternative is to make choices based on politics and expediency until something blows up and the blame game begins.

The authors then discuss the three disciplines: building a solid and smaller foundation of systems, rationalizing your processes, and building a risk-aware culture. As you do that, some of your assumptions in the 4As will likely have to be revisited and the new understanding can be iteratively added in.

I enjoyed this book and think the discussions would be good for any company to have. The examples of how real life businesses handled (or suffered for not handling) these issues are well chosen. I also appreciated the real world advice the authors give. For example, they warn you that your real world track record in handling big initiatives will matter in pulling off a project such as this.

Also, if this project doesn't matter to your CEO and is not strongly led by senior management, getting this done will be very difficult. And the discussion of the trade-offs of doing this kind of transformation quickly (a few years) versus a deliberate and conservative pace (a decade) are enlightening. The point of handling vulnerabilities first rather than fretting about threats of attack is spot on.

The book is quite helpful, easy to read (not full of jargon), and the topic is important to modern businesses.

Reviewed by Craig Matteson, Ann Arbor, MI

for more information click here

An awesome read!

For my graduate degree, I've done a lot of research on goverance, risk and compliance and I found this book to be an awesome read for anyone looking to simplify their approach to enterprise risk management. The concept of the 4a's makes sense and the impact each has on the tiers above them is very powerful understanding. If you're looking for mathematical equations to prioritize risk, this book is not for you. However, if you're looking for places to start assessing risk within your company, buy the book.

I also liked the three disciplines of risk management and felt it to be very compatible for most small, medium, and large organizations. Like most of the other comments about this book, I believe this book to be at the perfect depth for any C-level executive.

Of all the books out there that I've read on enterprise risk management, this book is by far the most capable of applying conceptual ideas into real life implementable practices to fit any business scenario.

I definitely give it 5 stars!

for more information click here

reviews: page 1, 2

Are you exposing your business to IT risk, and leaving profit opportunities on the table? You might be if you are managing your IT risk using more traditional approaches. IT Risk, a new book based on research conducted by MIT s Center for Information Systems Research and Gartner, Inc., helps companies focus on the most pressing risks and leverage the upside that comes with vigilance.

Traditionally, managers have grouped technology risk and funding into silos. IT Risk outlines a new model for integrated risk management, which identifies three core areas you can develop to eliminate the problems that silo strategies create. The authors also offer specific ways to make the most of your new found advantage. And because IT risk is the responsibility of all senior executives not just CIOs this book describes the tools and practices in language that general managers can understand and use.

Named a top-ten managerial book of 2007 by CIO Insight magazine

for more information click here

hot