Aligning IT Risks to Business – Part Two, Risk Assessment Criteria

February 11, 2011

by Gary Alterson

In my last post, I spoke about the importance of defining a risk universe to align your IT risk program with the way business executives think. Another tool for achieving alignment is to define and evaluate risks in a way that is meaningful to your business and gives executives the intelligence they need to compare risks and decide between competing priorities.

In the February 2011 Information Week Analytics Report “Risk Avengers”, Erik Bataller and I outline a practical approach to establishing an IT Risk Management program and unlocking the value within it. One of the recommendations, defining common risk criteria, goes a long way toward facilitating business decisions about risk.

By establishing a common set of equivalent criteria for risk analysis across impact types, that is, a common risk taxonomy, organizations can align different risks and build a shared language for expressing their relative magnitude. In other words, you facilitate apples-to-apples comparisons between risks so that the business can prioritize appropriately.

For example, develop a “catastrophic impact” category by defining, for each impact type, the loss that counts as catastrophic: regulatory impact (regulator takeover), customer impact (more than 25% of the customer base placed at risk), business continuity impact (business interruption of more than 5 days), or manufacturing impact (productivity decrease of 15%). Because each of these thresholds is defined to be equally severe, a risk expressed in customer terms can be weighed against one expressed in downtime. Doing so lets you categorize and compare risks consistently and supports more informed business decisions about risk.
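As an added illustration, not code from the post or from Neohapsis, the following Python sketch shows how a common taxonomy of this kind turns risks described in different units into one comparable rating. Only the catastrophic thresholds come from the post; the lower tiers, the named regulatory outcomes, the strictly-greater-than reading of the 15% productivity threshold, and the sample risk register are assumptions made for the example.

```python
"""Common risk taxonomy: rate risks on equivalent criteria across impact
types so they can be compared apples-to-apples and ranked.

Added example, not from the original post. Catastrophic thresholds follow
the post; lower tiers, regulatory outcome names and sample data are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Ordered severity scale shared by every impact type; list index = rank.
SCALE = ["minor", "moderate", "major", "catastrophic"]

# Numeric criteria as (exclusive lower bound, tier), ascending. A value
# strictly greater than a bound earns that tier; the highest match wins.
# Catastrophic bounds: >25% of customers, >5 days, 15% productivity loss
# (the post says "decrease of 15%"; treated as >15 here, an assumption).
# The moderate/major bounds are assumed for illustration.
NUMERIC_CRITERIA: Dict[str, List[Tuple[float, str]]] = {
    "customer_pct_at_risk": [(1, "moderate"), (10, "major"), (25, "catastrophic")],
    "interruption_days": [(0.5, "moderate"), (2, "major"), (5, "catastrophic")],
    "productivity_loss_pct": [(2, "moderate"), (5, "major"), (15, "catastrophic")],
}

# Regulatory impact is qualitative, so named outcomes map straight to tiers.
# "regulator takeover" is from the post; the other outcomes are assumed.
REGULATORY_CRITERIA: Dict[str, str] = {
    "informal inquiry": "minor",
    "fine": "moderate",
    "consent order": "major",
    "regulator takeover": "catastrophic",
}


def rate_numeric(impact_type: str, value: float) -> str:
    """Map a measured impact onto the common scale using its criteria."""
    tier = "minor"
    for bound, candidate in NUMERIC_CRITERIA[impact_type]:
        if value > bound:
            tier = candidate
    return tier


def rate_regulatory(outcome: str) -> str:
    """Map a named regulatory outcome onto the common scale (KeyError if unknown)."""
    return REGULATORY_CRITERIA[outcome]


@dataclass
class Risk:
    name: str
    # impact type -> measured value, or a regulatory outcome name
    impacts: Dict[str, Union[float, str]]


def rate_risk(risk: Risk) -> Tuple[str, Dict[str, str]]:
    """Rate each impact on the common scale; the overall tier is the worst one."""
    per_impact: Dict[str, str] = {}
    for impact_type, value in risk.impacts.items():
        if impact_type == "regulatory":
            per_impact[impact_type] = rate_regulatory(str(value))
        else:
            per_impact[impact_type] = rate_numeric(impact_type, float(value))
    overall = max(per_impact.values(), key=SCALE.index) if per_impact else "minor"
    return overall, per_impact


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Sort worst first. Ties on the overall tier break on the remaining
    impact tiers, so a risk that is catastrophic in one dimension and major
    in another outranks one that is catastrophic and moderate."""
    def key(risk: Risk) -> List[int]:
        _, per_impact = rate_risk(risk)
        return sorted((SCALE.index(t) for t in per_impact.values()), reverse=True)
    return sorted(risks, key=key, reverse=True)


# Constructed sample register (hypothetical risks, not from the post).
SAMPLE_REGISTER = [
    Risk("Unpatched customer portal", {"customer_pct_at_risk": 30, "regulatory": "fine"}),
    Risk("Single-site ERP outage", {"interruption_days": 3, "productivity_loss_pct": 20}),
    Risk("Stale VPN certificates", {"interruption_days": 0.25}),
]

if __name__ == "__main__":
    for risk in rank_register(SAMPLE_REGISTER):
        overall, detail = rate_risk(risk)
        print(f"{overall:13} {risk.name}: {detail}")
```

With the sample register, the portal exposure (measured in customers) and the ERP outage (measured in downtime and lost output) both land in the catastrophic tier and can be weighed against each other directly, while the VPN item drops to minor; the point is that the ranking never needed a dollar figure, only criteria defined to be equivalent.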


Aligning IT Risks to Business – Part One, Risk Universe

February 10, 2011

by Gary Alterson

Many IT risk and information security analysts are at a loss to explain risk to business executives. Part of the reason is that they are unable to align their risk terminology with the vocabulary their business leaders understand. However, there is a solution to this problem. In the February 2011 Information Week Analytics Report “Risk Avengers”, Erik Bataller and I outline a practical approach to establishing an IT Risk Management program and unlocking the value within it. In it we introduce the concept of an IT Risk Universe.

Establishing a business-relevant IT Risk Universe and categorizing your risks according to that universe is one of the key tools for aligning with your executives. All too often we see risk universes categorized along technical silos such as “network vulnerabilities” or “application security”. While useful for assigning ownership within IT, this categorization does little to help executives understand those risks. Instead, build categories that help business executives understand how each risk relates to them: build categories around business impact.

At Neohapsis, we’ve built a common risk universe framework around six top-level categories, five beginning with A plus Efficiency, hence the name A5E: Alignment, Agility, Accuracy, Availability, Access, and Efficiency. We then build subcategories under these that are relevant to each client. We’ve found that a risk universe executives understand facilitates alignment and communication between our clients’ IT risk and information security staff and their business executives.

Defining a risk universe is a great way to evolve your risk program and build in alignment mechanisms that foster business understanding and, ultimately, better decision making.

