The IT Risk Paradox
April 28, 2009
Companies working to integrate and improve their Information Technology (“IT”) applications are also inadvertently increasing the risk level across the entire enterprise. Two professors from Carnegie Mellon University discuss this paradox in an article written this month for the Harvard Business Review. Here is what they have to say about the problem.
Standard risk-management strategies are too outmoded to help companies contain catastrophic IT-linked risks. These strategies tend to assume that the risks are well understood and that the possibility of extreme events is tiny. As a result, organizations typically concentrate on ensuring that they have good policies and procedures for managing known risks and are using high-quality processes for creating and operating IT. But this old-fashioned focus can prevent firms from seeing new risks.
How do you identify events that, by definition, are hard to anticipate? Start by instilling from the top down an organizational culture that encourages employees to take ownership of risks and weigh their potential rewards and hazards. This means modeling risks and analyzing their business impact and, even more important, making the process integral both to corporate risk management systems and to every stage of IT system development. The culture must encourage employees to bring concerns about risk forward early, particularly when IT is being applied in new ways.
Developing the proper organizational culture is critical not only for managing IT risks, but for all risks. Wheelhouse Advisors can help your company develop the frameworks and methodologies to create the optimal risk management culture. Visit www.WheelhouseAdvisors.com to learn more.