Bond, James Bond: Risk Management Consultant?

James Bond—otherwise known as 007—likes taking risks. In the books and movies, living on the edge and pushing danger to the limit is what it takes to get his “job” done.

However, it’s another story when it comes to corporate IT. Putting James Bond in charge of IT risk management would probably not be a wise decision by a corporate hiring manager. And with today’s regulatory and compliance environment, it’s a move that might even bring trouble to a company’s board of directors.

Luckily, as far as I know, no companies have so far offered Mr. Bond a cushy desk job in IT—whether it’s a regular old IT management job or a potentially more natural job as an IT risk management director. That’s a good thing—I think we can all feel safer, and perhaps more entertained, with Mr. Bond continuing to pursue his current career calling.

For the rest of us, though, IT risk management is an increasingly important part of the corporate world. As we’re all too well aware, the risks that organizations, corporate applications and corporate data face are greater than they have ever been. While we’ve had security measures, intrusion detection, anti-virus and other security and threat-management technologies available for years, the need for organizations to take a rational and strategic approach to IT risk management has never been greater.

Of course, we still face the same basic hardware and software failures that we’ve faced in the past, though customers, supply chains and business timetables are less forgiving than ever when problems do happen. But we’ve also seen a dramatic rise in the importance of planning for compliance and auditing requirements and of managing the risks associated with potential security breaches. Over the years, organizations have grown ever more dependent on their IT systems and on ready access to data, so that any interruption—from email to order entry systems—quickly becomes a critical and significant event.

Part of the reason is that disruptions to IT systems have become increasingly visible—to everyone from customers to partners to auditors. A seemingly small failure such as a security breach can cascade into a major business crisis that damages reputations, creates compliance liabilities, and hurts the business.

Not only is anticipating potential problems important, but the speed with which an organization can recover from problems when they do occur is critical. How fast can you get an important server back up and functioning if it’s brought down by a hardware failure? How fast can you fail over to a hot site if one of your data centers is offline? How quickly can you get your traders back up and trading if your main office building (and all their specialized trading systems) is hit by an unexpected power failure? The faster you can recover from incidents like these, the less impact they have on the business.

These types of questions continue to be important ones for the IT department to manage. But today’s IT groups also need to consider a wide range of other, risk management-related questions. How quickly can you create an audit trail for changes that occurred to a specific server? Can you provide verification that your IT environment has remained consistent and that security or administrative settings to servers, databases, or applications haven’t changed?
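The second pair of questions, an audit trail of changes and proof that security settings have not drifted, is usually answered in practice by baselining the relevant files and comparing against that baseline on a schedule. The following is an added illustration, not code from the original article or from ebizQ: it hashes a set of configuration files, reports added, removed and modified entries relative to a stored baseline, and wraps the report in an HMAC-signed audit record so the trail itself is tamper-evident. The file paths and contents are constructed samples, and the signing key is a placeholder that would come from a secrets store.

```python
"""Configuration-drift check: baseline a set of settings files, detect changes
against the baseline, and emit a tamper-evident audit record.
Added illustration, not from the original article; sample data is constructed."""
import hashlib
import hmac
import json
import time
from pathlib import Path

# Constructed sample: logical path -> content, standing in for a snapshot of a
# server's security-relevant settings. In practice, read the real files.
SAMPLE_BEFORE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/db.conf": b"max_connections=200\nssl=on\n",
}
SAMPLE_AFTER = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # weakened
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",                                      # unchanged
    "/opt/app/cron.d/dump": b"0 3 * * * /usr/bin/dump\n",                        # new file
    # /opt/app/db.conf has been removed
}


def snapshot_dir(root):
    """Read every regular file under root into a {relative path: bytes} map."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_baseline(contents):
    """Map each path to the SHA-256 of its content; this is the stored reference."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in sorted(contents.items())}


def diff_baseline(reference, current):
    """Compare two baselines; return sorted lists of added, removed and modified paths."""
    ref_paths, cur_paths = set(reference), set(current)
    return {
        "added": sorted(cur_paths - ref_paths),
        "removed": sorted(ref_paths - cur_paths),
        "modified": sorted(p for p in ref_paths & cur_paths
                           if reference[p] != current[p]),
    }


def _canonical(body):
    """Stable serialisation so the HMAC is computed over the same bytes each time."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def audit_record(host, drift, key, now=None):
    """Serialise a drift report with an HMAC-SHA256 tag so the record cannot be
    altered without detection. `key` belongs to the audit system, not to the
    servers being checked."""
    body = {"host": host,
            "time": int(now if now is not None else time.time()),
            "drift": drift}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"record": body, "hmac": tag}


def verify_record(record, key):
    """Recompute the tag over the stored body and compare in constant time."""
    expected = hmac.new(key, _canonical(record["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac"])


if __name__ == "__main__":
    key = b"audit-system-secret"  # placeholder; load from a secrets store in practice
    reference = build_baseline(SAMPLE_BEFORE)
    drift = diff_baseline(reference, build_baseline(SAMPLE_AFTER))
    rec = audit_record("app-01", drift, key)
    print(json.dumps(rec, indent=2))
    print("record intact:", verify_record(rec, key))
```

The check answers the article’s two questions directly: the diff is the audit trail of what changed on the server, and an empty diff is the verification that settings have stayed consistent. Signing the record with a key the monitored hosts do not hold matters because an attacker who has already changed `sshd_config` could otherwise edit the report that would reveal it.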

The clear directive from regulators and corporate management over the past few years has been for IT groups to increase their focus on risk management and risk mitigation.

However, when considering these types of issues, the challenge that many companies face is how to balance these risk mitigation requirements with their ongoing project requirements, and to do it within a limited budget. Unlike James Bond’s special gadgets and cool tools department, which seems to enjoy unlimited financial resources for coming up with unique “solutions,” most corporate IT groups have a limited budget for security and risk management.

But there is hope. Both large and small organizations can put a rational (and reasonable) risk management plan in place and build on it over time. The place to start is by building bridges between business managers and IT, since risk management is a cooperative process that involves both. A good IT risk management plan requires a dialog between IT and the business, because there is so much variability in the potential risks and in the costs of the different ways of mitigating them.

About the Author

David Kelly - With twenty years at the cutting edge of enterprise infrastructure, David A. Kelly is ebizQ's Community Manager for Optimizing Business/IT Management. This category includes IT governance, SOA governance, and compliance, risk management, ITIL, business service management, registries and more.

As Community Manager, David will blog and podcast to keep the ebizQ community fully informed on all the important news and breakthroughs relevant to enterprise governance. David will also be responsible for publishing press releases, taking briefings, and overseeing vendor submitted feature articles to run on ebizQ. In addition, each week, David will compile the week's most important news and views in a newsletter emailed out to ebizQ's ever-growing Governance community. David Kelly is ideally suited to be ebizQ's Governing the Infrastructure Community Manager as he has been involved with application development, project management, and product development for over twenty years. As a technology and business analyst, David has been researching, writing and speaking on governance-related topics for over a decade.

David is an expert in Web services, application development, and enterprise infrastructures. As the former Senior VP of Analyst Services at Hurwitz Group, he has extensive experience in translating the implications of new application development, deployment, and management technologies into practical recommendations for enterprise customers. He's written articles for Computerworld, Software Magazine, the New York Times, and other publications, and spoken at conferences such as Comdex, Software Development, and Internet World. With expertise ranging from application development to enterprise management to integration/B2B services to IP networking and VPNs, Kelly can help companies profit from the diversity of a changing technology landscape.


About ebizQ

ebizQ is the insider’s guide to next-generation business process management. We offer a growing collection of independent editorial articles on BPM trends, issues, challenges and solutions, all targeted to business and IT BPM professionals.

We cover BPM standards, governance, technology and continuous process improvement, as well as process discovery, modeling, simulation and optimization, among many other areas. We follow case management, decision management, business rules management, operational intelligence, complex event processing and other related topics. We closely track important trends such as the rise of social BPM, mobile BPM and BPM in the cloud. We also explore BPM’s use in functional areas, such as supply chain and customer management, and in key verticals, such as financial services, health care, insurance and government.

ebizQ's other BPM-oriented content includes podcasts, webcasts, webinars, white papers, a variety of expert blogs, a lively online forum and much more.