The concept of IT as a service has been around for quite a while, but risk isn't really on the radar screen yet in most IT departments. This is unfortunate, since risk management can be a powerful tool for decision makers within IT as well as in top management.
Life is full of risks, naturally, and IT in particular: security risks, the risk of not reaching stated project goals or deadlines (a big issue in the context of change management), project cost overruns. All of these are clear and present dangers. On the other hand, risk management is already an accepted part of overall strategic and operational planning in other areas. So why not in IT?
In fact, risk assessment is starting to crop up more frequently in many areas of IT. One example is the recent proliferation of tools that measure the risks associated with system access; another is the realm of business-IT alignment, where risk management plays an increasing role in many ERP projects. In the ERP case, the focus is on business controls (who may do what within a business process), whereas in IT proper it's more about the sort of IT controls described in COBIT.
A risk-based approach is desirable for many reasons. For one thing, it makes it possible to evaluate risks and possible countermeasures before a problem actually occurs. Risk management is also central to proper project portfolio management, especially with regard to IT security. Here, it is always advisable to address risks centrally due to the prohibitive cost of risk mitigation. Risk management is also important for developing a comprehensive authentication strategy. Determining how much security is really necessary requires a good understanding of the risks involved.
For IT services, on the other hand, the need for risk management is growing in areas such as ITIL (the IT Infrastructure Library), Web Services, SOA, and SaaS (Software as a Service), where an all-too-narrow view has been prevalent in the past. Here, cloud computing is driving a shift towards increased awareness of the issues at hand.
Cloud technology is forcing IT to become more service-oriented. It clears the way for improved supply chain management as a service by enabling companies to choose between various providers. The new focus on services will be especially felt in areas like resource planning and procurement, and it will inevitably lead to new billing models for IT. The idea of "ERP for IT" is just a step away (and high time, too!).
Incidentally, service-orientation and risk management are actually two sides of the same coin. After all, fulfillment or non-fulfillment of service level agreements both hinge on how certain risks are handled.
IT managers who concentrate on service management while at the same time addressing the question of risk are actually killing two birds with one stone. They also have their fingers on the two biggest control issues in IT today. Not that this is trivial; far from it. There are no simple solutions. But the arguments in favor of such an approach are convincing. And the further you proceed along this path, the easier it gets, because it enables those in charge of corporate IT to identify the risks associated with providing closely defined services, and to address those risks in a mature and responsible fashion.
Created: 26.01.10, modified: 13.02.10