PUTERSCHOOL.COM

Why Risk It?

Published by: jack 2008-07-19

IT departments face an eternal dilemma: There always will be more work than resources. But what if IT had the funds to do everything it wanted? Wouldn't that be great?

Not really.

The truth is, if IT did have an unlimited budget, it almost certainly would waste money, if only because other departments with higher priorities than IT's latest pet project wouldn't be getting those resources.

Thus, management has classic economic opportunity costs associated with doing some things at the expense of others. And in making decisions about proper resource allocation, organizations must factor in risk.

The Positive and the Negative

First, there are two types of risks.

There are negative risks, with which most of us are familiar. For example, there is the risk of having a hacker compromise your SQL Server and access proprietary data.

There also are positive risks, or opportunities, that could benefit an organization, such as launching a project that may help land new business.

Lastly, there are events that can have both positive and negative impacts. Your project may indeed be successful, with new business resulting. However, on-time delivery could suffer and your Web server farm may need to be upgraded to handle increased traffic.

Risks have two basic dimensions: probability and impact. Probability is the likelihood of an event happening. I recommend that firms use a 1-5 Likert scale and define what each level means. A probability of 1 may mean that an event is very unlikely and has less than 25 percent chance of happening in one year.

The impact score attempts to identify the extent of the consequences. Again, I recommend a 1-5 Likert scale with each point defined with subjective and quantitative descriptors. For example, a 1 might mean the event will impact one department and/or impact the firm by $10,000.

If you multiply the probability by the impact, you can get a raw risk score, plus you can readily chart the risks on a Cartesian coordinate chart with 1 to 5 marked on each axis -- one axis for probability and one for impact. This serves to really highlight risks in a graphical manner.
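The scoring and charting described above can be kept in a small risk register. The following is an added example, not code from the original article; the class and function names are hypothetical and the sample scores are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

SCALE = range(1, 6)  # 1-5 Likert scale used for both axes

@dataclass(frozen=True)
class Risk:
    name: str
    probability: int        # 1-5, likelihood of the event within one year
    impact: int             # 1-5, extent of the consequences
    positive: bool = False  # True for an opportunity (positive risk)

    def __post_init__(self):
        # Reject anything off the agreed scale so scores stay comparable.
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: scores must be integers 1-5")

    @property
    def raw_score(self) -> int:
        return self.probability * self.impact

def rank(register):
    """Highest raw score first; ties broken by impact, then name."""
    return sorted(register, key=lambda r: (-r.raw_score, -r.impact, r.name))

def chart(register) -> str:
    """Text grid: impact on the vertical axis, probability on the horizontal.
    Each cell shows how many risks fall there ('.' if none)."""
    counts = Counter((r.probability, r.impact) for r in register)
    rows = []
    for impact in reversed(SCALE):
        cells = " ".join(str(counts.get((p, impact), ".")) for p in SCALE)
        rows.append(f"I{impact} | {cells}")
    rows.append("     " + " ".join(str(p) for p in SCALE) + "  (probability)")
    return "\n".join(rows)

# Constructed sample register; the scores are illustrative, not from the article.
REGISTER = [
    Risk("SQL Server compromise exposes proprietary data", 2, 5),
    Risk("New project lands new business", 3, 4, positive=True),
    Risk("Web server farm needs upgrade for added traffic", 4, 2),
    Risk("On-time delivery suffers", 3, 3),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        kind = "opportunity" if r.positive else "threat"
        print(f"{r.raw_score:>2}  P{r.probability} I{r.impact}  {kind:<11}  {r.name}")
    print(chart(REGISTER))
```
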

The point of this simple exercise is to establish a basic formal means to document and review risks. IT must recognize and manage this domain -- indeed, the whole organization should. Through formal discussions about risk, mitigation strategies, where to invest, and a review of efforts, organizations can begin to manage their risk environment.

Will the approach be perfect? No, it never will be. The intent must be to start the risk management process, learn and continuously improve. If you do, the system you have for discovering, scoring and tracking risk will look very different in a year.

Mitigation

One thing to bear in mind is that the goal is not to eliminate risk, but to manage it. Spend only the money needed to move the risk's probability to an acceptable level. Trying to move the probability to zero for negative risks or to 100 percent for a positive risk (or opportunity) may not be reasonable. Let the risk drive the behavior -- not emotion or politics.

The reason we want to do this is to increase predictability. The renowned quality scholar W. Edwards Deming noted that one goal of management must be to control variation in order to create predictable results. This is as true for IT as anywhere else and is one of the reasons why risk management is a foundation control. Without it, the organization can be blindsided repeatedly by unforeseen risks. The goal is to reduce this unplanned variation and hence increase predictability.

The process can begin with IT, but should evolve to have an enterprise perspective for risks to be considered across the organization.

Here's a good way to get started:

1. Identify the stakeholders. To start, keep it small;
2. Work with management to define the probability and impact scores for each of the five levels;
3. Determine the process by which to collect risks and report them to management;
4. Work with management to define when risk management meetings will be held, how they'd like the risks presented, what the agenda will be and so on. Be clear that formal decisions will be one of the outcomes;
5. Make the risk communications two-way -- both up to management as well as back down to the operations; and
6. Start small and grow. Your goal should be to sell the value of risk management to the organization overall, not just IT.

Neither IT nor the organization will ever have the resources to do everything or the means to eliminate every risk. Instead, start with a basic risk management process to increase predictability in the organization and ensure that resources are deployed correctly.



