Hi Gary!

First of all, let me say thank you for “starting the ball rolling” with such an extensive opener; it's nice to know that at least one other person has read the article :) I'm glad you liked, and got, the key message. To be honest, I would happily have taken out a full-page ad that simply read "IT Risk IS Business Risk – Now get over it and move on!" and left it at that, but apparently more padding is required in articles these days...

You make some excellent points and clarifications on semantics, thank you. I immediately put my hands up and admit that I, perhaps lazily, allow(ed) terminology to become intertwined (though this particular message is aimed squarely at IT Security and Controls professionals, via COBIT Focus / ISACA).
That said, I do truly believe that terms, phrases, lingo, “buzz-words”, processes, tools, methodologies, and the “See section DSS.0.x and / or A.y.z” type discussions are often key distractions to folks outside this space, and they switch off, truly they do, which is one of the key points I'm making.
When I go into boardrooms to discuss risk status, at that level, we get straight into a service continuity / cost vs. benefit discussion, in the purest form: "How long will my business process likely be interrupted for? How much will this interruption cost the business? What's the likelihood of this really happening? How much would it cost to mitigate? Are there any other treatment options other than mitigation available?” – It’s that simple, and a basic spreadsheet usually hits the spot nicely.
Clearly though, I’m not denouncing the need for frameworks, processes, tools and methodologies; that would be self-destructive madness. Any vehicle that lends itself to addressing risk is fair game to be used. For me, it’s about translation of risk into plain language, business terms. I tend to use whatever “tool” is already in use by my clients, whether that has an ISACA flavour to it or is ISO-based; I’m really not too fussy.
So, I think we are in violent agreement on the first point, and this discussion itself will hopefully lead to improvements in understanding all round.
With regards to the second point, again I completely agree, we could happily drop any reference to technology and improve communication ten-fold; at senior level, frankly, there is no interest in the details around password controls or server patching issues, simply that those issues may lead to business interruption, lost sales, reputational damage, ethical issues, etc.
Third point, on RiskIT, I’ll let the creators of the framework chip in and fill in the detail (and there should be a few of them on here), but at a high level, it attempts to pull together IT Risk (I know you don’t like that term) with Business Risk under key activity RG2.2 (< I broke my own rule about cross-referencing!). OK, it doesn’t actually DO the work for you, but it does have a trigger point close to the start of the process that forces the issue to be addressed and resolved.
In addition to your excellent points, I do think the phrase “IT” has become something altogether different over the years, what with smartphones, tablet PCs, social networking, etc. blurring the lines, and potentially opening up new “technical” risk channels.
The term “Information assets” certainly works for me, and I’m already seeing that kind of terminology emerge from the ISO 31000 arena, and to be fair, COBIT5 and RiskIT do infer this, even if not with outright use of that precise phrase.
Provocative is good, anything that advances discussions and process improvements on risk management is healthy, in my opinion!
I’ve probably not answered all your points, but generally speaking, I think we are in agreement. Let me know if I’ve skipped anything though.
Good to talk!