IT Risk: Turning Business Threats Into Competitive Advantage

By George Westerman and Richard Hunter
Reviewed by Reynaldo J. de la Fuente, CISA, CISM

Order Book

This book fills an existing gap, addressing IT risk in a friendly way, making it possible to tackle the subject without having to cope with tough and complex risk quantifications. It provides the necessary knowledge and focus on risk management to support the study of domain four of the Certified in the Governance of Enterprise IT™ (CGEIT™) certification job practice for those considering the CGEIT exam.

The book approaches IT risk not as a technical issue, but as a business and management one. It can be thought of as being split in three parts. Part one is about the framework and the overall approach to risk management. Part two concentrates on the actionable management steps business and technology executives can use to manage risk. Part three looks at the future and proposes improvements to risk management.

Part one includes the following chapters:

  • Chapter 1: The 4A Risk Management Framework—The authors introduce here a framework of four A’s that looks at risk from a business perspective, rather than an assurance or compliance perspective. The four A’s that define IT risk are:
    – Availability—Keeping business processes and information flowing through the business
    – Access—Ensuring that the appropriate people, including customers and suppliers, can get the information and functionality they need to be effective
    – Accuracy—Concentrating on providing timely and complete information to meet operating and oversight needs
    – Agility—The ability to change with managed cost and speed
  • Chapter 2: The Three Core Disciplines of IT Risk Management—These are:
    – A well-structured foundation of IT assets, an installed technology base of infrastructure and application technologies, and supporting personnel and procedures
    – A well-designed and well-executed risk governance process that provides an enterprise-level view of all risks
    – A risk-aware culture in which everyone has appropriate knowledge of risk

Part two includes the following chapters:

  • Chapter 3: Fixing the Foundation—Strengthening the base of the pyramid; the importance of infrastructure in risk management
  • Chapter 4: Fixing the Foundation—Simplifying the base of the pyramid; about how complexity drives risk, cost and performance levels. The authors make a critical point when they show how change in infrastructure is IT change, while change in applications is business change.
  • Chapter 5: Developing the Risk Governance Process—Covering how to manage and make decisions regarding IT and business risks
  • Chapter 6: Building a Risk-aware Culture—The authors make an important connection between risk and culture, and a critical distinction between being risk-aware and risk-averse.
  • Chapter 7: Bringing the Three Disciplines up to Speed—Concentrates on the program and patterns for effective implementation

With the tools of chapter four and the scenarios of chapter six, the authors have built a good example of a midsized company finding its legacy applications—and the lack of agility in them—to be a key risk, and the need to invest in replacing and upgrading systems to make maintenance and evolution easier and less risky.

Part three includes the following chapters:
  • Chapter 8: Looking Ahead—Talks about how to incorporate risk management as a positive force in planning and strategy setting
  • Chapter 9: Ten Ways Executives Can Improve IT Risk Management—The book closes with a brief reminder of different ways executives can improve IT risk management. Some of these ways are:
    – Treat IT risk as business risk.
    – Simplify the foundation.
    – Give every employee an appropriate awareness of the risks, vulnerabilities and policies that matter most to them.
    – Measure effectiveness.
    – Lead by example.

Overall, this is a must-read for chief information officers and IT risk management and IT governance professionals. It is also recommended reading for chief executive officers (CEOs) and others who want to understand how to manage IT risk.

Reynaldo J. de la Fuente, CISA, CISM
is CEO of Datasec (www.datasec-soft.com), an IT governance, security and assurance company in Uruguay specializing in ad hoc software development. He was recognized with ISACA’s 2005 John W. Lainhart IV Award for outstanding contribution to developing the profession’s common body of knowledge. He has served in several ISACA chapter and international positions since 1993.

Editor’s Note:

IT Risk: Turning Business Threats Into Competitive Advantage is available from the ISACA Bookstore. For information, see the ISACA Bookstore Supplement in this Journal, visit www.isaca.org/bookstore, e-mail bookstore@isaca.org or telephone +1.847.660.5650.

© 2010 ISACA All rights reserved.