ISACA Journal Author Blog


The Balanced Scorecard and IT Risk Management

Published: 9/27/2010 8:00 AM
Rajesh Kapur, CISA, FIETE, MIE
Risk management in an enterprise is essentially about how to deal with the occurrence of a perceived vulnerability. The controls, metrics gathering, validations, costing and consequent inferences, etc., are all almost ritualistic actions to ensure that everything goes according to plan. In spite of our efforts, however, unforeseen events do occur, and our plans do get impacted adversely. This is especially true of high-value IT projects; IT, even though it is in the DNA of almost every enterprise business process, is still viewed as a specialist activity.
How do we ensure that our technology risk management efforts are effective? The fundamental challenge is to accrue sustained business value in the face of uncertainty and try to forecast the approximate business impact of exploitation of an organizational vulnerability. We can lower the inherent uncertainty by making sure that our controls, activities and IT investments are aligned with stakeholder expectations.
How are stakeholder expectations to be ascertained? One can always look toward the vision and mission of an enterprise; these, however, are rarely altered in reaction to a crisis in the business environment. I have found the balanced scorecard (BSC) to be an effective alternative indicator of enterprise stakeholder objectives—especially those of top management. There are some additional actions that are necessary if the BSC approach is to succeed:
  • It must be regularly reviewed and the latest priorities periodically updated by top management.
  • The chief information officer (CIO) must be clear about the mapping of the business goals to IT objectives and activities. Security is not the only issue here; other nonfunctional requirements including scale-up, interoperability and response time must be taken into account. Resources for implementing these in applications and all change or maintenance efforts have to be earmarked. The effect of IT initiatives corresponding to a BSC must be continually monitored, tweaked and analyzed for subsequent reference.
  • All employees who must implement and comply with the controls (not only the IT staff) must be aware and cooperative.
Finally, we must remember that risk management is probabilistic in nature. Even after all policies and mechanisms are in place, there is still a residual risk, which ultimately has to be accepted. The good thing is that we know it is there. Through planning and management, we can minimize the adverse impact. Neglecting to plan for and manage risk can be catastrophic!
Read Rajesh Kapur’s recent Journal article: “Use of the Balanced Scorecard for IT Risk Management,” ISACA Journal, volume 5, 2010.


Balancing stakeholder delight

I agree with you that stakeholders' interests have to be kept in mind. Do you have a template to define "stakeholder"? I find that this is a term that is used almost without thinking. Would you like to consider the following as acceptable dimensions of stakeholders: associates (all employees and others working in the team), investors (all those who have invested in your team: employers, superiors), customers (who consume your services/products) and society (the general society at large that has an interest in your and your team's, as well as your investors' and customers', well-being)?
Sudarshan046 at 9/28/2010 10:57 AM


Dear Sudarshan,

Thanks for your comment.

You are quite right; anyone having an interest in the products/services that an organization produces/delivers is a legitimate stakeholder.

The relevance and influence of each stakeholder must however be prioritized. Who has control? Who is in a position to deploy controls? Who bears the maximum risk? Who bears the main responsibility?

To that extent, for the purpose of IT risk management in an enterprise, the shareholders and (through them) the board of directors are the 'most relevant'. They hire executives and employees to execute their vision, and it is the job of the executives to implement that vision in letter and spirit.

The balanced scorecard is an effective tool to help executives ascertain what the top management really wants at a specific instance of time.
Kapur at 9/30/2010 5:22 AM