Understanding IT Risks

What are the Sources of Risks?

According to a Harvard and Gartner “IT risk” research report, “Most IT risks arise not from technical or low-level people issues but from the failure of the enterprise’s oversight and governance processes for IT. Such failures produce a series of poor decisions and badly structured IT assets that are manifested as ineffective IT governance, uncontrolled complexity, and inattention to risk. Many of the risk factors are symptoms of common condition, ineffective implementation of IT governance.”

Risk and Return Relationship

Figure 1.

Everyday decisions that managers make commit their organizations to different levels of risk for which they must seek appropriate rewards. Figure 1 (above) reflects the positive correlation between risk and return in four stages:

  • The (X) line represents the value over time, and the (Y) represents the investment size.
  • When the risk curve is low and the return curve is at safe investment, this frame is called “low return and low risk,” and the expectation from the IT project is “low value.”
  • As the risk curve rises to the mid-point, the return curve rises proportionally to reach the point of optimum investment; this frame is called “med return and med risk,” and the expectation from the IT project is “med value.”
  • When the risk reaches the high point, the return curve rises proportionally to reach the risky investment; this frame is called “high risk and high reward,” and the expectation from the project is “high value.”
  • Finally, the two curves converge; at this point, the risk factors are too great in some or parts and will destroy the value of the project.

Each accepted project will increase or decrease the overall risk of the organization by quantities that may appear insignificant in the larger context, but aggregate to determine the overall risk of the organization. Holistically, this drives the entire organization up or down the risk and reward curves.

IT Needs to Align with the Organization’s Risk Portfolio

Effective implementation of enterprise IT projects requires alignment of IT management decisions with the organization’s business strategy and risk governance. Overall, governance achieves three goals: effective use of IT by people, IT decisions properly processed among various IT departments, and tracking and reporting projects in a structure. IT governance governs what decisions must be made based on the organization’s appetite for risk; who should make the decisions, which provides checks and balances; and, finally, how decisions are made.

Turn Risk into Competitive Advantage

An IT risk incident has the potential to produce substantial business consequences that touch a wide range of stakeholders. Once an organization starts to invest wisely in IT, it will turn IT into a competitive-advantage weapon, but equally, it will grow its dependency on IT. As a result, IT becomes part of the organization’s fabric of business risk; therefore, when IT executives make decisions, they need to understand the organization’s risk portfolio and the organization’s appetite for risk. In short, IT risk matters—now more than ever.

Please note the opinions expressed here are those of the author and do not reflect those of his employer.



1 Harvard Business School, Turning Business Threat Into Competitive Advantage 2007.
