How can IT organizations more effectively assess and manage risk?
Balancing risk and business value is a constant in IT. In a fast-moving, technology-reliant organization there is risk in almost every aspect of IT service delivery, and within effective IT governance and portfolio management frameworks, risk is a critical element in evaluating almost every IT decision. Effective risk assessment can be a challenge: many organizations that have formalized the IT decision-making process and included risk as a key element still do a substandard job of assessing true risk. An inaccurate view of risk can significantly skew IT decision making when risk is weighed against business value.

A key starting point is the categorization of risk. The most common risk attributes, including security, business continuity, compliance and customer impact, are obvious, but organizations must also consider the risks that are unique to their industry, business and IT operation. Within each of these risk categories it is necessary to determine the supporting elements. For example, within business continuity the key considerations and drivers include financial impact, damage to reputation, loss of valuable assets, delay in decision making, and so on.

Once the framework for risk elements is established, organizations must determine how to gather the key inputs for proper assessment. Risk assessment committees are a common means of gathering this information. These committees can be quite effective if they include a broad enough cross-section of the organization and enough management levels, but the structure cannot scale to cover a large variety of IT activity. Each initiative in IT may require a different set of risk evaluators, making committee-level risk assessment difficult if not impossible.

Risk can also be assessed by examining metrics from IT process management systems. For example, a quality index from the software quality assurance process is an excellent contributor to the risk profile of a development project. Similarly, the amount of unit testing that has been conducted on a development project can also be an indicator of risk. Metrics of this type can be drawn automatically from development and QA environments.

Risk assessment procedures can scale and be effective if a standard process for gathering input from project teams, management, and IT lifecycle management systems is implemented and automated. Workflows that gather critical risk assessment information, or surveys that ask key project team members for their risk opinion on a regular basis, can provide more accurate risk profiles more frequently. Combining "opinion" metrics with data from within specific IT lifecycles, such as software development, enables a more accurate picture of risk. Once a common means of assessing risk is established, these metrics can be applied with confidence within IT portfolio management decision-making frameworks where business value is weighed against risk.