IT Risk Management Framework

Risk management is important for IT. Too many development projects fail to meet expectations and virtually all online systems face a growing array of threats. IT professionals need to pay attention to risk. CIPS (Canadian Information Processing Society) has formally recognized the importance of conducting risk assessment at the beginning of assignments and continuing with risk management during assignments.

Most of us have a basic appreciation for what is involved in risk management. Any activity we undertake faces a number of threats, all of which can lead to unplanned outcomes. There’s risk in everything that we do. Unmanaged risk can creep up and present you with outcomes that are distinctly unwelcome. Managing risk should reduce the negative impact of unplanned events, and may increase their positive impact.

That’s a reasonable high-level description, but it’s not always easy to see how it should be translated into practice. There are a large number of risk management best practice guides, and several specialized IT risk management best practice guides. Canada has its own Risk Management Guideline for Decision-Makers (CAN/CSA-Q850-7). It’s a reasonable practice guide, developed by a committee many of whose members came from the world of finance.

There are specialized IT risk management best practice guides and standards. The Institute of Electrical and Electronics Engineers has a Software Life Cycle Risk Management Standard (1549-2001), and the Software Engineering Institute of Carnegie-Mellon University has published best practice risk management guides for IT development, acquisition, and operations. The challenge is figuring out which guide to follow and how it fits with everything else that needs to be done.

CobiT provides a tested framework that covers all of the processes in IT. It is an IT governance best practice guideline, now in version 4.0, that was developed by the IT Governance Institute (of the Information Systems Audit and Control Association). In the beginning (version 1.0), it focused on how to control IT. Now it provides a field-proven governance model for each of the 34 processes that make up IT.

The starting point for CobiT is the recognition that there are five key IT governance focus areas: Strategic Alignment; Value Delivery; Resource Management; Performance Management; and Risk Management. “These IT governance focus areas describe the topics that executive management needs to address to govern IT. … CobiT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model.”

This model begins with 4 domains, which are then broken down into 34 processes. There is a Plan and Organize domain; an Acquire and Implement domain; a Deliver and Support domain; and a Monitor and Evaluate domain. In a companion to the guideline, a mapping is provided which relates CobiT to several other widely used IT guidelines, e.g. ITIL, ISO 17799, PMBOK, CMMI, and TOGAF. The Deliver and Support domain maps well into ITIL.

Risk is one of the five focus areas. It’s also one of the 34 processes, specifically PO9 - Assess and Manage IT Risks found within the Plan and Organize domain. CobiT is structured to provide useful supporting information for each of its 34 processes. One of the more useful features is their “RACI” chart that lists who is Responsible, Accountable, Consulted, and Informed for each of the 10 activities required by the Assess and Manage IT Risks process.

The ten risk activities are:

  1. Determine risk management alignment
  2. Understand relevant strategic business outcomes
  3. Understand relevant business process objectives
  4. Identify internal IT objectives and establish risk context
  5. Identify events associated with objectives (business and IT oriented)
  6. Assess risk associated with events
  7. Evaluate risk responses
  8. Prioritize and plan control activities
  9. Approve and ensure funding for risk action plans
  10. Maintain and monitor a risk action plan

For each activity, there is a RACI line describing the role of the CEO, CFO, Business Executive, CIO, Business Senior Management, Head Operations, Chief Architect, Head Development, Head IT Administration, PMO, and Compliance/Audit. CobiT provides a solid first-level answer to the question of who should have what IT risk management responsibilities. CobiT also provides a useful maturity model for each of its 34 IT processes.

My informal translation of CobiT identifies five risk management maturity levels:

  1. Initial - Risk management gets done, but it takes a “hero” to make it happen.
  2. Repeatable - Risk management is done, but mostly for the “important” stuff.
  3. Defined - There are enforced and employed risk management standards.
  4. Measured - There are risk management measures covering everything important.
  5. Optimized - Risk management is automatically being refined and improved.

My sense is that many Canadian organizations have moved to the Initial level, but not all that far beyond level one. “Risk” is no longer a four letter word. Risk management is recognized as a good thing, but the level of commitment isn’t high. Heroes are required. IT professionals should step up to the challenge. Help your organization move up the IT risk management maturity scale. It’s the professional thing to do. It’s also good for your career and for your organization’s future.