Getting Started On An IT FrameworkWith the huge push by organizations to implement governance and improve performance, IT pros are scrambling to learn how to implement the frameworks that exist. Whether you are looking at COBIT, ISO 17799, or ITIL, there is a lot of work to be done.
The question that invariably comes up with any of them is, "Where do I start?" Immediately after this question gets asked, there is a mad dash to web sites, consultants, books and magazines! However, what people must realize is that the answer does not reside in any one place and a great deal of the answer exists uniquely in the organization. That's because any of these frameworks should be implemented with the risks confronting the organization taken into account.
There is a very large body of documentation about risk as it is a field of study unto itself. For the purposes of this article, let's define total risk as a collection of all positive or negative effects that may impact the attainment of objectives. Now, if we look at that statement, we are identifying that risk is comprised of elements that may or may not occur and if they do, the outcomes could be positive or negative.
Positive risks often confuse people. Some choose to call positive risks "opportunities." These are risks that the organization should take. For example, if a new market opens up, there is a positive risk associated with exploring, or not exploring, that market.
Negative risks, what most traditionally term "risks," are uncertain events that will hinder the attainment of an objective. For example, if you were counting on a new law to be passed a certain way and instead, special interest groups sway the final law in a competitor's favor. That outcome then negatively impacts the attainment of your objective.
Please note that the word "objective" is repeated over and over. If you don't have firm objectives in mind, you cannot readily identify your risks! In other words, yes, there are risks -- there always are risks. The important question is "What risks exist in relation to our stated objectives?"
Every group, be they within IT, or anywhere in the organization, should have clearly defined objectives that support the organization's objectives. This alignment of objectives is key for the attainment of efficiency within the organization. For example, if the firm wants to expand into Asia such that the first years sales are $10 million, then what must IT do in order to support that goal?
Risk assessments are the same way. Without knowing where the organization is headed, there isn't an effective means to identify and prioritize risks. Yes, risks can be brainstormed and listed, but is the list comprehensive and, more important, accurately prioritized.
For example, IT alone may think that providing real-time reports to a certain customer isn't very important relative to other perceived issues. However, if the company views that customer as critical and that feature is vital to the customer's satisfaction, then IT's view must be corrected!
Risk Assessments Must Involve Stakeholders
One important point to note based on the just mentioned example: Risk assessments must not be done in a vacuum. In other words, IT alone should not perform a risk assessment. The risks must be identified by involving the relevant stakeholders as well. As the cliche goes, IT affects everyone. With such a broad statement, it is hard to imagine that IT understands all of the risks faced by the various stakeholders and the means to manage the risks to acceptable levels.
What's the Point?
The point of this article is that the order in which IT implements any of the various frameworks depends on the risks it faces in the attainment of objectives required to support the organization. Risks must be holistically identified, prioritized and then overlaid on the framework(s) being used such that an implementation roadmap is developed accordingly. For example, if system availability is exceedingly important and many of the current problems involve configuration management on key servers, then that is one of the key areas to initially focus on.
In short, there are no magic roadmaps that will tell every organization how to successfully implement operational improvements, governance, etc. The best means to implement the various frameworks is to assess the risks confronting each organization, their tolerance for the risks and then create an implementation plan that is appropriately prioritized to address those risks.