Date posted: 30-Jan-2018
Page 1

© 2012 IBM Corporation
IBM Business Resilience Consulting Services

Achieving Business Goals by Managing IT Risk
Arjan Mooldijk, IBM Consulting

Page 2

IBM Global Technology Services – ITS – Business Resilience Consulting

The Reputational Risk study revealed three key observations concerning IT’s impact on reputational risk.

#1 IT risks have a major impact on a company’s reputation

#2 Companies have rising IT risk concerns related to emerging technology trends

#3 Companies are integrating IT risk and reputational risk management, with strongest focus on threats to data and systems

“IT and reputational risk management and mitigation are… key success factors of our business and must be given due emphasis.”

C-level executive, Malaysian agriculture and agribusiness company

Page 3

ISACA – Information Systems Audit & Control Association

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise

International best practice such as ISACA, COSO and ISO 31000 clearly links operational risk to the business objectives, BUT most companies still manage risks based on incurred costs/losses.

COSO – Enterprise Risk Management Framework

Enterprise risk management, which incorporates Information Risk Management, is defined by COSO as a process, … , to provide reasonable assurance regarding the achievement of entity objectives.

ISO 31000

Shifts from an event to the effect risk and risk management have on an organization’s objectives ... and put the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than a compliance-based function.

Page 4

To thoroughly identify the business risks associated with the use of IT, the analysis should be extended beyond the “rearview mirror” by performing “What if” predictive scenario planning across the IT Risk Spectrum™.

IT Risk Spectrum™

Availability & Recoverability
What if IT does not keep systems running and, if necessary, recover from interruptions in line with business expectations?

Security & Data Protection
What if IT does not provide the appropriate access controls while protecting the business’ information and resources?

Agility & Appropriateness
What if IT does not respond in a timely manner with the correct new or modified IT Service in support of changes in business requirements?

Scalability & Performance
What if IT does not maintain acceptable performance based on business needs and appropriately accommodate changes in business service volume?

Accuracy & Timeliness
What if IT does not provide accurate data, to the right people, at the right time to make informed business decisions?

Page 5

Adopting a top-down approach is critical to success. By linking quantified strategic business initiatives to execution and measurable KPIs, you can determine how IT risks affect your business performance.

Align Strategic Goals with Value of IT Services

Strategic Business Initiative (SBI): Increase competitive advantage by introducing new products and services faster than competitors ($100M revenue impact)

Associated Business KPIs:
1. Time to market for new product/service development projects
2. Cost of design and development of products/services
3. Etc.

[Diagram: for each Business Group, the rows BC / PG 1 and BC / PG 2 are mapped against the five IT Risk Spectrum dimensions (1 Recovery & Avail, 2 Agile & Timely, 3 Scalable & Performing, 4 Access, Security, & Info Protection, 5 Accurate & Appropriate), with a business KPI and an IT KPI in each cell.]

Establish measurable IT KRIs:
(S) IT/Bus strategy review = 6 mos
(P) Equipment purchase = 30 days
(AD) App dev <= 2 months
(S) Security product review cycle < 2 wks
(T) SAN ports <= 80%
(F) DC capacity <= 90%

Impose IT KPIs per SBI and business group, e.g. (AD) Average time in months to fulfill a business need with relevant IT solutions

1. Identify the Business’ Strategic Initiatives against which to manage and exploit IT capabilities
2. Map strategic initiatives to Business and IT services, with measurable indicators and estimated impact on the initiatives
3. Establish IT performance metrics against the IT Risk Spectrum and Resilience Framework
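The three steps above end with measurable IT KRIs (thresholds such as SAN ports <= 80% or DC capacity <= 90%) that the later slide calls leading, early-warning indicators. The following is an added example, not code from the IBM deck, showing the mechanics a risk engineer would put behind that chain: each KRI carries a threshold, an IT Risk Spectrum dimension and the SBIs it supports; a measurement snapshot is checked against the thresholds, and breaches are rolled up top-down to the initiatives they threaten. All KRI names, threshold values, SBI identifiers and measurements are constructed samples, loosely modelled on the deck's examples, and a missing measurement is treated as a breach because an unmeasured leading indicator gives no early warning at all.

```python
"""Added example (not from the IBM deck): evaluate IT Key Risk Indicators
(KRIs) against thresholds and roll breaches up to the Strategic Business
Initiative (SBI) they threaten, following the SBI -> business KPI -> IT KPI/KRI
chain. All names, thresholds and measurements below are constructed samples."""
from dataclasses import dataclass
import operator

# The five dimensions of the IT Risk Spectrum as named on the slides
SPECTRUM = ("Availability & Recoverability", "Security & Data Protection",
            "Agility & Appropriateness", "Scalability & Performance",
            "Accuracy & Timeliness")

_OPS = {"<=": operator.le, "<": operator.lt, ">=": operator.ge, ">": operator.gt}


@dataclass(frozen=True)
class KRI:
    name: str
    dimension: str        # one of SPECTRUM
    op: str               # comparison the measured value must satisfy
    limit: float
    unit: str
    sbis: tuple = ()      # constructed SBI identifiers this KRI supports

    def ok(self, value):
        """True when the measured value is within the threshold."""
        return _OPS[self.op](value, self.limit)


# Constructed KRI set, loosely modelled on the deck's examples
KRIS = (
    KRI("SAN port utilisation", SPECTRUM[3], "<=", 80, "%", ("SBI-1",)),
    KRI("Data centre capacity used", SPECTRUM[3], "<=", 90, "%", ("SBI-1", "SBI-2")),
    KRI("App dev lead time", SPECTRUM[2], "<=", 2, "months", ("SBI-1",)),
    KRI("Security product review cycle", SPECTRUM[1], "<", 2, "weeks", ("SBI-2",)),
    KRI("Equipment purchase lead time", SPECTRUM[2], "<=", 30, "days", ("SBI-1",)),
)


def evaluate(kris, measurements):
    """Return a list of (KRI, value) for every indicator whose measured value
    violates its threshold. A missing measurement is reported as a breach too:
    an unmeasured leading indicator gives no early warning at all."""
    breaches = []
    for k in kris:
        v = measurements.get(k.name)
        if v is None or not k.ok(v):
            breaches.append((k, v))
    return breaches


def rollup(breaches):
    """Group breached KRIs by the SBI they threaten, then by spectrum dimension,
    so the report reads top-down (business initiative first)."""
    out = {}
    for k, _v in breaches:
        for sbi in k.sbis:
            out.setdefault(sbi, {}).setdefault(k.dimension, []).append(k.name)
    return out


# Constructed measurement snapshot, as if pulled from monitoring at month end
SNAPSHOT = {
    "SAN port utilisation": 84,          # breach: above 80%
    "Data centre capacity used": 72,
    "App dev lead time": 1.5,
    "Security product review cycle": 3,  # breach: not under 2 weeks
    # "Equipment purchase lead time" deliberately absent -> reported as breach
}

if __name__ == "__main__":
    for sbi, dims in rollup(evaluate(KRIS, SNAPSHOT)).items():
        print(sbi)
        for dim, names in dims.items():
            print(f"  {dim}: {', '.join(names)}")
```

Running the block reports SBI-1 with breaches in Scalability & Performance (SAN port utilisation) and Agility & Appropriateness (the unmeasured equipment purchase lead time), and SBI-2 with a breach in Security & Data Protection; the healthy data centre capacity and app dev lead time indicators do not appear.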

Page 6

IBM has developed industry-specific Business Process and KPI maps aligned with APQC’s cross-industry Process Classification Framework (PCF)™, used by nearly 2000 organizations globally.

APQC’s Cross-Industry Process Classification Framework (PCF)™

Industry-Specific Business Process and KPI Maps

Page 7

The benefit of this forward-looking risk management approach is twofold: it allows enterprises to anticipate IT risks and keep IT risk management aligned with Strategic Business Initiatives.

• The “Top Down” approach ensures you remain aligned with Strategic Business Initiatives (SBIs) and improves efficiency, so you do more with fewer resources
• Root Cause Analysis allows you to define leading KRIs as early-warning indicators
• Scenario Planning allows you to mitigate risks by anticipation

Page 8

Thank you for your interest