Slide 1 Managing Risk in IT
Richard D. Wollenberger Jay L. Seagren
Managing Risk in IT
#12NTCRISK
Slide 2 Managing Risk in IT
Each entry is a chance to win an NTEN engraved iPad!
or Online using <#NTC12RISK> at www.nten.org/ntc/eval
Evaluate This Session!
Slide 3 Managing Risk in IT
Managing IT Risk in a small-medium sized organization
Slide 4 Managing Risk in IT
Managing Risk in IT
• Introductions
• What is risk management?
• Budgets
• Integration with business needs
• Managing Staff
• Managing the computing environment
Slide 5 Managing Risk in IT
Who are we?
Richard Wollenberger
Director of Information Technology, Parents as Teachers national office
Jay Seagren
Senior Manager, Enterprise Systems, The Pew Charitable Trusts
Slide 6 Managing Risk in IT
Who’s here today
• Organization size?
• Accidental techie?
• # of IT staff?
Slide 7 Managing Risk in IT
IT Resources
Slide 8 Managing Risk in IT
What is Risk Management?
• Origins of risks
– From the ancient Italian word riscare
– The study of risk began during the Renaissance
– Daniel Bernoulli
– Harry Markowitz
Slide 9 Managing Risk in IT
What does this have to do with IT?
• Every decision you make is about managing some kind of risk
– Which AV system will protect your staff?
– Which backup system will be easy to use (restore from) during an emergency situation?
– MS vs. Google?
– Voice/data connections
– Firewall
Slide 10 Managing Risk in IT
Budgets
• Every penny you spend in IT is NOT spent on your mission
– Track every expense related to:
• Computer hw/sw
• Internet connectivity
• Telephone & fax
• Printing & copying
• Training
– end user
– Tech staff (yes, you need ongoing training)
Slide 11 Managing Risk in IT
Budget Resources
• www.itlever.com
– (search for budget or budgeting)
• IT Management
– (http://itmanagerinstitute.com/free-ebook)
• Tech Republic
– (link in slide show)
Slide 12 Managing Risk in IT
Integration with the business
• You have to sit at the table
• Strategic planning
• You are there to support them
• You are there to improve processes and make it easier
• You are there to look for cost efficiencies
– Hard and soft dollar
• Business continuity (disaster planning)
Slide 13 Managing Risk in IT
Sit at the table
• Be a partner with the business
• Have a Service Level Agreement (SLA) so your “customers” know what to expect
Slide 14 Managing Risk in IT
Strategic planning
• Why is this important?
– Strategic planning drives the business, and you need to be helping steer.
Slide 15 Managing Risk in IT
Who they gonna call?
Slide 16 Managing Risk in IT
What do you need to do?
• Improve business processes
• Find hard and soft dollar cost efficiencies
Slide 17 Managing Risk in IT
Staffing
• Are you an “Accidental Techie?”
• Do you manage other IT staff?
Slide 18 Managing Risk in IT
Slide 19 Managing Risk in IT
Outsourcing vs. Insourcing
Services
• Office and Collaboration
• Help desk
• Constituent Management
• Security
• Server and Network
Slide 20 Managing Risk in IT
Office and Collaboration
• Google Apps (Low Risk)
– Free for non-profits <3000 users
– Now online and offline (Chrome)
– Bonus: Postini spam filter
Slide 21 Managing Risk in IT
Office and Collaboration
• Office 365 (Medium Risk)
– Requires desktop client
– Per seat costs ($6-$27/user/month)
– Bonus: SharePoint
Slide 22 Managing Risk in IT
Help Desk
• (low risk – it’s free)
• (med risk - about $20/seat/month)
• (med risk – new version not available yet – check for pricing with Techsoup.org)
Slide 23 Managing Risk in IT
Constituent Management
• (low risk)
– $200 - $475/month
• (medium risk)
– 10 licenses free, >10 80% discount
– Nonprofit Starter pack (free)
Slide 24 Managing Risk in IT
Security
• Virus protection
– Symantec ($25/yr)
– McAfee ($30/yr)
– Microsoft System Essentials
• Free for <10 PCs
– Microsoft Forefront Endpoint ($20/seat)
Slide 25 Managing Risk in IT
Disaster Planning
• This is not good:
Slide 26 Managing Risk in IT
Disaster Planning and Recovery
• Disaster Planning
– Scope of plan
• Room, building, city, region
• Disaster Recovery
– Online backup and recovery
– Pricing terms
– Amazon Web Services
• (http://media.amazonwebservices.com/AWS_Pricing_Overview.pdf)
Slide 27 Managing Risk in IT
Server and Network
• Specs
– What you want vs. what you need
• Tools
– Is the cloud right for your organization?
• Processes
• Procedures
• Change management
• Regulation and law compliance
Slide 28 Managing Risk in IT
Server and Network – cont.
• Duplicate and mirrored services
• 2 separate data centers
• Different geographic and power grid zones
• Carbon copying between the two
• 3rd Party DNS can route to different data centers upon failure
Slide 29 Managing Risk in IT
3rd Party Providers
Slide 30 Managing Risk in IT
3rd Party Providers
• Financial pressure and offsite delivery model drive the need
• Risk Management starts with Sourcing, continues with Contracting and finally Vendor Management
• Extend your in-house staff seamlessly if managed well
Slide 31 Managing Risk in IT
3rd Party Providers – cont.
• Growing number of delivery models, specialized services and budget pressure are driving more reliance on 3rd party service providers
• 25% of IT budgets are now going to 3rd party providers
• Over 50% of IT managers surveyed will increase their budget on SAAS providers.
Slide 32 Managing Risk in IT
3rd Party Providers – cont.
• Areas of Risk and Mitigation:
– Data Security
– Stability of provider and their service
– Your brand and reputation
– Legal and Professional liability
Slide 33 Managing Risk in IT
3rd Party Providers – cont.
• Data Security
– Privacy policies in contract
– Vendor audit
– Internal training on Data Security awareness
– Sensitive information (e.g. High Wealth Donors) may warrant DLP
Slide 34 Managing Risk in IT
3rd Party Providers – cont.
• Stability of provider
– Basic Balance sheet and Cash Flow analysis
– Bankruptcy, M and A
• Stability of service
– Service Levels objectives in contract
– Incentives and discounts/refunds
– Vendor Scorecards
Slide 35 Managing Risk in IT
3rd Party Providers – cont.
Slide 36 Managing Risk in IT
3rd Party Providers – cont.
• Brand reputation
– Brand usage built in to contracts
– On site risk assessment
– Deliverable reviews
Slide 37 Managing Risk in IT
3rd Party Providers – cont.
• Legal and Professional liability
– Business Continuity plan review
– Standardized best practices
– Standard Legal Terms and Conditions
Slide 38 Managing Risk in IT
Managing Risk in IT
Conclusion
• Be a partner with the business
• Make risk management strategic
• Evaluate outsourced and cloud offerings
• Follow Best Practices
• Use Best of Breed
• Utilize 3rd party providers wisely