Every Organization needs to take a step back and assess the Risks that it is susceptible to and responsible for but as I have found out in working with many clients…this is not a Best Practice and I hate to say it but it is not even a common practice. Risk Management while incredibly important to the success of a business, is looked upon as fear mongering and progress stifling while if done correctly…is exactly the opposite.
ISO 31000 is a document from the International Standards Organization that not only defines Risk Management but in its document titled Risk management — Principles and guidelines it does a great job of defining what Risk Management is. It lays out what Risk is, who owns the Risk, the difference between internal and external Risk. For a “Standards Document” it is laid out and not a difficult read at all.
Wikipedia does a great job of condensing the long definition presented in the ISO Document to:
Risk management is the identification, assessment, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives, whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
One of the big challenges that most of the organizations I work with find the most challenging is that there is not a cookie cutter solution to managing Risk. This is actually stated on page 8 of the ISO document:
g) Risk management is tailored. Risk management is aligned with the organization’s external and internal context and risk profile.
So if Risk, Risk Management and Risk Tolerance are all unique to an organization…then why not at the very least create a Risk Profile? It is an exercise that any organization, regardless of size can do and should do to ensure that the dollars, pounds and EU’s being spent are being applied correctly and with maximum impact.
I have discussed a Risk Management Frameworks in the past but they were more focused on mitigating risk around specific Technologies (ie. Risk Management in a Cloud Computing World) but the reality is, applying a framework to general Risk Management is a perfect example of starting to align with Best Practices. ISO 31000.
The important concept to understand with Risk Management is once it is started…there is a continual improvement built into the framework…this is an investment that keeps on giving and taking from the organization. It would be nice if it was clean cut and simple and just throw an application or a monitoring suite at it and play the set it and forget it plan…that really doesn’t apply here, nor should it for any project or priority (IT or business related).
Looking to Risk Management is a matter of measure twice and cut once. Even within the ISO Standard there are several versions of the document that I linked to that range from the 24 page document, but in search I located some that are 42, 11 and 35 pages so I recommend going directly to the source…it is not free but at least it has not been tampered with or modified (www.iso.org).
There are many great resources out there to start to look at Risk Management. If you have not done so in the past, or as an IT Leader you know you need to do a better job at Managing and Mitigating Risk…look to the web as a starting point or as many of my clients have told me…start with the Web and then give Krispy a call…he will put some context behind the query and help support the process itself.
Chris J Powell