Customer Reviews

10 Reviews
5 star: (8)
4 star: (1)
3 star: (0)
2 star: (1)
1 star: (0)
9 of 9 people found the following review helpful:
5.0 out of 5 stars Give this book to your CEO and CIO, August 27, 2007
By Mark P. McDonald (Amazon Verified Purchase)
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
IT used to be thought of as separate from the business, a staff function that by itself could enable but not change the business, its value or its brand. Well, that view no longer holds water, and Westerman and Hunter show how IT risk is really business risk and needs to be treated as such. In their book, the two provide a clear and concise discussion about IT risk from the perspective of the leader/practitioner rather than the perspective of the auditor.

Since business and IT have become so closely intertwined and this book offers clear and actionable advice - not fear, uncertainty or doubt - I recommend this as a read for the CIO/IT executive as well as the CEO so they can understand what to expect both in terms of protection but also competitive advantage from the ability to manage IT risks.

I come to this position from the way Westerman and Hunter introduce the concept of risk management and the way they have organized the book. They introduce a framework of four "A's" that looks at risk from a business perspective, rather than an auditing or compliance perspective. The four A's that define IT risk are:

Availability -- keeping business processes and information flowing through the business

Access -- ensuring that the appropriate people, including customers and suppliers, can get the information and functionality they need to be effective

Accuracy -- concentrating on providing timely and complete information to meet operating and oversight needs

Agility -- the ability to change with managed cost and speed.

Westerman and Hunter address this subject in a clean and concise nine chapters that provide actionable advice on how to plan and manage risks. One thing of note is that the book talks about using your risk management capability as a competitive weapon -- what you can do that others cannot because you manage risk better. This gives the topic of risk management a strategic context that is unique to this work.

The book can be thought of as being in three parts.

Part One is about the framework and the overall approach to risk management. It includes the following chapters:

Chapter 1: The 4A Risk Management Framework
Chapter 2: The Three Core Disciplines of IT Risk Management

Part Two concentrates on the actionable management steps business and technology executives can use to manage risk.

Chapter 3: Fixing the Foundation: strengthening the base of the pyramid -- about the importance of infrastructure in risk management.

Chapter 4: Fixing the Foundation: simplifying the base of the pyramid -- about how complexity drives risk, cost and performance levels.

Chapter 5: Developing the Risk Governance Process -- covering how do you manage and make decisions regarding IT and Business risks.

Chapter 6: Building a risk-aware culture -- here the authors make an important connection between risk and culture and a critical distinction between being risk aware (strategically important) and being risk averse (strategic killer).

Chapter 7: Bringing the three disciplines up to speed -- concentrates on the program and patterns for effective implementation.

Part Three looks at the future and improvements to risk management

Chapter 8: Looking ahead -- talks about how to incorporate risk management as a positive force in planning and strategy setting

Chapter 9: Ten ways executives can improve IT risk Management.

Overall this is a must read for CIOs, IT risk management and IT professionals. It is also recommended reading for CEOs and others who want to understand how to manage IT and how to gain advantage from having good IT.


12 of 14 people found the following review helpful:
5.0 out of 5 stars IT risk is not just an IT problem, August 15, 2007
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
I was lucky enough to get a pre-release copy of IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. The book approaches IT risk not as a technical issue but as a business and management one with potentially serious consequences. As businesses increasingly are their information systems, this point of view is both necessary and valuable. The book introduces IT risk and its consequences, discusses the authors' 4A framework and outlines 3 core disciplines for IT risk management. It then drills into actual steps to take to fix the foundation, develop risk governance processes and establish a risk-aware culture. It wraps up with some forward-looking thoughts and a list of ways in which executives can improve IT risk management.

Their basic premise is that effective IT governance is essential in times of high change and increasing complexity (of systems as well as of business/problems). They discuss 4As - availability of systems, access to systems and data, accuracy of data and results, and agility in terms of ease of change - as being the framework for risk management. These 4As are supported by a foundation, a risk management process and a risk-aware culture. The framework and the disciplines mostly work well for the authors, only occasionally becoming confusing to the reader. From my perspective I found the focus on agility very interesting, as possible changes to systems should be considered along with general IT effectiveness when managing risk. Also, while the foundation is lower level than I usually consider, I think the objectives for the foundation can all be met more easily by an organization that has adopted enterprise decision management - the approach discussed in Smart Enough Systems: How to Deliver Competitive Advantage by Automating Hidden Decisions. It can make it easier to assess risk, easier to maintain systems, easier to change and fix them. It can also make it easier to apply risk assessments in operational systems by calling out the decisions that must be made, which is where risk assessment matters.

Fixing the foundation is described as a journey and I really liked the focus on incremental improvement. The foundation is a problem as most companies developed their IT infrastructure in stages. However, a poor foundation undermines agility by degrading the business/IT relationship and by making change to existing systems, to meet changing business needs, hard. While I think there are other ways to add agility into existing systems, I do agree with their assertion that you need to change and replace foundation to some extent. They make some fairly good suggestions for broad steps you can take and show the kinds of payoffs that come from the capabilities you enable with a better infrastructure. The authors make a critical point when they show how change in infrastructure is IT change while change in applications is business change but most IT departments don't see the difference - they see it all as "system" change making it harder to manage than necessary. Again, a focus on separate automation and management of decisions can help clarify this difference. There is a fair amount of useful discussion in the book about the need for both local and central management to which I would add one more category - where do decisions live in your organization? Should they be managed locally or centrally? The book outlines both incremental and "big bang" approaches to fixing the foundation and notes that incremental change is slower but surer. The discussion of how legacy application modernization might be business value based or risk based (human resources or technology risk for instance) or both (such as a need to change to support a new business strategy) was well done. I also really liked their idea of a renewal and reinvestment budget to keep legacy modernization ongoing and they had some great stories about human resources risk coming from retirements and the need to get knowledge out of people's heads and into systems.

The section on a risk governance process was thorough, although I think you need to be careful not to implement all of it blindly, and I liked the focus on broad risk awareness - not "risk-averse" or "risk-pro" just "risk-aware". To support this idea, IT needs to build systems in a risk-aware way - they need to drive their use of technologies and languages, consider the consequences of a failure to update documentation or code and so on. It occurred to me while reading these sections that organizations considering a policy manual for this stuff should also consider the value of rules and decision management as a basis for a "policy engine". They had a particularly nice example of a mid-sized company finding its legacy applications, and the lack of agility in them, to be a key risk and investing in replacing and upgrading systems to make maintenance and evolution easier and less risky. This kind of agility improvement is something enhanced by a parallel focus on decision management.

The book was a fairly quick read, had lots of useful suggestions and some good ways to think about the problem. If you think IT risk matters, you should read this.


5 of 5 people found the following review helpful:
4.0 out of 5 stars Finally, a practical book on IT risk assessment..., September 20, 2007
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
Finally... a book on Information Technology risk that didn't put me to sleep or infuriate me to no end... IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter. This book and approach makes sense, and weighs options in conjunction with the business rather than in an ivory tower.

Contents:
IT Risk and Consequences; The 4A Risk Management Framework; The Three Core Disciplines of IT Risk Management; Fixing the Foundation - Strengthening the Base of the Pyramid; Fixing the Foundation - Simplifying the Installed Base; Developing the Risk Governance Process; Building a Risk-Aware Culture; Bringing the Three Disciplines Up to Speed; Looking Ahead; Ten Ways Executives Can Improve IT Risk Management; Notes; Index; About the Authors

I'm a software developer, and I'm paid to design and build solutions for our organization. I love what I do, and I *do* realize that there are risks inherent in the choices I make in terms of design. Where I get frustrated is when numerous people review code or designs, and come up with an endless list of "risks" that are posed by your particular design. But at some point, choices need to be made as to what's an acceptable risk and what isn't. And that's where the process often fails. It's safer to discuss and do nothing than to assess risk and choose a path. The 4A framework proposed by the authors helps get to this point. The four A's are Availability, Access, Accuracy, and Agility. These areas make up the risk profile for an organization, and allow both the business and IT to talk about risk from the same angle... what benefits the business, what could harm the business, and what are the tradeoffs. These areas are framed against three core disciplines of risk management... the process, an awareness of risk, and the foundation of the IT base. Again, the explanations of these disciplines are clear and concise, and deal with practical reality rather than a theoretical elimination of any and all risk to an enterprise. Because as any IT person will tell you, there is no way to eliminate all risk.

I could see this book being useful for a company that hasn't really addressed a structured risk management process for their IT assets. Time spent here will save you plenty of time, money, and headaches down the road. And for those IT departments who seem to be paralyzed with fear, this could help you break the logjam and start dealing from an angle of practicality.


3 of 3 people found the following review helpful:
5.0 out of 5 stars How to handle the business risks associated with IT risks, October 4, 2007
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
Have you ever had your business disrupted because some aspect of your IT systems stopped working? The reality is that many of the critical processes of your business and many key capacities are based on computers and software. Any IT risk you face is also a business risk and you have to manage them accordingly.

This book provides a framework for making your IT risks visible. They call it the 4A framework (availability, access, accuracy, agility). During your discussions, the tradeoffs involved will become clear and can be actively declared and chosen. The other alternative is to make choices based on politics and expediency until something blows up and the blame game begins.

The authors then discuss the three disciplines: building a solid and smaller foundation of systems, rationalizing your processes, and building a risk-aware culture. As you do that, some of your assumptions in the 4As will likely have to be revisited and the new understanding can be iteratively added in.

I enjoyed this book and think the discussions would be good for any company to have. The examples of how real life businesses handled (or suffered for not handling) these issues are well chosen. I also appreciated the real world advice the authors give. For example, they warn you that your real world track record in handling big initiatives will matter in pulling off a project such as this.

Also, if this project doesn't matter to your CEO and is not strongly led by senior management, getting this done will be very difficult. And the discussion of the trade-offs of doing this kind of transformation quickly (a few years) versus a deliberate and conservative pace (a decade) are enlightening. The point of handling vulnerabilities first rather than fretting about threats of attack is spot on.

The book is quite helpful, easy to read (not full of jargon), and the topic is important to modern businesses.

Reviewed by Craig Matteson, Ann Arbor, MI


2 of 2 people found the following review helpful:
5.0 out of 5 stars First real research in IT risk, February 14, 2010
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
This is the first book to both take a research perspective and address IT risk management as a business process to be improved.
Many other publications look at IT risk in silos. Depending on the risk discipline involved, this has led to narrow views such as IT risk = network security or IT risk = IT project management. From a research perspective, other survey research looked at "how much did you spend on ____?" or "how concerned are you about _____ threat?" Few publications have taken the broader view of areas of risk and then tried to prioritize actions based on how they related to business needs and effectiveness. At a practical level, the approach of this book could help enterprises realize that organizational approaches such as "security and risk" or "risk and compliance" teams are both inappropriately focused and waste corporate resources. Instead, it is important to look at a range of IT-related risks to business operations.
The two main framework contributions are:
1) The 4As (availability, access, accuracy and agility). This is based on grouping types of risk into areas of business-IT benefit.
2) The 3 disciplines: the IT Foundation, Risk-Aware Culture and Risk Governance. This is based on grouping risk management activities into specific actions that are taken to better manage risk.

This book has demonstrated staying power in two ways:
1) It strongly influenced a later survey research project with 258 business and IT respondents from several countries. This led to three more research papers that take the book content to the next level.
2) It was referenced by ISACA in influencing the creation of their Risk IT Framework and best practice guide (see [...]).

For people newly placed into IT-wide risk management jobs or in a silo trying to take a broader perspective, this book is for you. Chief Information Officers and Chief Risk Officers seeking to give better guidance to their teams will also benefit from this book.


2 of 3 people found the following review helpful:
5.0 out of 5 stars An awesome read!, January 27, 2008
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
For my graduate degree, I've done a lot of research on governance, risk and compliance, and I found this book to be an awesome read for anyone looking to simplify their approach to enterprise risk management. The concept of the 4As makes sense, and the impact each has on the tiers above them is a very powerful understanding. If you're looking for mathematical equations to prioritize risk, this book is not for you. However, if you're looking for places to start assessing risk within your company, buy the book.

I also liked the three disciplines of risk management and felt it to be very compatible for most small, medium, and large organizations. Like most of the other comments about this book, I believe this book to be at the perfect depth for any C-level executive.

Of all the books out there that I've read on enterprise risk management, this book is by far the most capable of applying conceptual ideas into real life implementable practices to fit any business scenario.

I definitely give it 5 stars!


5.0 out of 5 stars Of special note are the numerous organizational examples of successful IT risk management., September 2, 2007
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
"IT Risk: Turning Business Threats Into Competitive Advantage" by George Westerman (Research Scientist in the Center for Information Systems Research at the MIT Sloan School of Management) and Richard Hunter (Group Vice President and Gartner Fellow in Gartner Executive Programs, a division of Gartner, Inc.) addresses the liabilities that information technology can have for a high-tech manufacturer's ability to conduct the business of buying and selling. It identifies the four categories of IT risk (Availability; Access; Accuracy; and Agility), areas of risk that can only be managed and minimized, not eliminated. "IT Risk" provides business managers with the tools and disciplines necessary for successful IT risk management. Of special note are the numerous organizational examples of successful IT risk management. "IT Risk" should be on the supplemental reading list of every MBA program, and high priority reading for corporate managers charged with the responsibility of conducting business in the age of the internet.


1 of 2 people found the following review helpful:
5.0 out of 5 stars How simple can it be? - It's been right in front of us - The Ah-Ha, February 27, 2010
By Ray Milliken (Richmond, Virginia) (Amazon Verified Purchase)
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
Dr. Westerman gave an EXCELLENT presentation during the 14th Annual Pink Elephant Service Management conference in Las Vegas during the week of February 22, 2010.

In summary, the approach utilizes RISK as a compelling conversation driver to pursue positive IT change within your organization. How simple, it's been right there in front of us... This should be an AH-HA moment for us all.


1 of 2 people found the following review helpful:
5.0 out of 5 stars Invaluable for IT Risk Management teams, April 11, 2008
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
When I was asked to design an IT Risk Management program beyond just data security for an IT department of a Fortune 100 company, I performed a significant amount of research of existing material. After engaging both internal and external research departments, then reading dozens of books and hundreds of articles and white papers, I decided to...on a Saturday after a surfeit of information overload and blurred vision...search in Amazon.com.

And I happened upon this book.

Since I was designing the framework and governance, I needed practical models. Westerman and Hunter provided many, of which I have applied several which work well in a large and complex company. As an example, applying the 4A's provided clear snapshot insight in one page for our executives.

My copy of this book is so dog-eared, tabbed and highlighted, but even as beat-up as it appears, it remains on top of my desk as a quick reference. I certainly hope Westerman and Hunter come out with a sequel.


7 of 14 people found the following review helpful:
2.0 out of 5 stars Says Nothing About Risk, January 28, 2008
This review is from: IT Risk: Turning Business Threats into Competitive Advantage (Hardcover)
Hunter and Westerman have managed to write an entire book about the risk of IT without actually quantifying any particular IT risks. The empirical data they present has nothing to do with actual risks like project failures, unrealized benefits, or changing technology. They simply present the results of surveys of CIOs. Imagine if your insurance company computed risks by surveying the perceptions of risks of their customers. Instead, insurance companies use real historical data plugged into some real mathematics. Doug Hubbard's book How to Measure Anything: Finding the Value of "Intangibles" in Business actually says more about the real quantified risk of IT than Hunter and Westerman, even though that's not the only focus of his book. I would highly recommend reading Hubbard before reading Hunter and Westerman, only because it will radically alter your expectations for what should count as valid risk analysis.

Hunter and Westerman do, however, list some useful *types* of risk even though they don't offer a valid measurement. The risk management approaches are probably useful, although they are also limited by the lack of quantification. After all, how do we manage risk without measuring it? When the authors do get to proposing a method to assess risk, they describe what boils down to a simple weighted score. Not surprisingly, this is NOT how actuaries and statisticians quantify risks. The method the authors propose is no better than astrology.
IT Risk: Turning Business Threats into Competitive Advantage by Richard Hunter (Hardcover - August 21, 2007)