IT risk management is a very different exercise from simply managing and mitigating the technology threats and vulnerabilities that affect infrastructure. What is often missing from discussions of risk is the business impact should a condition arise that affects (at a minimum) the confidentiality, integrity or availability of the business's most important assets.
Most enterprises, regardless of size, have no reliable way to prioritize their risk-reduction efforts and spending so that risk is brought to an acceptable level as the measured result of a transparent process. This is usually because they have no transparent process for IT risk management in the first place.
The first and most profound observation about the lack of a holistic risk management program is the simple absence of a repeatable, well-defined and business-driven risk assessment process, built on a framework that lets the business, IT, security and governance organizations participate transparently.
In many cases, putting a risk assessment process in place is seen as too daunting, onerous and resource-intensive. Other companies seem to think that daily firefighting and tail-chasing is the best that can be achieved in IT risk management. Meanwhile, industry risk management frameworks are often overwhelming, and staffers have a hard time understanding where to start.
The channel can help businesses embrace the notion of managing risk by selecting a streamlined, rational and operationally feasible risk assessment framework. Service providers can master such a framework, use it to educate customers, and offer it as a service in their portfolios. Two examples are OCTAVE and FAIR.
Once you consistently speak to your customers in terms of managing risk rather than just threats and vulnerabilities, you open the door to higher-level discussions about the opportunities that matter most to their organizations. The conversation shifts to prioritizing efforts based on the business's needs instead of the technology "hamster wheel of pain" that IT has come to represent.
This was first published in March 2008.