IT Risk: Let’s Get Serious About it Now, Says IBM

Information technology is a good thing, and it benefits any and all organizations. That IT helps organizations work better and be more aggressive is a truism. As you know, people don’t begin to use PCs so they can mismanage their time and slack off at their tasks. However, according to a risk management study just conducted by IBM, organizations need to dedicate more time to learning the potential downsides and risks that result from using IT, and to put more IT risk management behavior into practice.

To better understand how companies are handling risk, IBM Global Business Services spoke with more than 500 IT managers and CIOs from companies all over the world, and reported the results in a 16-page “2010 IBM Global IT Risk Study.” It’s available for download here:

The biggest discovery in the survey is that organizations aren’t really considering IT risks as seriously as they ought to. For example, only 50 percent of those surveyed have an actual risk management department, and 12 percent say they have taken an “expert” approach to IT risk mitigation. This means that for the other 88 percent, there is still more work to be done.

When asked about disaster preparedness, the outlook was somewhat better: 54 percent said they had a “well-crafted” business continuity (BC) strategy. That’s a good figure, and it demonstrates that companies are considering the risk of application outages earnestly.

However, disasters and IT system outages are only one kind of risk that can affect IT. Overwhelmingly, the highest reported IT risk in the survey was information security. Almost 80 percent of IT managers and CIOs said that IT security (being exposed to hackers and having someone use the company’s systems without authorization) is the top IT-related risk to their organizations. The remaining concerns, in this order, are: system and hardware malfunction; power outages and physical security; theft; quality of product; compliance; natural disasters; e-discovery requests; supply chain failures; and terrorism.

There is also risk when organizations begin using new applications or technologies. The most potentially harmful applications and technology types include social networking tools (websites, blogs and IM); mobile computing (e.g., smartphones); and cloud computing. CIOs and IT managers said they have concerns about confidential data being leaked through these types of new technologies and applications. On the other hand, survey participants said the adoption of service-oriented architecture (SOA) and virtualization does not carry as much risk by comparison.

This is not to say that an organization should avoid adopting smartphones, cloud computing or social networking tools. In fact, when implemented properly, these applications can help a company increase revenue or profits by connecting with customers in the best way possible, giving salespeople important information, and becoming better consumers of emerging applications. However, companies should not adopt these applications blindly, without considering the potential risks associated with them and ensuring steps are taken to mitigate those risks.

So what can be done to avoid as much risk as possible? IBM says that what was found in the study is a confirmation “that companies need to work harder at educating, communicating and supporting risk management and compliance initiatives across the enterprise,” and establish an approach to IT risk that is “unified, holistic.”

To read the IT Jungle article, click here: