IT Risk defined - or not?


Could IT failures be limited or avoided? In plain English, risk is defined as the possibility of loss or injury (Merriam-Webster’s Online Dictionary). Therefore, managing uncertainty by predicting, preventing and responding to unwanted and detrimental situations, namely failures, should be the essence of IT risk management. However, there is no single formal definition of IT risk that is accepted across the IT industry.

At the time of writing this article, a Google search for IT failure returns 1,080,000,000 results. Within those results, the range of failure spans:

The number of Google results for IT failure (1,080,000,000) and IT risk (2,180,000,000) clearly indicates that the problems of IT failure and risk are not only more prevalent than one may have thought, but also more widely talked about. Even a superficial look at the list of IT failures begs the question: “Are today’s IT management and particularly IT risk management adequate for state-of-the-art information technology?”

I would argue that many of today’s management practices routinely marketed across the IT sector do not recognize risk as an essential factor of information systems development. It is deeply disturbing that the examples given above and many, many other spectacular IT failures are not enough to make us address the reality of IT endeavours that are fraught with risk. For example, let us take a closer look at the specific definitions of IT risk offered by the risk management frameworks used across the IT industry.

1. ‘Risk is the effect of uncertainty on objectives.’ – ISO 31000 [ISO] is a generic framework for risk management applicable to all enterprises, not only IT-intensive enterprises.

2. ‘Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.’ Thus, risk is ‘the possibility that an event will occur and adversely affect the achievement of objectives.’ – This rather descriptive definition is from the COSO Enterprise Risk Management Integrated Framework [COSO].

3. ‘The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.’ – The Basel II regulations are intended for financial institutions and contain this definition of operational risk [Dowd]; in that context, many IT risks are considered operational risks.

4. ‘An uncertain event or condition that, if it occurs, has a positive or negative impact on project objectives.’ – This is the PMBOK definition of project risk [PMI], which is ‘always in the future.’

And here are two definitions taken from IT frameworks:

5. ‘A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred.’ – ITIL v3 [ITIL] is a framework of IT Service Management (ITSM) practices.

6. ‘Business Risk – a probable situation with uncertain frequency and magnitude of loss (gain),’ and IT risk is ‘business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.’ These definitions are from the ISACA Risk IT Framework [ISACA], which was created ‘to fill the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks’ and to be ‘an educational resource for chief information officers (CIOs), senior management and IT management.’

Obviously, IT risk is still open to interpretation. According to the definitions given above, risk can be either ‘in the future’ or an ‘effect’, implying that it has already happened. Risk can also be an ‘event’, a ‘probability’, a ‘situation’, or something else altogether.

Why is defining risk so important? Because it is difficult to associate metrics, measure risk, and create methods for risk management based on such slippery definitions of risk. Adoption of Cloud Computing puts yet another twist on IT risk management. What is my risk exposure if I go with cloud service provider A or cloud service provider B? None of the above mentioned frameworks provides a foundation for benchmarking in relation to Cloud Computing. Clearly, the usefulness of these risk management frameworks should be challenged, and in future articles I will address the nature of IT risk and the usefulness of methods and frameworks for IT risk management.
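To make the benchmarking problem concrete, here is an added worked example (not part of the original article, and not code from any of the frameworks cited). It scores one constructed risk register for two hypothetical cloud providers, A and B, under two of the definitions quoted above: the ITIL reading (threat probability, asset vulnerability, impact) and the ISACA Risk IT reading (frequency and magnitude of loss). Both the numbers in the register and the choice to combine the factors multiplicatively are assumptions made for illustration; neither framework prescribes the arithmetic. The point it demonstrates is the article's own: the same register ranks the providers differently depending on which definition of risk is adopted.

```python
"""Risk exposure under two definitions of risk (added illustration).

All register entries below are constructed; the providers are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Scenario:
    """One row of a risk register for a given provider."""
    name: str
    threat_probability: float   # ITIL factor: probability the threat occurs (0..1)
    vulnerability: float        # ITIL factor: exposure of the asset to that threat (0..1)
    impact: float               # ITIL factor: loss if the threat materialises (currency units)
    frequency_per_year: float   # ISACA factor: expected loss events per year
    magnitude_per_event: float  # ISACA factor: loss per event (currency units)


def itil_risk(s: Scenario) -> float:
    """ITIL v3 reading: probability of the threat, vulnerability of the asset and
    impact, combined multiplicatively here (an assumption; ITIL only names the factors)."""
    return s.threat_probability * s.vulnerability * s.impact


def isaca_expected_loss(s: Scenario) -> float:
    """ISACA Risk IT reading: frequency and magnitude of loss, combined here as an
    expected annual loss (again an assumption about how the two are combined)."""
    return s.frequency_per_year * s.magnitude_per_event


def exposure(register: List[Scenario], scorer: Callable[[Scenario], float]) -> float:
    """Total exposure of one provider's register under the chosen scoring rule."""
    return sum(scorer(s) for s in register)


def rank_providers(registers: Dict[str, List[Scenario]],
                   scorer: Callable[[Scenario], float]) -> List[str]:
    """Provider names ordered from lowest to highest total exposure."""
    return sorted(registers, key=lambda name: exposure(registers[name], scorer))


# Constructed register: same three scenarios assessed for two hypothetical providers.
REGISTERS: Dict[str, List[Scenario]] = {
    "Provider A": [
        Scenario("Regional outage",              0.20, 0.5, 200_000, 1.00,  20_000),
        Scenario("Data breach via misconfig",    0.10, 0.4, 500_000, 0.05, 400_000),
        Scenario("Vendor lock-in / price rise",  0.50, 0.8,  50_000, 0.50,  30_000),
    ],
    "Provider B": [
        Scenario("Regional outage",              0.30, 0.6, 200_000, 4.00,  15_000),
        Scenario("Data breach via misconfig",    0.05, 0.2, 500_000, 0.02, 400_000),
        Scenario("Vendor lock-in / price rise",  0.40, 0.5,  50_000, 0.30,  30_000),
    ],
}


def compare() -> Dict[str, List[str]]:
    """Ranking of the providers under each definition, lowest exposure first."""
    return {
        "itil": rank_providers(REGISTERS, itil_risk),
        "isaca": rank_providers(REGISTERS, isaca_expected_loss),
    }


if __name__ == "__main__":
    for label, scorer in (("ITIL (p x v x impact)", itil_risk),
                          ("ISACA (frequency x magnitude)", isaca_expected_loss)):
        print(label)
        for provider, register in REGISTERS.items():
            print(f"  {provider}: {exposure(register, scorer):,.0f}")
    print("Preferred provider per definition:", {k: v[0] for k, v in compare().items()})
```

With these figures the ITIL-style score favours Provider B (51,000 against 60,000) while the ISACA-style expected annual loss favours Provider A (55,000 against 77,000), so the answer to "A or B?" is decided by the definition chosen before any measurement takes place.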

In the meantime, I would love to hear from you. What is your definition of IT risk? What is the nature of IT risk and what are its unique properties?


References:

[Asay]     Asay, Mat. “The UK has wasted over $4 billion on failed IT projects since 2000”, CNET, January 4, 2008, accessed March, 2012.

[COSO]   The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise Risk Management – Integrated Framework, September 2004, accessed March 4, 2012

[Dowd]   Dowd, Victor. “Measurement of operational risk: the Basel Approach” in Operational Risk edited by Carol Alexander, Prentice Hall, 2003

[ISO]   International Organization for Standardization (ISO), ISO 31000:2009 – Risk management, Principles and Guidelines, accessed March 4, 2012

[ITIL]   IT Information Library (ITIL), ITIL Glossary and Abbreviations, 2011, accessed March 4, 2012

[ISACA]   Information Systems Audit and Control Association (ISACA), The Risk IT Framework, 2009, accessed March 4, 2012

[King]   King, Leo. “London Ambulance misses 999 calls after IT failure”, Computer World UK, accessed March 4, 2012

[Garside]   Garside, Juliette. “BlackBerry creators pay price for failing to keep up with Apple”, The Guardian, accessed March 4, 2012

[PMI]   Project Management Institute (PMI), A Guide to the Project Management Body of Knowledge (PMBOK Guide) – Fourth Edition, accessed March 4, 2012


Rubina Polovina, PhD is a principal IT consultant who has been providing leadership on national and international multi-party initiatives in the public and private sectors. During more than 20 years in the IT industry, she contributed to projects in Europe, North America and the Middle East. Currently, Rubina lives in Toronto, Ontario. She has been working on projects at major Canadian financial institutions and the Government of Ontario. Her research interests include enterprise architecture, knowledge management, IT management, IT project management, IT risk management, privacy protection, social networks and eHealth. Rubina’s scientific work has been both tested across various vertical industries and presented at peer-reviewed international conferences. Rubina graduated in electrical engineering in 1987 from the University of Sarajevo, Bosnia and Herzegovina, and she received her PhD in computer science and engineering in 2000 from the Czech Technical University in Prague, Czech Republic.