This article is based on more than five years of field research, including surveys, interviews, and more than a dozen case studies. (For details, see the Appendix.) It also builds on previously published concepts by the author.4 The purpose of this article is to show how discussions about risk can be a focusing mechanism for making better decisions about how to invest in, manage, and use IT. Our research found a strong link between mature IT risk-management capabilities and IT/business alignment. Firms with mature risk-management capabilities also reported significantly fewer negative incidents, higher efficiency, and higher agility.5 But achieving this kind of improvement requires thinking differently about IT risks and how they link to business objectives.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 109
Westerman / IT Risk as a Language for Alignment

Figure 1: The two perspectives on managing IT
• Strategic-Change Perspective: accomplishing changes the business wants to accomplish
• Operational-Resilience Perspective: avoiding incidents the business wants to avoid

THE STRATEGIC CHANGE VS. OPERATIONAL RESILIENCE TENSION

Managing IT requires a balance of two different—and sometimes conflicting—perspectives that emphasize different sets of priorities, success criteria, and timeframes (see Figure 1).

The strategic-change perspective focuses on using new or existing information technology to achieve new strategic business objectives. This perspective examines what changes are necessary—such as adding features to a website or strengthening integration with business partners—and what information is needed to enable them. It may also include launching new products and services or transforming old processes to produce a new benefit. The emphasis is on functionality and information: on how IT and related business processes must change to enable new business gains. The focus is on getting the job done now, for the current purpose. From the strategic-change perspective, standards reviews or strict development methodologies can be seen as bureaucratic inertia if they interfere with the process of achieving new strategic benefit.

The operational-resilience perspective focuses on ensuring that current technologies and business processes are reliable, secure, and maintainable. The aim is not to build functionality quickly but rather to ensure it is very well built and robust. This perspective examines questions such as what technology and IT management processes will ensure that the technologies are safe and secure, or when the firm should upgrade old technology or improve skills to stay ahead of threats. For new initiatives, the operational-resilience perspective focuses on how the new solution will integrate with existing technologies and business processes or whether the solution is scalable and maintainable. With this perspective, slowing down an initiative to ensure that it is being done safely is seen as acceptable since quick action without necessary controls can lead to later difficulties.

There is often tension between these two perspectives. The strategic-change perspective is about making a specific change, at this time, to deliver specific returns in specific new ways. The operational-resilience perspective is about spending resources and effort to keep doing what the company is already doing. It is also about how a decision in one part of the company, or in a project, can affect the resilience of many parts of the company. Many organizations make decisions predominantly from one or the other of these perspectives without managers fully recognizing the implications of their decisions, or even that a bias exists in their decision making.

While it’s tempting to attribute the strategic-change perspective to business executives and the operational-resilience perspective to IT executives, our research shows that both groups operate from both perspectives. But they have different priorities. Consider, for example, the requirement for projects to undergo security and architecture-compliance reviews, to be built on standardized components, to follow standard methodologies, or to conduct extra testing for critical functionality. Resilience-focused executives may see such rules as necessary to ensure resilience, even if they slow a project or reduce the amount of customized functionality. But executives focused on strategic change may see the rules and procedures as bureaucratic hurdles that get in the way of change.

Tension between the two perspectives can therefore lead to distrust. In the extreme, resilience-focused managers can see their strategic-change focused counterparts as impatient and domineering—wanting to force through projects without considering the longer-term consequences for their units or the enterprise—while managers focused on strategic change may see resilience-focused ones as overly rigid naysayers. By discussing the two different perspectives in a common language everyone can understand, IT and business executives can adjust their requirements to resolve conflicts. As shared understanding develops, they may identify new approaches that better balance both perspectives from the start.

The VSI story shown in the box provides an example of how focusing on risk helped a senior management team to resolve conflicting perspectives when making a new IT investment decision. The story highlights that the difficulty of balancing the strategic-change and operational-resilience perspectives stems from more than just differing roles, incentives, and information. The differences between the two perspectives also stem from different beliefs about the drivers of IT value. Resolving the dilemma is not about choosing which perspective is correct. Rather, it is about making choices or identifying new options that best match the firm’s preferred weighting of operational-resilience and strategic-change priorities.

Even after deciding that the strategic-change perspective should outweigh the resilience one, VSI executives chose to spend additional money to reduce resilience risks. Unfortunately, many managers find it relatively easy to shortchange the resilience perspective in the face of higher-priority strategic-change requirements. To them, focusing on resilience is like spending money on an insurance policy or on preventive maintenance—something people may cut back if money is short.

This is why the language of risk can help to bridge the two perspectives.

5 Westerman, G. and Barnier, B., ibid., 2008.
Using Risk Management to Resolve Conflicts Between the Strategic-Change and Operational-Resilience Perspectives

VSI (a pseudonym) is a virtual firm offering high-quality medical transcription services to hospitals through a network of thousands of part-time home-based transcribers. After six years’ growth, the firm was straining the limits of its systems. The CIO proposed two replacement options, one based on highly secure and reliable private lines, remote access servers, and proprietary technologies, the other on Internet-based technologies that could not be “hardened” as effectively against outages or security incidents. The CIO favored the hardened option; the CFO and CEO favored the Internet one. As debates ensued, the CIO began to silently question the senior team’s commitment to patient privacy, while the CFO and CEO began to question the CIO’s commitment to the success of the firm.

After several rounds of unsatisfying back-and-forth discussions, the management team realized that the disagreement was really about different appetites for risk. The CIO believed the company should have zero tolerance for resilience issues such as process outages and privacy violations. The CFO’s and CEO’s preferences were weighted much more heavily toward leveraging strategic opportunities, such as adding offshore transcribers or making it easier to link new clients into the company’s systems.

Once members of the senior team saw that the technical decision was really a business decision about which risks mattered most, they reached consensus quickly. Maintaining VSI’s capacity to grow was their top business priority, with resilience close behind. They agreed that the Internet approach addressed current and foreseeable strategic-change risks better than the proprietary approach. Resiliency protections did not need to be perfect but did need to match or exceed those of the firm’s clients. The management team funded an Internet solution but also allocated significant resources to improve resiliency beyond that provided by a generic Internet solution.
Our interviews with IT and business executives identified 110 unique risks, ranging from viruses and hackers to regulatory compliance to skills shortages or vendor issues, as well as many different ways of reducing those risks. This sheer volume of risk issues and potential management techniques can prevent IT and business decision makers from coming to a common understanding. However, our analysis revealed that the complexity of discussing IT risk can be significantly reduced by focusing on enterprise risks associated with four business objectives—

6 Note that these risk areas focus on operational risks to the enterprise, not on risks to the achievement of a project. While better operational risk management can eventually reduce some project risk, and while well-defined and managed projects can start to reduce operational risks, the concepts of operational and project risk are distinct.
7 See, for example, DeHoratius, N. and Raman, A. “Inventory Record Inaccuracy: An Empirical Analysis,” Management Science (54:4), 2008, pp. 627-641.
8 Westerman, G., Cotteleer, M., Austin, R., and Nolan, R. “Tektronix, Inc: Global ERP Implementation,” Harvard Business School case 9-699-043, 1999.

Figure 2: The Four A’s of enterprise IT risk (listed from the top of the figure to the bottom)
• Agility: adapting with appropriate speed and cost
• Accuracy: ensuring information is timely, complete and correct
• Access: providing information to the right people (and not the wrong ones). Example access-risk factors called out in the figure: network not reliable to all locations; lack of internal controls in applications
• Availability: keeping business processes running and recovering quickly from interruptions

The Four A’s framework provides a robust set of dimensions through which IT and business executives can develop shared understanding of the strategic-change and operational-resilience perspectives. Discussing availability and access risks can help strategic-change focused managers identify when to adjust their requirements in favor of greater resilience. Discussing accuracy and agility risks can help resilience-focused managers understand when to modify their requirements to facilitate strategic change. Moreover, discussing all four risks may lead to alternatives that better balance the two perspectives, such as the solution VSI’s executives identified.9

The Four A’s framework enables informed discussion about risk without requiring a deep knowledge of technology or IT management procedures. In contrast, the traditional IT risk categories used by many firms—such as security, business continuity, regulatory compliance, HR, and vendor risks—have considerable overlap and can require context-specific knowledge that not all people share.

Discussion of the Four A’s puts business executives on familiar ground because it takes a business view of IT risk. They know how to compare an hour of downtime on the factory floor with an hour of downtime in HR, or the value of easier data access against potential losses from leaks. They understand how fragmented or inaccurate data increases the difficulty of decision making, destroys supply-chain efficiencies, and raises regulatory threats. And they know better than anyone the costs of a delay in a major strategic-change initiative.

IT executives are often skilled at identifying and managing sources of risk but may need to rely on business executives to determine whether to accept certain risks in order to secure a new market, enable rapid growth, or diversify an offering. Alternatively, if the business case for an architecture, portfolio management, or security initiative does not have a strong ROI, IT executives can use the Four A’s framework as a common language to demonstrate how the initiative can reduce one or more of the four risks. Other examples of where discussions about risk helped IT/business alignment include:

• When examining availability risk, a financial services company identified that a critical application was supported by a two-person consulting firm. It was highly likely those two people would be unavailable if the application failed, leaving the business unit without a core transaction process.

• As mentioned earlier, the senior executive team at Celanese opted for higher availability risk from its vendor (increasing the potential impact of an outage from 15 minutes of downtime to 12 hours) in return for lower costs.

• Tektronix’s senior team chose to implement a $55 million ERP system to address potentially debilitating agility risks. After its IT transformation, Tektronix gained the ability to buy and sell businesses as needed, together with significant improvements in accuracy and business efficiency.10

On the other hand, senior management at ComAir repeatedly chose not to invest in upgrading an aging crew-scheduling system. Unfortunately it also did not have an effective business-continuity plan. The system failed for four days during the holiday season of 2004, causing millions of dollars in losses and leading to the resignation of the company’s president.11

Risk-management priorities can also change over time. For example, an automotive components manufacturer managed agility risk by choosing not to integrate the ERP systems of the many companies it acquired. This allowed the company to bring acquisitions up to speed quickly and to divest them just as quickly. Globally, accuracy risk was initially limited because the firm’s manual processes seemed to meet management’s needs. However, accuracy risks arising from new corporate governance regulations and new demands from global customers caused the company to implement tighter data integration. The company eventually changed its agility approach and started to convert acquired companies to a standard ERP system at acquisition time. The extra up-front integration effort provided benefits for availability, access and accuracy risks, and provided a new form of agility (the ability to make global changes) while not significantly reducing agility to sell the businesses later.

Discussing the Four A’s is essential for alignment because IT and business executives can differ in their perceptions of the importance of each risk. Figure 3 shows our global survey findings on how 100 IT executives and 158 line-of-business (LOB) business executives viewed the importance they attach to the Four A’s for their most important business processes. Both LOB and IT executives placed similar importance on availability and access risks. However, LOB executives placed statistically significantly more importance on accuracy and agility risks than IT executives did.

Discussing the Four A’s helps IT and business executives reach a shared understanding on which risks matter most. It can also surface differences about how well each group believes the risks are being managed. But more is needed. Understanding differences of opinion on agility and access risks, for example, can still lead to conflict if the approaches to resolving the two types of risk are themselves in conflict. In the next section, we explain how the hierarchy implicit in the framework highlights strong complementarities in the approaches to managing the four risk areas.

Figure 3 caption: Percentages of IT and LOB executives rating the risk as 6 or 7 to the question “How important is each of the following to the successful execution of your most important business process?” on a 7-point scale (1 = not at all important, 7 = extremely important). Percentages in squares represent statistically significant differences between LOB and IT executives’ responses.

10 Westerman, G., Cotteleer, M., Austin, R., and Nolan, R., op. cit., 1999.
11 Westerman, G. and Hunter, R., op. cit., 2007.

USING THE IT RISK HIERARCHY TO BALANCE CHANGE/RESILIENCE TRADEOFFS

Although the Four A’s can be considered as separate dimensions in a tradeoff, they share many risk factors. Addressing a single risk factor can reduce all four risk areas now, while facilitating further improvements in the future.12

Figure 4 shows the risk factors associated with the Four A’s identified in a survey of 134 CIOs. The vertical arrows signify that a risk factor in any tier is statistically significantly associated with the extent of risk in that tier and tiers above it. Factors associated with availability risk, most notably design, management, and knowledge issues in the technology infrastructure, are also associated with the higher-level access, accuracy, and agility risks. Access risk is driven not only by the availability risk factors, but also by issues associated with application and network design. Accuracy risks arise from the same factors but additionally from factors associated with the way information is generated or integrated. Agility risk is the most complex because it is related to the risk factors of the other three areas plus IT/business relationships and project delivery capability.

In other words, the risks form a hierarchy, with availability as the “easiest” and agility as the “toughest.” The hierarchy can be used as the basis for a discussion of how long-term agility risks arise from making short-term decisions that increase other risk factors. It can also highlight how the choice to create additional architectural complexity can increase risks for all four A’s and how additional effort today can avoid many risks in the future. For example, a decision to use a nonstandard technology or to duplicate and customize an application for a small part of the company may make sense in the context of a particular project but could increase all four risk areas for the company.

For example, when a running shoe company entered the apparel market, it decided the easiest approach was to create a duplicate version of its shoe applications and customize them for apparel. The decision made some business sense when apparel was a new and small part of the company, even though the two different business lines had many similarities in the way they worked with suppliers and retail stores. But, as the systems evolved differently over time, this decision led to large risks to access, accuracy, and agility. It became difficult to integrate information globally for a single retailer, and many global changes had to be applied to the two systems separately.

Figure 4: The IT Risk Hierarchy Highlights Interdependencies Among the Four Risks12
Analysis of 134 CIO surveys shows that each risk factor for a given enterprise IT risk (level of the pyramid) is statistically significantly correlated with the extent not only of that risk, but also of risks above it in the pyramid.
Complex interdependencies between systems increased the difficulty of recovery in the event of failure. Many critical systems were supported only by vendors—sometimes one- or two-person firms—and PFPC had no formal vendor management program.

• Access: With different lines of business following different practices and using different vendors, it was difficult to ensure that security controls were adequate. In addition, as PFPC extended its systems to customers, managing customer access introduced new risks.

• Accuracy: Regulations such as Sarbanes-Oxley created new accuracy risks in the firm’s business processes for internal financial management and customer fund accounting. Meanwhile, the new globalization and cross-selling strategy raised accuracy risks related to a single view of the customer and managing multiple currencies.

• Agility: PFPC was finding it difficult to keep its fragmented legacy environment up to date with competitive and regulatory changes. Differing vendors and application development methods across the 11 businesses made it difficult to guarantee consistent project delivery. The firm also lacked some skills needed to modify existing systems and build new ones.

Some issues applied to multiple levels of the Four A’s framework. Vendor-management issues led to availability and access risks but also had implications for accuracy (when vendors used their own methodologies) and agility (as knowledge was fragmented across vendors). Frequent audits highlighted risks in availability, access, and accuracy while responding to audit findings diverted resources away from strategic changes.

return in transforming IT, and they saw great risk of disturbing customer relationships during the transition.

The CIO used the language of risk to make the case for his transformation plan. When he called attention to the resilience risks inherent in the current legacy infrastructure, the amount of effort required to manage those risks, and the detrimental effects of fragmentation on agility, IT and business leaders were able to come to a shared understanding. Line-of-business heads became willing to give up some local autonomy to advance the goal of a streamlined, well-integrated and well-maintained platform. Projects were required to undergo new review processes, use standard methods, and choose from a reduced set of preferred vendors. If a project appeared to have a strong ROI but did not align with standards, it underwent extra scrutiny from IT architects and internal auditors as well as senior management. Yet some IT investments that had unclear ROI could be approved for risk-reduction reasons.

After 24 months, PFPC saw solid benefits from incorporating risk into alignment discussions. There was a measurable reduction in IT-related audit issues, the number of active risks dropped, and the firm received good ratings on its first-ever IT-specific Federal Reserve audit. Even as PFPC reduced risks, it was able to reduce IT costs and add functionality. It also achieved a better balance between strategic change and resilience. The share of the IT budget allocated to new development (as opposed to maintenance) increased so that the firm could spend more on new functionality. Ensuring that all projects went through risk reviews reduced the amount of rework, yielding more benefit from the firm’s strategic-change investments. The new functionality—justified through using the language of risk—improved service to customers, and PFPC even began to use its risk-management capabilities as a sales tool for new customers.
1. Discuss the Four A’s with Business Counterparts

IT leaders should discuss the Four A’s in one-on-one meetings with key business executives to develop a shared understanding about the strategic-change and operational-resilience perspectives for new initiatives and ongoing operations. Discussing the Four A’s for a new initiative makes clearer the tradeoffs between the two perspectives and also highlights how the initiative may affect ongoing risks to the enterprise. Discussing the Four A’s for ongoing execution of key business processes can help IT and business managers to develop a shared understanding of their strategic-change and operational-resilience perspectives as well as the conditions that can cause or resolve conflicts. As they develop a shared understanding, they can identify policies, processes, and strategies to improve their IT-enabled business processes from the bottom of the pyramid upward.

IT leaders should ask business executives how important each of the Four A’s is for their key business processes and how effectively the company is managing each of the four areas of risk. They should use the conversations to test their assumptions and learn more about current business drivers. The discussion can also be an opportunity to gently educate business executives about the IT architecture vision, the drivers of resilience problems, and the role that IT’s rules and standards play in the process of managing IT.

By identifying disconnections or contradictions between executives, IT executives can help to resolve disagreements. They can show how tiered levels of service (at different levels of cost) may provide the right level of service to the right people at lower cost. The discussions can also help make the business case for incremental improvements—or larger transformations—to the firm’s IT assets and business processes.

Revisit the discussions periodically, especially as the firm’s strategies or external conditions change. In addition, take advantage of “teachable moments” such as discussions on integrating an acquired firm, buying nonstandard software or mobile phones, or getting exceptions to policy. IT (and sometimes business) executives can use these moments as opportunities to discuss the risk tradeoffs at hand and to improve shared understanding.

An important element of shared understanding is an awareness of the risks created by IT infrastructure and applications complexity. Each policy exception, nonstandard technology, or methodology shortcut can create new risks in all four areas, making it more difficult both to maintain resilience and to introduce new strategic changes. Complex IT environments have a large variety of components that have to be understood and more nonstandard interdependencies between components. Systems in such environments have more failure points and recovery is more difficult. The systems are also more difficult to change. Every change affects components in complex ways, some changes must be done multiple times, and testing is complicated. Discussing the Four A’s with business executives can help them to understand the risks of complexity and the need for policies and standards that constrain the growth of complexity.

2. Extend Resilience-Focused Activities to Improve Alignment

Activities such as business-continuity planning, IT service management, and even IT audit can not only identify issues and improve resilience, but also help to improve alignment. Business-continuity planning, for example, not only identifies procedures and mitigation techniques related to availability—the bottom of the risk hierarchy—but also starts to build shared understanding. For example, when business executives are asked how much resilience they need in their business processes, many will initially say it needs to be perfect. Yet, when presented with the costs and asked to risk-rank their processes across multiple business units, they develop a more differentiated view of how important each one really is and what type of protection it needs.

Business-continuity planning can also be a useful way for IT executives to help business executives understand their part in managing IT-enabled business processes. When the CIO of a Massachusetts insurance company was finding it difficult to engage business executives in business-continuity planning, he staged a high-profile demonstration of IT’s disaster-recovery capability. Then, he turned to the business executives and said, “The systems are running again, but headquarters is gone. What are your people going to do next?” This made the point very clearly that managing business process resiliency was about more than just managing technology.

IT audit is another example. CIOs who are relatively new to their positions can use IT audit to improve alignment. Audits can highlight issues in controls, infrastructure management, and complexity as a result of past management practices. By identifying these issues proactively, IT leaders can make the case to implement changes before the issues gain higher profile in regulatory audits.

Service management activities can also be extended to improve alignment. IT executives should track incidents such as outages, intrusions, reconciliation errors, failed batch jobs, failed projects, or help desk calls. Showing the frequency and impact of incidents can be a good way to make the case for change. Furthermore, showing downward trends on incidents, and the costs avoided through risk management, can demonstrate that IT is being well managed.

Extending the role of resilience activities to improve alignment may require changing the mindsets of IT staff. IT leaders should work with security, architecture, and regulatory compliance staff to ensure they are enabling agility as well as preventing incidents. IT staff may already embrace this dual view of their IT risk-management activities but may be hampered by responsibilities, incentives, or governance processes that reward restrictive rather than enabling activities. An IT security specialist who will be severely penalized for a security incident will naturally give more emphasis to protection than strategic change.

IT leaders should work with their specialists to identify creative approaches to enabling agile security or flexible compliance capabilities. These approaches may include changing the review procedures, carrying them out earlier or more frequently, or possibly engaging in awareness activities for project managers, architects, and business sponsors.

3. Embed Risk Management into All IT Management Processes

IT leaders should integrate risk management more tightly into other IT management processes so it becomes a natural way of doing business. For example, project methodologies have often focused on delivery risks but under-emphasized potential operational risks from implementing a new application. Security and architecture reviews have traditionally been carried out from a compliance-based viewpoint—avoiding risks—rather than a risk-based viewpoint of managing all areas of the Four A’s framework (including agility). Application development techniques such as agile development or “Scrum”14 should be tuned to balance the Four A’s appropriately. Ensuring that all four risk areas are considered when funding and executing projects makes projects more risk-aligned, improves business executives’ awareness of what creates risk, and generates information to manage any incremental operational risk created by exceptions.

But don’t stop with project management. Consider changing HR processes as well. For example, add risk awareness training to the onboarding process for new employees or to the process for giving employees a new computer. Similarly, IT should be informed the minute the firm becomes aware that an employee will be leaving, so that access can be disabled at the right time.

Infrastructure management activities provide another opportunity to build risk management into IT processes. For example, change management activities in the ITIL framework15 can be extended to ensure the right attention to agility risk as well as availability and access risks. Configuration management and other processes can be integrated with project management methods to reduce the potential for risks arising from unexecuted tasks or incomplete information. Furthermore, many of the metrics gathered by IT service management processes can serve as key risk indicators.

4. Create a Risk-as-Opportunity Culture

Risk-enabling alignment does not just mean changing management processes. It also involves changing culture. The shared understanding being built between IT and business executives must also be extended to all IT staff.

To help achieve the culture change throughout IT, IT executives should emphasize that risk management is an opportunity, not just an obligation. When seen as a chore, risk management is just a cost of doing business—in essence, an insurance cost to mitigate the effects of negative incidents. This cost makes the company somewhat safer but sometimes at the expense of new opportunities. More and

risk considerations into all IT processes and decisions, both IT and business leaders make better decisions about how they design and manage their IT-enabled business processes. They can adjust strategic-change initiatives to improve resilience, place proper priority on improving IT assets, and develop IT management rules that are better aligned with business objectives.

Companies that are more mature at IT risk management report stronger business alignment and fewer incidents, and also have more efficient and agile IT.16 They don’t just manage IT risk better; they manage IT better.

APPENDIX: ABOUT THE RESEARCH

This article is based on more than five years of research into the concept of IT risk management. Key studies included:

• Interviews with 49 IT and business executives in 11 companies to understand the nature of IT risk.
• An exploratory survey of 134 CIOs to
in the ITIL framework15 can be extended to ensure the right attention to agility risk as well as availability and access risks. Configuration management and other processes can be integrated with project management methods to reduce the potential for risks arising from unexecuted tasks or incomplete information. Furthermore, many of the metrics gathered by IT service management processes can serve as key risk indicators.

4. Create a Risk-as-Opportunity Culture

Risk-enabling alignment does not just mean changing management processes. It also involves changing culture. The shared understanding being built between IT and business executives must also be extended to all IT staff.

To help achieve the culture change throughout IT, IT executives should emphasize that risk management is an opportunity, not just an obligation. When seen as a chore, risk management is just a cost of doing business—in essence, an insurance cost to mitigate the effects of negative incidents. This cost makes the company somewhat safer but sometimes at the expense of new opportunities. More and more companies are using risk management as an opportunity to improve their businesses. When investigating risk issues, they can identify new opportunities to streamline processes, better integrate data, or link more closely to customers and suppliers.

PFPC started using its IT risk management capabilities to make the company more attractive to customers. Many companies now audit their service providers, and providers that can show greater risk-management capabilities have an advantage. Other companies can, like Tektronix, use accuracy and agility improvements originally justified through the language of risk to out-compete other firms in the ways they launch products or serve customers.

CONCLUSION

For too long, IT and business executives have struggled to improve IT/business alignment. The language of risk provides a new approach. The Four A’s framework can serve as a common language through which IT and business executives develop a shared understanding of the strategic-change and operational-resilience perspectives. By incorporating risk considerations into all IT processes and decisions, both IT and business leaders make better decisions about how they design and manage their IT-enabled business processes. They can adjust strategic-change initiatives to improve resilience, place proper priority on improving IT assets, and develop IT management rules that are better aligned with business objectives. Companies that are more mature at IT risk management report stronger business alignment and fewer incidents, and also have more efficient and agile IT.16 They don’t just manage IT risk better; they manage IT better.

APPENDIX: ABOUT THE RESEARCH

This article is based on more than five years of research into the concept of IT risk management. Key studies included:

• Interviews with 49 IT and business executives in 11 companies to understand the nature of IT risk.
• An exploratory survey of 134 CIOs to understand linkages between risk factors, risk management methods, and the extent of risk in all areas of the Four A’s framework.
• A global survey of 100 IT and 158 business executives in 258 companies to understand differing preferences and to statistically test associations between IT risk management maturity and various IT outcomes.
• Case studies of more than a dozen firms, including Motorola, PFPC, Steelcase, Disney, Dell Computer, Sun Microsystems, and Celanese.

The Four A’s framework was originally developed in working papers and teaching at the MIT Sloan Center for Information Systems Research (CISR). It is described in the book IT Risk: Turning Business Threats Into Competitive Advantage (See Footnote 4), which was named a Best Book of 2007 by CIO Insight magazine. This book also describes how to build a mature IT risk-management capability based on three core disciplines: a well-managed IT foundation, a risk governance process, and a risk-aware culture.