Gartner Says CIOs Must Manage IT Risk as Business Risk

Analyst Highlights Findings from Latest Book “IT Risk” at Gartner IT Security Summit, 17-19 September, London

Egham, UK, September 17, 2007 � While IT has become increasingly central to business success, many enterprises have not adjusted their processes for IT decision making and risk management, according to Gartner, Inc. In addition, increased dependence on the smooth functioning of IT has amplified the business impact of IT risk incidents.

In the book �IT Risk :Turning Business Threats into Competitive Advantage�, published by Harvard Business School Press, Richard Hunter, group vice-president and Gartner fellow in Gartner Executive Programmes, and George Westerman, research scientist in the Center for Information Systems Research at the MIT Sloan School of Management, examine how IT risks directly impact business performance, and advise business executives on how they can manage IT risk as business risk with business consequences.

�IT risk has changed,� said Mr Hunter, who presented findings from the book during the Gartner IT Security Summit 2007, which is being held from 17-19 September in London, UK. �IT risk incidents harm constituencies within and outside companies. They damage corporate reputations and expose weaknesses in companies� management teams. Most importantly, uncontrolled IT risk dampens an organisation�s ability to compete.�

He cited the examples of a failed software implementation at a pharmaceutical manufacturer that led to the company�s bankruptcy, a data theft at CardSystems Solutions that prompted the company�s two largest customers – Visa and Mastercard – to defect, and errors in a tax-credit management system at the UK Inland Revenue that led the organisation to pay out over �2 billion in erroneous tax credits.

�In many companies, it is difficult for business and IT people to exchange information about IT risks in a mutually meaningful way,� said Mr Hunter. �To make effective decisions about IT risk, business executives need to know what happens to the business when technology fails or underperforms. Furthermore, any IT risk must be understood in terms of its potential to affect all of the company objectives that are enabled by IT. IT risk is too important to be delegated entirely to the IT organisation.�

The authors defined IT risk as a threat to any of four interrelated business objectives:

  • Business objective: Availability
  • IT risk: Will a company�s IT systems and business processes continue running, and will they recover from interruptions?
  • Business objective: Access
  • IT risk: Do the right people in an organisation have access to the data and systems they need to do their jobs? Are the wrong people blocked from access to those data and systems?
  • Business objective: Accuracy
  • IT risk: Can a company�s IT systems be relied on to provide correct, timely, and complete information that meets the requirements of management, staff, customers, suppliers, and regulators?
  • Business objective: Agility
  • IT risk: Do the organisation�s IT systems possess the capability to change if the company acquires another firm, completes a major business process redesign, or launches a new product or service?

�No enterprise can be completely free of IT risk. Like any other risk, IT risk is something to be managed, not eliminated,� Mr Hunter said. �Management means making trade-offs between risk and return, between the perils a company can bear and the risks it would rather avoid. But until now, business managers have lacked the tools and disciplines to manage IT risk in these ways.�

Mr Hunter introduced three disciplines that enterprises must master to manage IT risk effectively:

  • A solid foundation of IT assets, people, and supporting processes and controls that enable executives to manage the right risks in the right order.
  • A well-designed risk governance structure and process: integrating IT risk management into every business decision to identify, prioritise and track risks.
  • A risk-aware culture, nurtured from the top, that attunes people to the causes and solutions for IT risks and that increases vigilance across the organisation.

�These disciplines are complementary. Together, they aim to improve risk management capability and giving business and IT people a language to ensure that IT risks stay under control,� he added. �Enterprises should choose their focal discipline based on their culture, their circumstances and their capabilities, but ultimately they must be competent in all three.�

�The most dangerous risks are the ones that are never considered, or considered too late,� Mr Hunter said. �Executives need to look to the future. IT risk management is working the way it should when it is simply part of the way the company does business.�

About Gartner:

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, we work with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,800 associates, including 1,200 research analysts and consultants in 75 countries. For more information, visit