Thursday, August 21, 2014

IT Services and Enterprise Risk Management

IT services instrument nearly all operations of many enterprises, whether in-sourced or outsourced. They connect the people and processes that operate the enterprise. Those who provide IT services (typically the IT department) understand the real-life and potential end-to-end business scenarios that the enterprise faces and is equipped to handle better than most other enterprise staff. Yet in most enterprises, risk management is a function kept well separated from the IT department. This seems to be a legacy of a silo-based risk management approach (i.e. one focused on isolated portions of the business) rather than the modern approach of taking an enterprise-wide view of risk. As managing enterprise-wide risk in an increasingly dynamic business environment becomes more and more important for the sustenance and growth of enterprises, this legacy is no longer appropriate. As the business environment becomes more and more volatile, loose integration between the enterprise risk management department and the IT department means less flexible, less granular and less frequent measurement and management of enterprise risk. Due to this, IMHO a tighter integration between the enterprise risk management department and the IT department will maximize business value.
1. The recent events in the airline industry, where commercial flights (MH370, MH17 and AH5017) had accidents in regions of extreme events due to war-like situations and atmosphere, indicate the need for commercial airlines to integrate enterprise risk management into their operational decision-making processes and systems. But it is clear that risks due to geological events (e.g. the Icelandic volcanic cloud) and terrorism (9-11) are also risks that need to be monitored closely and in near real-time. The world is increasingly a much more dynamic place. The advent of newer technologies like drones makes the world more and more dynamic and risky. There is no alternative to managing risk more aggressively than before.
2. Business agility is a gospel that has been preached for some time now as the need of the hour, as a response to the dynamism of the business environment. Yet the priorities of outsourcing and offshoring continue to be centred around saving money, with little attention to business continuity and resilience. Most businesses are not organized to respond quickly to risks of various kinds (Climate Change, Technology). Their people, technologies and processes are mired in the old, less dynamic and less risky world.
3. Managing the increased risk level, both by making provisions (and pricing them into the sale prices) and by taking actions to eliminate, reduce or transfer risks to ensure the longer-term sustainability of the business, needs to be baked into the enterprise, people, IT and business process architectures.
It is no longer ok for IT services to be divorced from risk management. Enterprises and their IT service providers need to integrate enterprise risk management into the core of their activities in a much more real-time manner than before.
This is increasingly mandatory for survival and growth in the brave new world.
Pratap Tambay