Minimal IT - Risk management and system governance

9 May 2006

Risk management and system governance

IT risk management overlooks critical long-term risks. With system governance, you can identify and manage these risks.

The risk management expert Felix Kloman summarised risk management as "A discipline for living with the possibility that future events may cause adverse effects."

Within IT, we manage a variety of risks.

Within IT projects, we manage project risks such as lack of resources, and time and cost overruns. We manage technical risks, to make sure that the solution will actually work and interoperate.
We manage security risks, to preserve confidentiality and guard against fraud. We implement system access controls, network security, and manual processes to maximise overall security.
We manage operational risks, such as hardware and software failure. We have regimes of data backups, and system restoration procedures.
We manage the risk of being prosecuted by managing legal and regulatory compliance.

System governance is a framework for measuring and improving system quality, where system quality is broadly defined to cover fitness for purpose, viability, supportability, security, compliance, and technical standards.

System governance contributes to existing IT risk management. It provides a framework for gathering risk-related information, analysing it, and recommending improvements. Although we at Metrici would not claim it is a full risk management method, it does provide a comprehensive, easy, quick and cheap method for gathering this information.

Perhaps more significantly, system governance can provide visibility of critical long-term risks, that are not well covered by current IT risk management. Here are just some examples.

The risk of gradual technical obsolescence.
The risk that support costs increase dramatically because of a decline in system structure, in the quality of documentation, in the coverage of test plans; and a rise in the number of ill-defined interfaces.
The risk that problems build up because management attention is diverted to more exciting new development.
The risk that the systems will not last as long as anticipated, for the reasons above.

These risks are critical. In the long run they significantly undermine our ability to provide effective IT services. They reduce our ability to respond to business change. They increase costs. The costs of replacing systems are huge, and yet we do little to manage the risks that systems will need to be replaced early. These long-term risks are much more significant than short-term project delivery risks, but in comparison we hardly manage them at all.

I think we in IT do not even recognise these as risks. Risk management makes a distinction between a risk (something that might happen) and a problem (something that has happened or is inevitable). In IT, we treat these long-term areas as inevitable problems, not as manageable risks.

In the same way that it provides the information for existing IT risk management, system governance provides the information, analysis and recommendations to manage long-term risks. It gives management visibility and guidance on the risks before they turn into problems. With system governance, you can complete your IT risk management and manage long-term risks, not just short-term ones.