[...]... framework identifies capability and shortfall, and then works to ensure that these are accurate assessments It enables assured statements to be made about the organization’s IT While this is the critical step in beating IT risks, it deals with much more than just risks So what does it mean when you know that your organization is IT- capable? While there is no consensus on the upward limit of this, there should... of IT risk can dominate the thinking, but monitoring all of them is necessary An IT governance framework is the essential step to understand and take authority over the organization’s use of IT There’s a great pride when managers and board members are able to say, ‘Our organization is IT- capable.’ It s even better when it s true IT governance is the link between the rhetoric and the reality An IT governance... up a bookshop with great coffee in a sleepy beachside resort You need to manage IT risk, with initiatives that fit your organization and its situation But because of the pervasiveness and variability of IT risk, the initiatives are organization-wide and will represent, in time, a significant change in the way in which your organization approaches IT There are three key steps in making IT risk work for... This draws the focus onto one of the key success factors of IT governance: ownership of the IT risk portfolio Too often risks are dealt with in a piecemeal, ad hoc way Without the systematic, sustained and consistent approach to the many dimensions of risk that are associated with IT, there is little hope for mastery The IT risk portfolio All IT risks are not the same, but there are enormous benefits from... upon it; inadequate capacity to deal with the workloads; insufficient maintenance to keep it in proper repair But IT infrastructure has additional risks and opportunities for failure, such as selection of standards, interoperability of components – especially during upgrades – and the capacity to support unanticipated applications in the future When infrastructure fails, all the applications and IT services... separate it from the remainder of your organizational activity Many of the risks that we have discussed are specific to IT or are those where IT has a significant contribution There are others where the contribution of IT is smaller or where IT may assist in the mitigation of the other risks Let’s examine this latter point first IT can contribute to the active management of other classes of enterprise risks. .. portfolios The multiple perspectives within the teams and the multiple perspectives across teams are the critical initiative in aiming for completeness of risk assessment coverage and in hoping to overcome the boundary or territory issue: it s not our (silo’s) responsibility 2 IT governance framework The first step, and we argue the most critical step, in dealing with the IT risks that the organization faces... facilities) is seldom complete When a comprehensive review of IT services is carried out, service continuity vulnerabilities will be identified The appropriate actions to deal with these risks will include duplication of resources, increasing the fault-tolerance or resilience of the infrastructure, establishment of secondary facilities, hot sites and the like It will also be important to work out priorities,... governance The most critical step in beating IT risks is to put in place an IT governance framework IT risks are large and pervasive They can be large enough to bring an organization to the point of ruin, yet most organizations do not have systematic or comprehensive approaches to dealing with IT risk For many organizations, the greatest sources of risk are their products and customers, but IT risk would be... of IT should outweigh costs – and both should be accurately known Risks from IT should be tolerated for potential rewards Then, most importantly, when the business strategy needs some IT functionality, it must be delivered What more The cure for your IT risk headache 9 would you want to call your organization IT- capable? It will depend upon the industry you’re in and your organization’s mission but it .