Beating IT Risks

Book Description

Beating IT Risks is the essential guide for anyone at risk from information technology failure. The book provides proven models and evaluation tools that will guide board members, senior management, IT leaders and business unit managers in decision-making, monitoring and negotiation roles. Featuring real-world PA Consulting Group case studies along with the authors' own direct experience in managing IT risks, this book will sit above more specialist titles to help you develop an integrated and comprehensive understanding of different IT risks and how to combat them. The authors cover all types of IT risk, and offer explicit guidance about what to consider when implementing a risk management approach to best meet an individual company's needs.

Table of Contents

  1. Copyright
  2. About the authors
  3. Foreword
  4. Acknowledgements
  5. 1. Thriving on risk
    1. 1.1. The challenge
    2. 1.2. Complications and deficiencies
    3. 1.3. The cure for your IT risk headache
      1. 1.3.1. 1. IT and risk governance
      2. 1.3.2. 2. Portfolio approach
      3. 1.3.3. 3. Manage down complexity
      4. 1.3.4. IT governance
      5. 1.3.5. The IT risk portfolio
        1. 1.3.5.1. Projects
        2. 1.3.5.2. IT services
        3. 1.3.5.3. Information assets
        4. 1.3.5.4. Service providers and vendors
        5. 1.3.5.5. Applications
        6. 1.3.5.6. Infrastructure
        7. 1.3.5.7. Strategic and emergent risks
        8. 1.3.5.8. IT and other enterprise risk classes
  6. 2. IT governance framework
    1. 2.1. Different approaches to governance
      1. 2.1.1. The corporate governance perspective
      2. 2.1.2. The investor perspective
      3. 2.1.3. The compliance perspective
      4. 2.1.4. The enterprise-wide risk management perspective
      5. 2.1.5. The audit and control perspective
      6. 2.1.6. The engineering and systems perspective
      7. 2.1.7. The life scientist, biology and ecology perspective
      8. 2.1.8. An integrated perspective for your organization
    2. 2.2. Building a framework for your organization
      1. 2.2.1. Governance processes and outcomes
      2. 2.2.2. Governance structures and roles
    3. 2.3. Design and implementation issues
      1. 2.3.1. IT governance models and approaches
      2. 2.3.2. Matching the IT governance model to your organization
      3. 2.3.3. Implementing the IT governance framework
    4. 2.4. Case study: Aventis
  7. 3. IT risk portfolio
    1. 3.1. Introducing the IT risk portfolio
      1. 3.1.1. First seek to manage IT risks like other business risks
      2. 3.1.2. A portfolio of IT risks
      3. 3.1.3. Classes of IT risk
        1. 3.1.3.1. Projects – failing to deliver
        2. 3.1.3.2. IT service continuity – when business operations go off the air
        3. 3.1.3.3. Information assets – failing to protect and preserve
        4. 3.1.3.4. Service providers and vendors – breaks in the IT value chain
        5. 3.1.3.5. Applications – flaky systems
        6. 3.1.3.6. Infrastructure – shaky foundations
        7. 3.1.3.7. Strategic and emergent – disabled by IT
      4. 3.1.4. Understanding relationships between IT risk classes
        1. 3.1.4.1. Strategic and emergent risk relationships
        2. 3.1.4.2. Project risk relationships
        3. 3.1.4.3. Service provider and vendor risk relationships
        4. 3.1.4.4. Applications and infrastructure risk relationships
      5. 3.1.5. Impacts of IT risks
      6. 3.1.6. Wider impacts of your IT failures
    2. 3.2. Implementing an IT risk management capability
      1. 3.2.1. Strategy and policy
      2. 3.2.2. Roles and responsibilities
      3. 3.2.3. Processes and approach
      4. 3.2.4. People and performance
      5. 3.2.5. Implementation and improvement
      6. 3.2.6. Call to arms
    3. 3.3. Health check
      1. 3.3.1. Is IT risk management important to your business?
      2. 3.3.2. Are you doing the right things?
      3. 3.3.3. Do you have a good track record?
    4. 3.4. Case study: European fleet management services provider
  8. 4. Projects
    1. 4.1. The impact of project failure
      1. 4.1.1. Time
      2. 4.1.2. Functionality and quality
      3. 4.1.3. Costs
      4. 4.1.4. Systemic failures in project delivery
    2. 4.2. Organizational, program and project views of risk
      1. 4.2.1. Managing the organization for project delivery
      2. 4.2.2. Managing the program – risks associated with multiple concurrent IT projects
      3. 4.2.3. Managing the project – generic voyage risks
      4. 4.2.4. Decision-making and control over time, functionality and cost
    3. 4.3. Understanding IT project risk factors
      1. 4.3.1. Key risk factors to manage
        1. 4.3.1.1. Making size count
        2. 4.3.1.2. Impacting the organization in the right way
        3. 4.3.1.3. Managing complexity
      2. 4.3.2. Understanding your project's 'degree of difficulty'
      3. 4.3.3. Commonly misinterpreted project risk factors
        1. 4.3.3.1. Stability of requirements – getting the degree of flex right
        2. 4.3.3.2. Skills and experience – relying on the A team
        3. 4.3.3.3. Number and types of technology – the devil you know
      4. 4.3.4. Alternative delivery models and their risk characteristics
      5. 4.3.5. Beyond development – enhancement and upgrade projects
        1. 4.3.5.1. Enhancements
        2. 4.3.5.2. Upgrade and replacement
    4. 4.4. Alternative philosophies for delivery assurance
      1. 4.4.1. Outputs and deliverables
      2. 4.4.2. People
      3. 4.4.3. Methods and standards
    5. 4.5. Identifying, reporting and managing project risks
      1. 4.5.1. Committee oversight
      2. 4.5.2. Alternative management responses
      3. 4.5.3. What to look for at each stage of the project
        1. 4.5.3.1. Concept and feasibility
        2. 4.5.3.2. Requirements and architecture
        3. 4.5.3.3. Build
        4. 4.5.3.4. Testing, acceptance and implementation
        5. 4.5.3.5. Post-implementation
    6. 4.6. Health check
      1. 4.6.1. Is this important to your business?
      2. 4.6.2. Are you doing the right things?
      3. 4.6.3. Do you have a good track record?
    7. 4.7. Case study: Agility
  9. 5. IT services
    1. 5.1. IT service failures that impact your business
      1. 5.1.1. Service performance
      2. 5.1.2. Planning rules OK
      3. 5.1.3. Disasters and crises
      4. 5.1.4. Information asset impacts
      5. 5.1.5. Managing system failures
      6. 5.1.6. Complex scenarios
    2. 5.2. Planning and preparation
      1. 5.2.1. Business impact analysis
      2. 5.2.2. Disaster avoidance–disaster recovery
      3. 5.2.3. Levels of assurance
    3. 5.3. Implementing IT service continuity
      1. 5.3.1. Budget setting
      2. 5.3.2. Risk context
      3. 5.3.3. Designed-in
      4. 5.3.4. Buy-in and appetite
      5. 5.3.5. Performance indicators
    4. 5.4. Health check
      1. 5.4.1. Is this important to your business?
      2. 5.4.2. Are you doing the right things?
      3. 5.4.3. Do you have a good track record?
    5. 5.5. Case study: Police service
  10. 6. Information assets
    1. 6.1. Accessing your information assets
      1. 6.1.1. The 'availability' paradox
    2. 6.2. The impacts of information asset exploitation
      1. 6.2.1. Loss of exclusive use
      2. 6.2.2. Direct benefit of the exploitation to the perpetrator
      3. 6.2.3. Time, energy, goodwill
      4. 6.2.4. Loss of confidentiality
    3. 6.3. The impacts of degraded information assets
      1. 6.3.1. You don't know what you've got 'til it's gone
      2. 6.3.2. Loss of integrity
      3. 6.3.3. Repair cost
      4. 6.3.4. Opportunity cost
    4. 6.4. The dimensions of security
      1. 6.4.1. Objectives
        1. 6.4.1.1. Confidentiality
        2. 6.4.1.2. Integrity
        3. 6.4.1.3. Availability
        4. 6.4.1.4. Compliance
      2. 6.4.2. Culture
      3. 6.4.3. Justified countermeasures
    5. 6.5. Implementing information asset management
      1. 6.5.1. Components of ISO standard not included in information asset management
      2. 6.5.2. Information asset management essential ingredients
        1. 6.5.2.1. Information asset policies
        2. 6.5.2.2. Risk assessment
        3. 6.5.2.3. Record keeping
        4. 6.5.2.4. Roles and responsibilities
        5. 6.5.2.5. Asset categories and control
        6. 6.5.2.6. Computer and network management
        7. 6.5.2.7. System access control
        8. 6.5.2.8. Systems development and maintenance
    6. 6.6. Health check
      1. 6.6.1. Is this important to your business?
      2. 6.6.2. Are you doing the right things?
      3. 6.6.3. Do you have a good track record?
    7. 6.7. Case study: Investment management
  11. 7. IT service providers and vendors
    1. 7.1. The dimensions of service provider failure
      1. 7.1.1. Failure to meet service levels for an operational service
      2. 7.1.2. Failure to meet other contract or relationship requirements
      3. 7.1.3. Failure to deliver project services
      4. 7.1.4. Failure to stay in business
      5. 7.1.5. Other service provider risks
        1. 7.1.5.1. Finger-pointing rather than accountability
        2. 7.1.5.2. One-horse races rather than contestability
        3. 7.1.5.3. Poor value for money
        4. 7.1.5.4. Inflexibility
        5. 7.1.5.5. Difficulty integrating services
        6. 7.1.5.6. Bumpy transitions
        7. 7.1.5.7. Unfulfilled transformation objectives
        8. 7.1.5.8. Poor visibility
        9. 7.1.5.9. Lack of control
      6. 7.1.6. Alternative service delivery model risks
        1. 7.1.6.1. In-house
        2. 7.1.6.2. External service provider
        3. 7.1.6.3. Shared services
    2. 7.2. The dimensions of vendor failure
      1. 7.2.1. Failure to support the product
      2. 7.2.2. Other vendor risks
        1. 7.2.2.1. Functional gaps open up
        2. 7.2.2.2. Aggressive upgrade cycles
        3. 7.2.2.3. Proprietary solution lock-in
        4. 7.2.2.4. Unfulfilled promises
    3. 7.3. Managing service provider risk
      1. 7.3.1. Sourcing strategy
      2. 7.3.2. Pre-negotiation
      3. 7.3.3. Evaluation
      4. 7.3.4. Negotiation
      5. 7.3.5. Transition
      6. 7.3.6. Management
      7. 7.3.7. Review / termination / renewal
      8. 7.3.8. Risk-effective contracting
        1. 7.3.8.1. Service level agreements
        2. 7.3.8.2. Rights and responsibilities
        3. 7.3.8.3. Ability to change
        4. 7.3.8.4. Terms and conditions
      9. 7.3.9. Managing the relationship towards lower risks
        1. 7.3.9.1. Positioning the relationship – contractor to partner
        2. 7.3.9.2. Investing in the relationship
        3. 7.3.9.3. Measuring and managing performance
        4. 7.3.9.4. Auditing
        5. 7.3.9.5. Benchmarking
    4. 7.4. Managing multiple IT service providers
      1. 7.4.1. Shape the 'clusters' of IT services
      2. 7.4.2. Align technology strategies with sourcing strategies
      3. 7.4.3. Link processes end-to-end
    5. 7.5. New and emerging risks in IT service provision
      1. 7.5.1. Offshore sourcing
      2. 7.5.2. Open-source software support
    6. 7.6. Health check
      1. 7.6.1. Is this important to your business?
      2. 7.6.2. Are you doing the right things?
      3. 7.6.3. Do you have a good track record?
    7. 7.7. Case study: Financial services
  12. 8. Applications
    1. 8.1. The impacts of IT application failure on your business
      1. 8.1.1. Continuity, correctness and tolerance
      2. 8.1.2. Systems in context and the extent of business impact
      3. 8.1.3. When people and computers don't mix
      4. 8.1.4. When applications need to talk and work together
        1. 8.1.4.1. Two applications
        2. 8.1.4.2. A suite of integrated core systems
    2. 8.2. The evolution of IT application risk
      1. 8.2.1. Greater dependency
      2. 8.2.2. Greater complexity
      3. 8.2.3. Specialization and proliferation
      4. 8.2.4. Integration and interoperability
      5. 8.2.5. Retained legacies
    3. 8.3. IT application risk profiles
      1. 8.3.1. New applications
      2. 8.3.2. Packaged software
      3. 8.3.3. Custom-developed software
    4. 8.4. Software assets and liabilities
      1. 8.4.1. Controlling your application assets
      2. 8.4.2. Software as intellectual property
      3. 8.4.3. Software licenses
      4. 8.4.4. Unwanted and unwelcome software
    5. 8.5. The lifecycle approach to managing risks
      1. 8.5.1. Setting the systems agenda – strategy, architecture and planning
      2. 8.5.2. Concept and feasibility
      3. 8.5.3. Requirements and solution architecture
      4. 8.5.4. Solution build, acquisition and integration
      5. 8.5.5. Testing
      6. 8.5.6. Implementation
      7. 8.5.7. Maintaining and evolving systems
      8. 8.5.8. Retirement and decommissioning
    6. 8.6. Health check
      1. 8.6.1. Is this important to your business?
      2. 8.6.2. Are you doing the right things?
      3. 8.6.3. Do you have a good track record?
    7. 8.7. Case study: Leading water company
  13. 9. Infrastructure
    1. 9.1. How IT infrastructure failure impacts your business
      1. 9.1.1. Facilities
      2. 9.1.2. Centralized computing
        1. 9.1.2.1. Failure
        2. 9.1.2.2. Performance degradation
        3. 9.1.2.3. Third party reliance
      3. 9.1.3. Distributed computing
      4. 9.1.4. Data networks
      5. 9.1.5. Voice networks
      6. 9.1.6. Industry-specific infrastructure and risks
    2. 9.2. IT infrastructure's evolving risks
      1. 9.2.1. Migration of IT application features into the infrastructure layer
      2. 9.2.2. Market dynamics of infrastructure
      3. 9.2.3. Why timing is important
      4. 9.2.4. The emerging utility model and some risks to consider
    3. 9.3. Moving towards 'set and forget'
    4. 9.4. De-risking infrastructure transformation
      1. 9.4.1. Set direction
      2. 9.4.2. A step at a time and fall-back ready
    5. 9.5. Health check
      1. 9.5.1. Is this important to your business?
      2. 9.5.2. Are you doing the right things?
      3. 9.5.3. Do you have a good track record?
    6. 9.6. Case study: GCHQ
  14. 10. Strategic and emergent
    1. 10.1. The impact of IT failing to support the execution of your business strategy
      1. 10.1.1. Graceful degradation
      2. 10.1.2. Choose a grail, any grail
      3. 10.1.3. Diversity versus standardization
      4. 10.1.4. IT doesn't matter
      5. 10.1.5. Sustainability
      6. 10.1.6. Sabre-rattling
    2. 10.2. Driving shareholder value through IT-enabled business change
      1. 10.2.1. IT is the business – or not
      2. 10.2.2. Enablers of change
      3. 10.2.3. Engine room efficiency
    3. 10.3. The influence of your IT capability on business capability
      1. 10.3.1. IT as turbo booster / brake
      2. 10.3.2. Emerging technology
      3. 10.3.3. Delivery
    4. 10.4. Health check
      1. 10.4.1. Is this important to your business?
      2. 10.4.2. Are you doing the right things?
      3. 10.4.3. Do you have a good track record?
    5. 10.5. Case study: Egg
  15. 11. IT and other enterprise risks
    1. 11.1. Relating the IT risk portfolio to other types of enterprise risk
      1. 11.1.1. Rating IT risk alongside other risks
      2. 11.1.2. Aligning roles and responsibilities for risk management
      3. 11.1.3. Where to focus team efforts
      4. 11.1.4. Banking industry operational risks
      5. 11.1.5. Risks of compartmentalizing IT-related risks
    2. 11.2. Supporting risk-based management with IT
      1. 11.2.1. The wired organization (now going wireless)
      2. 11.2.2. Locked-down operating
      3. 11.2.3. Constant surveillance
      4. 11.2.4. Decision support, risk analytics and reporting
    3. 11.3. The dependence of IT risk management on broader enterprise competencies
      1. 11.3.1. Human resource management
      2. 11.3.2. Strategy and planning
      3. 11.3.3. Legal
      4. 11.3.4. Financial management
      5. 11.3.5. Physical security
    4. 11.4. In conclusion
  16. A. Review checklists
    1. A.1. Key review questions to answer: Completion of concept and feasibility stage
      1. A.1.1. Business rationale
      2. A.1.2. Solution and delivery options
      3. A.1.3. Commercial value
      4. A.1.4. Organizational impact
      5. A.1.5. Management and delivery
    2. A.2. Key review questions to answer: Completion of requirements and architecture stage
      1. A.2.1. Business support
      2. A.2.2. Solution and delivery choices
      3. A.2.3. Commercial arrangements
      4. A.2.4. Organizational impact
      5. A.2.5. Management and delivery
    3. A.3. Key review questions to answer: Build mid-point
      1. A.3.1. Business support
      2. A.3.2. Solution fitness-for-purpose
      3. A.3.3. Delivery arrangements
      4. A.3.4. Commercial arrangements
      5. A.3.5. Organizational impact
      6. A.3.6. Management and delivery
    4. A.4. Key review questions to answer: Testing, acceptance and implementation mid-point
      1. A.4.1. Business support
      2. A.4.2. Solution fitness-for-purpose
      3. A.4.3. Delivery arrangements
      4. A.4.4. Commercial arrangements
      5. A.4.5. Organizational impact
      6. A.4.6. Management and delivery
    5. A.5. Key review questions to answer: Post-implementation
      1. A.5.1. Business results
      2. A.5.2. Solution fitness-for-purpose
      3. A.5.3. Operations and support arrangements
      4. A.5.4. Commercial outcomes
      5. A.5.5. Organizational impact
      6. A.5.6. Management and delivery
  17. References