A common misconception when discussing Risk Management with IT professionals (including IT Project Managers) is that IT staff already manage risks every day through Problem Management and Incident Management.
Note that the following discussion applies equally to IT Project Management.
An objective of many IT functions is to improve the quality of IT services to the entity (company or government department) through a general reduction in incident volume and better first-time fix rates. This is generally achieved through IT Problem Management and IT Incident Management. While these two areas of IT Management are well understood and embedded in the culture of many IT functions, they are often mistaken for IT Risk Management.
IT Problem Management is a sub-function within the overarching IT function that serves to:
IT Problem Management has the following aspects:
IT Problem Management is distinct from IT Incident Management, which instead aims to restore the service to the end-user as quickly as possible. This is often done through workarounds rather than through trying to find permanent solutions (as in the case of IT Problem Management).
At a high level, IT Risk Management is the application of established risk management methods to managing the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within the entity.
It should be noted that the management of risk is an iterative process, rather than an event.
Event identification involves using appropriate techniques to identify potential risks to achieving strategic and operational objectives.
An event could be one occurrence, several occurrences, or even a non-occurrence (when something doesn’t actually happen that should have happened). It can also be a change in circumstances.
Events always have causes and usually have consequences. Events without consequences are referred to as near-misses, near-hits, close-calls, or incidents (note that such an incident is not necessarily an IT incident, and vice versa, which adds to the confusion).
The risk identification process sets out to identify an organisation's exposure to uncertainty. This can be undertaken using various techniques such as questionnaires, checklists, workshops, brainstorming etc.; it is not the same as spotting an anomaly or incident in the day-to-day operations of an IT function.
The organisation should select the methods most suited to its culture and current priorities. Workshops and brainstorming can be very effective ways of identifying risks, but they depend on having the right people in the room to make the process effective. In addition, when dealing with IT professionals, the initial discussion should be centred on the distinction between a risk event and an IT incident.