Tough times and risk management, Part 2

Two weeks ago, I promised to continue with my "tough times" rant, but last week I was diverted to awarding the Gibbs Golden Turkey Award to American Express. With Thanksgiving now behind us, however, let us forget our recent Bacchanalian revelries (and our extra pounds) and forge ahead.

What I discussed in Part 1 was the need for a risk-assessment approach to IT management overall, not just to security. Reader Scott Crawford (Boulder, Colo.) commented: "High time someone carved out the same systematic approach to IT risk that we have almost taken for granted in other aspects of IT management!"

Scott and I talked on the phone (if you write, include your number and I may well call), and he was adamant that the risk-assessment-based approach is so neglected as to be almost a lost art.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Two weeks ago, I promised to continue with my "tough times" rant, but last week I was diverted to awarding the Gibbs Golden Turkey Award to American Express. With Thanksgiving now behind us, however, let us forget our recent Bacchanalian revelries (and our extra pounds) and forge ahead.

What I discussed in Part 1 was the need for a risk-assessment approach to IT management overall, not just to security. Reader Scott Crawford (Boulder, Colo.) commented: "High time someone carved out the same systematic approach to IT risk that we have almost taken for granted in other aspects of IT management!"

Scott and I talked on the phone (if you write, include your number and I may well call), and he was adamant that the risk-assessment-based approach is so neglected as to be almost a lost art.

The problem is that this approach requires a willingness to allocate resources strategically; that in turn means you will knowingly neglect investing in the low-value areas of your network should disaster strike.

As I suggested in Part 1, this leads to some interesting political issues, because in most organizations, power, the driving force of politics, is vested in the groups and individuals perceived as being the most influential, a perception that usually has less to do with budget size or revenue potential than with who controls the flow of information.

Who really controls the flow of information? You do! As I’ve been telling audiences at a series of events on identity management I've been involved with, we are the masters of the universe because there is no such thing as business without IT. There's nothing happening without IT providing the motive power.

So, here's the thing: You, my friend, are going to meet some serious political resistance when you tell the manager of widget production that -- as much as you would like to specify, identify, implement, configure and run his crucially needed restroom-cleaning management system -- there isn't enough money to do that. When you tell him that upgrading the stock-management system -- which, if it fails could bring the company to its financial knees -- is more strategic than his project, he probably won't be happy and he'll flex his political muscle.

How are you going to respond? The worst thing you can do is to present a logical, dispassionate analysis based on facts and your years of experience -- typically when power politics are involved, it is isn't the cool, rational argument that wins but he who masters the sound bite.

So, you, O master of the universe, need to consolidate your position preemptively. If you fail to communicate your strategic vision when the heat is off, there's little chance for you to own the sound bite when political push comes to shove you.

You understand the IT needs of the organization, so you need to develop a clear, simply argued road map that allows you to allocate your budget according to strategic need rather than tactical want. Your job is to get the greatest bang for your IT budget buck. That means that you need to make decisions with the cooperation of the business units singly and collectively while the heat is off.