Not all IT risks are the same, but there are enormous benefits from bringing them together and treating them consistently. You need to treat them just like any other business risk, but also in ways that reflect the unique characteristics of IT. A portfolio approach gathers IT risks together for three reasons: completeness, connectedness and significance:
- Completeness: Some areas of IT risk may be overlooked when priority is given to the most demanding ones.
- Connectedness: A single event, such as an upgrade announcement or a compliance requirement, can have multiple impacts in different classes of risk.
- Significance: By putting all the IT risks together in a portfolio, the overwhelming consequences posed by the totality of risks will be apparent.
The portfolio approach recognizes that IT risk is ever-present and that continuous monitoring is essential. It is, in effect, a series of alarm bells that together give effective coverage to all IT risk areas. If any of the alarms were missing, the value of the remainder would be seriously downgraded. The universal coverage of the set gives enhanced value to each of the components. In addition, any particular event or external stimulus may create alarms in several areas – through their interconnectedness – so there is a heightened chance that the driving force will be detected.
Having gathered together the significant IT risks into our portfolio, we are now better prepared to argue that the returns justify the risks. Part of the function of the IT risk portfolio is to take away the ‘blame’ dimension associated with IT. All employees should be comfortable reporting that ‘such-and-such risk has just increased’ without being isolated or castigated. So, if risk is no longer ‘bad’ in itself, how do we measure the risk performance of the IT function? Fortunately, the portfolio approach enables a global perspective on whether risk is being managed down across the set of categories. It also raises the emphasis on areas that are commonly overlooked, such as business continuity and infrastructure.
When IT goes well, there are business benefits. These opportunities have long been discussed and form the basis for most organizations’ approach to IT. We are arguing for a complementary view that identifies, assesses and monitors the corresponding risks.
— Extract from Beating IT Risks, Chapter 1: Thriving on risk —