Tuesday, November 27, 2007

Four stages to establishing a successful IT Risk Management Lifecycle

by: Ryan Shopp

I recently came across this article from Symantec called IT Risk Management: Five Steps to Get from Good to Great. After reading it I found myself noticing its similarity to a four-step process I picked up in my early consulting days at International Network Services (INS) that seems to always be valid for most IT-related life cycles. This four-step life cycle I'm referencing is "P, D, I, O," which stands for "Plan, Design, Implement, Operate."

So, mapping the concepts of P, D, I, O to new names, I have a recommended "4 stages to successful IT Risk Management".


1. Baseline - What do you currently have in place? What do you know is missing? What are some industry-recognized recommendations? Organize this mountain of data with a maturity model methodology (discussed in my previous posting). Then pick 3 exposures that you think will have the biggest impact and will most likely require the lowest amount of work. Don't do this in a vacuum: talk with your peers (a key part of this stage) and get their insights, perspectives and ultimately their buy-in.

2. Evangelize - Take those three exposures and quantify them in business terms (e.g., approximately how much money could be saved, how much time could be saved, how much better the customer service experience could be, or even how it would increase employee morale, since they are so frustrated with this situation). Now, take these to your manager and explain that you've got buy-in from these other people/groups and that these are the "big bang for your buck" items that will make him look good (depending on your boss's style, you may not want to say it this bluntly). Hopefully, since it's a digestible set of items for the first time through this process, it will be an easy sell and you're off to the next step.

3. Do it - Your peers are bought in, your boss is watching, you have a finite list of tasks to accomplish... now make it a priority and make time for these to get accomplished! Have other peers help you out, and ask your boss for recommendations on who can help break down barriers or challenges (if you have any) while you're working to do it.

4. Status progress - Don't just do the work and forget it... now it's time for everyone to get the glory! Make sure to highlight what has been accomplished and when, and attempt to quantify whether the return on investment is already showing itself.

Then, make it a point to kick off this process again by going back to step 1 in the near future (the next month or two... don't wait a year). Keep the first couple of times through small, digestible and focused on a high-impact, low-resource value proposition (remember you have a tactical day job to do also). After that, the process will have established credibility with peers and management, and then you can recommend putting a more comprehensive program and plan in place. Once you get to this level, there are a variety of products out there that can help automate some of the manual steps within each stage for you to consider. Just keep that in mind when the time comes, and good luck!
