The nature of IT risk is changing, reducing the effectiveness of traditional risk management approaches

Ten years ago IT risks were "contained" within the four walls of the data centre. Today, IT risks are public and they can have dramatic personal ramifications. Take for example Pharmatrak, a US-based company that tracked Web site visitors for pharmaceutical companies like Pfizer Incorporated, Glaxo Wellcome Plc and Pharmacia Corporation. From mid-1998 to late 2000, it gathered and analyzed visitors' browsing habits for its pharmaceutical customers. Privacy legislation and contractual agreements with those pharmaceutical companies prohibited Pharmatrak from gathering personally identifiable information. Apparently as the result of an interaction between Pharmatrak's NETcompare software and the code found on various Web pages, Pharmatrak collected personally identifiable information on about 232 of the approximately 18.7 million users whose activities it tracked.

In August 2000, a lawsuit filed against Pharmatrak alleged (correctly) that the company had collected personally identifiable information. Such titbits as names, addresses, telephone numbers, dates of birth, genders, education levels, occupations, medical conditions, medications, and reasons for visiting the particular (pharmaceutical) Web site were later pulled off Pharmatrak's computers. Pharmatrak's corporate customers immediately cancelled their contracts and Pharmatrak ceased operations in December 2000. The lawsuit was resolved years later by a US Federal Court of Appeals, after tens of millions of dollars in legal fees and thousands of hours of senior management attention. Was the Pharmatrak debacle an example of IT risk, or a poor business decision? Certainly IT was indispensable to the decisions and actions that caused the company's collapse. The technology worked, but Pharmatrak ignored the confidentiality of personal information - or missed the interaction of its software with that of the Web sites of its pharmaceutical customers'. The fatal mistake was that Pharmatrak failed to recognize and address this integrated technology risk.

Is risk awareness worth the cost? A survey of more than 130 CIOs on risk management confidence, spending and practices found a pattern of effective risk management. Those CIOs that manage risk well integrate multiple approaches - formal risk management processes, expertise and installed base simplification - to manage integrated risk. Yet they all have one approach that they are particularly good at. So if you are very good at a process, you need "enough" expertise and installed base simplification to make the whole thing work. The successful CIOs also use more people to manage risk, and they put those people together to identify and assess risk more frequently. Because they face risk openly, they have the ability to act faster on opportunities as well as threats, and they enjoy stronger relationships with business executives. The results are staggering. Effective risk managers spend slightly more on risk management (between 1 percent and 2 percent more of their IT budget), but gain disproportionately better levels of risk mitigation. And they seem to have much better relationships with their business colleagues to boot.

Effective risk management involves sound process and a "risk register". Process tends to be the primary risk management approach in companies that are large or in highly regulated industries where management is keenly aware of the potential for "bottomless" risk - like pharmaceuticals and financial services - and in organizations that are subject to frequent audit.

The thing that distinguished effective risk managers from burdensome bureaucrats was their use of "enough" process - but not too much. The best processes seemed to be to convene knowledgeable experts to identify risks and then define a joint response to them. Also key is the documentation of these risks and how they will be managed. This "risk register", which records risk exposure and decisions about its management, becomes a critical risk management tool and allows future generations of risk managers to build on this knowledge.

Companies surveyed use a range of risk registers, from Web-based interfaces to risk database applications, word-processing documents and spreadsheets, to hold their risk registry. All these approaches are apparently successful so the secret seems to be to use the one that fits best with your corporate culture.