Beating IT Risks
Ernie Jordan and Luke Silcock

Allie

Copyright © 2005 Ernie Jordan and Luke Silcock

Published in 2005 by John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England
Telephone (+44) 1243 779777
Email (for orders and customer service enquiries): [email protected]
Visit our Home Page on www.wileyeurope.com or www.wiley.com

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher should be addressed to the Permission Department, John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex PO19 8SQ, England, or emailed to [email protected], or faxed to (+44) 1243 770620.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold on the understanding that the Publisher is not engaged in rendering professional services. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Other Wiley Editorial Offices
John Wiley & Sons Inc., 111 River Street, Hoboken, NJ 07030, USA
Jossey-Bass, 989 Market Street, San Francisco, CA 94103-1741, USA
Wiley-VCH Verlag GmbH, Boschstr. 12, D-69469 Weinheim, Germany
John Wiley & Sons Australia Ltd, 33 Park Road, Milton, Queensland 4064, Australia
John Wiley & Sons (Asia) Pte Ltd, 2 Clementi Loop #02-01, Jin Xing Distripark, Singapore 129809
John Wiley & Sons Canada Ltd, 22 Worcester Road, Etobicoke, Ontario, Canada M9W 1L1

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data
Jordan, Ernie.
Beating IT risks / Ernie Jordan, Luke Silcock.
p. cm.
Includes bibliographical references and index.
ISBN 0-470-02190-X (cloth)
1. Information technology—Management. 2. Management information systems. 3. Risk management. I. Silcock, Luke. II. Title.
HD30.2.J67 2005
658′.05—dc22 2004018705

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library
ISBN 0-470-02190-X

Typeset in 10/12pt Garamond by Graphicraft Ltd, Quarry Bay, Hong Kong.
Printed and bound in Great Britain by T.J. International Ltd, Padstow, Cornwall.
This book is printed on acid-free paper responsibly manufactured from sustainable forestry in which at least two trees are planted for each one used for paper production.
Contents

About the authors ix
Foreword xi
Acknowledgements xiii

1 Thriving on risk 1
  The challenge 2
  Complications and deficiencies 3
  The cure for your IT risk headache 6

2 IT governance framework 19
  Different approaches to governance 22
  Building a framework for your organization 35
  Design and implementation issues 38
  Case study: Aventis 42

3 IT risk portfolio 45
  Introducing the IT risk portfolio 45
  Implementing an IT risk management capability 60
  Health check 66
  Case study: European fleet management services provider 67

4 Projects 71
  The impact of project failure 73
  Organizational, program and project views of risk 78
  Understanding IT project risk factors 82
  Alternative philosophies for delivery assurance 95
  Identifying, reporting and managing project risks 97
  Health check 103
  Case study: Agility 104

5 IT services 107
  IT service failures that impact your business 109
  Planning and preparation 113
  Implementing IT service continuity 117
  Health check 122
  Case study: Police service 123

6 Information assets 125
  Accessing your information assets 126
  The impacts of information asset exploitation 127
  The impacts of degraded information assets 129
  The dimensions of security 132
  Implementing information asset management 138
  Health check 149
  Case study: Investment management 150

7 IT service providers and vendors 153
  The dimensions of service provider failure 154
  The dimensions of vendor failure 163
  Managing service provider risk 165
  Managing multiple IT service providers 174
  New and emerging risks in IT service provision 176
  Health check 179
  Case study: Financial services 180

8 Applications 183
  The impacts of IT application failure on your business 184
  The evolution of IT application risk 189
  IT application risk profiles 192
  Software assets and liabilities 195
  The lifecycle approach to managing risks 198
  Health check 201
  Case study: Leading water company 203

9 Infrastructure 205
  How IT infrastructure failure impacts your business 206
  IT infrastructure’s evolving risks 212
  Moving towards ‘set and forget’ 214
  De-risking infrastructure transformation 216
  Health check 217
  Case study: GCHQ 218

10 Strategic and emergent 221
  The impact of IT failing to support the execution of your business strategy 222
  Driving shareholder value through IT-enabled business change 227
  The influence of your IT capability on business capability 230
  Health check 232
  Case study: Egg 233

11 IT and other enterprise risks 235
  Relating the IT risk portfolio to other types of enterprise risk 235
  Supporting risk-based management with IT 245
  The dependence of IT risk management on broader enterprise competencies 248
  In conclusion 251

Appendix 1: Review checklists 253
References 261
Index 271