Don't leave risk management to chance
Published: 04 Oct 2005 16:00 BST
...must indeed be mentioned. In any IT project solution 'losers' — i.e. individuals or departments whose work will in some way be detrimentally affected by the results of the project — will exist and it is vitally important to manage these people. It only takes a few users to kill a solution before it has even been implemented.
The efficiency of an IT department can also be used to track the effectiveness of risk management. Software licensing is a great example — a large number of organisations either over- or under-subscribe to software licences. The former is obviously costly to the organisation, but the latter could prove to be even more costly in terms of fines. By having a software asset management solution organisations can be aware of the solutions they have to manage and thus the IT department can be aware of how many licences are required to use these systems. An efficient IT department will generally only subscribe to the number of software licences they need.
Another example is the maintenance fees for commercial off-the-shelf software that many organisations utilise. Such software is often subject to regular annual maintenance fees; fees of around 18 percent of the initial cost are typically what Butler Group sees. Anything over 20 percent can generally be deemed excessive.
A final example in the area of efficiency is the number of contract staff employed over the previous six months. Too many indicates poor planning and IT governance; none or very few could indicate over-employment simply to deal with peaks in demand.
Integrity is the last area to be raised in this article as a factor that can be used to measure how well an IT department is managing the risks it has control of. Again, use of ISO 17799 is applicable, helping organisations to secure the information they hold — if the information is secure, then it can be said to have integrity.
Additionally, key data quality indicators, which are metrics designed to reflect the accuracy and validity of the underlying data, can be applied and measured. This will enable the organisation to manage data quality as an ongoing process and use these indicators to highlight the effectiveness of the process.
All in all, risk assessment is an ongoing process — it is not something that is fire-and-forget. Using metrics to ensure that the risks the organisation faces are continuously managed should help the IT department keep track of its achievements in the areas of availability, compliance, confidentiality, effectiveness, efficiency, and integrity.