This topic introduces risk management best practices that can assist in the creation of a risk management culture.

Adopting Risk Management

There can be obstacles to successfully adopting risk management for IT. If an operations group does not already have a culture of risk management, then adopting risk management can represent a significant change. This will require visible commitment and adherence from senior management and a clear communication to staff at all levels about the benefits of risk management to the business.

Another major obstacle to that change may be the complexity of the risk management process itself. Those who are not yet performing risk management in a structured way generally do not see the need to change; and if the risk management process is too complex, then people are likely to dismiss it as unproductive busywork.

Keep these obstacles in mind when considering the best practices in this paper. Overcoming them may make risk management more effective, but may also increase its complexity.

Enterprise Risk Management Function

Effective risk management should be performed at the enterprise level rather than at the individual business unit or IT department level. Business and technical approaches to enterprise risk management (ERM) are evolving, driven by the needs to identify and manage risks across the enterprise and to comply with new regulatory requirements.

As a result of these needs and the complex challenges facing organizations in managing operational risks, many organizations have created a new executive role, sometimes referred to as the chief risk officer (CRO). This role is charged with coordinating risk management initiatives across the entire organization, as opposed to treating different business units in isolation. Another key role played by the CRO is to establish and champion the concept of enterprise risk management and to also liaise with the owner of the overall business continuity plan.

At first glance, the CRO position might seem to contradict the key principle of integrating risk management into all job roles and functions. The distinction is whether everyone plays a part in risk management. If so, then it can be very helpful to have a specific role such as a CRO, who focuses on risk management full-time, acting as an executive sponsor and mentor and coordinating risk management activities that might otherwise be inefficient or even contradictory. In short, IT has more potential to support and enhance business processes than ever before; but, in turn, failures in IT have more potential to disrupt business operations and directly affect an organization's profitability and success.

Emergency Response Teams

Large organizations often have emergency response teams (ERTs) that react to critical failures and disasters. They are trained to respond by following established emergency response and contingency plans. These teams need to be included during all phases of risk management, especially contingency planning.

Note:
Several Microsoft Operations Framework (MOF) service management functions (SMFs) provide input to the risk management process-for example, Change Management, Release Management, Service Desk, Capacity Management, IT Service Continuity Management, and Availability Management.

Human Resources and Training

IT operational risk management is very much dependent on support from the operations workforce. Such support should begin the day an employee is hired. Ideally, you should make the possession of risk management skills a factor when hiring people into the IT group. Give everyone access to risk management training. Also, make sure that everyone receives proper job training because the better that employees understand a job, the more effective they will be in identifying and addressing risks.