Having established that you can't do without IT, that IT risks are significant and need to be managed properly, the question then turns to how IT risks should be managed. Certainly this is one of the first questions you should expect from your key IT governance participants!
The IT risk portfolio approach that is described in this chapter enables proactive management of IT risks by providing a structure for business managers to apply when considering the different classes of IT risk, making management decisions and taking action.
When implemented in your organization, systematic and repeatable processes will ensure that important IT risks are identified, confronted, addressed and managed.
As IT risks are all, ultimately, also business risks, it is necessary for the management of IT risks to integrate into your wider business risk management context.
There is a need for IT experts, specialized in a particular class of IT risk, to provide advice to management and carry out necessary specialist activities, such as advising on external network connectivity and recommending security measures. However, it should not be necessary for each of these specialists to separately build the 'bridge of understanding' across the void that invariably exists between business managers and IT experts over these specialist topics.
More useful is a single integrated IT risk management approach that both business managers and IT specialists ...