The best CIOs offer multiple options and choices. Establishing standard processes for measuring risk and reward makes it easier for senior management to assess the potential business value of IT projects.
It's important for the CIO to have a standard process for balancing risk and exposure when prioritizing IT investments. It's equally important for the rest of the C-suite to understand the CIO's process for assessing risk, because the CIO cannot perform this function in a vacuum. The risk assessment process often requires knowledge from several functional areas of the enterprise, and it should be a team effort.
The C-suite and the CIO must work together to produce effective assessments of multiple risk/exposure scenarios. Collaboration is crucial because no individual or functional area of the enterprise possesses all of the knowledge and experience required to generate an accurate assessment. Ideally, your IT investment decisions will be influenced significantly by these risk/exposure assessments, so take the time to get them right.
Remember, it's a balancing act. No one can afford to protect everything all of the time. There will always be some exposure. The goal is determining which systems and applications are worth protecting and how much you should spend protecting them.
The CIA risk assessment model has nothing to do with the Central Intelligence ...