How to reduce risk by aligning business strategy and IT strategy
Last updated on January 7th, 2019
Although it’s slowly becoming more common for IT to have “a seat at the table” in big board-room meetings, many companies still separate business and IT into distinct divisions. On the ‘business’ side you have the long term business strategy and plans or business requirements. On the other side lies the IT function.
This visible gap is where misalignment begins, but it’s often compounded by the negative preconceptions each side holds of the other.
| What business executives think of the IT department | What IT departments think of business executives |
| --- | --- |
| The IT department takes a long time to get anything done | The business constantly changes its mind about what they want/need |
| The IT department takes up too much budget and doesn’t deliver results | The business chooses non-optimal IT solutions without our input |
| IT is a ‘necessary evil’ | The business doesn’t understand the purpose of IT |
| The IT department doesn’t understand our needs | The business dictates to us without giving us any say |
Why does this disconnect matter?
Well, for virtually every business operation today, IT is an essential component. It is critical to the success of the business and a lack of alignment between business and IT strategies can deal a heavy blow to the bottom line.
All too often, IT strategy is an afterthought – something bolted onto the wider business plan. This can result in overly complex infrastructures, or systems that are difficult to change, which make it a struggle to maintain and enhance business operations later on.
However, and perhaps more critically, misalignment can leave the business vulnerable.
The way IT interconnects with almost every business operation naturally results in an increased risk profile. Previously, when talking about IT, we simply meant hardware and networks – things that provided a means to process, back up and safely store data. Now our expectations are much greater. We demand more information, more complex analytical reporting, greater integration, and increased data storage capabilities. On top of that, we demand that everything is kept easily accessible and highly secure.
This, coupled with an evolving dependence, means IT events – such as data loss, corruption, security breaches and infrastructure failures – can no longer be confined to the department in which they occurred. When one of these IT events occurs now, the whole organisation’s productivity, reputation and ability to achieve strategic goals are hampered.
Despite this, many business leaders do not consider aligning IT risk management with strategic business initiatives. Instead, they choose to rely on a traditional approach combining a cost-based analysis of ‘what may go wrong’ with metrics based on historic KPIs.
Such an approach can be unreliable as it’s too narrow to effectively identify and manage risk. Risks that fall outside the conventional realm – like fires, floods and power failures – can be easily overlooked. Furthermore, it fails to demonstrate how risks can affect the likelihood of achieving strategic objectives because it does not establish links between them. This contravenes ISO 31000 which emphasises risk management as a strategic function to enable businesses to make risk-adjusted decisions, rather than a compliance-orientated one.
Now, this isn’t to say that the act of quantifying and qualifying factors is not useful, as it most certainly is. Instead, the key takeaway is that effectively identifying IT risk requires a broader view: one which goes beyond traditional standards and aligns IT use with the strategic aims of the business.
Instead of only looking at the financial impact of physical and natural threats to IT service delivery, businesses must broaden the spectrum of risks they include and consider the impact or contribution each one will have on the achievement of strategic goals.
The positives of this approach are numerous. Firstly, by aligning risk techniques to strategic business initiatives, organisations can better document key performance indicators (KPIs) and key risk indicators (KRIs). These metrics are vital to continually monitor risk, providing an early warning system for a potential risk before it occurs.
Secondly, with a greater understanding of the business’ tolerance to risk, it is easier to implement a more realistic and balanced strategy and distribute clear communication plans. This will help protect the brand and shield against potential reputational/financial damage which can arise from IT events – for example, a poorly planned cloud migration resulting in significant disruption to customers.
This approach also delivers a significant competitive advantage by helping businesses to make calculated responses to risk that others in their industry may lack the insight to make. However, this does rely on KRIs being implemented and used properly. These indicators must provide an alert of emerging risk in good time, so the business has time to react and make appropriate decisions, thereby reducing the potential negative impact on achieving strategic goals.
IT risk will always exist in some form, but by improving alignment this can be continually monitored and communicated meaningfully to stakeholders. A proactive risk approach will enable the business to operate more cost-effectively, become more agile and respond to change with more informed, measured decisions.