How to reduce risk by aligning business strategy and IT strategy

On the ‘business’ side you have the long term business strategy and plans or business requirements. On the other side lies the IT function.

This visible gap is where misalignment begins, but it’s often compounded by the negative preconceptions each side holds of the other.

Why does disconnect matter?

IT is an essential component of every business operation today. It is critical to the success of the business and so a lack of alignment between business and IT strategies can deal a heavy blow to the bottom line.

All too often, IT strategy is an afterthought – something bolted onto the wider business plan. This can result in overly complex infrastructures or systems that are difficult to change – making it a struggle to maintain and enhance business operations later on.

However, and perhaps more critically, misalignment can leave the business vulnerable.

The way IT interconnects with almost every business operation naturally results in an increased risk profile. Previously when talking about IT, we simply meant hardware and networks – things for providing a means to process, backup and safely store data. Now our expectations are much greater. We demand more information, more complex analytical reporting, greater integration, and increased data storage capabilities. Then on top of that, we demand that everything is kept easily accessible and highly secure.

What problems does disconnect cause?

The evolving dependence of the business on IT means IT events – data loss, corruption, security breaches and infrastructure failures – can no longer be confined to the department in which they occurred. When one of these IT events occurs now, the whole organisation’s productivity, reputation and ability to achieve strategic goals are hampered.

Yet despite this, many business leaders still aren’t considering aligning IT risk management with strategic business initiatives. Instead, they choose to rely on a traditional approach combining a cost-based analysis of ‘what may go wrong’ with metrics based on historic KPIs.

Such an approach can be unreliable as it’s too narrow to effectively identify and manage risk. Risks that fall outside the conventional realm – like fires, floods and power failures – can be easily overlooked. Furthermore, it fails to demonstrate how risks can affect the likelihood of achieving strategic objectives because it does not establish links between them. This contravenes ISO 31000 which emphasises risk management as a strategic function to enable businesses to make risk-adjusted decisions, rather than a compliance-orientated one.

Now, this isn’t to say that the act of quantifying and qualifying factors is not useful, as it most certainly is. Instead, the key takeaway is that to effectively identify the risk of IT, the use of a broader view is required. One which goes beyond traditional standards and aligns IT use with the strategic aims of the business.

How can I counter disconnect?

Instead of only looking at the financial impact of physical and natural threats to IT service delivery, you must broaden the spectrum and consider the impact or contribution each one will have to the achievement of strategic goals.

The positives of this approach are numerous. Firstly, by aligning risk techniques to strategic business initiatives, organisations can better document key performance indicators (KPIs) and key risk indicators (KRIs). These metrics are vital to continually monitor risk, providing an early warning system for a potential risk before it occurs.

Secondly, with a greater understanding of the business’ tolerance to risk, it is easier to implement a more realistic and balanced strategy and distribute clear communication plans. This helps protect your brand and shield against potential reputational/financial damage which can arise from IT events – for example, a poorly planned cloud migration resulting in significant disruption to customers.

This approach also delivers a significant competitive advantage by helping businesses to make calculated responses to risk that others in their industry may lack the insight to make. However, this does rely on KRIs being implemented and used properly. These indicators must provide an alert of emerging risk in good time, so the business has time to react and make appropriate decisions. Thereby reducing the potential negative impact on achieving strategic goals.

Another task you will need to undertake is addressing the original cause of disconnect on an employee level by cutting out the stereotypes executives and the IT department have of one another. Ensuring that each group sees value in each other is often a task that falls onto the shoulders of the CIO who acts as a bridge between the IT and business aspects of your organisation. But the responsibility also lies with every individual to ensure that they are working towards a common goal in the business.

IT risk will always exist in some form, but by improving alignment this can be continually monitored and communicated meaningfully to stakeholders. A proactive risk approach will enable the business to operate more cost-effectively, become more agile and respond to change with more informed, measured decisions.