Not long ago, IT-based risk was a fairly low-key activity focused on whether IT could deliver projects successfully and keep applications up and running. But with the opening up of the organization’s boundaries to external partners, service providers, external electronic communications, and online services, managing IT-based risk has morphed into a “bet the company” proposition. Not only is the scope of the job bigger, the stakes are much higher. As companies have become more dependent on IT for everything they do, the costs of service disruption and inadequate security practices have escalated exponentially. Therefore, the job of managing IT-based risk has become broader and more complex. Whereas in the past companies have sought security through physical or technological means (e.g., locked rooms, virus scanners), there is now growing understanding that managing IT-based risk must be a strategic and holistic activity that is not just the responsibility of a small group of IT specialists, but part of a mindset that extends from partners and suppliers to employees and customers. This paper explores how organizations are addressing and coping with increasing IT-based risk. It presents the results of an in-depth discussion of this issue with 20 senior IT practitioners and the challenges facing them. It proposes a holistic view of risk and examines the characteristics and components needed to develop an effective risk management framework, presenting a generic framework for integrating the growing number of elements involved in it. Finally, it describes successful practices organizations could use for improving their risk management capabilities.
Smith, H., & McKeen, J. D. (2009). Developments in Practice XXXIII: A Holistic Approach to Managing IT-based Risk. Communications of the Association for Information Systems, 25, pp-pp. https://doi.org/10.17705/1CAIS.02541