Businesses must recognise that failing to handle IT risks puts them at a competitive disadvantage, according to analyst firm Gartner.
While IT has become increasingly central to business success, many businesses have not adjusted their processes for IT decision making and risk management, Gartner says.
Analyst Richard Hunter said that failure to properly take account of, and plan for, IT risks can affect business agility. "Managements that do understand IT risks are pulling ahead, while those that don't are falling behind and getting eaten," said Hunter. "Uncontrolled IT risk dampens an organisation's ability to compete."
Hunter said that businesses that tailor business processes to take account of IT risks find they are better able to integrate systems, for example, after an acquisition, and are more capable of divesting themselves of companies they wish to sell.
"IT risk has changed," said Hunter, who was speaking at Gartner's IT Security Summit in London on Monday. "IT risk incidents harm constituencies within and outside companies. [Incidents] damage corporate reputations and expose weaknesses in companies' management teams."
IT managers must convey the consequences of IT risks to the business, said Hunter. "It's not simply a case of saying: 'There's a risk that the server might go down.' You have to look beyond to say what that server supports in the business — that, if it goes down, you'll lose $50m in the first week, and be out of business in three weeks."
According to the analyst, a company must ask itself whether its IT systems and business processes will continue running in the event of technology failure, and whether the systems will recover from interruptions. Companies should also ask whether the right people have access to the data they need to do their jobs, and whether the wrong people are blocked from accessing that data.
"Can the company's IT systems be relied on to provide correct, timely, and complete information that meets the requirements of management, staff, customers, suppliers and regulators?" asked Hunter. "And do the organisation's IT systems possess the capability to change if the company acquires another firm, completes a major business-process redesign, or launches a new product or service?"
The analyst said that a company needs a solid foundation of IT assets, people, and supporting processes and controls that enable executives to manage the right risks in the right order; a risk governance structure and process that integrates IT risk management into every business decision to identify, prioritise and track risks; and a risk-aware culture, nurtured from the top, that attunes people to the causes and solutions for IT risks and that increases vigilance across the organisation.