Almost every white paper on IT Risk Management starts with the advice to first identify and assign values to every IT asset. This means finding and cataloging every PC, laptop, printer, server, etc. and deciding if it is of High, Medium or Low value.
A couple of problems with this. First, it is really hard to do. I mean really hard. And after you find an asset who is going to admit it is not of High value??
My proposal is to focus on scenario planning instead.
In future postings I will set up some scenarios that IT departments can start with and describe how scenario planning as a discipline can be applied to IT Risk Management.