1999 was great for so many reasons. While I don't try to party like it anymore, '99 holds a special place in my professional ethos thanks to Mike Judge's seminal work. If I type the name of the movie you'll be distracted with comedic thoughts so I'll just share my favorite image - the "planning to plan" whiteboard. If I'm more inclined to execute vs. prepare this is the reason why. So when I started to pen this post about planning a road map for an IT risk management program I had to check myself.
Many organizations I work with share my experience of leadership asking for a risk driven road map aligned with business objectives. Easy to say, hard to do. However most IT organizations aren't equipped or supported to build a mature program. They may want to be top quartile but they're not prepared for the journey. Plus, they may not understand how fast the organization is willing to mature. I haven't seen a program jump from what-the-audit-found-strategy to top quartile over night. If our objective is to deliver an evidence driven investment road map aligned with the business, it's OK to plan a phased approach and demonstrate value while the culture, process, and necessary resources gain momentum.
I see three general steps on the path:
- Compliance: road map driven by compliance findings to develop basic hygiene
- Control Maturity: evaluate capability maturity to prioritize investments
- Evidence Driven Risk Management: the big leap where complete risk statements are formed across threats, agents, vulnerabilities, control effectiveness, short and long term impacts. Risk stakeholders have clear roles and risks complete their life cycle in a central register.
- When I see folks trying to jump from step 1 to step 3, they don't have the support, skills, and resources to succeed. Lately I've seen more folks develop explicit plans to gradually mature. The best news is the evolution doesn't have to be sequential. For organizations struggling for support, a fine technique is to leverage each stage to focus where you'll actually develop evidence-driven risk statements. For example, use compliance assessments to prioritize where to assess control maturity. In turn, use the most glaring actual vs. target maturity discrepancies to focus your risk estimation and treatment process. Over time the risk register becomes an authoritative source for managing risk.
A key to success here is to get leadership support for the long-term plan and milestones. You have to define what the end looks like or you'll continue fighting to justify the program's growth. Perhaps the following slide can help articulate the stages.
The good news is we have more examples, community support, and resources how to build and execute risk management programs than ever before. However sometimes a good plan is warranted - wouldn't want to just "jump to conclusions..."
What say you? Do you need to formalize a plan or are you already working through one?