Temple University

Week 11: The All World Airlines Case

Week 11: Wrap-up: IT Risk

You all seem to have the notion of risk and response down well.  The three risk processes are

  • Risk Governance – setting the appetite and tolerance of risk for the organization.  The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.
  • Risk Evaluation – What risks are you facing?  How likely are they?  How much impact will they have if they occur?  The expected outcome of a risk is equal to its likelihood × its impact.  The IT organization will need to deal with any IT risk whose expected outcome is greater than the enterprise’s risk tolerance for risks of this sort.
  • Risk Response – you can address risks in four ways
    • Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).
    • Transfer it – get insurance so that you alone don’t feel all of the impact of the risk if it comes to be.
    • Mitigate it – put in controls to lessen the likelihood or impact of the risk.  Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.
    • Avoid it – change what the organization is doing so as not to face the risk anymore.  If you are worried about losing credit card information, don’t take credit cards.
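As an added illustration of the evaluation and mitigation steps above (this is not part of the course materials), here is a small risk-register evaluator: inherent expected outcome is likelihood × impact, a control scales likelihood or impact, and the residual risk must fall under the tolerance or the control is flagged as insufficient. Risk names, probabilities, dollar figures and the tolerance are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Control:
    """A mitigation: scales likelihood and/or impact by a reduction factor."""
    name: str
    likelihood_factor: float = 1.0   # 0.5 means the control halves the likelihood
    impact_factor: float = 1.0       # 0.5 means the control halves the impact


@dataclass
class Risk:
    name: str
    likelihood: float                # probability of occurring in the period (0..1)
    impact: float                    # loss if it occurs, in dollars
    control: Optional[Control] = None

    def expected_outcome(self) -> float:
        # Inherent risk: expected outcome = likelihood x impact
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        # Expected outcome that remains after the control is applied
        if self.control is None:
            return self.expected_outcome()
        return (self.likelihood * self.control.likelihood_factor) * \
               (self.impact * self.control.impact_factor)


def evaluate(risks, tolerance):
    """Compare each risk to the enterprise tolerance (expected dollars). Returns {name: verdict}."""
    verdicts = {}
    for r in risks:
        if r.expected_outcome() <= tolerance:
            verdicts[r.name] = "within tolerance"          # no response required
        elif r.control is None:
            verdicts[r.name] = "needs response"            # accept, transfer, mitigate or avoid
        elif r.residual_risk() <= tolerance:
            verdicts[r.name] = "mitigated"                 # residual risk below tolerance
        else:
            verdicts[r.name] = "mitigation insufficient"   # control does not reduce enough
    return verdicts


# Constructed sample register; figures are illustrative, not from the case.
REGISTER = [
    Risk("Data migration errors", 0.30, 500_000),
    Risk("Vendor service outage", 0.10, 2_000_000, Control("Failover + SLA credits", likelihood_factor=0.5)),
    Risk("Compliance lapse", 0.05, 4_000_000, Control("Quarterly audit", likelihood_factor=0.2)),
    Risk("Staff attrition", 0.02, 100_000),
]
TOLERANCE = 50_000

if __name__ == "__main__":
    for name, verdict in evaluate(REGISTER, TOLERANCE).items():
        print(f"{name}: {verdict}")
```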

FUD is a major player in all risk discussions and is evidenced in the AWA case.  FUD stands for Fear, Uncertainty and Doubt.  There are always things that we don’t know or haven’t experienced when thinking about making a change.  It’s natural.  Both AWA and the EHR case we looked at earlier contained compliance risks.  Sure, outsourcing changes the nature of compliance risk although the ownership remains the same.  We feel comfortable with what we have always done (do everything ourselves) even if we know we don’t do it well.  It takes some courage and a lot of due diligence to look at a new arrangement and see that it’s no worse, maybe even better than what we had before.

This is where controls come in.  If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work.  In the AWA case, the firms they were looking at are very experienced and professional.  Sabre works with over 400 airlines.  To me, the risks of doing a good outsourcing deal are minimal as long as AWA pays attention to what it’s doing.  The risk of continuing as is and underfunding IT to the point of ruin is far higher.


Week 11: Reading Questions & Case

Readings

  1. What is the difference between risk appetite and tolerance?
  2. What three types of IT risk are there? Can you give an example of each?
  3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
  4. How can an organization respond to any IT risk?

The All World Airlines Case

Focus your analysis on two of the five areas of risk identified by the CFO.  Ignore the questions at the end of the case.  Come to class ready to discuss the two areas of risk that you choose.  Based on just your analysis, would you recommend AWA continue with its plans to outsource its ALCS?  Why or why not?
