You all seem to have the notion of risk and response down well. The three risk processes are
- Risk Governance – setting the appetite and tolerance of risk for the organization. The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.
- Risk Evaluation – What risks are you facing? How likely are they? How much impact will they have if they occur? The expected outcome of a risk is equal to its likelihood X its impact. The IT organization will need to deal with any IT Risk whose expected outcome is greater than the enterprise’s risk tolerance for risks of this sort.
- Risk Response – you can address risks in four ways
  - Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).
  - Transfer it – get insurance so that you alone don’t feel all of the impact of the risk if it comes to be.
  - Mitigate it – put in controls to lessen the likelihood or impact of the risk. Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.
  - Avoid it – change what the organization is doing so as not to face the risk anymore. If you are worried about losing credit card information, don’t take credit cards.
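The evaluation rule above (expected outcome = likelihood x impact, compared against the tolerance) and the four responses, worked through as an added Python example that is not part of the original post; the risk values, tolerance and the factors by which insurance and controls reduce impact or likelihood are constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # probability the event occurs in the period (0..1)
    impact: float      # loss if it does occur, in the same units as tolerance

    def expected_outcome(self) -> float:
        # Expected outcome = likelihood x impact
        return self.likelihood * self.impact


def above_tolerance(risks, tolerance):
    """Return the risks whose expected outcome exceeds the tolerance."""
    return [r for r in risks if r.expected_outcome() > tolerance]


def respond(risk, response, tolerance, covered_fraction=0.0,
            likelihood_factor=1.0, impact_factor=1.0):
    """Apply one of the four responses; return (residual risk, new tolerance)."""
    if response == "accept":
        # Accepting a risk above tolerance means raising the tolerance to cover it.
        return risk, max(tolerance, risk.expected_outcome())
    if response == "transfer":
        # Insurance: the covered share of the impact is no longer borne by you
        # (modelled as a simple fraction; an assumption of this example).
        return replace(risk, impact=risk.impact * (1.0 - covered_fraction)), tolerance
    if response == "mitigate":
        # Controls reduce likelihood and/or impact; what remains is residual risk.
        residual = replace(risk,
                           likelihood=risk.likelihood * likelihood_factor,
                           impact=risk.impact * impact_factor)
        return residual, tolerance
    if response == "avoid":
        # Stop the activity: the risk can no longer occur.
        return replace(risk, likelihood=0.0), tolerance
    raise ValueError(f"unknown response: {response}")


def residual_ok(risk, tolerance):
    """Residual risk should be no greater than tolerance after a response."""
    return risk.expected_outcome() <= tolerance


if __name__ == "__main__":
    tol = 50_000.0  # constructed tolerance
    card = Risk("card data breach", likelihood=0.2, impact=1_000_000.0)  # constructed
    print(card.expected_outcome())  # ~200000.0, above tolerance, so it needs a response
    r, _ = respond(card, "mitigate", tol, likelihood_factor=0.1, impact_factor=0.5)
    print(r.expected_outcome(), residual_ok(r, tol))  # ~10000.0 True
```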
FUD is a major player in all risk discussions and is evidenced in the AWA case. FUD stands for Fear, Uncertainty and Doubt. There are always things that we don’t know or haven’t experienced when thinking about making a change. It’s natural. Both AWA and the EHR case we looked at earlier contained compliance risks. Sure, outsourcing changes the nature of compliance risk although the ownership remains the same. We feel comfortable with what we have always done (do everything ourselves) even if we know we don’t do it well. It takes some courage and a lot of due diligence to look at a new arrangement and see that it’s no worse, maybe even better than what we had before.
This is where controls come in. If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work. In the AWA case, the firms they were looking at are very experienced and professional. Sabre works with over 400 airlines. To me, the risk of doing a good outsourcing deal is minimal as long as AWA pays attention to what it’s doing. The risk of continuing as is and underfunding IT to the point of ruin is far higher.