View Poll Results: What Live-CD toolkit(s) do you use?
Voters: 14

- Auditor
- Whoppix
- Whax
- Helix
- PHLAK
- Backtrack
- nUbuntu
- F.I.R.E.

June 29th, 2005, 03:56 PM
#25
We live in a parallel universe Tiger. Organizational change is necessary, but I have survived and continue to work for the CEO. Although due to compliance pressure, get this - we are FORCED to have committees make the decision. In the view of those overseers, 5 people making a decision versus 1 person assumes less of a risk should it fail to pan out. HUH? I see the logic if one could fill the room with technical minds and when it comes to hardcore software development I would agree. But participating in a room filled with minds that get bored with the mere mention of "internet filter" is problematic to another topic... the faulty and often illogical mindset of auditors running off the "trends" of circa 1998. That is when most of our compliance regulations were drafted.
So until my power is removed, I drive IT business strategy and bring the decision to a committee after money is spent and implementation is complete. They happily sign off because they are not forced to undergo the cost benefit analysis or detailed technical diagrams which I can happily display for hours at a time. Having this committee has definitely relieved some compliance pressure though. They like to see some internal "oversight" for IT regardless if the substance is beneficial. In that respect compliance is just fluff to toss at a bean counter.
So to share some internal rambling... compliance and security collate into risk management as many have introduced. In fact the mere presence of a good risk management strategy will guide compliance. In my opinion it is the heart and soul of compliance both external and internal to your company's own policies. In fact IT Risk is one small category that falls under the umbrella of Business Risk. That is risk to the organization regardless of the origination. Once we understand that, and shift focus away from our IT closets (we love our closets) new doors open up and IT becomes a critical process in management.
RC's Copyrighted Business Risk Factors:
Financial Risk
Operational Risk
Strategic Risk
Regulatory/Legal Risk
I am leaving out a lot of the scoring formula but you can get a picture of the overall business risk process. Let's pick a task and assign a level of impact on a scale of 0 to 3, 3 being highest impact and 0 being no impact...
IT Risk Factor: Desktop Management and Support
Financial Risk: 2
Operational Risk: 2
Strategic Risk: 0
Legal/Compliance Risk: 0
Business Risk Factor: 4 (add ‘em up)
Potential For Change: 1.25 (hey things change, add it in. Items with a high potential of change have a higher number that increases the risk weight)
As you can see, if we took a task risk like Compliance it could have a higher risk rating than a specific IT Security risk item. It could affect the overall business strategy and legal risk. OK, let's pick one:
IT Risk Factor: Business Continuity Planning (not security at all!)
Financial Risk: 3
Operational Risk: 3
Strategic Risk: 0
Legal/Compliance Risk: 2
Business Risk Factor: 8
Potential Change Factor: 1
Now would I spend money on desktop support or business continuity planning? Security or Compliance?
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.