Which Risks Are Most Common?

In my last post, I discussed the importance of senior executive involvement in the risk management function. In this post, I'll take a look at some common risks. There is no universally accepted set of risk definitions; however industry experts agree that they fall into the following broad categories:

Project - the risk that an IT project will fail to meet objectives due to poorly defined requirements; inadequate project sponsorship; loss of project resources; project scope; insufficient project management processes or organizational maturity.

Technical - the risk that technology will fail to meet business requirements. Examples include unproven technology; complex technology; outdated, unsupported or unstable technology; increasing maintenance and support requirements.

Security - the risk that individuals may gain unauthorized access to confidential or competitive information or systems; the risk that business systems are unable to adequately protect data, personnel and corporate assets in accordance with business requirements and regulations; loss or theft of corporate information.

Financial - the risk that the business will experience financial losses; a poor return on its investment; cost overruns, overspending or wasteful spending; insufficient budgets; financial instability; funding cuts or loss of business revenue.

Availability - the risk that systems, infrastructure or resources critical to business success may become unstable or unavailable and cause a loss of service.

According to research conducted by the IT Governance Institute, "most IT organizations view security and availability as the highest priorities. Most business executives would agree that these are important. However, increasingly the business focus is on return on IT investment and project and investment risks." The impact of any given risk can affect the business in ways that may not be evident when viewed purely from the CIO's perspective. It is for these reasons that risk management needs to be a regular topic of meaningful discussion on the senior executive/board agenda.