Value of Enterprise-wide Risk Management: argument against maintaining the status quo

January 26th, 2015 No comments
Reading Time: 5 minutes

Today's post is based off several things colliding at the same time for me – discussions with friends, colleagues and some Twitter banter.

Everywhere I’ve been, risk management is broken into discrete units and managed individually, ostensibly due to its complexity, working on the assumption that what they have is enough. Even Enterprise Architecture frameworks skip over how risk management is to be engaged and offer little to no support in understanding the holistic picture.

Despite the argument of organisations that they don’t believe enterprise risk management (ERM) is necessary, or that the existing static, compliance-based tools or techniques employed are sufficient, there is a place for ERM. Assuming that the nature of the business will stay the same, that as-good-as-it-gets is enough, is an arrogant disregard for the fact that environments change. There will always be a requirement to navigate risk in business, as to avoid risk is to avoid success.

  • How do you navigate risk in your business?
  • Do you use a spreadsheet compiled from compliance questions?
  • How about a pre-canned register provided by a consulting company?
  • Is risk management handled at a project or programme level without higher level visibility within the organisation?
  • Is there a single, unified view of risk management?

By disregarding risks that may destroy value, you risk destroying the business; this is what static, disaggregated risk management techniques can cause. ERM, that is looking holistically at the organisation, provides a structured and disciplined process that aligns strategy, process, people and technology in order to maximise the desired outcomes and minimise the undesirable.

A holistic ERM approach allows the identification of various types of risks, providing the necessary visibility to the business. This visibility gives the business the ability to apply a measured and complete approach to the remediation or mitigation of risks, through tools and techniques, as well as identifying emergent risks to the organisation. As an example, a change in one area of the business’ policy due to legislative change may have further implications which, if handled in isolation, would not allow the business to be proactive.

Focusing on a single component of risk, such as looking to insurance as a loss reduction technique for operational and financial risk, neglects the other risk types (technical, operational, financial, commercial or project-based/time-based) and has the same effect as a siloed business risk management model.

Read more…

Chief Enterprise Architect as Transformational and Transactional Leader

January 17th, 2015 No comments
Reading Time: 1 minutes

I recently read the article from Dr Gerald Gray (@SmartGridJer) on “Chief Enterprise Architect as Transformational and Transactional Leader”.

What I enjoyed most is that Dr. Gray succinctly captured the duality of the day to day of the Chief Architect. The biggest challenge I face on a day-to-day basis is working at the transformational level with the CxO executives, then jumping into the transactional aspects of a programme deployment and dealing with both the people vs. outcome focus, which is overlaid with the situational leadership model that is presented.

Some days I’m successful in juggling these multiple, competing goals… others not so much.

photo credit: wallyg via photopin cc

Thoughtlet: Agility in business

January 16th, 2015 1 comment
Reading Time: 1 minutes

Seth’s blog on business plyometrics is exactly what business agility is all about. It isn’t a haphazard approach to business; it is, as one of my professors says, the speed boat that sits alongside the tanker. This model allows you, as a business, to try new things in a controlled manner as you turn the tanker. The key point is that it needs to NOT be haphazard.

Categories: Strategy

How to build a roadmap in 7 steps

January 2nd, 2015 No comments
Reading Time: 5 minutes

Moving Information Technology (IT) into the sphere of “the business” is still a challenge in a lot of organisations. Moving up requires that the IT/ICT teams demonstrate value (showing how you can support the business in achieving its goals) to more senior executives within the business, and where to start is always a hard question. Whilst there are many ways to approach this, the roadmap is one of the simplest ways of getting started.

Over the years I’ve noticed that there is little consistency in the generation and development of roadmaps, whether Infrastructure, Application or even Business structure. This can be for various reasons including:


  • There isn’t visibility of the full picture, but you have to show some degree of thought
  • Enterprise Architects are now really Technology Architects, so the views are skewed towards technology; conversely, there are consultants posing as Enterprise Architects who have nothing more than an MBA and no experience or exposure
  • Businesses don’t truly understand what they are doing with ICT or why they need to be planned and not reactive
  • It’s a contract deliverable and come hell or high-water you’ll deliver something.
  • Newly minted TOGAF, SABSA or other practitioners attack this discipline with so much vigour that they quickly get shut down by the business.


Regardless of the reason, it is important to be able to show those needing to invest in ICT services what they are going to invest in and why they are going to invest. I’ve found that providing clear traceability between business objectives, ICT strategies (where available) and the roadmap helps you as the architect understand the WHY better, which helps when presenting higher up the organisation; communicating in the business’ terms and not techno-speak.

It can also help the CIO/Director of ICT/etc. understand how their organisation is supporting the wider business and its initiatives.

Remember a roadmap is generally for inside an ICT organisation. It requires distilling into bite-sized chunks for management to absorb.

So let’s get to it. Building a roadmap can be broken into 7 stages:

  1. Confirm the business’ priorities
  2. Current State
  3. Define End state
  4. Identify the measures
  5. Gap analysis!
  6. Sequence the events
  7. Publish the end goal

Read more…

Stealing your data while you watch

December 20th, 2014 No comments
Reading Time: 3 minutes

In IT and IT Security there is a constant complaint about the risks of shadow IT and the adoption of consumer collaboration and sharing tools. Over the last couple of years we also saw the emergence of novel exfiltration techniques, including the persistent ultrasonic technique, where the infected device communicates with other compromised hosts via high-frequency audio; the Twitter-based technique, where malware sends out data 140 characters at a time for anyone to read; and the more recent video technique, encrypting data in video files and putting corporate secrets onto video sites for later retrieval.

Read more…