At its simplest, IT governance can be defined as an IT investment decision-making framework, designed to maximise the return or benefits while managing risk at acceptable levels. But what exactly is meant by "acceptable levels"? The answer is that it differs from one organisation to the next. Some organisations are conservative and risk-averse, while others are willing to accept greater risks in the pursuit of greater returns. To address this differentiation, an IT governance framework should clearly define the strategic context of IT risk as it pertains to IT risk appetite and IT risk tolerance. With such a framework in place, you can compare individual decisions to an in-place standard and more easily identify, consider, and manage deviations from the standard.

An organisation's IT risk appetite is a subset of its overall enterprise risk appetite and therefore cannot be developed in isolation. It is ultimately the responsibility of the board of directors to define an organisation's risk appetite based on input and recommendations of senior management. The IT organisation can define, document, and communicate the IT risk appetite and risk tolerance by developing a table that includes the IT risk elements, the risk appetite for each element, and the risk tolerance for each element as described below:

A risk element defines a category of risk:
There are a variety of IT risks, including execution risks, technology risks, security risks, etc. As the first step in developing an IT risk appetite profile, an organisation must develop a list of the most likely IT risks it may face. For example, technology risk occurs when a technology component fails to operate as expected or is unavailable, such as if a project is dependent on a new software module but the vendor delivers the module three months later than required.

Risk appetite defines how much risk is acceptable:
For each risk element identified, the amount of risk that is acceptable for that element needs to be defined. For instance, because the business depends on IT for frequent enhancements to its customer-facing systems, it requires projects to be delivered on time and on budget.

Risk tolerance defines the tolerable deviation:
Once the risk appetite has been defined, the risk tolerance for the risk element must be defined. For risk-averse organisations, the risk tolerance may be zero, while a more risk-aggressive firm would have a higher risk tolerance.

The organisation's IT risk appetite and risk tolerance can be documented and communicated via a table (see Figure 2). Failure to define a risk appetite and risk tolerance undermines any risk management process. The lack of definition deprives the organisation of any guidance in making decisions about when and how to address risks as they arise. Furthermore, it ensures that any response to risk is an isolated action and not aligned with the overall enterprise approach to risk.

In practice, the risk appetite and risk tolerance will be used to determine if and when the organisation will respond to specific risk events. Operational risk governance will categorise the risk event and determine how the organisation will respond.

Figure 2: Defining Risk Appetite and Risk Tolerance

IT governance and risk

Make strategic risk part of IT governance

Because organisations make large investments in IT, and because IT is embedded in most business processes, IT risk is also business risk. This means IT risk must be integrated as part of enterprise risk. The first step is to incorporate strategic IT risk as part of an overall governance framework. CIOs should:

Incorporate IT strategic risk into enterprise risk:
The CIO should work with the board of directors and executive management to help them understand IT risk and its implications for business risk. This should begin with a current risk assessment plus recommendations and then end with a discussion and decision about defining the IT risk appetite and risk tolerance.

Revisit risk governance on a quarterly basis:
An organisation's risk appetite and risk tolerance are not static. Depending on internal and external factors, organisations may adjust their risk posture by either reducing or increasing the level of risk that they will accept. The CIO should ensure that a discussion of IT risk appetite and risk tolerance is on the agenda at least quarterly during executive team meetings.

Communicate frequently to all stakeholders:
Risk awareness is the key to any risk management approach, since risk is an integral part of any business. Risks need not always be avoided or eliminated, but they must be identified and understood so that they can be managed effectively. Frequent communication about IT risk ensures that it remains top of mind.

About the author:

Craig Symons is VP and Principal Analyst at Forrester and focuses his research on IT/business alignment, IT performance measurement, IT governance, IT portfolio management, IT investment management, IT demand management, IT human capital management, and running IT like a business.