Communicating IT Risk In Business Terms
First published on BankersOnline.com 4/20/09
Answered by:
Question:
How can I communicate IT risk in terms that the business can understand and use to make immediate, measurable cost-versus-benefit risk decisions?
Answer:
The key is to deliver IT risk information in a standard, quantifiable, non-finite method that allows the user to easily compare the inherent business risk of IT with the relative capability of IT to protect against this business risk. Simply presenting IT risk in compliance terms with finite (e.g., red, yellow, green) indicators does not give the business user the necessary tools or "intelligence" to take action in managing IT to the appropriate level of risk based on business needs. Delivering IT risk in these terms requires an easy-to-understand method for calculating and reporting risk that can be baked into current business processes, similar to how a credit report and score are used in a loan underwriting process.