Archive for February, 2010

IT Risk Assessment: A CIO’s Best Friend

Friday, February 12th, 2010
John Oborn/Executive Partner

————————————————————————————————————
Numerous CIOs have found that an IT risk assessment (IT-RA) of capabilities and vulnerabilities is a valuable undertaking with surprising benefits. From establishing a communication and alignment vehicle with the business, to building a foundation for IT strategy, the outcomes build credibility and confidence in IT leadership.
————————————————————————————————————

A West Coast transportation industry CIO conducted an IT-RA before assuming her official CIO responsibilities. She knew there were issues in IT, but because she was replacing a popular CIO who was retiring, she needed to establish her credibility and have complete business support for the initiatives she knew would have to be undertaken.

The risk assessment was conducted by an objective third party, and it provided a clear statement to the business of the vulnerable aspects of IT infrastructure, applications and IT/business process maturity. It also provided the new CIO with the core elements of a multiyear IT strategy, now in its second year. According to the CIO, “Without the objectivity of the risk assessment results, I doubt we could have achieved the focus and buy-in of the business in areas where we were critically vulnerable.”

A Midwest insurance company CIO took over a troubled IT organization and used an IT-RA to build a transformation strategy for IT that was successful in less than 24 months. “While the major symptoms were infrastructure related, the root causes were in the lack of process, controls and management,” he says. “The assessment identified those areas, and while some of the changes were difficult, they were welcomed by the business and adopted by IT leadership. We used the results to build road maps for a number of critical exposures. We were able to mitigate those risks and establish ongoing controls and governance to keep them from happening again.”

The CEO of that same insurance company extolled the benefits of the IT-RA to another insurance company CEO. He, in turn, passed the information to his CIO, who conducted an assessment, again with beneficial results.

Gartner has conducted extensive research around IT-RAs. The Gartner Risk Assessment Methodology (GRAM) was developed to enable security and risk management professionals and other stakeholders to make informed, realistic judgments about the risks facing their enterprises.

According to Gartner research, GRAM can be used for a number of practical reasons, including:
– Gaining a better understanding of the organization’s IT risk profile
– Addressing IT and information security risks
– Providing management assurance that IT risks are being managed
– Identifying critical IT resources
– Complying with regulations and policies
– Implementing risk, security and business continuity planning
– Prioritizing spending on risk control

The IT-RA is a compelling tool for CIOs. One of its most valuable benefits is how it facilitates communication with business unit leaders, executive leadership and even the board of directors. In two of the examples above, the boards of those companies were highly interested in the outcome of the assessment, as well as in ongoing updates on mitigation progress. The board of the Midwest insurance company mandated the conducting of an IT-RA every two to three years.

CIO CALL TO ACTION
Whether using GRAM to self-assess, or using a third party to conduct an IT-RA, CIOs should recognize the power of an objective assessment of the enterprise’s IT health. Making an IT-RA a proactive process has obvious benefits over waiting for it to be a reactive measure to a serious IT problem. Gartner recommends that CIOs do the following:
– Develop business-focused evaluation criteria.
– Define the scope and objectives of risk assessments to focus the risk assessment process.
– Use GRAM to identify and evaluate risks.
– Develop formal treatment plans for treatment tracking and reporting.
– Consolidate risk information in a data repository for risk reporting, ongoing risk management and maintaining a history of risk management activities.

BOTTOM LINE
An IT risk assessment is an effective CIO tool for understanding the capabilities and vulnerabilities within IT infrastructure, applications, process, governance and even organizational structure and maturity. Conducted every two to three years, IT-RAs enable CIOs to stay ahead of potentially serious threats to the stability and effectiveness of IT.

Business Impact:
Identifying and mitigating IT risks before they escalate into outages that can cause business damage (and potentially millions of dollars in losses) are core responsibilities of every CIO. An IT risk assessment is a valuable tool that can keep the CIO and the business ahead of these issues.

Additional Insights
1. “Assess Risks Using Gartner Risk Assessment Methodology”, Les Stevens, F. Christian Byrnes (Research), 14 August 2008

2. “Toolkit: Applying the Gartner Risk Assessment Methodology to Critical Enterprise Assets”, Les Stevens, Jay Heiser (Research), 25 September 2009

Lean IT

Monday, February 8th, 2010
Andrew Rowsell-Jones/VP, Richard Hunter/VP & Gartner Fellow and Dan Miklovic/VP

————————————————————————————————————
Lean is a robust management discipline initially developed in manufacturing that is now gaining currency with a growing number of CIOs, who are implementing it within their IT organizations to reduce waste, increase agility and improve customer value. It works by focusing an enterprise, its people, processes and resources on only what customers value, systematically eliminating everything else as “waste.”

Early findings show there are two routes into Lean: Transformational Lean, which depends on a culture change for its enterprisewide impact and sustained improvement, and Focused Lean, which is shorter-term and more limited in its scope but is much quicker to implement.
————————————————————————————————————

Lean is a popular management discipline among CIOs for reducing waste, increasing agility and improving customer value, because it has been proven to work and can be implemented with very little up-front capital investment.

Lean has its roots in manufacturing, but it is now being applied in many service industries such as banking, healthcare, government, equipment rental, public transport, retail and so on.

Lean works by focusing an enterprise, its people, processes and resources on only those things valued by end customers, systematically eliminating everything else as “waste.” To do this, it applies five principles:
– Understand what your customers perceive as value and how you deliver it to them (Lean calls the chains of activities that deliver value “value streams”);
– Flow cleanly from start to finish rather than starting, stopping and restarting (for example, too many application development projects seem to suffer from this);
– Make what is pulled by customers; don’t build solutions or provide features in excess of the business requirements;
– Eliminate waste from your activities (Lean, reflecting its roots in Toyota in Japan, uses three Japanese words to characterize waste types: muda – any activity that does not add value; mura – waste caused by unevenness; and muri – waste caused by overstressing teams, individuals, plant and equipment);
– Seek continued waste elimination through continual improvement.

But Lean has its challenges. It requires robust leadership, which frequently has a personal cost to the leader. Persistent benefits and bigger payoffs require it to become an embedded way of working, which in turn relies on cultural change. As a result, Lean, as a transformation, is a massive multiyear exercise.

Early findings show there are two complementary ways into Lean for the CIO. For those CIOs committed to process improvement and with a target process identified, “Focused Lean” (an outcomes approach to Lean focused on delivering short-term performance improvements rather than lasting cultural change) is a low-risk starting point that provides short-term business value and a valid opportunity to prove Lean works in their existing culture.

For CIOs committed to the longer-term creation of a resilient organization and sustained performance improvement, Transformational Lean offers longer-term sustainable change with bigger performance gains than does Focused Lean, albeit at the cost of a longer harder implementation.

Lean also combines nicely with other business process improvement initiatives such as BPR and Six Sigma, so it can be used alongside them, providing both additional tools and a unifying approach to process improvement.

CIO CALL TO ACTION
Lean is a management discipline that offers the possibility to reduce waste, increase agility and improve customer value. The two complementary implementation approaches for Lean – Focused Lean and Transformational Lean – allow the CIO to choose the type of Lean best suited to their organization’s maturity and requirements.

BOTTOM LINE
If a CIO is looking for transformational change in their IT organization to create a low-cost, effective, agile and sustainable organization with an embedded culture of continuous improvement, then Transformational Lean offers a way in which this may be achievable.

Business Impact:
Lean is a powerful, proven and effective management approach that creates and sustains a continually improving enterprise. It is gaining currency with CIOs because it offers a way to simultaneously improve cost, quality, speed and agility.

In addition, Lean also provides a very effective platform for team building and improved inter-team communication.

Please e-mail the authors with your comments:
Andy Rowsell-Jones: Andrew.rowsell-jones@gartner.com
Richard Hunter: Richard.hunter@gartner.com
Dan Miklovic: Dan.miklovic@gartner.com

Additional Insights:
“Success With Standards,” Dave Aron and Andy Rowsell-Jones (EXP Research), May 2006

“Improving Business Processes,” John P. Roberts and Andy Rowsell-Jones (EXP Research), May 2009

“Hype Cycle for Business Process Management, 2009,” Michele Cantara (Research), 20 July 2009

“Maturity Assessment for Application Organizations: Application Portfolio Management,” Jim Duggan (Research), 13 July 2009

“Maturity Assessment for Business Process Improvement Leaders: Six Phases for Successful BPM Adoption,” Marc Kerremans (Research), 3 September 2008

“Best-in-Class Lean Manufacturing Leverages IT,” Dan Miklovic (Research), 19 March 2008

“Findings: Lean ‘Lite’ Is Not Lean,” Dan Miklovic (Research), 1 May 2009

“Findings: In Lean, Process, Not Pretty, Is Key to A3 Success,” Dan Miklovic (Research), 1 May 2009

“Q&A: Moving Lean From the Plant to the IT Organization, Part 1,” Dan Miklovic (Research), 18 November 2008

“Moving Lean From the Plant to the IT Organization, Part 2,” Dan Miklovic (Research), 7 January 2009

“Moving Lean From the Plant to the IT Organization, Part 3,” Dan Miklovic (Research), 15 April 2009

“Understand How Methodologies Evolve Into Standards to Achieve Service Excellence,” Jim Longwood (Research), 26 May 2009

“How to Apply Lean Principles to ERP/Business Application Implementation and Support,” Pat Phelan and Dan Miklovic (Research), 26 June 2009

“Using Lean Principles to Improve Multisourcing Disciplines,” Frank Ridder and Frances Karamouzis (Research), 17 July 2009

“Case Study: Denver Health Leverages ‘Lean’ for a Breakthrough in Enterprise Patient Scheduling Implementation,” Vi Shaffer (Research), 17 December 2008