Blog posted by: Alison Bennett, ICT Project Manager, 01 August 2022.
Alison Bennett, ICT project manager working in the public sector, was among the first professionals to study and obtain the new Management of Risk (M_o_R 4) certification.
She offers an insight into ICT risk and the role best practice plays in managing it:
Axelos: What are some of the primary risks you need to manage in ICT projects?
Alison Bennett (AB): There are all kinds of risk, such as security, aging hardware and software, availability of staff in key projects and in wider programmes of work. The knock-on effects of these risks can mean increased costs, loss of data with the potential for fines and serious impact on organizational reputation.
Axelos: How much do you think risk management in IT has changed in recent years?
AB: Increased digitalization overall does introduce different risk profiles. So, anything that's on an IT system presents the risk of a cyber-attack.
In theory, ICT should be an easier risk to mitigate against than, for example, loss of hard copy information if a building is destroyed. Using back-ups for information versus a paper format and spreading risk across data centres reduces risk but, in an age of cyber-attacks, it's difficult to protect against everything.
When an organization moves to working in a cloud environment, it's necessary to understand the platform provider's level of control, security and accreditation.
Axelos: What do you think is important about taking a best practice approach to risk management?
AB: For me the important thing is consistency. Best practice such as M_o_R 4 helps create a common language and understanding of risk and the use of similar principles and processes.
Without a common framework, people assess risk in different ways, which can lead to flawed decision making. The lack of a robust approach to assessing risk means things get missed and resources can be misallocated.
Axelos: Overall, what did you learn from studying M_o_R 4 that you think is relevant to managing risk today?
AB: It provides a great reminder to be more robust when managing risks.
One of the biggest issues for risk is organizational culture and having a clear strategy from the top.
For that reason, I think M_o_R 4 is definitely useful throughout an organization. The typical perception is that risk management is just for the project manager, but that's not the way it should be. Everyone in an organization should be flagging risk, which helps create a robust approach to risk management by getting cultural buy-in and accountability at all levels.
Axelos: How do you think certifying in M_o_R 4 has improved your approach to risk management?
AB: I've certainly become stricter about managing risks both upwards and downwards and encouraging people to accept ownership of risk. And I'm clearer about when something needs to be escalated.