Building trust in IT
For example, a company can have a policy that no user can install illegal or unlicensed software on their PC, Lee said. The IT department can also order that no PC user can have administrative rights on the network. But "these policies are hard to enforce because there are no tools to monitor compliance," he noted. Its also hard to get resources to solve a potential problem if the threats are measurable and perceived to be limited, Lee suggested. For example, if an organization faces the risk of incurring a $50 million fine if a particular IT administration system isnt implemented, Lee said. But the risk of incurring the fine will still be measured against the cost of implementing the system.For Wachovia Corp., managing risk involves carefully assessing and categorizing the potential risks to try to address the ones that have the most potential to cause problems, according to Doug Sappenfield, senior vice president of the banking giants risk management group in Charlotte, N.C. Wachovia has more than 11,000 servers running more than 20,000 databases, Sappenfield said. Assessing all the potential risks to the operation of all these IT resources is a challenging task. It became a matter of weighing inherent risks against mitigating controls to winnow the potential list down to residual risks that needed to be addressed with new policies or systems, he said. In the end, IT was left with a list of 63 items that posed acceptable risks that didnt require prompt attention, he said. Aside from carefully weighing the potential risks, Ted Knodel, vice president and senior consultant with the Robert Frances Group, said there are a number of measures that IT executives could carry out to reduce operational risks and increase corporate trust in the IT department. IT departments need to focus on the problems that are uppermost in the minds of senior corporate executives and then make sure that they know what IT has done to solve problems, reduce risks, and help the organization make and save money, he said. Knodels management mantra is "trust begets communication and communication begets trust." Without this virtuous cycle, senior management will retain the same impressions that bedevil many corporate IT departments: that projects are always late and too costly, there is never enough money for the most important projects, IT isnt aligned to the most strategic needs or IT doesnt deliver value for the money it spends, he said. Check out eWEEK.coms Enterprise Applications Center at http://enterpriseapps.eweek.com for the latest news, reviews and analysis about productivity and business solutions.
In effect, you "cant scare people into spending money" when the risks are measurable and you can assess potential tradeoffs of the cost versus the risk, he said.