Starting an IS risk management programme
It is important to remember that a completely risk-free IS project does not exist. IS risk management is about reducing risks, but it is never possible to entirely eliminate them.
IS risk management is not as complex as is sometimes thought. In fact, individuals are occasionally disappointed that there is not a larger collection of sophisticated tools and techniques available for implementing an IS risk management programme. It is sometimes assumed that advanced mathematics or statistics must be used to measure the probabilities of all possible events in order to understand and take control of IS project risks. This is simply not true. Much of IS risk management has to do with the application of relatively straightforward and routine management procedures which help focus attention on potential problems. By giving these potential problems adequate attention, they are either eliminated or the organisation goes some way towards minimising their impact if they do eventually occur.

Perhaps the words of Tom Peters (1997) are relevant in this respect: "Success in information management is 5% technology and 95% psychology." For IS risk management to be successful, it is essential to have several quite specific things in place. Some of these have to do with corporate culture and business attitudes, while others have to do with business practices and processes. Of these two challenges, corporate culture and business attitudes are the more difficult to work with, and it is essential to get them right if appropriate changes are to be made.