IT Risk defined - or not?

Could IT failures be limited or avoided? In plain English, risk is defined as the possibility of loss or injury (Merriam-Webster’s Online Dictionary). Managing uncertainty by predicting, preventing and responding to the unwanted and detrimental situation – failure – should therefore be the essence of IT risk management. However, there is no single formal definition of IT risk that is accepted across the IT industry.

At the time of writing this article, a Google search for IT failure returns 1,080,000,000 results. Within those results, the range of failure spans:

The number of Google results for IT failure (1,080,000,000) and IT risk (2,180,000,000) clearly indicates that the problems of IT failure and risk are not only more prevalent than one may have thought, but also more widely talked about. Even a superficial look at the list of IT failures begs the question “Is today’s IT management, and particularly IT risk management, adequate for state-of-the-art information technology?”

I would argue that many of today’s management practices routinely marketed across the IT sector do not recognize risk as an essential factor of Information Systems Development. It is deeply disturbing that the above-given examples and many, many other spectacular IT failures are not enough to address the reality of IT endeavours that are fraught with risk. For example, let’s take a closer look at the specific definitions of IT risk offered by the Risk Management frameworks used across the IT industry.

1. ‘Risk is the effect of uncertainty on objectives’ – ISO 31000 [ISO] is a generic framework for risk management applicable to all enterprises, not only IT-intensive enterprises.

2. ‘Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.’ Thus, risk is ‘the possibility that an event will occur and adversely affect the achievement of objectives.’ – This rather descriptive definition is from the COSO Enterprise Risk Management Integrated Framework [COSO].

3. ‘The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.’ – The Basel II regulations are intended for financial institutions and contain this definition of operational risk [Dowd]; that is, in that context, many IT risks are considered operational risks.

4. ‘An uncertain event or condition that, if it occurs, has a positive or negative impact on project objectives.’ – This is the PMBOK definition of project risk [PMI], which is ‘always in the future.’

And here are two definitions taken from IT frameworks:

5. ‘A possible event that could cause harm or loss, or affect the ability to achieve objectives. A risk is measured by the probability of a threat, the vulnerability of the asset to that threat, and the impact it would have if it occurred.’ – ITIL v3 [ITIL] is a framework of IT Service Management (ITSM) practices.

6. Business risk is ‘a probable situation with uncertain frequency and magnitude of loss (gain),’ and IT risk is ‘business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.’ These are definitions from the ISACA Risk IT Framework [ISACA], which was created ‘to fill the gap between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks’ and to be ‘an educational resource for chief information officers (CIOs), senior management and IT management.’

Obviously, IT risk is still open to interpretation. According to the above-given definitions, risk can be either ‘in the future’ or an ‘effect’, the latter implying that it has already happened. Risk can also be an ‘event’, a ‘probability’, a ‘situation’, or something else altogether.

Why is defining risk so important? Because it is difficult to associate metrics, measure risk, and create methods for risk management based on such slippery definitions of risk. Adoption of Cloud Computing puts yet another twist on IT risk management. What is my risk exposure if I go with cloud service provider A or cloud service provider B? None of the above-mentioned frameworks provides a foundation for benchmarking in relation to Cloud Computing. Clearly, the usefulness of these risk management frameworks should be challenged, and in future articles I will address the nature of IT risk and the usefulness of methods and frameworks for IT risk management.

In the meantime, I would love to hear from you. What is your definition of IT risk? What is the nature of IT risk and what are its unique properties?



[Asay] Asay, Matt. “The UK has wasted over $4 billion on failed IT projects since 2000”, CNET, January 4, 2008, accessed March 2012.

[COSO] The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise Risk Management – Integrated Framework, September 2004, accessed March 4, 2012.

[Dowd] Dowd, Victor. “Measurement of operational risk: the Basel Approach”, in Operational Risk, edited by Carol Alexander, Prentice Hall, 2003.

[ISO] International Organization for Standardization (ISO). ISO 31000:2009 – Risk management: Principles and Guidelines, accessed March 4, 2012.

[ITIL] IT Infrastructure Library (ITIL). ITIL Glossary and Abbreviations, 2011, accessed March 4, 2012.

[ISACA] Information Systems Audit and Control Association (ISACA). The Risk IT Framework, 2009, accessed March 4, 2012.

[King] King, Leo. “London Ambulance misses 999 calls after IT failure”, Computer World UK, accessed March 4, 2012.

[Garside] Garside, Juliette. “BlackBerry creators pay price for failing to keep up with Apple”, The Guardian, accessed March 4, 2012.

[PMI] Project Management Institute (PMI). A Guide to the Project Management Body of Knowledge (PMBOK Guide) – Fourth Edition, accessed March 4, 2012.

Rubina Polovina, PhD is a principal IT consultant who has been providing leadership on national and international multi-party initiatives in the public and private sectors. During more than 20 years in the IT industry, she has contributed to projects in Europe, North America and the Middle East. Currently, Rubina lives in Toronto, Ontario. She has been working on projects at major Canadian financial institutions and the Government of Ontario. Her research interests include enterprise architecture, knowledge management, IT management, IT project management, IT risk management, privacy protection, social networks and eHealth. Rubina’s scientific work has been both tested across various vertical industries and presented at peer-reviewed international conferences. Rubina graduated in electrical engineering in 1987 from the University of Sarajevo, Bosnia and Herzegovina, and she received her PhD in computer science and engineering in 2000 from the Czech Technical University in Prague, Czech Republic.

Comments (3)
  • Rubina - On the nature of IT risk


    Thank you for the comments.

    “I'm struggling with the following question; "Do IT projects fail because they do not manage risk adequately or do they fail because their management is based on false assumptions?"”

    My short answer to your question is “both.”

    I would consider IT Risk Management an essential factor of management of IT-intensive endeavours, so if IT risk management was based on false assumptions, then IT management is also based on false assumptions. Therefore, it is important to understand the nature of IT risk, in order to determine the right assumptions and adequately manage IT-intensive endeavours.

    For example, I would say that risk is an omnipresent factor of IT-intensive endeavours, but I don’t see that any of the definitions given in the article capture this. IT risk is so omnipresent that it cannot be separated from the fabric and substance of IT endeavours and managed as a "stand-alone" process. Right from the conception of an IT-related idea to the final keystroke of a programmer or user, the activity is fraught with uncertainty and potential for error. At this point, I would make my case that IT Risk Management is based on false assumptions; the false assumption would be that IT risk can be “divorced” from IT and managed as a “stand-alone” process by another organizational group.

    Similarly, if people ignore IT risk and don’t adequately manage IT risk, then “their management” is also inadequate.

    "The people working in the world of IT, from my experience, seem to believe that reality is governed according to the principles of determinism, universalism, reductionism, etc. Moving from these principles to those of indeterminism, contextualism and holism would surely change how we manage and deliver software."

    “What if reality is not predictable? What if there is no universal truth and way of doing things? What if a divide-and-conquer approach does work?”

    I have many colleagues who know that they have to manage IT risk all the time if they want to avoid or limit failures and losses. We are not lacking literature on these topics (for example, Capers Jones’ “The Economics of Software Quality” provides empirical evidence). We (IT people) are also very well aware of factors that are predictable and those that are not, the truth about universal truth, and we know how to break down complex projects into manageable activities. We are familiar with the principles of indeterminism, contextualism and holism, because they are in the nature of information systems, and many of us manage that way.

    Now, why do many people who work in the world of IT ignore the fundamental risks? I can only speculate on this. Is it because they find the IT industry lucrative and decided to go there although they don’t understand it? Do they have an IT background at all? Is this because their university programs were inadequate? Do they have the basic talent necessary to comprehend IT endeavours? Do they really need to lose a billion dollars before they realize that something is not working?

    Ultimately, I would say that both “not managing enough” and “managing too much” are manifestations of inadequate management.

    Again, thank you for your comments,

  • James - Poor risk management or just wrong assumptions?

    I'm struggling with the following question: "Do IT projects fail because they do not manage risk adequately or do they fail because their management is based on false assumptions?"

    The people working in the world of IT, from my experience, seem to believe that reality is governed according to the principles of determinism, universalism, reductionism, etc. What if reality is not predictable? What if there is no universal truth and way of doing things? What if a divide-and-conquer approach does work?

    Moving from these principles to those of indeterminism, contextualism and holism would surely change how we manage and deliver software.

    So what I'm trying to say is that maybe the underlying cause of IT failure is "not that we are not managing enough but rather that we are managing too much"!

  • Rubina - Link IT failure and risk

    As James suggested, IT failure should be linked with IT risk.

    Thanks James,
