Developing a Framework for Maturing IT Risk Management Capabilities

Understanding the value derived from IT investments and IT enabled operational improvements is difficult, and has been a subject of research and debate among ICT practitioners and academics for many years. This is particularly so because innovative technological developments have supported transformative changes in organizational operational activities. Research continues to investigate approaches to not only understanding the value derived by IT but also to optimizing this value. One of the key aspects of optimizing IT-driven value is the requirement to effectively manage risk. The continual evolution of the IT risk landscape requires effective Risk Management (RM) practices for all IT risk areas, such as, but not limited to security, investments, service contracts, data protection and information privacy. Effectively managing these risk areas pose specific concerns from the perspective of Chief Information Officers (CIOs) and Chief Risk Officers (CROs). Hence, significant considerations should be given to not only the processes involved in assessing, prioritizing, handling and monitoring these risks but also to ensuring the development of an appropriate risk culture and the establishment of effective RM governance structures, to support effective RM. This paper examines the maturity model/framework approach to improving an organization's IT capabilities, with specific reference to effectively managing IT-related risks, and increasing value derived over time. A new IT Risk Management maturity model is presented; this framework is part of the IT Capability Maturity Framework (IT CMF) which supports value-driven IT management practices. It was developed by the Innovation Value Institute at the National University of Ireland Maynooth, following a design science and open innovation research approach. The IT CMF, consisting of 33 Critical Capabilities, focuses on maturing key activities of the IT organization. The Risk Management Critical Capability presented in this paper enables organizations to determine their IT RM maturity and identify key recommendations in specific areas to improve maturity overtime. Thereafter the paper presents an analysis of the maturity model approach to managing risk, to improving an organization's IT capabilities, and to deriving enterprise-wide value from more mature IT practices.