Practical steps to managing IT-related risk to business performance objectives

Training Duration: 2 days

Training Delivery Method: On-site, instructor-led course


There is no prerequisite to attend this course.

What Problem Does This Training Help Solve?

Typical approaches to IT-related business risk have several weaknesses including:

  • Narrow or silo focus on a few areas (e.g., data breach), missing far larger risks to the business
  • Excessive emphasis on compliance/audit/controls over broader risk to business objectives
  • Concepts such as risk appetite, registers, residual, material/significant, emerging risk, and then “frozen” heat maps not only distract, but can mislead users away from high-priority risks.
  • Using tools designed for managing risk to financial reporting for managing risk to achieving business objectives in a dynamic world of change, complexity and fatigue
  • Using controls to manage risk rather than more efficient and effective approaches
  • Using controls without testing the control approach with the 4Cs and testing specific controls with the Controls Chain of Fitness
  • Missing opportunities for personal and professional growth through the use of the “power of the invite and flashlight”

This outcomes acceleration workshop seeks to overcome these typical weaknesses by describing how to shift from compliance-driven to performance-driven management of risk. Drawing on decades of practical, proven experience, managing risk to business performance objectives is more efficient and effective in achieving results. To simplify the process of managing risk and empower risk managers to provide more business value, the approach features the 5+2 Step Cycle for Managing Risk.

Who Should Attend?

Professionals who are responsible for:

  •  IT-wide risk management
  • An area of risk management (security, continuity, change, project, portfolio, finance) who need to connect to the “big picture”
  • Auditors who need to first understand IT-related risk management before they can effectively audit it.

As managing risk is a “team sport,” teams are encouraged to attend together.

Course Material:

  • Course handout
  • Reference Materials:

Course Syllabus:

Business leaders need to grow revenue, cash flow and jobs in a dynamic world of change, complexity and fatigue. To achieve these objectives, businesses need to be competitively differentiated. This includes managing risk to strategy process, plan and implementation – better than competitors.

In enabling business leaders to more easily achieve performance objectives, IT-related risk management function leaders are struggling to determine “what good looks like” in managing IT-related business risk (investment, program/project or operations/service delivery). Typical “steady state” programs are wasting 20-40% of their resources; those in planning stages, over 50%. Guidance from industry organizations, technology vendors, regulators and others is often difficult to implement, leaving practitioners asking, “Where do I start?” Decades of improvement initiatives of all types have failed in implementation. What lessons can be learned? How does IT risk management become better?

For leaders who want to bring clarity, and make a difference in their organizations and careers, this workshop walks through key lessons (using worldwide recent examples from Fortune 500 companies), helps build a solid foundation and reviews typical tools one by one to help practitioners determine what to stop, continue and start in order to improve.

Different from other risk management workshops, this one is designed:

  • For professionals who feel they are laboring under the burden of: control environments that seem to be adding more time and cost than improving business operations; and managing risk to compliance reporting more than managing risk to business performance.
  • Based on proven practical experience in systems analysis, gaming, operations and quality management from dynamic situations such as aviation, manufacturing or sports, rather than compliance methods originally designed for more static situations such as employee expense or accounts payable disbursement. This experience includes diagnosis of where controls missed the looming “bad thing.”
  • For advancing personal career by growing business benefit, rather than memorizing content needed for certification.
  • To align methods for managing a range of risks – IT, operational, product, fraud, strategy, economic and more – to make it far easier to manage those risks to business performance objectives. These risks are all linked through the power of the 5+2 Step Cycle for managing risk.
  • By Brian Barnier with years of experience contributing to professional practices guidance (Risk IT, COBIT, SIG, AUPs, Red Book, …); practical experience “making it work” as reflected in his books, articles, videos, podcasts and more; and personal business experience at investor, board and management levels. This workshop is based on The Operational Risk Handbook (Brian Barnier, Harriman House, Great Britain) for managing risk to performance objectives. The Handbook is uniquely designed to apply practical, proven lessons learned from across a range of industries, countries and professional disciplines.

“Core Fitness” Foundation Workshop is designed to help participants learn how to:

  • Better manage risk programs:
    • Create a program focused on business performance objectives, not just controls or compliance
    • Avoid “bolt-on” management of risk that disconnects from the business and business benefit
    • Explain dynamics of risk to business leaders and engage those leaders in managing risk to their business objectives
    • Shape business cases for improvement
    • Inform better business decisions to more easily achieve better business outcomes
  • Better manage the risk cycle
    • Scope an environment, understand the factors in an environment
    • Understand implications of capabilities in an enterprise, partners, customers and competitors
    • Identify business dependencies on IT, how IT risk typically gets disconnected from the business, and how to reconnect
    • Create life-like, realistic stories that are based on real causes in the real world
    • Spot and avoid the dangers of bias in evaluating risk
    • Identify key warning signs of unfolding situations
    • Identify roots of effective risk responses

Benefits include

  • Less:
    • Gaps and blind spots
    • Complications and cost in controls
  • More:
    • Actionable insights for risk-aware business decisions
    • Benefit to “the business”
    • Valuable career path

Learning Objectives:

Participants will gain new insight into:

  • How to best apply the 5+2 Step Cycle for managing risk to performance objectives
  • Why scenario analysis is the heart of risk management
  • Why typical techniques create blinders to risk, increasing risk; then, learn to take off the blinders to be more situationally aware and agile in response.
  • How to implement new insights more effectively through workshops that foster substantive and culture change at the same time.
  • How to use a scenario analysis workshop to save time and cost in your organization – and better understand “what if?”
  • Power of “the invite and the flashlight/torch”

Suggested Pre-work:

This workshop is intended to help you take away practical, actionable insight to apply to your daily job. Thus, to help you accelerate your personal progress, it is suggested to:

  • Review your organization’s business environment (economic, buyers, competitors, partners, suppliers, distributors, political/regulatory, technology trends)
  • Review your organization’s business objectives (financial and operational) overall and key initiatives
  • Review your organization’s business capabilities (skills, business and IT processes, technology, intellectual property)
    • Review your organization’s business dependencies on IT (IT alignment to business, business-IT investment portfolio, architecture diagrams, system diagrams, continuity dependency diagrams, application maintenance and change records (especially those used for understanding what business process will be unavailable when changes are made))
  • Review your organization design, especially to understand how IT provides support to business lines, functions and geographic regions
  • Understand how improvement-oriented management support functions such as business process improvement, quality improvement, program/project management, enterprise architecture, transformation initiatives and risk management relate to each other