IT Risk as a Language for Alignment

IT Risk as a Language for Alignment1,2

Q MIS
Uarterly
E xecutive

George Westerman Executive Summary

Massachusetts
Institute of Technology This article argues that the language of risk is a powerful tool for improving IT/business
(U.S.) alignment. Incorporating risk into IT management conversations helps both business
and IT executives make better decisions about how they balance the needs for strategic
change and operational resilience. Based on five years of research with IT and business
executives, we describe a hierarchical framework of four broad dimensions of IT risk
(availability, access, accuracy, and agility). The framework provides a common language
for discussing strategic and operational objectives, as well as a foundation for shared
understanding about how IT should be implemented and managed. The article provides
four guidelines for using the language of risk to improve alignment and IT value.

USING RISK LANGUAGE CAN IMPROVE IT/BUSINESS

ALIGNMENT
There is widespread agreement that communication between business leaders and
IT leaders is essential for effective alignment between IT and the business. Strong
alignment is more than just negotiating agreement about a particular set of initiatives
at a point in time. It requires the development of a shared understanding on how the
organization will use IT to operate effectively and to generate new value. Business
and IT executives continue to list alignment among their highest priorities, signaling
that there is still room for improving alignment techniques.3

Using business language to communicate about risk helps IT and business

executives develop this shared understanding. IT executives can use risk language to
communicate the business rationale for, and consequences of, different technological
and IT management techniques. Business executives can use risk language to discuss
preferences related to operational business and technical requirements using terms
they understand.

This article is based on more than five years of field research, including surveys,
interviews, and more than a dozen case studies. (For details, see the Appendix.) It also
builds on previously published concepts by the author.4 The purpose of this article is
to show how discussions about risk can be a focusing mechanism for making better
MISQE is decisions about how to invest in, manage, and use IT. Our research found a strong link
Sponsored by between mature IT risk-management capabilities and IT/business alignment. Firms
with mature risk-management capabilities also reported significantly fewer negative

1  Carol Brown is the accepting Senior Editor for this article.

2  The author would like to thank Richard Hunter, Raymond Henry, Jeanne Ross, Carol Brown, Yolande Chan,
and V. Sambamurthy for helpful comments on this article. The research was made possible by sponsors and
patrons of the MIT Sloan Center for Information Systems Research.
3  Alignment between the business and IT is the No. 1 issue in the 2008 SIM survey, the results of which are
published in this September 2009 issue of MIS Quarterly Executive (see Luftman et al.). For recent articles on
IT/business alignment challenges and solutions, see the March 2009 issue of MIS Quarterly Executive, a special
issue on this topic.
4  See in particular Westerman, G. and Hunter, R. IT Risk: Turning Business Threats Into Competitive
Advantage, Harvard Business School Press, 2007; and Westerman, G. and Barnier, B. “How Mature Is Your IT
Risk Management?,” MIT Sloan CISR Research Briefings, VIII(3c), December 2008.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 109
Westerman / IT Risk as a Language for Alignment
Figure 1: The Strategic-Change and Operational-Resilience Perspectives Have
Competing Objectives
Strategic-Change
Perspective
Accomplishing changes the
business wants to accomplish
• Changing the business to
meet current and near-term
commitments
Alignment
• “Do it right now”
• (Often) Local perspective:
“Make sure it does what I
need”
incidents, higher efficiency, and higher agility.5 But
achieving this kind of improvement requires thinking
differently about IT risks and how they link to
business objectives.
THE STRATEGIC CHANGE VS.
OPERATIONAL RESILIENCE
TENSION
Managing IT requires a balance of two different—and
sometimes conflicting—perspectives that emphasize
different sets of priorities, success criteria, and
timeframes (see Figure 1).
The strategic-change perspective focuses on using
new or existing information technology to achieve
new strategic business objectives. This perspective
examines what changes are necessary—such as adding
features to a website or strengthening integration
with business partners—and what information is
needed to enable them. It may also include launching
new products and services or transforming old
processes to produce a new benefit. The emphasis
is on functionality and information: on how IT and
related business processes must change to enable
new business gains. The focus is on getting the
job done now, for the current purpose. From the
strategic-change perspective, standards reviews or
strict development methodologies can be seen as
bureaucratic inertia if they interfere with the process
of achieving new strategic benefit.
The operational-resilience perspective focuses on
ensuring that current technologies and business
5  Westerman, G. and Barnier, B. ibid, 2008.
110 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
Operational-Resilience
Perspective
Avoiding incidents the
business wants to avoid
• Ensuring reliability and
effectiveness over the long
term
• “Do it right”
Tension • (Often) Enterprise perspective:
“Make sure it works reliably for
everyone”
processes are reliable, secure, and maintainable.
The aim is not to build functionality quickly but
rather to ensure it is very well built and robust.
This perspective examines questions such as what
technology and IT management processes will ensure
that the technologies are safe and secure, or when
the firm should upgrade old technology or improve
skills to stay ahead of threats. For new initiatives, the
operational-resilience perspective focuses on how the
new solution will integrate with existing technologies
and business processes or whether the solution is
scalable and maintainable. With this perspective,
slowing down an initiative to ensure that it is
being done safely is seen as acceptable since quick
action without necessary controls can lead to later
difficulties.
There is often tension between these two perspectives.
The strategic-change perspective is about making a
specific change, at this time, to deliver specific returns
in specific new ways. The operational-resilience
perspective is about spending resources and effort
to keep doing what the company is already doing.
It is also about how a decision in one part of the
company, or in a project, can affect the resilience of
many parts of the company. Many organizations make
decisions predominantly from one or the other of these
perspectives without managers fully recognizing the
implications of their decisions, or even that a bias
exists in their decision making.
While it’s tempting to attribute the strategic-
change perspective to business executives and the
operational-resiliency perspective to IT executives,
our research shows that both groups operate from
both perspectives. But they have different priorities.
Consider, for example, the requirement for projects to
© 2009 University of Minnesota
 IT Risk as a Language for Alignment

undergo security and architecture-compliance reviews,
to be built on standardized components, to follow
standard methodologies, or to conduct extra testing for
critical functionality. Resilience-focused executives
may see such rules as necessary to ensure resilience,
even if they slow a project or reduce the amount of
customized functionality. But executives focused on
strategic change may see the rules and procedures as
bureaucratic hurdles that get in the way of change.
Tension between the two perspectives can therefore
lead to distrust. In the extreme, resilience-focused
managers can see their strategic-change focused
counterparts as impatient and domineering—wanting
to force through projects without considering the
longer-term consequences for their units or the
enterprise—while managers focused on strategic
change may see resilience-focused ones as overly
rigid naysayers. By discussing the two different
perspectives in a common language everyone can
understand, IT and business executives can adjust
their requirements to resolve conflicts. As shared
understanding develops, they may identify new
approaches that better balance both perspectives from
the start.
The VSI story shown in the box provides an example
of how focusing on risk helped a senior management
team to resolve conflicting perspectives when making
a new IT investment decision. The story highlights
that the difficulty of balancing the strategic-change
and operational-resilience perspectives stems
from more than just differing roles, incentives,
and information. The differences between the two
perspectives also stem from different beliefs about
the drivers of IT value. Resolving the dilemma is not
about choosing which perspective is correct. Rather,
it is about making choices or identifying new options
that best match the firm’s preferred weighting of
operational-resilience and strategic-change priorities.
Even after deciding that the strategic-change
perspective should outweigh the resilience one, VSI
executives chose to spend additional money to reduce
resiliency risks. Unfortunately, many managers
find it relatively easy to shortchange the resilience
perspective in the face of higher-priority strategic-
change requirements. To them, focusing on resilience
is like spending money on an insurance policy or on
preventive maintenance—something people may cut
back if money is short.
This is why the language of risk can help to bridge the
two perspectives.

Using Risk Management to Resolve Conflicts Between the Strategic-Change and Operational-Resilience
Perspectives

VSI (a pseudonym) is a virtual firm offering high-quality medical transcription services to hospitals through
a network of thousands of part-time home-based transcribers. After six years’ growth, the firm was straining
the limits of its systems. The CIO proposed two replacement options, one based on highly secure and reliable
private lines, remote access servers, and proprietary technologies, the other on Internet-based technologies that
could not be “hardened” as effectively against outages or security incidents. The CIO favored the hardened
option; the CFO and CEO favored the Internet one. As debates ensued, the CIO began to silently question the
senior team’s commitment to patient privacy, while the CFO and CEO began to question the CIO’s commitment
to the success of the firm.

After several rounds of unsatisfying back-and-forth discussions, the management team realized that the
disagreement was really about different appetites for risk. The CIO believed the company should have
zero tolerance for resilience issues such as process outages and privacy violations. The CFO’s and CEO’s
preferences were weighted much more heavily toward leveraging strategic opportunities, such as adding
offshore transcribers or making it easier to link new clients into the company’s systems.

Once members of the senior team saw that the technical decision was really a business decision about which
risks mattered most, they reached consensus quickly. Maintaining VSI’s capacity to grow was their top business
priority, with resilience close behind. They agreed that the Internet approach addressed current and foreseeable
strategic-change risks better than the proprietary approach. Resiliency protections did not need to be perfect but
did need to match or exceed those of the firm’s clients. The management team funded an Internet solution but
also allocated significant resources to improve resiliency beyond that provided by a generic Internet solution.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 111
Westerman / IT Risk as a Language for Alignment
RISK AS A UNIFYING LANGUAGE
Traditionally, enterprises have often managed risks
in silos (security, regulatory compliance, business
continuity, project delivery, etc.), but this is beginning
to change. Regulations such as Sarbanes-Oxley, as
well as recent economic conditions, have helped some
firms to think more broadly about some of their risks.
Our focus in this article is on discussing risk as a
means of improving IT/business alignment. We
define IT risk as the likelihood and potential impact
of an unplanned IT event compromising one or more
business objectives. Like preventive maintenance or
insurance, objectives from the operational-resilience
perspective often focus on avoiding or mitigating risk
rather than earning additional financial return. And,
like investments in safety, relatively minor changes
in the environment or behavior can often deliver big
benefits in risk reduction.
By asking questions about business risk, IT executives
can help their business counterparts develop a fuller
understanding of the need for many of IT’s rules and
management techniques. By listening to the answers,
IT executives can develop a better understanding
of when IT management rules need to be relaxed or
changed to meet the needs of the business.
A risk-aware approach uses concepts of IT risk to
bridge the strategic-change and operational-resilience
perspectives. What are the strategic-change risks of
using standard software rather than a customized
application? How does that relate to the resiliency
risks arising from using nonstandard technologies and
from additional complexity? From each perspective,
what is the maximum level of risk that can be
tolerated? A risk-based approach can also highlight
how small issues, such as project delays or minor
service outages, can be indicators of much larger risks
that have not yet been discovered.
Our interviews with IT and business executives
identified 110 unique risks, ranging from viruses and
hackers to regulatory compliance to skills shortages
or vendor issues, as well as many different ways of
reducing those risks. This sheer volume of risk issues
and potential management techniques can prevent
IT and business decision makers from coming to
a common understanding. However, our analysis
revealed that the complexity of discussing IT risk can
be significantly reduced by focusing on enterprise
risks associated with four business objectives—
112 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
availability, access, accuracy, and agility, which we
refer to as “the Four A’s” (See Figure 2).6
Availability: Keeping business processes running and
recovering quickly from interruptions. IT and business
people can discuss what constitutes an acceptable
or unacceptable level of downtime for any business
process and what the company is doing to meet those
requirements. For example, the senior executive
team of Celanese decided that, instead of recovering
in 15 minutes from a failure in a key process, it
was acceptable to recover in 12 hours. They made a
business decision that the annual cost savings were
well worth the additional cost if a failure were to
occur.
Access: Providing the right people with access to
the information and applications they need while
preventing the wrong people from gaining access.
For example, a consulting firm, after losing multiple
proposals to the same competitor, found that an ex-
employee still had access to the company’s intranet.
Access risks also include noncompliance with laws
such as HIPAA in the U.S. or privacy legislation in
Europe.
Accuracy: Ensuring that information provided
to management, staff, customers, suppliers, and
regulators is timely, complete, and correct. Accuracy
risks include not only regulatory compliance
requirements such as Sarbanes-Oxley, but also the
risks of fragmented customer data or poor quality
inventory data.7
Agility: Adapting to new business requirements with
appropriate speed and cost. For example, Tektronix
could not divest one of its divisions because its
systems were too intertwined with those of the rest
of the company.8 Other agility issues include failed
projects or business dissatisfaction arising from
projects that always seem to take too long.
The Four A’s framework provides a robust set of
dimensions through which IT and business executives
can develop shared understanding of the strategic-
6  Note that these risk areas focus on operational risks to the
enterprise, not on risks to the achievement of a project. While better
operational risk management can eventually reduce some project
risk, and while well-defined and managed projects can start to reduce
operational risks, the concepts of operational and project risk are
distinct.
7  See, for example, DeHoratius, N. and Raman, A. “Inventory Record
Inaccuracy: An Empirical Analysis,” Management Science (54:4),
2008, pp. 627-641.
8  Westerman, G., Cotteleer, M., Austin, R., and Nolan, R. “Tektronix,
Inc: Global ERP Implementation,” Harvard Business School case
9-699-043, 1999.
© 2009 University of Minnesota
 IT Risk as a Language for Alignment

Figure 2: The Four A’s Framework For Managing IT Risks9

AGILITY
Adapting with appropriate
speed and cost

ACCURACY
Ensuring information is timely,
complete and correct

ACCESS
 Network not reliable

Providing information to to
theallright
locations
people
 Lack of internal controls
(and not the wrong ones)
in applications

AVAILABILITY
Keeping business processes running and
recovering quickly from interruptions

change and operational-resilience perspectives.
Discussing availability and access risks can help
strategic-change focused managers identify when
to adjust their requirements in favor of greater
resilience. Discussing accuracy and agility risks can
help resilience-focused managers understand when
to modify their requirements to facilitate strategic
change. Moreover, discussing all four risks may lead
to alternatives that better balance the two perspectives,
such as the solution VSI’s executives identified.9
IT executives are often skilled at identifying and
managing sources of risk but may need to rely on
business executives to determine whether to accept
certain risks in order to secure a new market, enable
rapid growth, or diversify an offering. Alternatively,
if the business case for an architecture, portfolio
management, or security initiative does not have
a strong ROI, IT executives can use the Four A’s
framework as a common language to demonstrate how
the initiative can reduce one or more of the four risks.

The Four A’s framework enables informed discussion
about risk without requiring a deep knowledge of
technology or IT management procedures. In contrast,
the traditional IT risk categories used by many firms—
such as security, business continuity, regulatory
compliance, HR, and vendor risks—have considerable
overlap and can require context-specific knowledge
that not all people share.
Discussion of the Four A’s puts business executives on
familiar ground because it takes a business view of IT
risk. They know how to compare an hour of downtime
on the factory floor with an hour of downtime in HR,
or the value of easier data access against potential
losses from leaks. They understand how fragmented
or inaccurate data increases the difficulty of decision
making, destroys supply-chain efficiencies, and raises
regulatory threats. And they know better than anyone
the costs of a delay in a major strategic-change
initiative.
Other examples of where discussions about risk
helped IT/business alignment include:
• When examining availability risk, a financial
services company identified that a critical
application was supported by a two-person
consulting firm. It was highly likely those two
people would be unavailable if the application
failed, leaving the business unit without a core
transaction process.
• As mentioned earlier, the senior executive
team at Celanese opted for higher availability
risk from its vendor (increasing the potential
impact of an outage from 15 minutes of
downtime to 12 hours) in return for lower
costs.
• Tektronix’s senior team chose to implement
a $55 million ERP system to address
potentially debilitating agility risks. After its
IT transformation, Tektronix gained the ability
to buy and sell businesses as needed, together

9  Westerman, G. and Hunter, R., op. cit., 2007.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 113
Westerman / IT Risk as a Language for Alignment
with significant improvements in accuracy and
business efficiency.10
On the other hand, senior management at ComAir
repeatedly chose not to invest in upgrading an aging
crew-scheduling system. Unfortunately it also did not
have an effective business-continuity plan. The system
failed for four days during the holiday season of 2004,
causing millions of dollars in losses and leading to the
resignation of the company’s president.11
Risk-management priorities can also change over
time. For example, an automotive components
manufacturer managed agility risk by choosing not
to integrate the ERP systems of the many companies
it acquired. This allowed the company to bring
acquisitions up to speed quickly and to divest them
just as quickly. Globally, accuracy risk was initially
limited because the firm’s manual processes seemed
to meet management’s needs. However, accuracy
risks arising from new corporate governance
regulations and new demands from global customers
caused the company to implement tighter data
integration. The company eventually changed its
agility approach and started to convert acquired
companies to a standard ERP system at acquisition
Figure 3: IT and Line-of-Business Executives’ Perceptions of the Four A’s
Agility: Being able to change with
acceptable speed and cost
Accuracy: Providing timely, complete,
and accurate information to all relevant
stakeholders
Access: Ensuring the right people
have access to appropriate information
and the wrong people do not
Availability: Keeping existing processes
running and recovering from interruptions
Percentages of IT and LOB executives rating the risk as 6 or 7 to the question “How important is each of the following
to the successful execution of your most important business process?” on a 7-point scale (1 = not at all important, 7 =
extremely important). Percentages in squares represent statistically significant differences between LOB and IT executives’
responses.
10  Westerman, G., Cotteleer, M., Austin, R., and Nolan, R., op. cit.,
1999.
11  Westerman, G. and Hunter, R., op. cit., 2007.
114 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
time. The extra up-front integration effort provided
benefits for availability, access and accuracy risks,
and provided a new form of agility (the ability to
make global changes) while not significantly reducing
agility to sell the businesses later.
Discussing the Four A’s is essential for alignment
because IT and business executives can differ in
their perceptions of the importance of each risk.
Figure 3 shows our global survey findings on how
100 IT executives and 158 line-of-business (LOB)
business executives viewed the importance they
attach to the Four As for their most important business
processes. Both LOB and IT executives placed similar
importance on availability and access risks. However,
LOB executives placed statistically significantly more
importance on accuracy and agility risks than IT
executives did.
Discussing the Four A’s helps IT and business
executives reach a shared understanding on which
risks matter most. It can also surface differences
about how well each group believes the risks are
being managed. But more is needed. Understanding
differences of opinion on agility and access risks, for
example, can still lead to conflict if the approaches
40%
53%
64%
84%
64% 85%
80%
85% IT
82% LOB
© 2009 University of Minnesota
 IT Risk as a Language for Alignment

to resolving the two types of risk conflict. In the next to the risk factors of the other three areas plus IT/
section, we explain how the hierarchy implicit in the business relationships and project delivery capability.
framework highlights strong complementarities in the
approaches to managing the four risk areas. In other words, the risks form a hierarchy, with
availability as the “easiest” and agility as the
“toughest.” The hierarchy can be used as the basis
USING THE IT RISK HIERARCHY for a discussion of how long-term agility risks arise
TO BALANCE CHANGE/ from making short-term decisions that increase other
risk factors. It can also highlight how the choice to
RESILIENCE TRADEOFFS create additional architectural complexity can increase
risks for all four A’s and how additional effort today
Although the Four A’s can be considered as separate
can avoid many risks in the future. For example,
dimensions in a tradeoff, they share many risk factors.
a decision to use a nonstandard technology or to
Addressing a single risk factor can reduce all four risk
duplicate and customize an application for a small part
areas now, while facilitating further improvements in
of the company may make sense in the context of a
the future. 12
particular project but could increase all four risk areas
Figure 4 shows the risk factors associated with the for the company.
Four A’s identified in a survey of 134 CIOs. The
For example, when a running shoe company
vertical arrows signify that a risk factor in any tier
entered the apparel market, it decided the easiest
is statistically significantly associated with the
approach was to create a duplicate version of its shoe
extent of risk in that tier and tiers above it. Factors
applications and customize them for apparel. The
associated with availability risk, most notably
decision made some business sense when apparel was
design, management, and knowledge issues in the
a new and small part of the company, even though the
technology infrastructure, are also associated with
two different business lines had many similarities in
the higher-level access, accuracy, and agility risks.
the way they worked with suppliers and retail stores.
Access risk is driven not only by the availability risk
But, as the systems evolved differently over time, this
factors, but also by issues associated with application
decision led to large risks to access, accuracy, and
and network design. Accuracy risks arise from the
agility. It became difficult to integrate information
same factors but additionally from factors associated
globally for a single retailer, and many global changes
with the way information is generated or integrated.
had to be applied to the two systems separately.
Agility risk is the most complex because it is related

Figure 4: The IT Risk Hierarchy Highlights Interdependencies Among the Four Risks12

• Poor IT/business relations AGILITY

• Projects failing to meet budget/schedule

 Applications do not meet business requirements

 Manual data integration required ACCURACY
 Significant implementation underway or
recently completed

 Data not compartmentalized Network not

 Network notreliable
reliable
 Applications need to all
to all locations
locations ACCESS
standardization Lack of
 Lack ofinternal
internalcontrols
controls
in applications
in applications
 High IT staff turnover  Poorly understood processes
 Infrastructure not standardized and applications AVAILABILITY
 Ineffective patch/upgrade management  Missing skills for new initiatives
 Old technology  Regulators would find
 Poor backup/recovery deficiencies

Analysis of 134 CIO surveys shows that each risk factor for a given enterprise IT risk (level of the pyramid) is statistically significantly correlated
with the extent not only of that risk, but also of risks above it in the pyramid.

12  Westerman, G. and Hunter, R., op. cit., 2007.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 115
Westerman / IT Risk as a Language for Alignment
The hierarchy suggests that an approach to improving
all four risk areas (and thus starting to reduce the
tension between the strategic-change and operational-
resilience perspectives) is to work from the bottom up.
First focus on infrastructure and related risk factors
for availability, since these risk factors also impact the
other three risk areas. Next, focus on the additional
applications and IT process factors related to access
and accuracy risks. Finally, tackle the relationship and
project management issues that are unique to agility
risks.
The disadvantage of this approach is that it can take
longer to fully address the accuracy and agility factors
that line-of-business executives consider much more
important than IT executives do. The advantage is that
it is a lower-risk approach than transforming IT all at
once. IT executives have the expertise and authority
to exert a strong influence on risk factors at the
bottom of the pyramid, such as staffing, infrastructure
management, and knowledge of the links between
technologies and business processes. These risk
factors can often be addressed without changing
business processes, whereas risk factors at the top
of the pyramid require more systemic change across
business processes and management methods.
Many firms have tried to address availability and
access risks without fully addressing the risk factors
in those levels of the Four As hierarchy. They have
typically “bolted on” protections rather than resolved
the root causes of these risks. This approach can
provide adequate protection against availability
and access incidents but does not resolve ongoing
accuracy and agility risks. Making cost-effective and
sustainable improvements in accuracy and agility
will ultimately require reworking complexity and
management issues starting at the base of the pyramid.
The case described in the next section illustrates
the danger of ongoing misalignment between
the strategic-change and operational-resilience
perspectives. It shows how one CIO used risk
language to improve shared understanding between
the business and IT and to make the case for
transforming the company’s IT infrastructure and
applications.
116 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
IMPLEMENTING RISK AWARE
ALIGNMENT AT PFPC13
PFPC provides processing services such as fund
accounting and transfer agency to other firms in the
financial services industry. The firm grew rapidly
in the 1990s through independent activity in 11
lines of business as well as through several mergers.
During its growth period, PFPC over-emphasized
the strategic-change perspective, introducing new
functionality as quickly as possible while under-
emphasizing reliance-related standards and controls.
The resulting IT architecture was highly complex,
difficult to maintain, and difficult to change. As one
senior IT manager said,
“In the late 90s, accounts were growing
exponentially … We had no time to look
internally at rationalization or architecture. We
grew our customer base through acquisition.
We’d do the barebones, integrate the general
ledger, make sure the networks could talk to
each other, and then move on to the next thing
… In 2000 and beyond, market growth slowed
down. All of a sudden, we’re not acquiring,
we’re protecting current accounts. That’s
when we saw all these legacy problems, the
problems of yesterday that we’re dealing with
today.”
In the early 2000s, PFPC’s executive team refocused
its strategy. Instead of independent innovation and
growth in each division, the company would now
focus on organization-wide cross-selling, customer
service, and globalization. It would also develop a
single view of the customer and allow customers
access to the firm’s systems through a portal. At
the same time, the regulatory environment changed
dramatically. PFPC was audited frequently to validate
that the information in its fragmented, error-prone IT
systems met not only the requirements of the firm’s
own regulators, but those of its customers and their
regulators.
By 2002, the company faced large risks in all areas of
the Four As framework.
• Availability: Financial regulators considered
PFPC’s services to be market-critical, but the
firm’s backup facility was so close to its data
center that a single incident could affect both.
13  Westerman, G. and Walpole, R. “PFPC: Building an IT Risk
Management Competency,” MIT CISR Working Paper #348, March
2005.
© 2009 University of Minnesota

Complex interdependencies between systems
increased the difficulty of recovery in the
event of failure. Many critical systems were
supported only by vendors—sometimes one-
or two-person firms—and PFPC had no formal
vendor management program.
• Access: With different lines of business
following different practices and using
different vendors, it was difficult to ensure that
security controls were adequate. In addition,
as PFPC extended its systems to customers,
managing customer access introduced new
risks.
• Accuracy: Regulations such as Sarbanes-
Oxley created new accuracy risks in the
firm’s business processes for internal financial
management and customer fund accounting.
Meanwhile, the new globalization and cross-
selling strategy raised accuracy risks related to
a single view of the customer and managing
multiple currencies.
• Agility: PFPC was finding it difficult to keep
its fragmented legacy environment up to date
with competitive and regulatory changes.
Differing vendors and application development
methods across the 11 businesses made
it difficult to guarantee consistent project
delivery. The firm also lacked some skills
needed to modify existing systems and build
new ones.
Some issues applied to multiple levels of the
Four A’s framework. Vendor-management issues
led to availability and access risks but also had
implications for accuracy (when vendors used their
own methodologies) and agility (as knowledge
was fragmented across vendors). Frequent audits
highlighted risks in availability, access, and accuracy
while responding to audit findings diverted resources
away from strategic changes.
PFPC’s fragmented IT assets and IT management
processes forced IT staff to spend most of their time
on resilience—keeping systems running safely and
securely—while line-of-business heads and regulators
continued to demand strategic change to respond to
new regulatory and market requirements. According to
PFPC’s IT leaders, the situation was not sustainable.
They concluded they could only balance the needs for
resilience and strategic change by transforming the
firm’s legacy infrastructure, business processes, and
IT management processes. On the other hand, line-
of-business heads did not see a significant financial
© 2009 University of Minnesota
IT Risk as a Language for Alignment
return in transforming IT, and they saw great risk of
disturbing customer relationships during the transition.
The CIO used the language of risk to make the case
for his transformation plan. When he called attention
to the resilience risks inherent in the current legacy
infrastructure, the amount of effort required to
manage those risks, and the detrimental effects of
fragmentation on agility, IT and business leaders
were able to come to a shared understanding. Line-
of-business heads became willing to give up some
local autonomy to advance the goal of a streamlined,
well-integrated and well-maintained platform. Projects
were required to undergo new review processes,
use standard methods, and choose from a reduced
set of preferred vendors. If a project appeared to
have a strong ROI but did not align with standards,
it underwent extra scrutiny from IT architects and
internal auditors as well as senior management. Yet
some IT investments that had unclear ROI could be
approved for risk-reduction reasons.
After 24 months, PFPC saw solid benefits from
incorporating risk into alignment discussions. There
was a measurable reduction in IT-related audit issues,
the number of active risks dropped, and the firm
received good ratings on its first-ever IT-specific
Federal Reserve audit. Even as PFPC reduced risks,
it was able to reduce IT costs and add functionality.
It also achieved a better balance between strategic
change and resilience. The share of the IT budget
allocated to new development (as opposed to
maintenance) increased so that the firm could spend
more on new functionality. Ensuring that all projects
went through risk reviews reduced the amount
of rework, yielding more benefit from the firm’s
strategic-change investments. The new functionality—
justified through using the language of risk—
improved service to customers, and PFPC even began
to use its risk-management capabilities as a sales tool
for new customers.
GUIDELINES FOR IMPROVING
IT/BUSINESS ALIGNMENT
THROUGH THE LANGUAGE OF
RISK
IT leaders can use the Four A’s framework presented
in this article as a common language for improving IT/
business alignment (see Figure 5).
MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 117
Westerman / IT Risk as a Language for Alignment
Figure 5: Risk as a Common Language for IT/Business Alignment
Strategic-Change
Perspective
Accomplishing changes the
business wants to accomplish
• Changing the business to
meet current and near-term
commitments
• “Do it right now”
• (Often) Local perspective:
“Make sure it does what I
need”
1. Discuss the Four A’s with Business
Counterparts
IT leaders should discuss the Four A’s in one-on-one
meetings with key business executives to develop a
shared understanding about the strategic-change and
operational-resiliency perspectives for new initiatives
and ongoing operations. Discussing the Four A’s for
a new initiative makes clearer the tradeoffs between
the two perspectives and also highlights how the
initiative may affect ongoing risks to the enterprise.
Discussing the Four A’s for ongoing execution of key
business processes can help IT and business managers
to develop a shared understanding of their strategic-
change and operational-resilience perspectives as well
as the conditions that can cause or resolve conflicts.
As they develop a shared understanding, they can
identify policies, processes, and strategies to improve
their IT-enabled business processes from the bottom of
the pyramid upward.
IT leaders should ask business executives how
important each of the Four A’s is for their key
business processes and how effectively the company
is managing each of the four areas of risk. They
should use the conversations to test their assumptions
and learn more about current business drivers. The
discussion can also be an opportunity to gently
educate business executives about the IT architecture
vision, the drivers of resilience problems, and the role
that IT’s rules and standards play in the process of
managing IT.
By identifying disconnections or contradictions
between executives, IT executives can help to resolve
disagreements. They can show how tiered levels
of service (at different levels of cost) may provide
the right level of service to the right people at lower
cost. The discussions can also help make the business
118 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
Operational-Resilience
Perspective
Avoiding incidents the
business wants to avoid
• Ensuring reliability and
effectiveness over the long
term
• “Do it right”
• (Often) Enterprise perspective:
“Make sure it works reliably for
everyone”
case for incremental improvements—or larger
transformations—to the firm’s IT assets and business
processes.
Revisit the discussions periodically, especially as the
firm’s strategies or external conditions change. In
addition, take advantage of “teachable moments” such
as discussions on integrating an acquired firm, buying
nonstandard software or mobile phones, or getting
exceptions to policy. IT (and sometimes business)
executives can use these moments as opportunities
to discuss the risk tradeoffs at hand and to improve
shared understanding.
An important element of shared understanding is an
awareness of the risks created by IT infrastructure
and applications complexity. Each policy exception,
nonstandard technology, or methodology shortcut
can create new risks in all four areas, making it more
difficult both to maintain resilience and to introduce
new strategic changes. Complex IT environments
have a large variety of components that have to be
understood and more nonstandard interdependencies
between components. Systems in such environments
have more failure points and recovery is more
difficult. The systems are also more difficult to
change. Every change affects components in complex
ways, some changes must be done multiple times,
and testing is complicated. Discussing the Four A’s
with business executives can help them to understand
the risks of complexity and the need for policies and
standards that constrain the growth of complexity.
2. Extend Resilience-Focused Activities
to Improve Alignment
Activities such as business-continuity planning, IT
service management, and even IT audit can not only
identify issues and improve resilience, but also help
© 2009 University of Minnesota

to improve alignment. Business-continuity planning,
for example, not only identifies procedures and
mitigation techniques related to availability—the
bottom of the risk hierarchy—but also starts to build
shared understanding. For example, when business
executives are asked how much resilience they need
in their business processes, many will initially say it
needs to be perfect. Yet, when presented with the costs
and asked to risk-rank their processes across multiple
business units, they develop a more differentiated
view of how important each one really is and what
type of protection it needs.
Business-continuity planning can also be a useful
way for IT executives to help business executives
understand their part in managing IT-enabled
business processes. When the CIO of a Massachusetts
insurance company was finding it difficult to
engage business executives in business-continuity
planning, he staged a high-profile demonstration of
IT’s disaster-recovery capability. Then, he turned to
the business executives and said, “The systems are
running again, but headquarters is gone. What are
your people going to do next?” This made the point
very clearly that managing business process resiliency
was about more than just managing technology.
IT audit is another example. CIOs who are relatively
new to their positions can use IT audit to improve
alignment. Audits can highlight issues in controls,
infrastructure management, and complexity as a
result of past management practices. By identifying
these issues proactively, IT leaders can make the case
to implement changes before the issues gain higher
profile in regulatory audits.
Service management activities can also be extended
to improve alignment. IT executives should track
incidents such as outages, intrusions, reconciliation
errors, failed batch jobs, failed projects, or help desk
calls. Showing the frequency and impact of incidents
can be a good way to make the case for change.
Furthermore, showing downward trends on incidents,
and the costs avoided through risk management, can
demonstrate that IT is being well managed.
Extending the role of resilience activities to improve
alignment may require changing the mindsets of
IT staff. IT leaders should work with security,
architecture, and regulatory compliance staff to
ensure they are enabling agility as well as preventing
© 2009 University of Minnesota
IT Risk as a Language for Alignment
incidents. IT staff may already embrace this dual
view of their IT risk-management activities but
may be hampered by responsibilities, incentives, or
governance processes that reward restrictive rather
than enabling activities. An IT security specialist
who will be severely penalized for a security incident
will naturally give more emphasis to protection than
strategic change.
IT leaders should work with their specialists to
identify creative approaches to enabling agile security
or flexible compliance capabilities. These approaches
may include changing the review procedures, carrying
them out earlier or more frequently, or possibly
engaging in awareness activities for project managers,
architects, and business sponsors.
3. Embed Risk Management into All IT
Management Processes
IT leaders should integrate risk management
more tightly into other IT management processes
so it becomes a natural way of doing business.
For example, project methodologies have often
focused on delivery risks but under-emphasized
potential operational risks from implementing a new
application. Security and architecture reviews have
traditionally been carried out from a compliance-
based viewpoint—avoiding risks—rather than a
risk-based viewpoint of managing all areas of the
Four A’s framework (including agility). Application
development techniques such as agile development
or “Scrum”14 should be tuned to balance the Four
A’s appropriately. Ensuring that all four risk areas
are considered when funding and executing projects
makes projects more risk-aligned, improves business
executives’ awareness of what creates risk, and
generates information to manage any incremental
operational risk created by exceptions.
But don’t stop with project management. Consider
changing HR processes as well. For example, add risk
awareness training to the onboarding process for new
employees or to the process for giving employees a
new computer. Similarly, IT should be informed the
minute the firm becomes aware that an employee will
be leaving, so that access can be disabled at the right
time.
Infrastructure management activities provide another
opportunity to build risk management into IT
processes. For example, change management activities
14  For a description of Scrum, see http://en.m.wikipedia.org/wiki/
Scrum_(development).
MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 119
Westerman / IT Risk as a Language for Alignment
in the ITIL framework15 can be extended to ensure
the right attention to agility risk as well as availability
and access risks. Configuration management and other
processes can be integrated with project management
methods to reduce the potential for risks arising
from unexecuted tasks or incomplete information.
Furthermore, many of the metrics gathered by IT
service management processes can serve as key risk
indicators.
4. Create a Risk-as-Opportunity Culture
Risk-enabling alignment does not just mean changing
management processes. It also involves changing
culture. The shared understanding being built between
IT and business executives must also be extended to
all IT staff.
To help achieve the culture change throughout IT, IT
executives should emphasize that risk management
is an opportunity, not just an obligation. When
seen as a chore, risk management is just a cost of
doing business—in essence, an insurance cost to
mitigate the effects of negative incidents. This cost
makes the company somewhat safer but sometimes
at the expense of new opportunities. More and
more companies are using risk management as an
opportunity to improve their businesses. When
investigating risk issues, they can identify new
opportunities to streamline processes, better integrate
data, or link more closely to customers and suppliers.
PFPC started using its IT risk management
capabilities to make the company more attractive to
customers. Many companies now audit their service
providers, and providers that can show greater risk-
management capabilities have an advantage. Other
companies can, like Tektronix, use accuracy and
agility improvements originally justified through the
language of risk to out-compete other firms in the
ways they launch products or serve customers.
CONCLUSION
For too long, IT and business executives have
struggled to improve IT/business alignment. The
language of risk provides a new approach. The Four
A’s framework can serve as a common language
through which IT and business executives develop
a shared understanding of the strategic-change and
operational-resilience perspectives. By incorporating
15  ITIL® is the most widely accepted approach to IT service
management. It provides a cohesive set of best practices, drawn from
the public and private sectors internationally.
120 MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009
risk considerations into all IT processes and decisions,
both IT and business leaders make better decisions
about how they design and manage their IT-enabled
business processes. They can adjust strategic-change
initiatives to improve resilience, place proper priority
on improving IT assets, and develop IT management
rules that are better aligned with business objectives.
Companies that are more mature at IT risk
management report stronger business alignment and
fewer incidents, and also have more efficient and
agile IT.16 They don’t just manage IT risk better; they
manage IT better.
APPENDIX: ABOUT THE
RESEARCH
This article is based on more than five years of
research into the concept of IT risk management. Key
studies included:
• Interviews with 49 IT and business executives
in 11 companies to understand the nature of IT
risk.
• An exploratory survey of 134 CIOs to
understand linkages between risk factors, risk
management methods, and the extent of risk in
all areas of the Four A’s framework.
• A global survey of 100 IT and 158 business
executives in 258 companies to understand
differing preferences and to statistically test
associations between IT risk management
maturity and various IT outcomes.
• Case studies of more than a dozen firms,
including Motorola, PFPC, Steelcase, Disney,
Dell Computer, Sun Microsystems, and
Celanese.
The Four A’s framework was originally developed
in working papers and teaching at the MIT Sloan
Center for Information Systems Research (CISR).
It is described in the book IT Risk: Turning Business
Threats Into Competitive Advantage (See Footnote 4),
which was named a Best Book of 2007 by CIO Insight
magazine. This book also describes how to build a
mature IT risk-management capability based on three
core disciplines: a well-managed IT foundation, a risk
governance process, and a risk-aware culture.
16  Westerman, G. and Barnier, B., op. cit., 2008.
© 2009 University of Minnesota
 IT Risk as a Language for Alignment

ABOUT THE AUTHOR

George Westerman
George Westerman (georgew@mit.edu) is a Research
Scientist at the MIT Sloan Center for Information
Systems Research (CISR) and faculty chair for
the course “IT for the Non-IT Executive.” His
research and teaching examine executive-level
management challenges at the interface between
information technology and business units, such as
risk management, innovation, and IT leadership. He is
co-author (with Richard Hunter) of the book IT Risk:
Turning Business Threats Into Competitive Advantage
(Harvard Business School Press, August 2007) as well
as academic and managerial papers on innovation and
IT management. His new book, The Real Business of
IT: How CIOs Create and Communicate Value (also
with Richard Hunter) will be published by Harvard
Business School Press in October 2009.

© 2009 University of Minnesota MIS Quarterly Executive Vol. 8 No. 3 / Sep 2009 121