One of my clients is currently undergoing a risk management exercise, pretty ordinary, albeit important stuff. List all the conceivable risks, rate their probability of occurrence, consider the impact if they occurred, and the consider the costs of mitigation. From that matrix, some sort of priority list for investment can be developed and implemented.
However, when we started considering the IT risk, we found ourselves confronted by an expanding list of considerations that seemed to grow the more we considered it. The pervasive nature of IT as it has evolved over the last 10 years has changed its risk profile in a profound way.
The boundaries between management functions have been blurred, as have the processes that drive manufacturing, procurement, customer management, and everything else where we routinely now use IT.
Even a simple IT failure is no longer isolated to the immediate functional area impacted by the loss of data, it impacts through the supply chain, and across functional areas in ways we had great difficulty predicting.
The message is simply that IT is sometimes easy to ignore, to treat as an expense, because it us so much part of the environment, but ignoring it is the worst possible outcome, instead, it should be at the front of discussions about investment (financial & human) productivity, process improvement, risk management and competitive advantage.