Although IT risk can have wide-ranging business consequences, few executives feel comfortable discussing it. Risk is uncertainty, and addressing IT risk seems to require making sense of complex technical issues. In reality, executive-level trade-offs around IT risk are managerial, not technical. The Four A Framework of Availability, Access, Accuracy and Agility provides a common language you and your IT managers can use to manage IT risks without getting bogged down in technical details. Then you can start to take additional steps - improving the IT foundation, installing a risk governance process and creating a risk-aware culture - to build a capability that increases the returns from your IT risk management investments.
Tools and Frameworks:
> The Four A Framework (Availability, Access, Accuracy, Agility) that executives and IT people can use to clarify trade-offs, so that every discussion converts technical issues into business ones.
> Three core disciplines of effective risk management.
Examples Cited:
Comair, a subsidiary of Delta Air Lines; Tokyo Stock Exchange; retailer TJX; CardSystems, Inc.; U.K. Inland Revenue; the electronics manufacturer Tektronix; and the financial services provider PFPC.
Research Basis:
Interviews with IT and non-IT executives in a dozen firms, followed by survey research with more than 130 firms around the world. Teaching or speaking to more than 2,000 IT and non-IT executives. In-depth discussions with more than 50 additional firms.
About the Authors:
Dr. George Westerman is a research scientist in the Center for Information Systems Research at the MIT Sloan School of Management, and faculty chair for MIT Sloan's executive education course, "IT for the Non-IT Executive."
Richard Hunter is a Group VP at global IT analyst firm Gartner Inc., where he conducts research on behalf of Gartner's CIO members.