Systems thinking is the ability or skill to solve problems in a complex system. Systems thinking focuses on understanding the way subsystems and resources of a system are interrelated and identifying interdependencies of subsystems in the context of the organization. In other words, it provides a big-picture understanding of the organization and its systems.
Many organizations consider IT risk independently from enterprise risk management and try to integrate them as an afterthought. This approach creates obvious gaps in risk assessment results and, when risk materializes, the organization may experience unexpected impacts. Systems thinking may help organizations overcome this issue.
Here are some systems thinking considerations to look at when implementing enterprise risk management:
- A system is composed of parts, so vulnerabilities that introduce uncertainty can result in risk to either the system as a whole or its parts. Any change in the system’s parts may change risk status and impact risk upon other parts.
- A system is considered the sum of its parts; however, multiple systems within an enterprise may depend on each other. Therefore, even if all systems are analyzed independently for risk impact and risk likelihood, the analysis of all systems combined (risk aggregation) may indicate a different risk impact and risk likelihood on the organization due to the interdependency of systems.
- A system has a boundary, and the actors within the system have access to its resources. The risk impact is determined by the change in the status of resources (e.g., data) due to users’ actions within the system.
- A system can be nested inside another system, and the risk that exists for the nested system could have a nonlinear and unexpected impact on the system in which it is embedded.
- A system can overlap with another system.
- A system follows a life cycle. Operations and maintenance are major parts of the life cycle. Initiation and retirement of system activity can be triggered by a risk assessment.
- A system is bound within an organization’s environment and may not be located at the same location as the business function. This can result in regional and geographic factors impacting risk assessment results.
- A system receives input from and sends output to the organization and, as a result, risk can be propagated in the business environment, causing unexpected and undesired systemic impact. The system consists of processes that transform inputs into outputs and interact with other systems. Risk management can attach risk analysis to certain inputs and outputs, and it can transform system insight through risk assessment and continually ensure this process through a feedback loop.
A systems thinking approach helps to consider the entire enterprise while implementing risk management. This approach helps in understanding technology-induced risk from a business perspective through its aim at holistic organizational understanding.
Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.