Managing Expectations
Effective IT risk management requires business and IT leaders to define, communicate, understand, and make decisions about a wide range of potential issues that can have a negative impact on a business. To help facilitate communication about IT risk management, Robert Ife of Aon Corporation has a few suggestions:
- Understand the risks. "You should have a clear understanding of the risk the organization faces from not having risk management or assurance in place."
- Provide cost-effective risk management. "CIOs and IT managers should be focused on providing services on the most efficient basis, driving costs down and doing more. IT risk management has to be the same."
- Obtain buy-in thoughtfully. "It's important to go through a formal process of getting people's buy-in, comments, and understanding of the costs and the impact of implementing the controls you define."
- Mix formal and informal communications. "The way you communicate risk management issues to business leaders is important. Informally listen to their issues and concerns while implementing a formal process for defining and agreeing on policies and keeping the policies up-to-date."
- Practice adaptive listening. "You have to be adaptable and listen to business managers' issues with compliance or risk management policies. They may have valid issues."
Odds Are (cont.)
Taking the risk out of IT risk management
Business-focused risk management
As Citigroup's example shows, when your group generates billions of dollars a year in profit, IT risk management is critical. "If we have an event that affects our ability to conduct business, we need adequate backup plans and configurations in place to continue our business as seamlessly as possible," says Giesken, who is responsible for global business continuity within Citigroup's profitable Equity Division.
For Citigroup, the place to start risk management is with the business. "From a process standpoint, we start with a business impact analysis, where we work with the business to determine their requirements for the technologies and resources they would require in the event of an outage," says Giesken.
Citigroup then works through a number of potential threat scenarios (from data corruption on up through the loss of facilities or even a region) and creates sets of different configurations and their costs that will address those scenarios. "We need to be able to explain in simple language what's possible and what the costs are so our business users have an opportunity to make an informed decision as to how they want to invest based on potential risks," adds Giesken.
An often overlooked component of a solid risk management plan is adequate testing. "What I've learned in the past 15 years is that developing a test strategy and then pushing the tests to the point of failure is probably the most important part of the whole process of IT risk management," Giesken says.
Citigroup used Symantec clustering solutions as part of its overall IT risk management solution. "Clustering allows us to do a number of important things. We can reduce our spend on infrastructure, eliminate the need to support multiple environments, address our recovery time and recovery point objectives, and maintain our throughput," says Giesken. "Clustering helps us make sure our IT costs meet the service levels that we've agreed to by driving the recovery point and recovery time objectives down as close to zero as possible. We need to be able to failover immediately between machines in case we have a failure."
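The process described above, a business impact analysis per threat scenario followed by costed configurations judged against the recovery time and recovery point objectives Giesken mentions, can be written down as a small decision model. This is an added example, not Citigroup's or Symantec's code; the scenario names, configurations and dollar figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    # From the business impact analysis: longest outage (RTO) and largest
    # data loss (RPO), in hours, the business accepts for one scenario.
    scenario: str
    max_rto_hours: float
    max_rpo_hours: float

@dataclass(frozen=True)
class Configuration:
    # A priced technical option, the RTO/RPO it delivers, and the threat
    # scenarios it actually protects against.
    name: str
    annual_cost_usd: int
    rto_hours: float
    rpo_hours: float
    covers: frozenset

def select_configuration(req, options):
    """Cheapest option covering the scenario that meets both objectives; None if none does."""
    eligible = [c for c in options
                if req.scenario in c.covers
                and c.rto_hours <= req.max_rto_hours
                and c.rpo_hours <= req.max_rpo_hours]
    return min(eligible, key=lambda c: c.annual_cost_usd, default=None)

def decision_table(requirements, options):
    """Scenario -> chosen configuration (or None): the view put to the business."""
    return {r.scenario: select_configuration(r, options) for r in requirements}

def total_annual_cost(table):
    """Count each distinct chosen configuration once, even if it serves several scenarios."""
    return sum(c.annual_cost_usd for c in {c for c in table.values() if c is not None})

# Constructed sample data (hypothetical figures, not Citigroup's).
OPTIONS = [
    Configuration("offsite nightly backup", 50_000, 24.0, 24.0,
                  frozenset({"data corruption", "loss of facility", "loss of region"})),
    Configuration("point-in-time snapshots", 80_000, 2.0, 1.0, frozenset({"data corruption"})),
    Configuration("metro cluster", 400_000, 0.1, 0.0, frozenset({"loss of facility"})),
    Configuration("geo-distributed cluster", 900_000, 0.1, 0.0,
                  frozenset({"loss of facility", "loss of region"})),
]
REQUIREMENTS = [Requirement("data corruption", 4.0, 1.0),
                Requirement("loss of facility", 1.0, 0.0),
                Requirement("loss of region", 4.0, 0.0)]
```

A `None` entry in the table is the useful failure mode: it tells the business that no priced option meets the requirement they set, so either the requirement or the budget has to move. Calling `decision_table(REQUIREMENTS, OPTIONS)` with the sample data picks snapshots, the metro cluster and the geo-distributed cluster respectively.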
Instead of classical backup and recovery solutions that have been the basis for many organizations' disaster recovery and business continuity plans, Giesken wants to take Citigroup to a new level of IT and business resilience. "From a pure technology side, we're using technologies like clustering that will enable us to have multiple machines spread out geographically but which are still logically part of the same environment for processing transactions."
As excited as Giesken is about new approaches to mitigating IT risk, he stays focused on the business benefits of the solutions he's delivering and the responsibility he has. "The ultimate goal in this kind of role between business and technology is making sure we're providing the services the business wants at a price they're willing to pay."