Main groups of IT risks
- Project: schedule and budget overruns, vague requirements, technical debt.
- Infrastructure: server and network failures, dependence on a single provider or data centre.
- Cybersecurity: attacks, leaks, ransomware (see "An IT team does not protect the business").
- Contractor and vendor dependence: a supplier leaving, software support ending.
- Data: loss, corruption, non-compliance with protection requirements.
Risk management in Agile/Scrum
In agile teams risk management is built into the rhythm of work rather than done once a year:
- Risks are discussed at sprint planning and retrospectives.
- A lightweight risk register is kept, with owners and status.
- The most dangerous assumptions are tested with early prototypes (reducing uncertainty).
- Techniques for fast decisions under uncertainty — see the "three-scenario method".
IT risks and continuity
Even with good protection you need a plan for failure: agreed recovery objectives (RTO, the maximum tolerable downtime, and RPO, the maximum tolerable data loss expressed as a time window), backups that are regularly verified by actually restoring them, and a disaster recovery plan (DRP). This is where IT risk meets business continuity: an RPO you have never measured against your real backup schedule is a wish, not an objective.
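As an added illustration (not code from the original page), here is a small Python check that turns RTO/RPO from stated targets into something verifiable: it reads a list of backup completion times and restore-drill durations, finds every interval longer than the RPO, reports the data loss a failure right now would cause, and checks the slowest measured restore against the RTO. The backup timestamps and drill durations are constructed sample data, and the function names are this example's own.

```python
from datetime import datetime, timedelta

# Constructed sample data: completion times (UTC) of recent nightly backups,
# as a monitoring job might read them from a backup catalogue. One night's
# run was missed between 3 May and 5 May.
BACKUP_TIMES = [
    datetime(2024, 5, 1, 2, 0),
    datetime(2024, 5, 2, 2, 0),
    datetime(2024, 5, 3, 2, 0),
    datetime(2024, 5, 5, 2, 0),
    datetime(2024, 5, 6, 2, 0),
]

# Constructed sample data: how long the last few full-restore drills took.
RESTORE_DRILLS = [timedelta(hours=3), timedelta(hours=2, minutes=40), timedelta(hours=3, minutes=30)]


def rpo_violations(backup_times, rpo, now):
    """Return (start, end) pairs for every interval between consecutive
    backups, or between the last backup and `now`, that exceeds the RPO.
    An empty catalogue is itself a violation: nothing could be restored."""
    times = sorted(backup_times)
    if not times:
        return [(None, now)]
    points = times + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]


def worst_case_data_loss(backup_times, now):
    """Data that would be lost if the system failed at `now`: everything
    written since the most recent backup. None if there is no backup."""
    if not backup_times:
        return None
    return now - max(backup_times)


def rto_met(restore_durations, rto):
    """True only if every measured restore drill finished within the RTO.
    No drills means the RTO is unproven, so report it as not met."""
    if not restore_durations:
        return False
    return max(restore_durations) <= rto


def continuity_report(backup_times, restore_durations, rpo, rto, now):
    """Summarise RPO/RTO status in one dict a dashboard or alert could use."""
    return {
        "rpo_violations": rpo_violations(backup_times, rpo, now),
        "worst_case_data_loss": worst_case_data_loss(backup_times, now),
        "rto_met": rto_met(restore_durations, rto),
    }


if __name__ == "__main__":
    report = continuity_report(
        BACKUP_TIMES, RESTORE_DRILLS,
        rpo=timedelta(hours=24), rto=timedelta(hours=4),
        now=datetime(2024, 5, 6, 12, 0),
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

The useful part is that the check uses measured restore times, not the backup job's own "success" status: a backup that completes every night but takes 12 hours to restore still fails a 4-hour RTO.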
See how resilient your business really is
13 questions, 5 minutes, free — results on screen and by email.
FAQ
How is IT risk management different in Agile?
It is continuous: risks are reviewed every sprint, a lightweight register is kept and dangerous assumptions are tested with early prototypes, rather than once at the start of the project.
Are IT risks only about cybersecurity?
No. They also include failed projects, infrastructure outages, contractor dependence and data risks. Cybersecurity is an important but not the only part.