Government Technology

Avoid the Five Common Dangers of IT Risk Management


Nov 6, 2009, By Raj Chaudhary and Bert G. Nuehring

Citizens and watchdog groups are clamoring for greater efficiency and transparency from government agencies, and governors expect their CIOs to find ways to improve both. Given such demands, it's natural for government CIOs to implement changes that will reduce costs while still providing their internal clients with the computing resources they need. But they also must fully assess and mitigate the risks of changing their IT environment.

As government CIOs look to make changes and improvements to their IT infrastructure, they can't overlook the need to closely manage IT risk. The following are five common pitfalls to avoid when rightsizing or revamping government IT resources in today's economic environment.

1. Taking a checklist approach to IT risk management.

In too many state and local governments, CIOs take a tactical, rather than strategic, approach to IT risk management.

Organizations can't manage IT risk effectively by going down a list of internal controls -- however comprehensive -- and checking them off as they would a weekend to-do list: clean the gutters, rake the leaves and straighten up the garage. True risk management requires a unique public sensitivity combined with a business perspective. The checklist approach to risk management ignores the critical dimension of a government's business processes and treats all risks with the same importance -- whether or not they merit it.

State and local governments should take a broad, top-down approach to IT risk management that typically comprises five steps:

  1. Document the overall environment by taking an inventory and linking major governmental processes, technologies and vendors.
  2. Define the risk factors, criteria and risk tolerance levels to be uniformly applied to the inventory in step No. 1. This ensures consistent assessment across all governmental processes. When logically grouped, the risk factors, criteria and risk tolerance levels help determine inherent risk at a device or process level.
  3. Assess each technology component, using the drivers and criteria developed in the previous two steps, to produce an objective risk ranking (high, medium or low).
  4. Define the necessary internal controls and create a corresponding framework for managing them.
  5. Put new changes and enhancements through the aforementioned steps to assess the real risk and controls before finalizing them.
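The five steps above can be made concrete as a small risk model. The following is an added example, not part of the original article and not any agency's actual framework: it builds a constructed inventory linking components to processes and vendors (step 1), applies one uniform set of risk factors and tolerance thresholds to every component (step 2), ranks each component high, medium or low (step 3), maps each risk factor to a required control (step 4), and runs a proposed change through the same scoring before it is accepted (step 5). The process criticality scale, the factor point values, the thresholds and the control mapping are all assumptions chosen for illustration. It also shows the contrast the text draws: a checklist-style score that ignores the business process gives two components the same result, while the top-down score separates them by the criticality of the process they support.

```python
from dataclasses import dataclass

# Step 1: inventory that links each technology component to the governmental
# process it supports and the vendor that supplies it. All entries are
# constructed sample data, not a real agency inventory.
@dataclass(frozen=True)
class Component:
    name: str
    process: str
    vendor: str
    internet_facing: bool
    handles_pii: bool
    patch_lag_days: int

INVENTORY = [
    Component("eligibility portal", "benefits payments", "Vendor A", True, True, 45),
    Component("agency website CMS", "public website", "Vendor B", True, False, 120),
    Component("room booking tool", "facilities scheduling", "Vendor C", True, False, 120),
]

# Business criticality of each process (assumed 1..3 scale, set once by the agency).
PROCESS_CRITICALITY = {
    "benefits payments": 3,
    "public website": 2,
    "facilities scheduling": 1,
}

# Step 2: uniform risk factors and tolerance levels, applied to every component.
# Point values and thresholds are assumptions chosen for this example.
FACTOR_POINTS = {"internet_facing": 3, "handles_pii": 3}
PATCH_LAG_BANDS = [(30, 0), (90, 1)]   # (max days, points); beyond the last band -> 2
TOLERANCE = {"high": 12, "medium": 6}  # score >= value gives that rank; otherwise "low"


def patch_lag_points(days: int) -> int:
    for max_days, points in PATCH_LAG_BANDS:
        if days <= max_days:
            return points
    return 2


def factor_points(c: Component) -> int:
    """Checklist-style score: counts exposure factors, ignores the business process."""
    pts = patch_lag_points(c.patch_lag_days)
    if c.internet_facing:
        pts += FACTOR_POINTS["internet_facing"]
    if c.handles_pii:
        pts += FACTOR_POINTS["handles_pii"]
    return pts


def inherent_score(c: Component) -> int:
    """Top-down score: the same factors weighted by the criticality of the process."""
    return PROCESS_CRITICALITY[c.process] * factor_points(c)


def rank(score: int) -> str:
    for label in ("high", "medium"):
        if score >= TOLERANCE[label]:
            return label
    return "low"


# Step 3: assess every component with the same drivers and criteria.
def assess(inventory):
    return {c.name: (inherent_score(c), rank(inherent_score(c))) for c in inventory}


# Step 4: controls required by each risk factor (assumed mapping).
def required_controls(c: Component) -> list:
    controls = []
    if c.internet_facing:
        controls.append("perimeter monitoring and web application firewall")
    if c.handles_pii:
        controls.append("encryption at rest and access logging")
    if patch_lag_points(c.patch_lag_days) > 0:
        controls.append("30-day patch SLA with vendor escalation")
    return controls


# Step 5: run a proposed change through the same steps before it is finalized.
def change_is_within_tolerance(proposed: Component, max_rank: str = "medium") -> bool:
    order = ["low", "medium", "high"]
    return order.index(rank(inherent_score(proposed))) <= order.index(max_rank)


if __name__ == "__main__":
    for name, (score, label) in assess(INVENTORY).items():
        print(f"{name}: score={score} rank={label}")
    # Constructed proposed change: a new internet-facing app handling PII for benefits.
    proposal = Component("eligibility mobile app", "benefits payments", "Vendor D", True, True, 0)
    print("within tolerance:", change_is_within_tolerance(proposal))
    print("controls needed:", required_controls(proposal))
```

Note that the CMS and the room booking tool have identical exposure factors (internet-facing, no PII, 120 days behind on patches) and so tie under the checklist score, but the top-down score ranks the CMS medium and the room booking tool low because the public website process is more critical. The agency chooses the criticality values and thresholds once, in step 2, so every component and every later change is judged by the same yardstick.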

A governmentwide, top-down approach must include elements of IT risk assessment to evaluate systems under the public CIO's control. Government organizations that use this approach will end up with more effective and efficient controls that help mitigate these risks and still serve their constituents.

For example, Indiana is taking a proactive approach to IT risk management. The Indiana Department of Homeland Security, in partnership with the Indiana CIO's office, developed an IT cyber-security risk framework that can be used statewide. All state agencies will be asked to use the framework in assessing IT risk. This is an important, fundamental step in taking a strategic approach to IT risk management.

2. Playing a nonstrategic role in selecting a GRC platform.

Just as it's important to take a comprehensive view of IT risk management, it's also important for the public sector to strategically approach the selection of integrated technology platforms for governance, risk management and compliance (GRC).

From a management perspective, governments resemble conglomerates -- companies with multiple lines of business and subsidiaries that operate with a certain amount of independence to compete effectively in their market segments. The interrelationships among GRC beg for an integrated, enterprisewide solution -- one that's consistent across all agencies and departments.

In some cases, government CIOs make quick selection decisions that automate GRC processes without first assessing the effectiveness of the processes themselves. Automating bad processes is never a good idea.

In other cases, government CIOs take a hands-off approach to GRC and


