As more companies implement the Turnbull recommendations, Computer
Weekly reports on how business risk could influence your dealings
with others
Many IT managers may still greet phrases such as corporate
governance, risk management, business continuity and crisis
management, internal control or Turnbull guidelines with a blank
stare. On the other hand, most business managers probably have
little understanding of fault tolerant systems, disaster recovery
or denial of service. Yet these two worlds with their different
vocabularies are converging on risk management and, as they do, the
role and responsibilities of the IT manager could change forever.
The catalyst for this convergence is the Combined Code of the
Committee on Corporate Governance, commonly referred to as the
Turnbull Report after its chairman Nigel Turnbull. It was published
in September 1999 and awareness of it is just starting to creep
into the corporate boardroom, but the impact of its guidelines has
yet to percolate through organisations or, more specifically, to
the IT department.
"The evidence is that companies are taking risk analysis seriously,
but in many cases, it does not seem to have filtered through to the
IT department. There is not a high awareness of the recommendations
of the Turnbull Report in that constituency," says David Bridson,
marketing manager of Internet Security Systems.
The report recommends that companies should set up a uniform system
of risk management across the organisation's systems, which will
give directors a holistic view of the potential threats to the
company and the danger each poses.
The processes involve:
- Assessment and monitoring of a risk to the business
- The probability of the risk occurring
- The impact to the business should it occur
- The business' ability to avoid or reduce that impact
- Whether the costs of preventive action are justified.
Turnbull's recommendations differ from previous guidelines on
corporate governance as the report recommends that companies look
at all threats to the business, not just financial risks.
These include "operational risks" - any factor that could:
- Potentially inhibit the business' ability to operate
effectively and profitably
- Damage the reputation or share price of the firm or the
company's assets
- Put the company at risk from legal proceedings.
A potential operational risk is the threat posed by a petrol crisis
or a fire. And the terrorist attacks of 11 September gave ghoulish
new meaning to operational risk. But in the modern business there
is also exposure to technology-related risks. These range from IT
systems failure, through loss or theft of confidential customer
information to an employee's inappropriate use of e-mail, but will
also include the alteration of the company's risk profile as the
firm embarks on a new Internet project. In such circumstances, it
is likely that a corporate strategy for auditing risk and any
consequential course of action will affect or even alter the role
of the IT manager.
The Turnbull guidelines are only recommendations and therefore not
obligatory, but their influence should not be underestimated. The
report brings greater awareness at board level of the importance of
taking a holistic view of the company's situation and implementing
a uniform system of internal control. But more importantly,
Turnbull has also started a ripple effect as many of the external
organisations the business deals with will come to expect, if not
actively force, the company to prove compliance with Turnbull's
guidelines.
Companies listed on the London Stock Exchange have already felt the
first of Turnbull's ripples. According to the listing rules, those
firms that filed their accounts after 23 December 2000 must inform
shareholders whether and to what extent they have complied with the
Turnbull recommendations.
The second wave of adoption will come from industry regulators,
which are expected to incorporate Turnbull into their codes of
practice. Howard Davies, chairman of the banking/insurance
regulator the Financial Services Authority, says that it intends to
regularly scrutinise and rank members according to their risk
management procedures.
In January this year, the Institute of Management warned business
managers that the current government review of company law sought
to include the guidelines, making risk management a legal duty for
directors.
Companies could also find dealings with banks and insurers easier
where they can prove processes for risk management. At the most
basic, employing a full-time internal audit officer could reduce a
company's insurance premiums. Mike Sobers, a partner in the
information risk discipline at KPMG, reports that one bank pulled
back on a deal after auditing the operational risks to which a
client's business was exposed.
In future, key suppliers and customers (in the public or private
sector) may also scrutinise a partner's risk management process.
Some companies insist that partners have achieved certification
against BS7799 (whose code of practice has been adopted as ISO17799).
This involves assessing the risks to a company's information systems
and taking preventive action against them.
Corporate governance is an important element in the decision to
acquire a company. For example, Berwin Leighton Paisner, a
London-based firm of solicitors, takes into account the extent to
which a target firm has documented both internal systems
development and software development when advising an acquiring
company. "Companies that have been relaxed about procedures and
processes will have to pull their socks up," says Richard Chapman,
a lawyer in Berwin Leighton Paisner's technology media group.
So what has it got to do with IT?
"Risk management is the core competency of any manager. It is as
integral to the job of the IT manager as to any other," says
Sobers.
A survey of business managers published in January by the Institute
of Management found that 82% of respondents said loss of IT
capacity was a key threat to their business, above fire (62%), loss
of skills (59%), loss of site (55%) or damage to the corporate
image or reputation (50%).
The board's responsibility is to establish and routinely monitor a
company-wide corporate governance process or methodology, but the
actual risk analysis and management of those risks will be
delegated. Over the past three years, some firms have set up
dedicated risk managers, directors or risk management teams, but
these - mostly financial institutions - are, and will remain for
the foreseeable future, a minority. In most companies, assuming
that they adopt an ethos of risk management at all, the
responsibility will be divided between department heads.
The problem here is that technology underpins so many business
functions, particularly new projects and disciplines, that where
"risks" do not fall easily under the responsibilities of one
department head they could end up on the IT manager's already
crowded plate.
Any IT manager knows that network, Internet, application or
datacentre downtime could harm the company - and knows how to
reduce the chance of it occurring. But, without assistance, most IT
managers will struggle to document the exact consequences for the
business if each system fails, should the board require it.
For existing systems, the board could potentially require a
document detailing:
- What could cause a particular application to fail
- The probability of failure
- The implications of failure (which employees would be affected,
how many, and to what extent)
- What business function would not happen and for how long
- With what consequences
- Whether they would be visible to or affect customers or
suppliers, and whether that matters
- How much it would cost the business if the system failed
completely.
The board will then need to know how long it would take to restore
the application, either partially or completely:
- What the chances and implications are of irreparable data
loss
- What can be done to prevent or minimise downtime and how much
each measure costs
- And ultimately, given limited resources, whether it is justified
to devote the cash to minimising the risk of the application going
down rather than dedicating it to another purpose.
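The questions above reduce to a comparison the board can act on: the loss a failure is expected to cost per year against what each preventive measure costs to run. The following is an added illustration of that arithmetic as a small risk register; it is not code from the article, from Computer Weekly, or from any method such as Cramm (which is a qualitative method and works differently). The assumptions are mine: a probability is the annual likelihood of the failure scenario, impact is the cost of one occurrence in pounds, and a control is justified when the expected loss it removes per year exceeds its own annual cost. The systems, figures and controls are constructed for the example.

```python
"""Added example, not part of the Computer Weekly article: a minimal
quantitative risk register that works through the board's questions
(likelihood, cost of failure, cost of each preventive measure, and
whether the spend is justified).

Assumptions are mine, not the article's: 'probability' is the annual
likelihood of the failure scenario, 'impact' is the cost of one occurrence
in pounds, and a control is justified when the expected loss it removes per
year exceeds its own annual cost. The systems, figures and controls below
are constructed illustrations, not data from any real company.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # running cost per year (kit, licences, staff)
    residual_probability: float   # annual likelihood of failure once in place


@dataclass
class Risk:
    system: str
    cause: str                    # what could cause the application to fail
    probability: float            # annual likelihood of that cause
    impact: float                 # cost to the business of one occurrence
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.system}: probability must be in [0, 1]")
        for c in self.controls:
            if not 0.0 <= c.residual_probability <= self.probability:
                raise ValueError(f"{c.name}: residual probability exceeds the uncontrolled one")

    def annual_expected_loss(self, probability=None) -> float:
        """Expected loss per year: likelihood times cost of one occurrence."""
        p = self.probability if probability is None else probability
        return p * self.impact

    def evaluate_control(self, control: Control) -> dict:
        """Compare the loss a control avoids per year with what it costs to run."""
        avoided = (self.annual_expected_loss()
                   - self.annual_expected_loss(control.residual_probability))
        return {
            "control": control.name,
            "loss_avoided": avoided,
            "annual_cost": control.annual_cost,
            "net_benefit": avoided - control.annual_cost,
            "justified": avoided > control.annual_cost,
        }

    def best_control(self):
        """Highest net benefit among controls that pay for themselves, else None."""
        paying = [o for o in map(self.evaluate_control, self.controls) if o["justified"]]
        return max(paying, key=lambda o: o["net_benefit"]) if paying else None


def rank_by_exposure(register):
    """Order the register so the board sees the largest expected losses first."""
    rows = [(r.system, r.cause, r.annual_expected_loss()) for r in register]
    return sorted(rows, key=lambda t: t[2], reverse=True)


def recommend(register):
    """Map each risk to the control worth funding, or None if none is justified."""
    out = {}
    for r in register:
        best = r.best_control()
        out[f"{r.system}: {r.cause}"] = best["control"] if best else None
    return out


# Constructed sample register (illustrative figures only).
REGISTER = [
    Risk("order processing", "storage array failure", 0.10, 500_000, [
        Control("mirrored standby site", 40_000, 0.005),
        Control("nightly tape backup", 8_000, 0.02),
    ]),
    Risk("e-commerce site", "denial of service", 0.30, 120_000, [
        Control("upstream DDoS filtering", 20_000, 0.05),
    ]),
    Risk("intranet wiki", "server hardware failure", 0.20, 5_000, [
        Control("hot spare server", 3_000, 0.02),
    ]),
]

if __name__ == "__main__":
    for system, cause, ale in rank_by_exposure(REGISTER):
        print(f"{system:18s} {cause:26s} expected loss/yr £{ale:>10,.0f}")
    for risk, control in recommend(REGISTER).items():
        print(f"{risk}: {control or 'no control justified at current cost'}")
```

Two things the sample is built to show: the cheaper control on the order-processing system has the larger net benefit, because the expensive standby site buys very little extra reduction in likelihood once a backup is in place; and the hot spare for the wiki is not justified at all, because the expected loss it removes is smaller than its running cost. The probability estimates are the weakest input here, which is why the article's sources stress a recognised method and training rather than ad hoc figures.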
There could be sweeping changes to the way new projects are planned
and implemented. Before proposed projects are sanctioned, the board
will expect an assessment of the risks to the project and how it
changes the risk profile of the business as a whole, weighed up
against perceived benefits. This procedure will be noticeable in
companies that are recovering from the effects of disastrous
Internet projects.
It is easy to put the blame for failed Internet projects on the
marketing or business development department that led them or the
speed at which they drove projects. True, many projects were
business rather than technical failures, but plenty of e-commerce
projects were lacking on the technical side as well.
"Risk management is a fundamental part of operating as a successful
project manager and more credence should be given to the
discipline," says Andrew Meyer, chairman of the British Computer
Society E-commerce Group (he also speaks as a programme manager for
one of the larger telecommunication companies). "Good project
managers should not only have a project management method under
their belts, they should also be well versed in a risk management
method, such as Cramm. Only then can some disastrous projects of
the past become history. Management of risk is applied common
sense. The problem is that everyone has his own opinion, right or
wrong. That's why there is a need for training."
Internet projects increase the business' exposure to many different
sorts of risk.
Many of those who ended up with egg on their faces will have failed
to apply the rigorous financial controls or the strict
methodologies to their Internet project that ought to be applied to
IT projects.
The penalty for lack of forward planning or time for testing is
often a requirement for further investment. Insight's principal
consultant Steve Daniels points out that appropriate due diligence
should include assessing factors such as whether e-commerce systems
need to be integrated into back-end systems and the risk associated
with relying on new applications from new suppliers.
A company should not only consider the threats posed by hacking or
denial of service attacks to the e-business site itself - the site
provides a soft underbelly to the corporation as a whole. A
security breach may lead to financial loss or, where customer or
supplier information is exposed, it could breach confidentiality
agreements or tarnish the reputation or brand and damage confidence
and trust in the company.
The legally enforceable regulations which must be adhered to
include consumer, distance selling, tax, human rights (privacy) and
data protection laws. Berwin Leighton Paisner describes the level
of compliance with data protection laws as "quite shocking". There
are further areas of law where the impact of the Internet remains
largely untested. These could include the tort of negligence -
should companies (particularly service providers) owe a duty of
care to their customers and suppliers to assess what threats could
compromise their systems; or employer liability, for example,
recriminations against the company for content of an employee's
"smoking gun" e-mail.
Information assurance "is a boardroom issue that cannot be
delegated to the IT department. Only one in five directors
currently recognises his or her responsibility for protecting the
information they use or control," says a director's guide to
information assurance, published by the Institute of Directors in
April.
In the information age, the knowledge that a company collectively
holds about the market, product, supplier and customer is seen as
an asset, not just to be protected, but also managed
physically.
There are three main drivers behind the requirement for knowledge
management:
- The move to the electronic office and the electronic
document
- The move to deal with customers and suppliers through multiple
channels, in particular increasing reliance on the Internet
- High levels of staff attrition.
To all intents and purposes the electronic document is now regarded
as a legal one. Solicitors are required to keep client documents,
including electronic documents, for six years. In the US, some
States demand that government departments keep all e-mails for
seven years. Similar policies are appearing in commercial
organisations such as financial institutions. But as the Microsoft
case taught us, it is just as important to have a process for
deleting stored e-mails when the period of retention is over, as it
is for storing them in the first place, points out Mike Hedger,
chief executive of US municipal software solutions provider KVS.
The establishment of a knowledge management discipline embodies
company policy for the storing or archiving of all electronic
documents where they can be easily found and retrieved. So, instead
of documents on customer X residing on distributed databases or Web
servers or as e-mails or memos on PCs, they are grouped together or
linked. Knowledge management also encompasses the documentation of
project methodology or workflows, so projects can be replicated or
revisited even if the architect or manager has moved on.
A knowledge management strategy requires the establishment of the
process, technological architecture and enforcement of policy. It
could, in practice, require a system for backing up every
electronic document in the company, whatever the format or
location.
A board-led risk-management initiative will create the need to
monitor and, where necessary, take preventive measures to reduce
the threats to the organisation.
This could include:
- Regular audits of IT and security systems and procedures, the
requirements for fail-over systems and procedures for backing up
data and the documentation of those audits
- The requirement for risk analysis before any new project is
embarked on and the thorough documentation of every aspect of the
risk process and the implementation
- Establishing and implementing an employee e-mail policy and/or
monitoring e-mails to ensure adherence to it, implementing a
knowledge management strategy, or ensuring that customer data
collected over the Internet is used correctly and
legally.
While every IT manager would argue that he already has too much on
his plate, that does not mean IT is ready to wash its hands of risk
management; it is just that it does not want to, and should not have
to, shoulder the whole burden of responsibility.
"Who owns the business data? Is it technology? No, we are just the
custodians," explains Martin Whitehead, head of information
security at the Co-operative Bank. "If they can't set us goals, we
can only strive to achieve best practice but no more. If the
business manager can't articulate to the IT manager what makes the
business work, he will continue to think in terms of keeping the
bits and bytes flowing round the network. Business managers and IT
need to work hand-in-hand to come to a common understanding of
where the areas of risk exposure lie."
In fact, for an IT manager who is used to documenting all projects
and rigorously following methodologies such as Cramm, the adoption
of a risk-management ethos across the company will give him the ear
of the board. Not only will it give IT earlier and more
consequential input into the feasibility and timescales being given
to business-driven Internet projects, it will also give IT a
process and a language to articulate its fears to the board.
"Consider a message that goes up the chain of command regarding a
risk of not having a disaster recovery solution for a major system
on which the company is totally dependent for its revenue. The way
that this risk is communicated is very important; if done
incorrectly, when it reaches the top it will be interpreted as 'IT
want some more kit!'" concludes Meyer.
No business without trust
The key to building an Internet business is not just about doing
the risk assessment, it is about convincing the customer that due
diligence has been done.
This is why the Co-operative Bank chose the gruelling task of
certifying its Internet bank Smile for the BS7799 standard. It was
a process that led to 175 pages of documentation and cost 45
consulting days, 20 of which were dedicated to risk assessment.
"We were conscious from our market research that customers had
concerns - valid concerns - as to the security of doing banking
over the Internet. That is why we chose the BS7799 certification
over other standards, not because it's better necessarily, but
everyone recognises the British Standards Institute kitemark," says
Whitehead.
Awareness of risk management
The level of awareness among IT managers of the importance of
standard risk assessment procedures can be seen from the following
indicators:
- Cramm is claimed to be the most widely accepted methodology for
information risk assessment worldwide. It is also the UK
Government's preferred method. Yet it has only sold 400 copies
in 15 years. Insight Consulting's principal consultant Steve Daniels
says, "It's only a drop in the ocean."
- A recent survey by UK IT consultancy Idetica found that
two-thirds of IT managers of FTSE 500 companies surveyed had never
heard of the government-sponsored British Standard (BS) 7799
(adopted in ISO standard 17799) Code of Practice for Information
Security Management.
The Turnbull Report
Principle D.2
"The board should maintain a sound system of internal control to
safeguard shareholders' investment and the company's assets."
Provision D.2.1
"The directors should, at least annually, conduct a review of the
effectiveness of the group's
system of internal control and should report to shareholders that
they have done so. The review should cover all controls, including
financial, operational and compliance controls and risk
management."
Provision D.2.2
"Companies which do not have an internal audit function should from
time to time review the need
for one."
London Stock Exchange listing rules
Paragraph 12.43A makes it obligatory for a company incorporated in
the UK to state in its accounts whether it has complied with the
Turnbull guidance. If it has complied, then it must do so in a
manner "that enables its shareholders to evaluate how the
principles have been applied". If it has not it must explain how it
failed to comply and "give reasons for any non-compliance".
Accountancy advice
The Institute of Chartered Accountants in England & Wales
offers the following advice for companies seeking to comply with
Turnbull:
The board of directors is responsible for establishing the
company's policy for internal control and regularly reviewing its
implementation and effectiveness.
The board should consider:
- The nature and extent of the risks facing the company
- The extent and categories of risk which it regards as
acceptable for the company to bear
- The likelihood of the risks concerned materialising
- The company's ability to reduce the incidence and impact on the
business of risks that do materialise
- The costs of operating particular controls relative to the
benefit thereby obtained in managing the related risks.
Management should identify and evaluate the risks faced by the
company for consideration by the board and design, operate and
monitor a suitable system of internal control which implements the
policies adopted by the board. All employees have some
responsibility for internal control as part of their accountability
for achieving objectives.