Risk management has traditionally been
considered the concern of the finance department, but regulatory
requirements and an increasing number of risk-based standards are
pushing IT directors to consider the issue as well.
Although most large organisations have had registries dealing
with financial risk for some time, many are starting to realise
that potential information security risks should also be included,
not least because external auditors are increasingly requiring
it.
Organisations are also beginning to find that more of their
customers are demanding a risk-based approach to security. For
example, public sector organisations have to comply with the
ISO 27001 standard for information security management, and so
are demanding that their suppliers do the same.
In addition, under the 2004 Civil Contingencies Act, public
authorities need to have
business continuity plans in place. This has led to many
councils trying to make local businesses aware that they should
undertake risk management.
Under the BS 25999 business continuity and disaster recovery
planning code of practice, organisations are required to undertake
both a risk and business-impact analysis. Awareness of this issue
is only likely to rise when the ISO 31000 risk management standard
is released in December 2008.
Planning for business risk
Despite the increasing emphasis on risk awareness, the adoption
of risk policy is still patchy across organisations. Some firms are
ahead of the game, with many blue-chip companies in highly
regulated industries, such as financial services and
pharmaceuticals, having whole departments dedicated to risk
management.
Companies large and small that operate in areas where the damage
caused by information loss is obvious - such as online retailers,
or those that have built their business on a reputation for
integrity and reliability - will likewise have a coherent strategy
in place, says Tim Watson, head of De Montfort University's
computer forensics and security group.
But elsewhere, although awareness of the need to do something
may be high compared with five years ago, too many are still
failing to actively address the problem.
Michael Owen, managing consultant at Information Risk
Management, says that if organisations are not compelled to go down
this route, they all too often end up seeing it as just another
expense, not least because justifying investment in information
security can be tricky at the best of times. This is particularly
true of small and medium-sized enterprises (SMEs) with limited cash
flow.
Owen says, "Some IT directors are put off raising the issue
because they fear they might lose control if they talk to the
business about it, or they see the issue as being too complex. For
others, it is simply a time issue. It is rare that security teams
have a lot of time on their hands to do this, and while many
realise they need to be more risk-focused, it can be difficult if
they have not done it before."
Mike Gillespie, principal consultant at Advent Information
Management, says, "Although a lot of SMEs do risk management on an
ad-hoc basis as part of their everyday operations, they do not
formally document it as a process, and the results are not formally
captured, which means that some risks end up falling through the
cracks."
Nonetheless, he believes that it makes sense to undertake the
activity properly as there are real business and financial benefits
to be gained from doing so, not least because risk mitigation will
be based on fact. "This means you will only spend on resources
where you need to, not where you think you should," says
Gillespie.
"Risk management gives you a good foundation to understand what
threats and vulnerabilities can impact the business and what the
likelihood is of them happening. Whatever it is you are trying to
assess, it gives a formal methodology for helping to determine what
the real risks are, which enables the business to focus on its true
needs."
He adds that risk analysis can sometimes be surprisingly quick
to deliver results. "Simply implementing or reviewing processes,
policies and procedures can help mitigate much risk, costing the
business little money. It just takes time to introduce them and
educate staff."
Standardising to limit risk
John Robson, CIO EMEA at contact centre business-process
outsourcer Sitel, says that undertaking risk management is crucial
so that organisations know what they are dealing with.
"Risk is when something happens that you do not want or did not
expect, but if you remove as many of those events as you can, you
end up dealing with exceptions. I see my role as CIO as managing
those exceptions, because we look after the day-to-day stuff in a
known way," he says.
This approach is becoming increasingly important because of the
growing convergence between IT and risk management. "Given that the
biggest elements of operational infrastructure these days are
IT-based, and given that the business runs on IT, it means that
this is where you will find the most risk," Robson says.
Sitel began its own journey down this route earlier this year
after it merged with ClientLogic, where Robson had previously
headed the IT department. After he became the CIO of the joint
European entity, he got heavily behind ITIL service delivery
standards in a bid to improve customer satisfaction levels. The
move involved centralising the IT department in order to provide
service delivery in a uniform and standard way.
The first step was to introduce a centralised service desk based
on ITIL practices to undertake incident management. "We wanted to
have visibility into all events across Europe so that we could see
what the risks to the business were," says Robson.
This shift was also necessary because decentralised
decision-making makes it difficult to control variation, which is
important as most risk comes through change, Robson says.
Because risk management is such a fundamental component of IT,
you cannot bolt it on afterwards. "You have to design it in and
make it part of your infrastructure, which means that it is much
easier if you can get it in there right from the start," says
Robson.
Such activity cannot happen overnight as it is impossible for
most organisations to undertake wholesale infrastructure
replacement. However, a rolling programme of improvement that fits
into an overarching strategic architecture is a more realistic
approach.
But, Robson says, "If you design a solution that the business
cannot afford, it will never happen. So one of the roles of the CIO
is to determine how to assign expenditure, with risk management
playing a key part in each purchasing decision. The worry is, of
course, that all of this will make the elephant in the corner
bigger, but the trick is to eat it bit by bit so it gets smaller
each day."
Using the BS 7799 risk management standard - which Robson says
aligns very well with ITIL - as a framework, the business created
four risk management teams to assess the situation and target
resources appropriately.
Actions can range from risk reduction or elimination to
transferring some of the risk, for example, to an outsourcing
partner. Alternatively, it can mean simply accepting risk where the
cost of fixing the problem would be too high and the risk too low
to warrant it.
Sitel's risk management teams comprise a compliance and
governance group, which is headed by Robson and is made up of 12
staff, to look after technology and process-based risk; a physical
security group, which is managed by the head of facilities
management; and human resources, which explores risk management
from a personnel perspective. Internal audits are also conducted to
consider risk from a financial viewpoint and are controlled by the
chief financial officer.
"They work together closely as a peer group to deal with risk,
but because we are a global business that operates in 44 locations,
they also share best practice between geographical areas as
different threats emerge in different ways in different places,"
says Robson, who in effect acts as a chief security officer.
Get the executives on board
This close collaboration between all parts of the business and
IT is crucial to success, as is buy-in from senior management and
having well-defined risk owners.
"There is no point setting off on a mission with an evangelical
glint in your eye if no one is there with you. So you have got to
get buy-in from the top down," Robson says. "It cannot be optional,
and you cannot say 'we will manage risk until we do not feel like
it any more or until it is too hard'. You have to have momentum
behind it, and it has to be an ongoing process."
Such a process takes time, however, because it involves raising
consciousness, education and constant monitoring to ensure that a
risk management culture is embedded into the organisation. And this
culture will be different for every company, as each has its own
individual risk profile and risk appetite.
Gillespie says, "Some organisations are very conservative, while
others take lots of risks as a way to make lots of money. So the
business has to know how much risk it is prepared to accept and in
what areas, and whether that fits its risk profile. This differs
enormously from business to business, but it is often
overlooked."
Getting it wrong can mean spending time and money on purchasing
security products and tweaking security processes that are simply
not worth the investment.
"Auditors assess organisations against known best practice and
say 'you are not doing this and that'. But if you have done a risk
assessment and managed that risk, you can say 'it does not matter
to us, so we are not going to do anything about it unless it is
laid down as a mandatory requirement'.
"It is about finding out what needs to be protected and
balancing that against cost, rather than doing things just for the
sake of it," says Gillespie.