As more companies implement the Turnbull recommendations, Computer Weekly reports on how business risk could influence your dealings with others
Many IT managers may still greet phrases such as corporate governance, risk management, business continuity and crisis management, internal control or Turnbull guidelines with a blank stare. On the other hand, most business managers probably have little understanding of fault tolerant systems, disaster recovery or denial of service. Yet these two worlds with their different vocabularies are converging on risk management and, as they do, the role and responsibilities of the IT manager could change forever.
The catalyst for this convergence is the Combined Code of the Committee on Corporate Governance, commonly referred to as the Turnbull Report after its chairman Nigel Turnbull. It was published in September 1999 and awareness of it is just starting to creep into the corporate boardroom, but the impact of its guidelines has yet to percolate through organisations or, more specifically, to the IT department.
"The evidence is that companies are taking risk analysis seriously, but in many cases, it does not seem to have filtered through to the IT department. There is not a high awareness of the recommendations of the Turnbull Report in that constituency," says David Bridson, marketing manager of Internet Security Systems.
The report recommends that companies should set up a uniform system of risk management across the organisation's systems, which will give directors a holistic view of the potential threats to the company and the danger each poses.
The processes involve:
- Assessment and monitoring of a risk to the business
- The probability of the risk occurring
- The impact to the business should it occur
- The business' ability to avoid or reduce that impact
- Whether the costs of preventive action are justified.
Turnbull's recommendations differ from previous guidelines on corporate governance as the report recommends that companies look at all threats to the business, not just financial risks.
These include "operational risks" - any factor that could:
- Potentially inhibit the business' ability to operate effectively and profitably
- Damage the reputation or share price of the firm or the company's assets
- Put the company at risk from legal proceedings.
A potential operational risk is the threat posed by a petrol crisis or a fire. And the terrorist attacks of 11 September gave ghoulish new meaning to operational risk. But in the modern business there is also exposure to technology-related risks. These range from IT systems failure, through loss or theft of confidential customer information to an employee's inappropriate use of e-mail, but will also include the alteration of the company's risk profile as the firm embarks on a new Internet project. In such circumstances, it is likely that a corporate strategy for auditing risk and any consequential course of action will affect or even alter the role of the IT manager.
The Turnbull guidelines are only recommendations and therefore not obligatory, but their influence should not be underestimated. The report brings greater awareness at board level of the importance of taking a holistic view of the company's situation and implementing a uniform system of internal control. But more importantly, Turnbull has also started a ripple effect as many of the external organisations the business deals with will come to expect, if not actively force, the company to prove compliance with Turnbull's guidelines.
Companies listed on the London Stock Exchange have already felt the first of Turnbull's ripples. According to the listing rules, those firms that filed their accounts after 23 December 2000 must inform shareholders whether and to what extent they have complied with the Turnbull recommendations.
The second wave of adoption will come from industry regulators, which are expected to incorporate Turnbull into their codes of practice. Howard Davies, chairman of the banking/insurance regulator the Financial Services Authority, says that it intends to regularly scrutinise and rank members according to their risk management procedures.
In January this year, the Institute of Management warned business managers that the current government review of company law sought to include the guidelines, making risk management a legal duty for directors.
Companies could also find dealings with banks and insurers easier where they can prove processes for risk management. At the most basic, employing a full-time internal audit officer could reduce a company's insurance premiums. Mike Sobers, a partner in the information risk discipline at KPMG, reports that one bank pulled back on a deal after auditing the operational risks to which a client's business was exposed.
In future, key suppliers and customers (in the public or private sector) may also scrutinise a partner's risk management process. Some companies insist that partners have achieved BS7799/ISO17799 certification. This involves the assessment of risk and taking preventive action against risk to a company's information systems.
Corporate governance is an important element in the decision to acquire a company. For example, Berwin Leighton Paisner, a London-based firm of solicitors, takes into account the extent to which a target firm has documented both internal systems development and software development when advising an acquiring company. "Companies that have been relaxed about procedures and processes will have to pull their socks up," says Richard Chapman, a lawyer in Berwin Leighton Paisner's technology media group.
So what has it got to do with IT?
"Risk management is the core competency of any manager. It is as integral to the job of the IT manager as to any other," says Sobers.
A survey of business managers published in January by the Institute of Management found that 82% of respondents said loss of IT capacity was a key threat to their business, above fire (62%), loss of skills (59%), loss of site (55%) or damage to the corporate image or reputation (50%).
The board's responsibility is to establish and routinely monitor a company-wide corporate governance process or methodology, but the actual risk analysis and management of those risks will be delegated. Over the past three years, some firms have set up dedicated risk managers, directors or risk management teams, but these - mostly financial institutions - are, and will remain for the foreseeable future, a minority. In most companies, assuming that they adopt an ethos of risk management at all, the responsibility will be divided between department heads.
The problem here is that since technology underpins so many business functions - particularly new projects and disciplines - where "risks" do not fall easily under the responsibilities of one department head, they could end up on the IT manager's already crowded plate.
Any IT manager knows that network, Internet, application or datacentre downtime could harm the company - and knows how to reduce the chance of it occurring. But, without assistance, most IT managers will struggle to document the exact consequences for the business if each system fails, should the board require it.
For existing systems, the board could potentially require a document detailing:
- What could cause a particular application to fail
- The probability of failure
- The implications of failure (which and how many employees would be affected, and to what extent)
- What business function would not happen and for how long
- With what consequences
- Whether they will be visible to or affect customers or suppliers, and whether that matters
- How much it would cost the business if the system failed completely.
The board will then need to know how long it would take to restore the application either partially or completely, and:
- What the chances and implications are of irreparable data loss
- What can be done to prevent or minimise downtime and how much each measure costs
- And ultimately, given limited resources, whether it is justified to devote the cash to minimising the risk of the application going down rather than dedicating it to another purpose.
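The five elements of the Turnbull process (assessment, probability, impact, ability to reduce the impact, and whether the cost of prevention is justified) and the per-system questions above can be reduced to a simple risk register. The following Python sketch is an added illustration, not part of the original article nor the method of any firm quoted in it; every system name, probability, loss figure and control cost in it is constructed for the example, and the annual-loss-expectancy arithmetic and the budget-allocation rule are assumptions about how a board might want the comparison presented rather than anything the article prescribes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SystemRisk:
    """One line of a risk register for an existing system (all figures constructed)."""
    name: str
    annual_probability: float    # chance the failure occurs in a given year (0..1)
    loss_per_event: float        # full cost to the business of one complete failure
    control: str                 # proposed preventive measure
    control_cost: float          # annual cost of operating that measure
    residual_probability: float  # annual probability of failure once the control is in place

def annual_loss_expectancy(probability: float, loss_per_event: float) -> float:
    """Expected annual loss = probability of the event x cost when it occurs."""
    return probability * loss_per_event

def evaluate(risk: SystemRisk) -> dict:
    """Compare the loss the board carries today with the loss after the control,
    net of the control's own cost. 'justified' is the final Turnbull question:
    is the preventive spend worth it?"""
    before = annual_loss_expectancy(risk.annual_probability, risk.loss_per_event)
    after = annual_loss_expectancy(risk.residual_probability, risk.loss_per_event)
    reduction = before - after
    net_benefit = reduction - risk.control_cost
    return {
        "name": risk.name,
        "control": risk.control,
        "ale_before": before,
        "ale_after": after,
        "reduction": reduction,
        "control_cost": risk.control_cost,
        "net_benefit": net_benefit,
        "justified": net_benefit > 0,
    }

def rank_controls(register: list[SystemRisk]) -> list[dict]:
    """Order the register so the board sees the best-value controls first."""
    return sorted((evaluate(r) for r in register),
                  key=lambda e: e["net_benefit"], reverse=True)

def choose_within_budget(register: list[SystemRisk], budget: float) -> list[str]:
    """Given limited resources, fund controls in order of net benefit until the
    budget runs out, skipping any whose cost exceeds the loss it prevents.
    (Greedy allocation: an assumption for the example, not an optimal solver.)"""
    chosen, remaining = [], budget
    for entry in rank_controls(register):
        if not entry["justified"]:
            continue
        if entry["control_cost"] <= remaining:
            chosen.append(entry["name"])
            remaining -= entry["control_cost"]
    return chosen

# Constructed register: hypothetical systems and figures for illustration only.
REGISTER = [
    SystemRisk("Order-processing database", 0.10, 500_000.0,
               "hot-standby replica at second site", 30_000.0, 0.01),
    SystemRisk("Intranet wiki", 0.25, 8_000.0,
               "clustered servers", 12_000.0, 0.02),
    SystemRisk("Public web storefront", 0.20, 120_000.0,
               "second ISP link with failover", 9_000.0, 0.05),
]

if __name__ == "__main__":
    for e in rank_controls(REGISTER):
        verdict = "justified" if e["justified"] else "not justified"
        print(f"{e['name']}: loss/yr {e['ale_before']:,.0f} -> {e['ale_after']:,.0f}, "
              f"control {e['control_cost']:,.0f}/yr, net {e['net_benefit']:,.0f} ({verdict})")
    print("Fund with 35,000:", choose_within_budget(REGISTER, 35_000.0))
```

In this constructed register the database replica pays for itself (it removes 45,000 of expected annual loss for 30,000), the storefront failover link is also worthwhile, and clustering the wiki costs far more than the loss it prevents, which is exactly the kind of ranked, costed answer the board is asking the IT manager for.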
There could be sweeping changes to the way new projects are planned and implemented. Before proposed projects are sanctioned, the board will expect an assessment of the risks to the project and how it changes the risk profile of the business as a whole, weighed up against perceived benefits. This procedure will be noticeable in companies that are recovering from the effects of disastrous Internet projects.
It is easy to put the blame for failed Internet projects on the marketing or business development department that led them or the speed at which they drove projects. True, many projects were business rather than technical failures, but plenty of e-commerce projects were lacking on the technical side as well.
"Risk management is a fundamental part of operating as a successful project manager and more credence should be given to the discipline," says Andrew Meyer, chairman of the British Computer Society E-commerce Group (he also speaks as a programme manager for one of the larger telecommunication companies). "Good project managers should not only have a project management method under their belts, they should also be well versed in a risk management method, such as Cramm. Only then can some disastrous projects of the past become history. Management of risk is applied common sense. The problem is that everyone has his own opinion, right or wrong. That's why there is a need for training."
Internet projects increase the business' exposure to many different sorts of risk.
Many of those who ended up with egg on their faces will have failed to apply the rigorous financial controls or the strict methodologies to their Internet project that ought to be applied to IT projects.
The penalty for lack of forward planning or time for testing is often a requirement for further investment. Insight's principal consultant Steve Daniels points out that appropriate due diligence should include assessing factors such as whether e-commerce systems need to be integrated into back-end systems and the risk associated with relying on new applications from new suppliers.
A company should not only consider the threats posed by hacking or denial of service attacks to the e-business site itself - the site provides a soft underbelly to the corporation as a whole. A security breach may lead to financial loss or, where customer or supplier information is exposed, it could breach confidentiality agreements or tarnish the reputation or brand and damage confidence and trust in the company.
The legally enforceable risk regulations which must be adhered to include consumer, distance selling, tax, human rights (privacy) and data protection laws. Berwin Leighton Paisner describes the level of compliance with data protection laws as "quite shocking". There are further areas of law where the impact of the Internet remains largely untested. These could include the tort of negligence - should companies (particularly service providers) owe a duty of care to their customers and suppliers to assess what threats could compromise their systems; or employer liability, for example, recriminations against the company for the content of an employee's "smoking gun" e-mail.
Information assurance "is a boardroom issue that cannot be delegated to the IT department. Only one in five directors currently recognises his or her responsibility for protecting the information they use or control," says a director's guide to information assurance, published by the Institute of Directors in April.
In the information age, the knowledge that a company collectively holds about the market, product, supplier and customer is seen as an asset, not just to be protected, but also managed physically.
There are three main drivers behind the requirement for knowledge management:
- The move to the electronic office and the electronic document
- The move to deal with customers and suppliers through multiple channels, in particular increasing reliance on the Internet
- High levels of staff attrition.
To all intents and purposes the electronic document is now regarded as a legal one. Solicitors are required to keep client documents, including electronic documents, for six years. In the US, some States demand that government departments keep all e-mails for seven years. Similar policies are appearing in commercial organisations such as financial institutions. But as the Microsoft case taught us, it is just as important to have a process for deleting stored e-mails when the period of retention is over, as it is for storing them in the first place, points out Mike Hedger, chief executive of US municipal software solutions provider KVS.
The establishment of a knowledge management discipline embodies company policy for the storing or archiving of all electronic documents where they can be easily found and retrieved. So, instead of documents on customer X residing on distributed databases or Web servers or as e-mails or memos on PCs, they are grouped together or linked. Knowledge management also encompasses the documentation of project methodology or workflows, so projects can be replicated or revisited even if the architect or manager has moved on.
A knowledge management strategy requires the establishment of the process, technological architecture and enforcement of policy. It could, in practice, require a system for backing up every electronic document in the company, whatever the format or location.
A board-led risk-management initiative will create the need to monitor and, where necessary, take preventive measures to reduce the threats to the organisation.
This could include:
- Regular audits of IT and security systems and procedures, the requirements for fail-over systems and procedures for backing up data and the documentation of those audits
- The requirement for risk analysis before any new project is embarked on and the thorough documentation of every aspect of the risk process and the implementation
- Establishing and implementing employee e-mail policy and/or monitoring e-mails to ensure its adherence, implementing a knowledge management strategy or ensuring that customer data collected over the Internet is used correctly and legally.
While every IT manager would argue that he already has too much on his plate, that does not mean IT is ready to wash its hands of risk management; it is just that it does not want to, and should not have to, shoulder the burden of responsibility.
"Who owns the business data? Is it technology? No, we are just the custodians," explains Martin Whitehead, head of information security at the Co-operative Bank. "If they can't set us goals, we can only strive to achieve best practice but no more. If the business manager can't articulate to the IT manager what makes the business work, he will continue to think in terms of keeping the bits and bytes flowing round the network. Business managers and IT need to work hand-in-hand to come to a common understanding of where the areas of risk exposure lie."
In fact, for an IT manager who is used to documenting all projects and rigorously following methodologies such as Cramm, the adoption of a risk-management ethos across the company will give him the ear of the board. Not only will it give IT earlier and more consequential input into the feasibility and timescales being given to business-driven Internet projects, it will also give IT a process and a language to articulate its fears to the board.
"Consider a message that goes up the chain of command regarding a risk of not having a disaster recovery solution for a major system on which the company is totally dependent for its revenue. The way that this risk is communicated is very important; if done incorrectly, when it reaches the top it will be interpreted as 'IT want some more kit!'" concludes Meyer.
No business without trust
The key to building an Internet business is not just about doing the risk assessment, it is about convincing the customer that due diligence has been done. This is why the Co-operative Bank chose the gruelling task of certifying its Internet bank Smile for the BS7799 standard. It was a process that led to 175 pages of documentation and cost 45 consulting days, 20 of which were dedicated to risk assessment.
"We were conscious from our market research that customers had concerns - valid concerns - as to the security of doing banking over the Internet. That is why we chose the BS7799 certification over other standards, not because it's better necessarily, but everyone recognises the British Standards Institute kitemark," says Whitehead.
Awareness of risk management
The level of awareness among IT managers of the importance of standard risk assessment procedures can be seen from the following indicators:
- Cramm is claimed to be the most widely accepted methodology for information risk assessment worldwide. It is also the UK Government's preferred method. Yet it has only sold 400 copies in 15 years. Insight Consulting's principal consultant Steve Daniels says, "It's only a drop in the ocean."
- A recent survey by a UK IT consultancy Idetica found that two-thirds of IT managers of FTSE 500 companies surveyed had never heard of the government-sponsored British Standard (BS) 7799 (adopted in ISO standard 17799) Code of Practice for Information Security Management.
The Turnbull Report
"The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets."
"The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management."
"Companies which do not have an internal audit function should from time to time review the need for one."
London Stock Exchange listing rules
Paragraph 12.43A makes it obligatory for a company incorporated in the UK to state in its accounts whether it has complied with the Turnbull guidance. If it has complied, then it must do so in a manner "that enables its shareholders to evaluate how the principles have been applied". If it has not, it must explain how it failed to comply and "give reasons for any non-compliance".
Accountancy advice
The Institute of Chartered Accountants in England & Wales offers the following advice for companies seeking to comply with Turnbull:
The board of directors is responsible for establishing the company's policy for internal control and regularly reviewing its implementation and effectiveness.
The board should consider:
- The nature and extent of the risks facing the company
- The extent and categories of risk which it regards as acceptable for the company to bear
- The likelihood of the risks concerned materialising
- The company's ability to reduce the incidence and impact on the business of risks that do materialise
- The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks.
Management should identify and evaluate the risks faced by the company for consideration by the board and design, operate and monitor a suitable system of internal control which implements the policies adopted by the board. All employees have some responsibility for internal control as part of their accountability for achieving objectives.