Risk management has traditionally been considered the concern of the finance department, but regulatory requirements and an increasing number of risk-based standards are pushing IT directors to consider the issue as well.
Although most large organisations have had registries dealing with financial risk for some time, many are starting to realise that potential information security risks should also be included, not least because external auditors are increasingly requiring it.
Organisations are also beginning to find that more of their customers are demanding a risk-based approach to security. For example, public sector organisations have to comply with the ISO 27001 standard for information security management, and so are demanding that their suppliers do the same.
In addition, under the 2004 Civil Contingencies Act, public authorities need to have business continuity plans in place. This has led to many councils trying to make local businesses aware that they should undertake risk management.
Under the BS 25999 business continuity and disaster recovery planning code of practice, organisations are required to undertake both a risk and business-impact analysis. Awareness of this issue is only likely to rise when the ISO 31000 risk management standard is released in December 2008.
Planning for business risk
Despite the increasing emphasis on risk awareness, the adoption of risk policy is still patchy across organisations. Some firms are ahead of the game, with many blue-chip companies in highly regulated industries, such as financial services and pharmaceuticals, having whole departments dedicated to risk management.
Companies large and small that operate in areas where the damage caused by information loss is obvious - such as online retailers, or those that have built their business on a reputation for integrity and reliability - will likewise have a coherent strategy in place, says Tim Watson, head of De Montfort University's computer forensics and security group.
But elsewhere, although awareness of the need to do something may be high compared with five years ago, too many are still failing to actively address the problem.
Michael Owen, managing consultant at Information Risk Management, says that if organisations are not compelled to go down this route, they all too often end up seeing it as just another expense, not least because justifying investment in information security can be tricky at the best of times. This is particularly true of small and medium-sized enterprises (SMEs) with limited cash flow.
Owen says, "Some IT directors are put off raising the issue because they fear they might lose control if they talk to the business about it, or they see the issue as being too complex. For others, it is simply a time issue. It is rare that security teams have a lot of time on their hands to do this, and while many realise they need to be more risk-focused, it can be difficult if they have not done it before."
Mike Gillespie, principal consultant at Advent Information Management, says, "Although a lot of SMEs do risk management on an ad-hoc basis as part of their everyday operations, they do not formally document it as a process, and the results are not formally captured, which means that some risks end up falling through the cracks."
Nonetheless, he believes that it makes sense to undertake the activity properly as there are real business and financial benefits to be gained from doing so, not least because risk mitigation will be based on fact. "This means you will only spend on resources where you need to, not where you think you should," says Gillespie.
"Risk management gives you a good foundation to understand what threats and vulnerabilities can impact the business and what the likelihood is of them happening. Whatever it is you are trying to assess, it gives a formal methodology for helping to determine what the real risks are, which enables the business to focus on its true needs."
He adds that risk analysis can sometimes be surprisingly quick to deliver results. "Simply implementing or reviewing processes, policies and procedures can help mitigate much risk, costing the business little money. It just takes time to introduce them and educate staff."
Standardising to limit risk
John Robson, CIO EMEA at contact centre business-process outsourcer Sitel, says that undertaking risk management is crucial so that organisations know what they are dealing with.
"Risk is when something happens that you do not want or did not expect, but if you remove as many of those events as you can, you end up dealing with exceptions. I see my role as CIO as managing those exceptions, because we look after the day-to-day stuff in a known way," he says.
This approach is becoming increasingly important because of the growing convergence between IT and risk management. "Given that the biggest elements of operational infrastructure these days are IT-based, and given that the business runs on IT, it means that this is where you will find the most risk," Robson says.
Sitel began its own journey down this route earlier this year after it merged with ClientLogic, where Robson had previously headed the IT department. After he became the CIO of the joint European entity, he got heavily behind ITIL service delivery standards in a bid to improve customer satisfaction levels. The move involved centralising the IT department in order to provide service delivery in a uniform and standard way.
The first step was to introduce a centralised service desk based on ITIL practices to undertake incident management. "We wanted to have visibility into all events across Europe so that we could see what the risks to the business were, " says Robson.
This shift was also necessary because decentralised decision-making makes it difficult to control variation, which is important as most risk comes through change, Robson says.
Because risk management is such a fundamental component of IT, you cannot bolt it on afterwards. "You have to design it in and make it part of your infrastructure, which means that it is much easier if you can get it in there right from the start," says Robson.
Such activity cannot happen overnight as it is impossible for most organisations to undertake wholesale infrastructure replacement. However, a rolling programme of improvement that fits into an overarching strategic architecture is a more realistic approach.
But, Robson says, "If you design a solution that the business cannot afford, it will never happen. So one of the roles of the CIO is to determine how to assign expenditure, with risk management playing a key part in each purchasing decision. The worry is, of course, that all of this will make the elephant in the corner bigger, but the trick is to eat it bit by bit so it gets smaller each day."
Using the BS 7799 risk management standard - which Robson says aligns very well with ITIL - as a framework, the business created four risk management teams to assess the situation and target resources appropriately.
Actions can range from risk reduction or elimination to transferring some of the risk, for example, to an outsourcing partner. Alternatively, it can mean simply accepting risk where the cost of fixing the problem would be too high and the risk too low to warrant it.
Sitel's risk management teams comprise a compliance and governance group, which is headed by Robson and is made up of 12 staff, to look after technology and process-based risk a physical security group, which is managed by the head of facilities management and human resources, which explores risk management from a personnel perspective. Internal audits are also conducted to consider risk from a financial viewpoint and are controlled by the chief financial officer.
"They work together closely as a peer group to deal with risk, but because we are a global business that operates in 44 locations, they also share best practice between geographical areas as different threats emerge in different ways in different places," says Robson, who in effect acts as a chief security officer.
Get the executives on board
This close collaboration between all parts of the business and IT is crucial to success, as is buy-in from senior management and having well-defined risk owners.
"There is no point setting off on a mission with an evangelical glint in your eye if no one is there with you. So you have got to get buy-in from the top down," Robson says. "It cannot be optional, and you cannot say 'we will manage risk until we do not feel like it any more or until it is too hard'. You have to have momentum behind it, and it has to be an ongoing process."
Such a process takes time, however, because it involves raising consciousness, education and constant monitoring to ensure that a risk management culture is embedded into the organisation. And this culture will be different for every company, as each has its own individual risk profile and risk appetite.
Gillespie says, "Some organisations are very conservative, while others take lots of risks as a way to make lots of money. So the business has to know how much risk it is prepared to accept and in what areas, and whether that fits its risk profile. This differs enormously from business to business, but it is often overlooked."
Getting it wrong can mean spending time and money on purchasing security products and tweaking security processes that are simply not worth the investment.
"Auditors assess organisations against known best practice and say 'you are not doing this and that'. But if you have done a risk assessment and managed that risk, you can say 'it does not matter to us, so we are not going to do anything about it unless it is laid down as a mandatory requirement'.
"It is about finding out what needs to be protected and balancing that against cost, rather than doing things just for the sake of it," says Gillespie.