The concept of risk management throws up a significantly higher number of connotations for some chief information officers (CIOs) than others.
For Martin Joy, CIO at specialist consultancy Control Risks, the threat of losing valuable data to hackers and fraudsters sits incongruously alongside the danger of losing human lives in far-flung trouble spots around the world, including Afghanistan and Iraq.
“It’s a dangerous world out there and whether the threats are real or perceived, people are worrying, so we will go in and help them out,” he says. “It is a growing market space; you only have to read the newspapers and watch the news to understand the kind of challenges that are out there today.”
Control Risks looks to do exactly what it says on the tin in more or less every part of commercial life and protects its clients’ business interests with firewalls, penetration tests, staff background checks and heavily armed security guards in Baghdad’s Green Zone.
For a company with a wide range of blue-chip multinational clients, the all-encompassing approach is one of necessity. However, a holistic strategy for contemporary commercial risk management is increasingly crucial for everyone, says Jay Heiser, research vice president at analyst Gartner.
“One significant recent trend is the recognition that there are a lot of issues that actually fall within risk management and that generic risk management techniques can be and should be appropriately applied to a large number of things that have previously been managed in silos,” he says.
“The traditional approach has been to get as big a budget as possible and not worry about anything else confronting the enterprise. The holistic approach to risk management takes the specialist risk people out of the competitive realm and makes them part of the team.”
Heiser is also a keen advocate of joined-up working for better risk management, but believes risk is all about the age-old theme of how well technology and business leaders understand the demands of the other side.
“The word alignment has been overused, but in risk management I really don’t think the practitioners have understood what it’s like to be aligned with the business,” he says.
A common question from CIOs for Gartner, says Heiser, is how much other organisations are spending on security - and his reaction is always the same. “You need to go back to the business and find out how much confidentiality, integrity and availability it needs,” he says.
Heiser invariably gets the same response: IT leaders cannot obtain specific requirements because the business itself is unclear about what level of risk it will accept. Responsibility for the confusion ultimately rests with business leadership.
“The business is taking it for granted that IT is going to solve any risk-related issue without knowing the business context,” he says. “Technology teams don’t know what is valuable to the business, what is most important and the level of effort to compromise such processes. IT workers have to help the business, but it is up to the business to say how much security it wants.”
A recent survey of IT companies suggests confusion is rife, even among technically-minded organisations that might be expected to know better. The Chartered Management Institute and Cabinet Office research found that just 39 per cent of IT companies have business continuity plans (BCPs) in place. Such firms trail behind public sector organisations, where 62 per cent are ready with BCPs, and the 55 per cent of listed companies claiming to be well prepared.
The findings led Bruce Mann, director of civil contingencies at the Cabinet Office, to suggest that too many organisations do not have effective business continuity arrangements in place. And research suggests the key driver in pressuring organisations to take BCPs seriously is corporate governance, a factor that has certainly tightened disaster recovery plans at delivery specialist NYK Logistics UK.
Myron Hrycyk, the company’s CIO, points to the IT Infrastructure Library (ITIL) service management standard, and the 2002 US legislation the Sarbanes-Oxley (SOX) Act, as examples of discipline-imposing process management strategies. Named after the Congressmen who pushed the law through in the wake of major US accounting scandals, SOX is a rigorous (some might say daunting) means of regulating financial practice and corporate governance.
Hrycyk has seen enough of the processes to know how much work is involved, having been audited by US-based client companies directly covered by the legislation and having used a SOX-based system employed by NYK’s Japanese parent company.
“It is a very time consuming task, involving going through key processes, such as introducing change or analysing the financial investments in IT systems. But to be honest, I actually welcome the changes because what you end up with is a far more secure set of processes than you would have had at the beginning,” he says.
“What you get out of the approach is an enormous amount of material that allows you to tighten up on your processes of risk management, business change or procurement. It’s good ammunition for the IT department to say ‘we need to invest in this process’, so it is a good thing.”
NYK’s UK operation is also a determined user of ITIL for managing its IT infrastructure, an ongoing process that Hrycyk claims has brought welcome benefits to the way the company deploys change, slashing the risks associated with introducing new systems and processes into the organisation.
“If you are running a £400m business where you are supporting business-to-business (B2B) customers, you have to be very good at managing risk when introducing new upgrades and processes,” he says.
“You have to mitigate against the risk of change, the risk of failure in the architecture; that’s been quite a focus for me. We’ve taken a common sense approach by saying that ITIL’s processes and procedures are a great framework for us to deploy, offering a protocol for running IT.
“From this we have produced a change advisory board, which supports risk management by ensuring which questions are asked before you allow a new piece of software to go live. So, we can understand that if a change goes through, are we putting it in at the right stage of the business cycle? Do we have a back-up plan if we fail; do we have people on call if we have problems and has it been fully tested?”
Such deep-seated thinking about risk management is not just evident in the commercial world. The public sector’s relatively advanced grasp of risk management is in evidence at Essex County Council, where the authority has a keen sense of the mission-critical data that the organisation could not do without in the event of a catastrophe.
Joachim Adenusi, head of risk at the council and a member of the Institute for Risk Management’s board of directors, says his organisation has carried out exercises looking at what would happen if a key building became unavailable. “Basically, what do we need to do to keep our business going and how valuable certain information would be to us,” he says. Such an approach helps determine the organisation’s most crucial resources.
“For example, we have lots of software and we wanted to be able to prioritise which is the most critical, which we cannot do without and which is not as valuable in terms of exposure and the quality of information,” says Adenusi. “We have been able to score and assess the value of our information, so we can plan and manage the exposure of the information to damage.”
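The scoring Adenusi describes, and the confidentiality, integrity and availability requirements Heiser says the business must supply, fit together as a simple asset-prioritisation exercise. The Python below is an added illustration, not code from the article, from Essex County Council or from Gartner; the three-level impact scale, the recovery tiers, the asset inventory and the `PLAN_COVERS` set are all constructed assumptions, chosen to show how stated business needs turn into a ranked list and a gap check against the continuity plan.

```python
from dataclasses import dataclass

# Impact levels as the business states them (constructed scale for this example).
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: str   # harm if disclosed
    integrity: str         # harm if corrupted
    availability: str      # harm if unavailable
    max_outage_hours: int  # longest outage the business says it can tolerate

    def __post_init__(self):
        # Reject ratings outside the agreed scale rather than silently scoring them.
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")


def criticality(asset: Asset) -> int:
    """Sum of the three impact levels, from 3 (all low) to 9 (all high)."""
    return (IMPACT[asset.confidentiality]
            + IMPACT[asset.integrity]
            + IMPACT[asset.availability])


def recovery_tier(asset: Asset) -> int:
    """Recovery tier from the tolerable outage: 1 = must be restored within hours."""
    if asset.max_outage_hours <= 4:
        return 1
    if asset.max_outage_hours <= 48:
        return 2
    return 3


def rank_assets(assets):
    """Most critical first; ties go to the asset the business can least live without."""
    return sorted(assets, key=lambda a: (-criticality(a), a.max_outage_hours, a.name))


def plan_gaps(assets, covered):
    """Tier-1 assets the continuity plan does not name: the gaps to close first."""
    return [a.name for a in rank_assets(assets)
            if recovery_tier(a) == 1 and a.name not in covered]


# Constructed inventory for a council-style organisation (hypothetical, not real data).
INVENTORY = [
    Asset("payroll", "high", "high", "medium", 48),
    Asset("public website", "low", "medium", "high", 4),
    Asset("emergency contact list", "low", "high", "high", 1),
    Asset("archived reports", "medium", "low", "low", 168),
]

# Systems the (constructed) emergency plan currently covers.
PLAN_COVERS = {"payroll", "emergency contact list"}


if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a.name:<24} score={criticality(a)} tier={recovery_tier(a)}")
    print("tier-1 assets missing from plan:", plan_gaps(INVENTORY, PLAN_COVERS))
```

The point of separating `criticality` from `recovery_tier` is that they answer different questions: the first ranks what matters most overall, the second says how fast each system must come back. An asset can score modestly yet still be tier 1 because the business cannot tolerate losing it for more than a few hours, which is exactly the kind of system a plan written around the highest-scoring assets alone will miss.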
Essex’s IT systems are afforded the backup of separate data centres, and for Adenusi, the council’s statutory status imposes a legal discipline which makes contingency planning vital.
“As part of our council responsibilities we contribute to the Civil Contingencies Act, so we have an emergency plan in place for disasters. For example, this includes a business contingency plan in case there is a flood in Essex,” he says. “We have an emergency planning team that will respond to the plan, as well as having emergency backup facilities and evacuation procedures in place.”
The UK may not offer the eye-watering security threats familiar to businesses operating in Kabul or Baghdad. But the terror attacks on London in 2005, and the floods that swept England last year, serve as powerful reminders of the threats all businesses might have to confront if disaster came their way.
Keeping such experiences to the fore might be the best way for the majority of organisations to accept that the unthinkable can occur.
For more on risk management, visit: http://managingrisk.computing.co.uk