CATALYST
The combination of the increasing business dependence on IT and the increasing types of risk to which IT is exposed results in the need for organisations to take a holistic approach to managing IT risk. While the majority of IT Risk Management activities fall within the IT sphere, a satisfactory IT Risk Management regime can only show long-term benefits if it is matched to business expectations and the organisation’s attitudes to risk taking. It is therefore necessary for business sponsors to understand the issues and accommodate the appropriate level of investment.
ANALYSIS
Introduction
Organisations vary in the immediacy of their vulnerability to IT failures. Some start losing money the moment that a critical system becomes unavailable while others may be able to carry on with a near-normal operation for a considerable time. However, ultimately any substantial business is dependent on IT services. This means that any business should be able to determine the costs (both direct and indirect) of the different types of IT failure, and to plan an appropriate, cost-effective response to IT risks. The types of failure that need to be considered have become much more complex since the almost universal adoption of distributed systems, direct Business-to-Business (B2B) and Business-to-Customer (B2C) transactions, remote and mobile access, and portable storage media. They include transient or long-term loss of access to applications, the corruption or destruction of information, the potential for information to fall into the wrong hands, and the failure of vital systems belonging to partners or suppliers. Each of these has multiple potential causes, and therefore multiple potential solutions. For these reasons it has become increasingly urgent for organisations to adopt a holistic strategy towards IT Risk Management instead of attempting to patch each leak as it is discovered.
Business Issues
Much of the business focus of IT Risk Management is driven by the high-profile, twin drivers of business continuity and compliance. Both of these have been raised in profile by recent events. The escalation of both natural and man-made disasters has inevitably raised the issue of the ability of an organisation to continue functioning should a catastrophe make its IT services unavailable for a prolonged period of time. At the same time there have been well-publicised, serious consequences of failure to comply with legal regulations concerning the responsible management of information and acceptable trading practice rules. These have hammered home the message that business executives need to take personal responsibility for the conduct of key IT processes.
While these two examples have been at the centre of attention for business executives, it should be clear that these simply represent the opposite ends of the risk spectrum, with a wide range of other risk types having less extreme but nevertheless serious consequences to the business if left unmanaged. The business needs to understand that there are real, quantifiable costs associated with different types of IT risk, and that it is therefore possible to create a justifiable case for introducing cost-effective risk mitigation activities. The only way to understand the true cost to the business is to recognise the role that IT plays in high-level business processes, and to understand the value of those processes to the organisation and the manner in which costs escalate when they are not functioning. On a positive note, it is also possible to use the investment in IT Risk Management as a genuine benefit in becoming a preferred supplier or partner. A properly executed risk management initiative based on a set of approved standards will raise the level of confidence of outside organisations or individuals in trading with the business, knowing that its continuity of supply is assured and the security of sensitive commercial details is guaranteed.
Technology Issues
Right from the beginning, IT departments have had to deal with various forms of risk, but tended to respond on a case-by-case basis. It used to be good enough to fix points of risk exposure as they became obvious by the implementation of point-solution technologies. That approach fails to scale out to provide an effective solution to the complex set of risk exposures faced by modern IT. Risk management technologies should not be seen as the primary weapon to combat IT risks. Rather, the front-line defence for most risks will be the establishment of appropriate policies and responsibilities, and the creation of processes that ensure the appropriate use and management of IT resources. The technologies simply enable the automation of tasks within those processes. However, because of the scale and complexity of the risk management problem, any organisation that has a dependency on IT will need to invest in appropriate technologies.
When considering any particular aspect of IT risk the most cost-effective solution will be to deploy a relatively simple product that addresses just the risk in question. However, it is becoming increasingly apparent that this approach is far from optimal when considering the whole breadth of IT activities and risks. Overall, it is far more cost-effective to deploy an integrated suite of risk management technologies that address multiple aspects and collaborate through a central repository to ensure that the subsequent impact of a failure on different parts of the environment does not come as a surprise, but can be managed proactively.
It should be stressed, however, that in order to make a business case for investment in a broad-ranging suite of risk management technologies, the organisation will need to adopt a structure with appropriate roles with global risk management responsibilities, where individuals with the relevant level of authority can see the ‘big picture’ across the whole spectrum of potential IT risks.
Market Issues
The market is still absorbing the need for comprehensive suites of risk management technologies. Vendors competing in the ‘GRC’ technology market originate from several distinct markets. There is a small number of IT GRC specialist vendors, plus vendors that stem from financial or enterprise GRC. There is a set of vendors that have their roots in IT systems management or security management, and there is another set of vendors whose roots are in Enterprise Architecture tooling. It is likely that considerable consolidation will take place as the GRC market matures. The current likelihood is that the large systems management and security management suite vendors will have the financial strength to acquire leading niche vendors, both to strengthen the existing product line and to swell the user base (thus increasing maintenance revenue to fund further development). As is often the way with nascent markets, the primary focus for vendors is the set of large enterprises with the biggest problems and the biggest budgets for fixing them. This does tend to leave Small to Medium-sized Enterprises (SMEs) struggling to find cost-effective solutions. Therefore, at the present time these SMEs have the alternative of deploying point-solution products to address the most serious concerns, or of outsourcing the problem to a managed services provider.
Conclusions
An IT Risk Management initiative should ideally be a subset of, or stem from, a broader enterprise risk governance process. It should be sponsored at the highest level of the organisation where a holistic view of risks, costs, and benefits can be taken without being constrained by the budgets of individual business units. Organisations should review their current capabilities with respect to risk management and understand how these map onto actual requirements before committing to expensive and large-scale changes.
Risks should be quantified in terms of the cost to the business, and this requires recognition of the role that IT plays within high-level business processes. Many different IT roles will have a risk management element, and it is important that each individual understands not only his/her direct risk management responsibilities, but also the interactions with other roles in the hierarchy of the risk management organisation. Ultimately, every individual in the enterprise has some level of responsibility in risk containment, and this should be expressed through business policies and processes, and communicated through ongoing staff education. GRC technologies will play an increasingly important role in IT Risk Management, but they will only be used at their most cost-effective potential when deployed within well-conceived, constantly-reviewed, and consistently-enforced processes.