Professional workshop: Managing your way out of risk
- Article 24 of 33
- SC Magazine, January 2011
No organisation can prevent every possible incursion, so risk management is becoming the de facto way to protect an organisation's data. Rob Buckley takes you through the strategy and tactics of an approach used even in ancient Rome
As well as auditing the systems, Beale, his team and the IT directors looked at several key areas. “System access in any company is going to be a critical risk, but data privacy – particularly personal data – is also key. It is important that it is kept secure in a legally compliant way.”
Because of the existing compliance regime, the company already had a good grasp of what assets it owned. However, the move to a risk management approach across the organisation required three metrics to be created. “I put some framework around risk to help management teams when discussing and debating risks,” explains Beale. “If you're trying to judge risk, frequency and impact are important.” For frequency, managers could look at questions such as whether something had occurred that year or whether it was likely to occur in the next two years. For impact, he provided guidance on the different kinds of possible impact, such as how it would affect a subsidiary's ability to hit annual targets or the resources required to fix an incident if it occurred. He would break these down into ranges to make it easier for managers to gauge the severity and to compare them across businesses.
Ensuring that risk management reporting worked consistently across all the operating companies and divisions was also something Beale worked hard to achieve. “If one team reviewed an area and gauged it on a scale from one to five and another did the same, you had to ask each team, ‘Is one good on your scale? What does five mean?’ If two threats are reported red, green and orange, what does orange actually mean in both cases? If you're reporting to the same management, you need to be consistent about which is good and which is bad, to get a sensible view of risk across the business.”
With risks ranked and prioritised, the operating companies could then mitigate them. Beale's team of auditors not only made sure they understood how the risks were being identified, but that the right risks were identified. They also monitored the operating companies to ensure that what they said was happening was actually happening and that the controls being put in place were adequate.
To ensure that risk assessment and management remained as priorities, Beale got managers to include updating of risk portfolios in the bi-annual planning cycle. “That way they weren't considering just the economic external environment, their goals and how they were going to achieve them, but also the risks the company would be open to while trying to achieve those goals.” Having support, right down to his CFO “visibly reading material” about risk, also helped considerably.
Initially, the companies used simple Word documents to analyse and compare risk. However, that didn't allow the companies to do ‘What if…?’ analysis of the data and the risks. So Beale invested in risk management software from Flexeye that would allow them to analyse risk and map it over time. “We needed something that would be as easy to use for the key personnel in subsidiaries as filling in Word documents: if it was more complicated in the early stages, we felt they wouldn't do it.” Once adopted, the software also allowed the managers in subsidiaries to look across at their peers and, if there was a common risk, see what others were doing to mitigate it.
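The scoring framework described above (frequency and impact broken into ranges, one red/amber/green meaning shared by every team, and the later peer comparison and ‘What if…?’ re-scoring) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Inchcape's framework or Flexeye's software. The band boundaries, the 1..3 and 1..10 team scales, the subsidiary names and the risks in the register are all constructed for illustration; the article only says that ranges and a consistent scale were used, not what they were.

```python
"""Illustrative risk-register scoring: frequency x impact on a common scale.

Added example, not code from the article, Inchcape or Flexeye. All band
boundaries and sample data below are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional


def frequency_band(occurred_this_year: bool, p_next_two_years: float) -> int:
    """1 (rare) .. 5 (frequent), from the two questions managers were asked:
    did it happen this year, and how likely is it in the next two years.
    Thresholds are assumptions."""
    if not 0.0 <= p_next_two_years <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if occurred_this_year:
        return 5 if p_next_two_years >= 0.5 else 4
    if p_next_two_years >= 0.5:
        return 3
    if p_next_two_years >= 0.1:
        return 2
    return 1


def impact_band(target_shortfall_pct: float, fix_cost: float) -> int:
    """1 (negligible) .. 5 (severe), from the hit to a subsidiary's annual
    target (percentage shortfall) and the cost of fixing the incident.
    The worse of the two drives the band. Thresholds are assumptions."""
    by_target = 1 + sum(target_shortfall_pct >= t for t in (1, 5, 10, 25))
    by_cost = 1 + sum(fix_cost >= c for c in (1e4, 1e5, 1e6, 1e7))
    return max(by_target, by_cost)


def rating_for(score: int) -> str:
    """One red/amber/green definition shared by every team (score = freq * impact)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


def to_common_scale(value: int, scale_max: int, high_is_bad: bool) -> int:
    """Normalise a team's own 1..scale_max value onto the common 1..5 scale
    where 5 is always worst, flipping teams for whom 1 meant 'bad'."""
    if scale_max < 2:
        raise ValueError("a scale needs at least two points")
    if not 1 <= value <= scale_max:
        raise ValueError(f"{value} is outside 1..{scale_max}")
    if not high_is_bad:
        value = scale_max + 1 - value
    return 1 + round((value - 1) * 4 / (scale_max - 1))


@dataclass(frozen=True)
class Risk:
    subsidiary: str
    name: str
    frequency: int            # common 1..5 scale, 5 = most frequent
    impact: int               # common 1..5 scale, 5 = most severe
    mitigation: Optional[str] = None

    @property
    def score(self) -> int:
        return self.frequency * self.impact

    @property
    def rating(self) -> str:
        return rating_for(self.score)


def build_register() -> List[Risk]:
    """Constructed sample data: three subsidiaries reporting on different scales."""
    return [
        Risk("UK", "Privileged access not reviewed",
             frequency_band(True, 0.7), impact_band(8.0, 250_000),
             "Quarterly access recertification"),
        Risk("UK", "Customer PII exported to spreadsheets",
             frequency_band(False, 0.6), impact_band(2.0, 1_500_000),
             "DLP on email gateway"),
        # Asia reports on a 1..3 scale where 1 is the worst outcome.
        Risk("Asia", "Customer PII exported to spreadsheets",
             to_common_scale(2, 3, high_is_bad=False),
             to_common_scale(1, 3, high_is_bad=False)),
        # Europe reports on a 1..10 scale where 10 is worst.
        Risk("Europe", "Privileged access not reviewed",
             to_common_scale(6, 10, high_is_bad=True),
             to_common_scale(7, 10, high_is_bad=True)),
    ]


def rank(register: List[Risk]) -> List[Risk]:
    """Highest score first, so one threshold orders every subsidiary's risks."""
    return sorted(register, key=lambda r: (-r.score, r.subsidiary, r.name))


def peers_with_risk(register: List[Risk], name: str, subsidiary: str) -> List[Risk]:
    """What other subsidiaries are doing about a risk this one also carries."""
    return [r for r in register if r.name == name and r.subsidiary != subsidiary]


def what_if(risk: Risk, frequency: Optional[int] = None,
            impact: Optional[int] = None) -> Risk:
    """Re-score a risk with a proposed control applied."""
    return Risk(risk.subsidiary, risk.name,
                risk.frequency if frequency is None else frequency,
                risk.impact if impact is None else impact,
                risk.mitigation)


if __name__ == "__main__":
    register = build_register()
    for r in rank(register):
        print(f"{r.rating:5} {r.score:2} {r.subsidiary:6} {r.name}")
    asia = register[2]
    for peer in peers_with_risk(register, asia.name, asia.subsidiary):
        print(f"{peer.subsidiary} mitigates with: {peer.mitigation}")
    print("after a DLP control, Asia's PII risk would be:", what_if(asia, frequency=1).rating)
```

The point of `to_common_scale` is the one Beale makes: Asia's "2 out of 3, where 1 is bad" and Europe's "6 out of 10, where 10 is bad" both become a 3 on the shared scale before anyone compares them, and `rating_for` is the single place where "red" is defined. Normalising at entry time, rather than asking each team what their colours mean at review time, is what lets the ranking and the peer lookup be trusted across businesses.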
After adopting a risk management strategy, Inchcape still faced incidents, but, says Beale, the strategy meant “people could see why we had the strategies and processes in place that we did”.
Viewpoints: Critical knowledge
While risk management might at first seem like just another approach to IT security management, it is increasingly being seen as a vital skill on an information security professional's CV. Chris Petch of the Information Security Forum (ISF) says that “if you search for risk management in a job database, it pops up more than it used to”, but Brian Barnier, principal at ValueBridge Advisors and a member of the Risk IT development team at the Information Systems Audit and Control Association (ISACA), says that knowledge of risk management is now “critical for anyone who seeks to advance in a role in management. ISACA, COBIT, the Office of Government Commerce, British Standards and ISO all embrace the principles of risk management and how to reduce the likelihood of incidents. It would be difficult to get promoted without a risk management background now.”
The reason for the increase in interest in risk management is an appreciation that no business can be truly secure. “If I want zero risk, I have to shut down life and stay in the house,” says Barnier. “If I shut down business by locking the door, can I actually operate?” Only by embracing risks – such as allowing partners to access specific IT resources – can businesses achieve higher returns. Equally, says Barnier, “if you want to be the one giving direction, you need to be able to determine people's priorities – you need to be able to do more than just firewall rules and encryption.”
The compliance approach, says Petch, is more a box-checking exercise. “You may have ticked all the boxes, but have you missed something? And typically it's horrendously expensive. Risk management reduces the magnitude, frequency and impact of incidents.”
