Five Steps to Get from Current to Best-Practice IT Risk Management

By Greg Hughes

As individuals, corporations, and our economy grow increasingly dependent on the Internet and IT systems, the risks in these systems become far more visible and significant. Breaches or failures of information systems cause serious business crises: reputation damage caused by identity theft, business losses stemming from system failures, and regulatory restrictions arising from compliance issues. Recent news has prominently covered many major stories of information technology risk, including phishing scams, theft of personally identifiable data records, identity theft, stolen backup tapes, litigation resulting from improper preservation and production of electronic records, and intellectual property breaches.
The rate of recovery from these events is a contributing factor in the severity of the business crises. A recent study by Oxford Executive Research found that companies that recovered quickly from major operational disasters increased their share price by five percent on average versus the market. Companies that struggled to regain their operations took a 20 percent drop in relative value. From this research, it appears that investors factor a company's resilience to adversity into its stock price.

It is clear to see why corporate executives in boardrooms around the world want answers to the IT risk question: How do we dramatically mitigate the risk of, and improve the return on, investments in information systems?

The answer to these questions lies in treating information technology risk within the integrated framework of business risk management. IT risks need to be identified, measured and managed as part of a single view of all risks in the corporation, with oversight by senior management to understand and guide the appropriate risk/reward tradeoffs to achieve the goal of increasing return on IT investments. The name for this approach to managing and balancing information risk and reward is IT risk management.

The Reality of IT Risk Management
Most companies have a poor awareness of their IT risk exposure, aren't fully exploiting the breadth of tools to manage these risks, and haven't begun to systematically build the knowledge and processes to manage IT risks.

Companies have struggled partly because IT risk management is a newly emerging field, where the traditional models of risk management do not always cleanly apply. Typically, businesses have only a vague understanding of the impact of the loss of information assets or access to their applications. For example, the ability to transfer risk is a fundamental concept in financial risks; however, since liquid markets do not yet exist for buying and selling IT risks, companies must build the internal competence to manage these risks on their own.

Another example of the difference is that IT risks are more challenging to quantify. In IT, the kind of well-developed statistical or actuarial models that assess financial risk and give it a reasonable level of precision do not yet exist. However, "roughly right" approaches based on heuristics and experience still yield accurate, valuable and usable measures of IT risk.

Going from current to best-practice IT risk assurance could yield substantial improvements to shareholder value.

In order to lead this transformation to best-practice IT risk assurance, business leaders should:
1. Develop an awareness of the nature of the different IT risks to the business;
2. Determine the quantified impact to their business resulting from the loss of information or access to applications;
3. Understand the range of tools available to manage IT risks;
4. Align the costs of IT risk management to the business value;
5. Build a systematic, corporate capability to manage security risk.

Developing an awareness of IT risks
Information technology risks either concern the potential loss of information and its recovery, or they concern the ongoing usage of information. They fall into the following six major categories.

Security: Risk that information is altered or used by non-authorized people. Example causes: Computer crimes, internal breaches, and cyberterrorism.
Availability: Risk that information is not accessible, such as after a system failure. Example causes: Configuration changes, lack of redundancy in architectures, human errors.
Recoverability: Risk that needed information cannot be recovered in sufficient time after a security or availability incident. Example causes: Hardware and/or software failures, external threats, and natural disasters.
Performance: Risk that information is not provided when it is needed. Example causes: Distributed architectures, peak demand, heterogeneity in the IT landscape.
Scalability: Risk that major new sources of demand for information (new applications, new businesses) cannot be handled cost-effectively. Example causes: Business growth, provisioning bottlenecks, siloed architectures.
Compliance: Risk that the management or usage of information violates regulatory requirements. Example causes: Government regulations, corporate governance guidelines, internal policy.

Understanding the quantified impact to the business
It is essential to understand the risks in terms of the probability of an event that would trigger the risk, and in terms of the time value of the exposure should such risk occur. Further, the risks need to be quantified for each critical business application. Knowing these two parameters allows the decision maker to plot the values on a simple two-dimensional graph and to assign mitigation/remediation priorities to different applications. Moreover, a policy to deal with different and/or multiple categories of risks can be defined and applied effectively and consistently throughout the enterprise.

Looking more broadly across multiple categories of risk, and correlating risks across these categories, will better quantify the business impact. For example, an exploited security vulnerability may contribute to a recoverability risk. An application performance issue that prevents data access may provide an opening for a security risk or result in a compliance risk. The business impact may be direct or indirect, including financial, legal, customer loss and operational dependencies. Each of these may, in turn, have downstream implications.

Businesses find diligence in this area hard to justify, and there is often denial that risks exist or that their impact can be effectively measured. While challenges are real, quantifying the business impact gets to the core issue of being able to manage the risk equation.

Understanding IT risk management approaches
IT risks have different root causes and thus different approaches are required to manage and mitigate them. Broadly speaking, these approaches require a combination of process, people, technology and information.

First, processes for running data center and IT operations are going through a similar period of rapid evolution, as the best-run IT organizations are moving from a haphazard, job-shop model to a more rigorously designed, executed, and measured systematic approach. IT Infrastructure Library (ITIL), International Organization for Standardization (ISO), and other standards are emerging to describe best-of-breed IT operational processes.

Second, companies are paying more attention to the way they employ their people in the battle to reduce risk. Companies are experimenting with a wide range of techniques, including awareness-building, identity- or role-specific authority, new divisions of labor, new roles and specialists, and enhancing risk mitigation capabilities at all levels.

Third, new software is emerging from vendors who are responding to the demand for improved IT risk management. Rapid advances have created an arsenal of software in such areas as long-distance replication, clustering, content, intrusion and phishing detection, data protection and backup, vulnerability assessment and policy management. Importantly, these tools are being integrated to offer workflow-driven solutions designed to follow customized processes and regulatory requirements. Event-driven automation is increasingly taking the place of onerous manual analysis and remediation.

Fourth, information sources are available that provide insight into emerging as well as known threats and vulnerabilities, which can be assessed against a company's internal security environment (e.g., security risks, virus signatures and databases, operating system patches and configurations) to identify exposures and develop mitigation plans. Considering the speed with which new attacks propagate across networks, such early-warning intelligence is essential to proactive and successful defense.

Align the costs of IT risk management to business value
Investments in process, people, technology and information are required to mitigate risks. However, since IT budgets are constrained (and feeling continued downward pressure), leading companies need to make sure they're not over-investing or under-investing in risk management. How do companies manage their IT risk management investments effectively and efficiently?

Utility computing has emerged over the past few years as the most promising approach to align the costs of IT to the business value. In utility computing, the role of IT with respect to the business evolves from a cost center to a service center. As it evolves under the utility computing approach, the IT organization masters four primary activities:

1. Providing IT as a collection of well-defined services, developed and managed by a service management group that interfaces with the business
2. Exposing these services to the business through service level agreements and charge-backs to the business
3. Building and maintaining a shared, heterogeneous infrastructure to improve capital utilization and reduce costs, rather than building custom systems for each business application
4. Running IT operations in an automated fashion to increase labor efficiency and reduce costs

A number of leading companies are first applying the utility computing concept by building storage utilities. The storage utility provides data storage for business application usage through different service classes, for example:
Platinum: storage service with very high performance, availability, recoverability and security
Gold: storage service with moderate performance, availability, recoverability and security
Bronze: storage service with low performance, availability, recoverability and security

The costs of these different storage services are exposed to the business (Platinum is typically 10 times more costly than Bronze service), aligning the risk requirements of the business and overall usage to the spending on IT.

Mastering the activities of utility computing is a journey for IT organizations. The first step they take is to discover the IT assets, for example servers and storage, and ideally tie these assets to critical business processes. Second, they redesign and consolidate the environment to gain efficiencies in administrator productivity and resource utilization. Third, they standardize, classifying applications and agreeing upon specific vendors for storage and server hardware, while managing the environment through a standard set of software tools. Fourth, they automate, driving down the time and labor required to request, provision and manage the environment. And, fifth, they move to a true service provider model by equating service level delivery with costs, allocating or charging back those costs to the business units.

Building an institutional capability to control IT risk
Leading corporations are building an institutional capability to understand, act on and control IT risks with the same level of scrutiny and urgency as financial risks. Using insight from a variety of sources they develop a risk heat map showing the potential impact and likelihood of the six IT risks on their lines of business, core business processes or major applications. Then, they create a prioritized program to remediate these risks and deploy the tools of software, people, process improvements and information. Finally, they control the risks by continuous measurement and improvement. In these corporations, IT risk management is fundamentally affecting IT governance and risk governance approaches.
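As an added illustration of the two-parameter quantification described under "Understanding the quantified impact to the business" and of the risk heat map mentioned above (example code written for this page, not from the article or from Symantec): each application gets, per risk category, a probability and a time value of exposure; applications are ranked by probability-weighted loss; each estimate is placed in a likelihood/impact heat map with assumed cut-offs; and a security or availability incident is allowed to feed a recoverability risk, which is my modelling assumption, not the article's. All application names, numbers and thresholds are constructed.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEstimate:
    probability: float     # chance the triggering event occurs in a year (0..1)
    exposure_hours: float  # how long the information or application is lost
    loss_per_hour: float   # business value lost per hour of that exposure

def impact(est):
    # Time value of the exposure: duration times cost per unit of time.
    return est.exposure_hours * est.loss_per_hour

def expected_loss(est):
    # Probability-weighted impact, the value used to rank applications.
    return est.probability * impact(est)

def combined_probability(*probs):
    # Chance that at least one of several independent triggers fires (my assumption,
    # not the article's: a security or availability incident can set off a recovery).
    return 1.0 - math.prod(1.0 - p for p in probs)

def heat_cell(est, p_cut=0.25, i_cut=250_000.0):
    # Place one estimate in a 2x2 likelihood/impact heat map (cut-offs are assumed).
    likely, severe = est.probability >= p_cut, impact(est) >= i_cut
    if likely and severe:
        return "remediate now"
    return "mitigate" if likely or severe else "monitor"

def prioritize(apps):
    # Rank applications by total expected loss and name the dominant category.
    ranked = []
    for name, ests in apps.items():
        total = sum(expected_loss(e) for e in ests.values())
        worst = max(ests, key=lambda c: expected_loss(ests[c]))
        ranked.append((name, round(total), worst))
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed, illustrative inputs for two hypothetical applications; order-entry's
# recoverability event fires on its own causes (0.05) or on either incident above it.
APPS = {
    "order-entry": {
        "security":       RiskEstimate(0.10, 24, 20_000),
        "availability":   RiskEstimate(0.40, 4, 20_000),
        "recoverability": RiskEstimate(combined_probability(0.10, 0.40, 0.05), 48, 20_000),
    },
    "hr-portal": {
        "security":     RiskEstimate(0.10, 24, 2_000),
        "availability": RiskEstimate(0.30, 10, 2_000),
    },
}
```

With these inputs the recoverability risk, once it inherits the security and availability triggers, dominates order-entry's expected loss and lands in the "remediate now" cell, while the same security estimate on the low-value hr-portal only warrants monitoring.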

As companies build IT risk management into an institutional capability, the questions most are trying to address include:
Whether, and how, our IT strategy needs to evolve or change to maintain an acceptable risk posture?
Should we have new or expanding leadership roles to address IT risk, such as an IT Risk Manager?
How do we create reporting and management systems to monitor performance?
Must we create a governance board to oversee and approve IT risk decisions?
How do we educate our IT staff, and build skills for cultural awareness and understanding of risk throughout the employee base?
What steps should we take to make our planning and testing processes more rigorous and to make our systems impenetrable?

Improving IT risk management should be on the agenda of nearly every senior executive of a large corporation. Those executives who are aware of their IT risks, understand the tools to manage these risks, and build the institutional capability to control them should be in a fundamentally better position to improve the risk and return of information investments.

Greg Hughes is senior vice president of global services and support, managing Symantec's consulting, education, and technical support operations.