Special feature: Don't risk it – how technology can help manage risk

Increasing regulatory and compliance burdens afford IT a more strategic role in risk management, rather than simply being a last roll of the dice.

13 Sep 2009

By Robert Jaques

One of the major concerns in risk management is that the very concept of risk varies wildly from person to person and from organisation to organisation. A business leader in a comfortable boardroom at head office may have a very different view of business risk from a middle manager in a regional office. So it's important to remember that a lot of risk management comes down to cultural and behavioural issues, and while these issues are difficult to address with technology alone, technology does have a role to play.

Industry analyst Gartner points out that organisations need to ensure they are equipped with the necessary business intelligence tools to enable business users to make more informed decisions. In fact, it has identified five critical risk-related roles: IT risk management; information security; privacy; compliance; and business continuity (or disaster recovery) management.

In Gartner’s view, an ‘IT risk manager’ has overarching responsibility for the coordination and execution of IT and related risk management strategies across the enterprise. This includes promoting common IT and related risk practices throughout the enterprise and synchronising enterprise technology efforts.

The IT risk management role will continue to mature as enterprise culture shifts and processes are formalised. In terms of reporting relationships, the role of risk manager is moving out of the IT organisation, but it remains a critical link between the IT organisation and the business.

Cultural change
Research released by the Information Security Forum (ISF) in 2008 agrees that the role of information security professionals is currently in flux, with pressure to evolve coming from within the profession itself, the changing nature of business, increased regulation and shifts in cultures and behaviours.

ISF notes that information security professionals are becoming less technically focused and are instead assuming the role of business partners, adding value and shaping business strategy and processes. This isn’t just a re-labelling of job function; it’s more a change of skillset in the way security professionals communicate with their businesses and measure performance.

In the past, it has typically been the case that by the time risk information has filtered up to the board level, it is either old news or it’s been over-summarised to the point where it is of little practical use. So an information risk professional has to show the business how technology can deliver timely and accurate information on risk so the board can make those decisions effectively.

A rise in the importance of IT governance, risk management and compliance, often referred to as GRC, reflects the recognition that the strategic value of IT is not just in the technology itself, but in how it is applied and managed most effectively. The sheer volume of compliance and regulatory requirements is fast outstripping the ability of many organisations to update their technology. As a result, businesses are looking at technologies that allow them to do a rapid assessment and get an overall business view to find gaps in their compliance requirements. But it is extremely difficult to comply with the various regulations and legislation worldwide, so businesses are using technology to help them make informed decisions and take a risk-based approach to compliance.

Research firm Aberdeen Group shows the de facto order for IT GRC has been, first compliance, then IT governance, then risk management. According to Derek Brink, Aberdeen’s research director in IT security, these mature attitudes towards risk management mean that best-in-class organisations are more likely to have adopted a continuous improvement approach to their IT initiatives, underscoring their commitment to managing IT as a strategic asset. Using technology, successful firms have a risk management strategy that is more likely centralised and primarily automated, with initiatives that are risk-based, event-driven and featuring automated workflows for incident response. In contrast, industry laggards are more likely to be using manually intensive controls and procedures.

This approach is consistent with the general crawl, walk, run pattern commonly seen in technology adoption. The point is not to be good at the process of compliance, or governance, or risk management for its own sake, but to harness IT more effectively in support of achieving business objectives and managing financial, strategic and operational risks. As a result, Aberdeen says it expects risk management and compliance initiatives to continue to grow in relevance, as a direct result of the ability of organisations that pursue them to apply and manage technology more effectively and so maximise its strategic value.

The bottom line is that technology can help a business manage risk and spot hidden dangers. However, although IT managers are becoming more adept at using technology to help manage risk, without the right processes, the best IT systems in the world cannot help if cultural attitudes to risk have not been addressed.
