Special feature: Don't risk it – how technology can help manage risk

One of the major concerns in risk management is that the
very concept of risk varies wildly from person to person and from organisation
to organisation. A business leader in a comfortable boardroom at head office may
have a very different view on business risk to a middle-manager in a regional
office. So it’s important to remember that a lot of risk management comes down
to cultural and behavioural issues and while these issues are difficult to
address with technology alone, it does have a role to play.

Industry analyst Gartner points out that organisations need to ensure they
are equipped with the necessary business intelligence tools to enable business
users to make more informed decisions. In fact, it has identified five critical
risk-related roles: IT risk management; information security; privacy;
compliance; and business continuity (or disaster recovery) management.

In Gartner’s view, an ‘IT risk manager’ has overarching responsibility for
the coordination and execution of IT and related risk management strategies
across the enterprise. This includes promoting common IT and related risk
practices throughout the enterprise and synchronising enterprise technology
efforts.

The IT risk management role will continue to mature as enterprise culture
shifts and processes are formalised. The role of risk manager is moving out of
the IT organisations in terms of reporting relationships, but remains a critical
link between the IT organisation and the business.

Cultural change
Research released by the Information Security Forum (ISF) in 2008 agrees that
the role of information security professionals is currently in flux, with
pressure to evolve coming from within the profession itself, the changing nature
of business, increased regulation and shifts in cultures and behaviours.

ISF notes that information security professionals are becoming less
technically focused and are instead assuming the role of business partners,
adding value and shaping business strategy and processes. This isn’t just a
re-labelling of job function; it’s more a change of skillset in the way security
professionals communicate with their businesses and measure performance.

In the past, it has typically been the case that by the time risk information
has filtered up to the board level, it is either old news or it’s been
over-summarised to the point where it is of little practical use. So an
information risk professional has to show the business how technology can
deliver timely and accurate information on risk so the board can make those
decisions effectively.

A rise in the importance of IT governance, risk management and compliance,
often referred to as GRC, reflects the recognition that the strategic value of
IT is not just in the technology itself, but in how it is applied and managed
most effectively. The sheer volume of compliance and regulatory requirements is
fast outstripping the ability of many organisations to update their technology.
As a result, businesses are looking at technologies that allow them to do a
rapid assessment and get an overall business view to find gaps in their
compliance requirements. But it is extremely difficult to comply with the
various regulations and legislation worldwide, so businesses are using
technology to help them make informed decisions and take a risk-based approach
to compliance.

Research firm Aberdeen Group shows the de facto order for IT GRC has been,
first compliance, then IT governance, then risk management. According to Derek
Brink, Aberdeen’s research director in IT security, these mature attitudes
towards risk management mean that best-in-class organisations are more likely to
have adopted a continuous improvement approach to their IT initiatives,
underscoring their commitment to managing IT as a strategic asset. Using
technology, successful firms have a risk management strategy that is more likely
centralised and primarily automated, with initiatives that are risk-based,
event-driven and featuring automated workflows for incident response. In
contrast, industry laggards are more likely to be using manually intensive
controls and procedures.

This approach is consistent with the general crawl, walk, run pattern
commonly seen in technology adoption and the point is not to be good at the
process of compliance, or governance, or risk management for its own sake, but
to harness IT more effectively in support of achieving business objectives and
managing financial, strategic and operational risks. As a result, Aberdeen says
it expects risk management and compliance initiatives to continue to grow in
relevance as a direct result of their ability to apply and manage technology
more effectively and so maximise its strategic value to the organisation.

The bottom line is that technology can help a business manage risk and spot
hidden dangers. However, although IT managers are becoming more adept at using
technology to help manage risk, without the right processes, the best IT systems
in the world cannot help if cultural attitudes to risk have not been addressed.