February 2008
Increased threat of cybercrime, computer failures shutting down stock exchange trading, computer performance degradation impacting productivity and sales, and heavy fines imposed due to lack of regulatory compliance... Sounds scary? In an interview with Gulf Business, Jeff Ogden, Director Consulting - MENA, Symantec Global Services, provides an overview of where risks lie in a company.

Do businesses in the region understand the growing issue of 'risk,' especially in their IT usage, where users, new technologies and the spread of sensitive data combine to create an environment in which risk is rife?
We find that many organisations have a good understanding - and programme - for managing risk in a specific area such as 'security' or 'disaster recovery,' but that they are not thinking about and assessing IT risk holistically.

Companies have struggled partly because IT risk management is a newly emerging field, where the traditional models of risk management do not always cleanly apply. Typically, businesses have only a vague understanding of the impact of the loss of information assets or access to their businesses. For example, the ability to transfer risk is a fundamental concept in financial risks; however, since liquid markets do not yet exist for buying and selling IT risks, companies must build the internal competence to manage these risks on their own.

In the Gulf region, businesses are approaching IT risk with people first, tools second and processes third. This is partially understandable as consultation leads to the use of tools to measure risk and identify critical risk points, from which processes can be developed to manage that risk.

Could you please briefly talk about the various components of IT risk and how they can impact an organisation's performance?
While securing IT infrastructure is an important part of IT risk management, it represents only one aspect of IT risk management. IT risk falls into four main categories that all need to be monitored, managed and mitigated - security, availability, performance and compliance.

Security risk is that information is altered or used by non-authorised people. According to Symantec's INFORM Customer Survey Data, 62 per cent of organisations expect a regulatory breach and major information loss in the next five years. Protection is required against unauthorised access, alteration, or use of information; data leakage; data privacy; fraud; identity theft; financial theft; and damage to reputation, brand, and assets.

It includes combating broad external threats - i.e., viruses and spyware - and targeted attacks to specific applications, specific users, specific information, and specific systems that a business relies on every day.

Availability risk is that information is not accessible, such as after a system failure. High availability reduces the risk of customer abandonment and lost sales; reduced customer, partner, and employee confidence; and reduced employee productivity resulting from downtime of business-critical systems and processes. It means ensuring business continuity by keeping systems up and available.

It includes the need to mitigate the risk of application failure, data loss, and data corruption. In cases of a disaster, it requires being able to rapidly recover business processes or data that have become inaccessible in the timeframe needed by the business. Symantec's INFORM Customer Survey Data reveals that 66 per cent of organisations perceive high/critical operational risk in finance and administration.

Performance risk is that information is not provided when it is needed. Accommodate volume and performance requirements for access to business critical processes - even during peak times - to ensure the highest levels of user productivity, and client and customer loyalty, as well as to prevent lost sales and reduced client satisfaction due to prolonged or unsatisfactory access times. Twenty-four per cent of IT staff time is devoted to addressing business application performance delays.

And finally, compliance - risk that the management or usage of information violates regulatory or other dictated requirements. Sixty-one per cent of organisations are not highly effective at governance, compliance and continuous improvement. 

What are some of the ways in which businesses should assess and address their level of exposure to risk?
It is essential to understand the risks in terms of the probability of an event that would trigger the risk, and in terms of the likely business impact should such risk occur. Knowing these two parameters allows the decision-maker to plot the values on a simple two-dimensional graph and to assign mitigation/remediation priorities to different applications. Moreover, a policy to deal with different and/or multiple categories of risks can be defined and applied effectively and consistently throughout the enterprise.

Businesses find expenditure in this area hard to justify, and there is often denial that risks exist or that their impact can be effectively measured. While challenges are real, quantifying the business impact gets to the core issue of being able to manage the risk equation.

We have found that, often, trying to quantify IT risks down to lots of financial detail can be a waste of time since it is impossible to achieve this in many cases. But very often, a mitigation of risk can produce cost reductions and improved efficiencies.
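The two-parameter approach described in this answer (probability and business impact plotted on a two-dimensional graph, with priorities derived from the position) as an added, runnable example; this is not code from the interview or from Symantec. The 1-5 scales, the quadrant thresholds, the priority labels and the sample register entries are all assumptions made for illustration, and the category names follow the four IT risk categories discussed earlier in the interview.

```python
# Assumed 1-5 ordinal scales for both parameters; thresholds at 3 split the
# probability/impact graph into four quadrants, each mapped to a priority.
from dataclasses import dataclass

CATEGORIES = ("security", "availability", "performance", "compliance")

@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError("probability and impact must be in 1..5")

def priority(risk: Risk) -> str:
    """Quadrant on the probability/impact graph -> mitigation/remediation priority."""
    high_p, high_i = risk.probability >= 3, risk.impact >= 3
    if high_p and high_i:
        return "mitigate now"
    if high_i:
        return "plan remediation"   # unlikely but damaging: recovery planning
    if high_p:
        return "reduce likelihood"  # frequent but cheap: fix the root cause
    return "accept and monitor"

def register(risks):
    """Risks ordered by exposure (probability x impact), highest first; stable sort."""
    return sorted(risks, key=lambda r: r.probability * r.impact, reverse=True)

def exposure_by_category(risks):
    """Total exposure per category, so one policy can be applied per category."""
    totals = {c: 0 for c in CATEGORIES}
    for r in risks:
        totals[r.category] += r.probability * r.impact
    return totals

# Constructed sample register; names and scores are illustrative only.
SAMPLE = [
    Risk("data leakage via unmanaged endpoints", "security", 4, 5),
    Risk("trading platform outage", "availability", 2, 5),
    Risk("slow order entry at peak hours", "performance", 4, 2),
    Risk("missed regulatory filing", "compliance", 2, 2),
]
```

Printing `register(SAMPLE)` with `priority(r)` beside each entry gives the ordered list a decision-maker would read off the graph.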

Is IT risk management the sole responsibility of the CIO? What percentage of companies in the region do you believe have a Chief Risk Officer in their management portfolio?
Interestingly, many successful IT risk programmes do not fall purely under the CIO's remit. Many programmes either have a solid or a dotted line to the Operational Risk Officer (Business Risk) in an organisation. We do not believe that there is a 'correct' reporting line for an IT risk programme - it will depend on the organisation in question.

Symantec believes that the role of 'Chief IT Risk Officer' will emerge in the coming 24 months. A very small percentage of companies have this role in place today. IT risk management is often viewed just as an insurance policy against something bad happening to the organisation.

While its primary concern often focuses on protecting an organisation from events and incidents that can have a negative impact on business, an effective IT risk management programme has the inherent ability to have a positive impact on an organisation's bottom line.

What are some of the risks involved in outsourcing and what particular functions would you advise local and regional companies not to outsource?
Clearly, most risks that evolve from outsourcing are to do with the loss of control of IT direction, strategy and standards. This often leads to an increased gap between business requirement and IT services (particularly in fast-moving, innovative companies). As part of Symantec's approach to IT risk assessment, we always look at an organisation's third-party relationships (including outsourcers, sub-contractors and 'hosters').

We would not normally advise companies to outsource any IT service that is to remain a 'core competency' within the business. Interestingly, many of our IT risk customers are outsourcers. They too should be managing IT risk comprehensively and holistically in order to protect their assets and the customer's confidentiality and reputation.

What is the best way in which CIOs can handle compliance and risk?
Compliance and risk cannot be effectively managed in isolation of the company's total risk effort. An IT risk management programme facilitates an organisation's ability to understand the different types of risks that can affect its business, as well as prioritise those risks and effectively manage them in a holistic and comprehensive manner.

Such a programme provides the necessary vehicle to bring together the proper stakeholders from the different levels of the enterprise's IT and business operations to enable the proper alignment of IT and business needs in regard to IT risk management and the overall operational effectiveness of the IT organisation.

As a growing number of organisations task their CIOs to create an IT risk management programme, questions often arise: 'What should the programme look like?' 'What and who does it involve?' 'What does it do?' and 'What should be its primary concerns?'
In answer to these questions, organisations need to examine the following six areas as they model or create their own IT risk management programmes: culture, governance, control areas and policies, programme office, IT risk register, and project management.

How does risk manifest itself in a typical business environment?
Some industry experts say that organisations' heavy and growing reliance on IT has led to many companies having IT account for more than 50 per cent of their total capital expenditures. In some industries, such as financial services and online retail, virtually the entire business may be transacted using IT systems and networks.

As enterprises increase their dependence on IT for effective business operations, they also need to increase their awareness of the risks inherent to their entire IT and business ecosystem.

International headlines expose many of the risks that plague enterprise IT: increased and more concerted cybercrime threats, computer failures shutting down stock exchange trading, computer performance degradation impacting productivity and sales, and heavy fines imposed due to lack of regulatory compliance.

While the business side of an enterprise might not care about the intricacies of the technology that drives its business, it needs to understand that unmanaged risks can have and do have a direct and significantly negative impact on business.

Every business has a different culture and a different attitude with regard to IT risk. In some industries such as banking, risk plays an integral role in day-to-day operations. Banks profit by addressing financial risk in a very structured, methodical, and systematic manner, relying heavily on mathematical models. On the other hand, other industries are very risk averse and endeavour simply to 'remove' as much risk as possible from their business.

Some organisations might be heavily concerned with regulatory compliance, while for others it might be barely a worry. A majority of organisations might cite business continuity as critical to their livelihood, but each will likely have a different tolerance for business disruptions or differing views on how long systems can be inaccessible before they have a significant impact on business.

© Gulf Business 2008