In this month’s column, Gary Lawrence, country manager of CA, looks at the management of risk in an increasingly uncertain world.
The author Robert Levine once said that in life, the only certainty is uncertainty. That is particularly relevant in today’s market, where a shadow of uncertainty has been cast across the globe.
Various regulatory and legislative demands have elevated risk management, compliance and security solutions to business-critical status. Faced with a myriad of risks and uncertainties, the IT manager has had to become familiar with a new lexicon – and the management of a new set of complexities.
In this month’s column, we look at the role of technology in managing risk through the protection of an organisation’s assets, compliance and service continuity.
While regulations have made governance top-of-mind, they are not the only factor driving the need for improved risk management. Increased dependence on technology has resulted in increased operational risk – and the need to manage that risk.
What is driving this? There are a number of factors. First, there is a growing realisation of the interdependencies among the various risk areas within a business, such as applications, operations and security. Second, we have seen a worldwide move to regulations governing corporate behaviour in the financial and privacy arenas, and the acceptance of frameworks such as COBIT for documenting controls. Lastly, risk has evolved beyond corporate financial risk to enterprise-wide operational risk.
Developing a risk management strategy
Enterprise risk management needs to be tackled as a business issue, not just as an information security concern. Technology professionals need to focus on three areas when they develop a strategy for managing risk:
* Protection of assets: This includes controlling who has access to your organisation’s corporate assets, systems and information; ensuring that security goals are mapped to business objectives; and, very importantly, viewing corporate information as an asset.
* Compliance: Aspects to consider here include security compliance, software licence compliance, proper disposal of equipment and ensuring that information handling meets the compliance requirements that apply to the business, such as SOX and Basel II.
* Service continuity: Identify business units’ data continuity requirements, know who or what is impacted by a service or performance problem and ensure that disaster recovery plans can meet business needs.
Simply put, the aforementioned approach helps organisations to manage risk by controlling access, protecting information and assets and managing operational integrity and continuity.
A disconnected view of risk management no longer works. Organisations need to manage risk across the business in a manner that demonstrates tangible business value. This requires understanding all potential risks, even after controls are put in place, and monitoring and managing their impact.
Businesses therefore need to define their IT requirements in business terms and focus on continuously delivering core services, decreasing the costs associated with downtime of critical business processes, creating a sustainable compliance programme through the automation of internal information security controls, and reducing the risk of a major security event that can destroy corporate reputation and brand value.
The challenging economic environment sets the scene for next month’s column, where we look at the bottom line – how to do more with less, as well as insights and best practices to deliver greater value for your organisation.