Collaborative Comprehensive Information Technology Risk Management
By John Schaefer, Director of Risk Management, Lam Research
Risk management can be defined in many ways, but most definitions include the following elements:
1. Risk Identification: What can go wrong that interferes with the company’s objectives?
2. Risk Assessment: How likely is it that a specific negative event will happen, what is the speed of onset and how severe will the consequences be when it happens?
3. Risk Reduction: What activities can be performed to reduce the level of risk and to pay for the residual risk?
4. Risk Monitoring: What risk indicators should be used to determine if the threat is increasing or decreasing?
These steps must be performed to not only keep information secure, but also to ensure the availability of key systems. These are largely defensive measures. However, IT can also be used to address risks faced elsewhere in the company including internal performance and meeting strategic objectives. This multi-layered approach is shown below.
As the circle expands, so does the need to include other groups within the risk management process. Much, but not all, of the core circle of information security can be addressed within an IT department. The CIO is often the guardian of key information since most of this is digitalized, travels across a company network and is stored in servers managed by IT. These risks are usually controlled through a combination of tools, processes and policies coordinated through IT.
System availability is also generally led from within IT, but keeping the systems running may also require assistance from groups like physical security to keep the data center secure, and Legal to ensure that third-party providers have adequate contractual, systematic and policy protections in place. In both of the above situations, IT also needs to work with business units to identify and prioritize data and systems and to identify other vulnerabilities that come from outside of IT. For example, to reduce vulnerability to data loss from a third party, IT needs to work with Procurement and Legal to implement contractual and information security measures to ensure that key data is secure.
If a business partner has access to key data or networks, the partner must also be monitored and corrective actions need to be implemented through the team that is managing the vendor’s overall performance.
In addition to managing security and availability risks, CIOs can use IT risk management to improve operational efficiency and scalability and to exploit strategic opportunities. As just one example of improved efficiency, the use of cloud providers has enabled many companies to reduce the cost of providing information technology throughout the company in much the way that enterprise requirements planning systems streamlined operations years ago.
As “big data”, artificial intelligence, mobile capabilities, virtual and enhanced reality, and the internet of things continue to expand, CIOs must also determine how to incorporate these capabilities into their company. In some cases, these potentially disruptive technologies create fundamental challenges to an industry or company, but they also provide large opportunities to provide new products and services to existing customers. To be a strategic partner in these discussions, the CIO must have the trust of business leaders throughout the company. Having the CIO involved in these discussions is very important because they understand not only the technologies, but also the related risks.
Many companies have already started down the path of comprehensive, collaborative information technology risk management. Some factors contributing to the success of this approach include:
1. Organization: The higher in the organization CIOs report, the more likely they are to focus on strategic risks and to have the influence to drive comprehensive risk reduction.
2. Tone-at-the-top: Regardless of reporting structure, the message that the CEO sends about managing all risks will strongly affect the success of a risk management program. Accountability is also emphasized and clear decision processes are in place.
3. Governance: Broad participation in steering committees can inform CIOs of business risks and can facilitate reduction of the threat.
4. Cross-functional teams: Topic-specific cross-functional teams can be formed to address areas such as privacy compliance, reduction of insider threats, management of third-party data sharing and use of cloud service providers.
5. Employee training: The more people that are aware of potential issues, and the benefits of risk reduction, the more successful the program will be.
A comprehensive, collaborative approach to managing the risks of information technology is the best way to ensure that companies can meet their objectives with the lowest practical potential for costly disruptive events.