Risk Management, a Real World Tool, Goes Beyond Simple Security
June 23, 2008
A common disconnect between finance and IT stems from a different understanding of what risk is.
IT has a tendency to view risk through the prism of security—managing controls and compliance through checklists and best practices. From the finance side, however, true risk management deals with uncertainty around outcomes–looking at potential consequences in business terms and weighing those against potential reward.
While information security standards and guidelines are a good thing, they can be very easily misused and abused. They encourage cookie-cutter thinking and miss the bigger point – no two industries are the same. No two companies within an industry are the same. No two geographies within a company are the same. No two data centers within a company geography are the same. No two services running on hardware in the same data center are the same.
And guess what? Depending on the time of the year, the needs of your customers and other factors, the same business process may have different needs on different days!
There are libraries of control checklists from numerous standards organizations that provide great common practice guidance around how to secure information assets. As new vulnerabilities are discovered, new patches and workarounds are circulated and proactively communicated through a huge number of alerting services. But there are always too many vulnerabilities to remediate and too many controls to implement across the typical enterprise. As a result, critical deficiencies may go unmanaged.
The IT security professional needs to be able to assess risk exposure—the likelihood of an event multiplied by the magnitude of the impact—in order to focus energy where it does the most good (in other words, focus on the few elephants rather than the multitude of mice).
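The following is an added worked example, not code from the original article or from OpenPages. It applies the definition above (exposure = likelihood × impact) to a constructed risk register and shows how a handful of high-impact items dominate the total even when they are outnumbered by low-severity findings. Every asset name, likelihood (expected events per year) and impact figure (loss per event) is an assumption chosen for illustration; the 80% cutoff used to pick the "elephants" is likewise an assumed policy value, not one the article states.

```python
"""Ranking a risk register by exposure (added example, not from the article).

Exposure is computed exactly as the article defines it: likelihood of an
event multiplied by the magnitude of its impact.  All figures below are
constructed for illustration and are not taken from the original page.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float   # expected occurrences per year (assumed figure)
    impact: float       # loss per occurrence, in dollars (assumed figure)

    @property
    def exposure(self) -> float:
        """Annualised exposure: likelihood multiplied by impact."""
        return self.likelihood * self.impact


# Constructed register: four high-impact "elephants" plus forty
# low-impact "mice".  None of these entries come from the article.
REGISTER = [
    Risk("customer DB exposed via unpatched app server", 0.10, 2_000_000),
    Risk("payroll system outage during month-end close", 0.25, 400_000),
    Risk("laptop theft with unencrypted disk", 2.00, 30_000),
    Risk("phishing leads to fraudulent wire transfer", 0.20, 250_000),
] + [
    # Forty low-severity scanner findings (verbose errors, banners, etc.)
    Risk(f"low-severity finding #{i}", 1.00, 500) for i in range(1, 41)
]


def rank_by_exposure(register):
    """Return the register sorted from highest to lowest exposure."""
    return sorted(register, key=lambda r: r.exposure, reverse=True)


def total_exposure(register):
    """Sum of annualised exposure across the whole register."""
    return sum(r.exposure for r in register)


def elephants(register, share=0.8):
    """Smallest set of top-ranked risks whose combined exposure reaches
    `share` of the register total.  The cutoff is an assumed policy value;
    these are the items where remediation effort does the most good."""
    target = share * total_exposure(register)
    chosen, running = [], 0.0
    for r in rank_by_exposure(register):
        chosen.append(r)
        running += r.exposure
        if running >= target:
            break
    return chosen


if __name__ == "__main__":
    total = total_exposure(REGISTER)
    print(f"{len(REGISTER)} risks, total annual exposure ${total:,.0f}")
    for r in elephants(REGISTER):
        print(f"  {r.exposure:>10,.0f}  {r.name}")
    mice = [r for r in REGISTER if r.name.startswith("low-severity")]
    print(f"{len(mice)} low-severity findings together: "
          f"${total_exposure(mice):,.0f} ({total_exposure(mice) / total:.1%})")
```

On this constructed register, three of the forty-four items account for more than 80% of total exposure, while the forty low-severity findings together contribute under 5%. The same ranking can be recomputed whenever likelihood or impact figures change, which is what the article means by exposures shifting from day to day.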
Risk management is a business decision revolving around how much risk a business is willing to tolerate in order to meet its business objectives. That decision involves evaluating what the organization wants to accomplish and assessing the potential impact of outcomes. (Listen to The Maturing of GRC for more background.)
A risk manager's primary concern is to help protect the firm's continued business success by preparing for unexpected and unfavorable events and outcomes. The risk manager focuses on identifying and measuring risks to the business and figuring out how to mitigate them, such as by transferring risk to other entities via insurance, reducing the potential through controls, avoiding it by exiting a too-risky business area, or establishing capital reserves to ensure a risk event will be covered.
A risk management system provides the framework within which managers can explicitly consider how the organization’s risk exposures are changing, determine the amount of risk they are willing to accept, and ensure that they have the appropriate risk mitigation and controls in place to limit risk to targeted levels.
Over the past 40 years or so, information technology has migrated away from being a pure cost-center into a central function critical to the successful execution of corporate strategic objectives. Yet information technology managers and business managers still often find themselves at odds with each other.
For years, IT has talked about aligning to the needs of the business. It's still a challenge. The fact of the matter is, it's tough getting C-level executives to prioritize business objectives and processes amongst their own agendas and siloed operations, much less as a deliverable for IT.
Bridging this gap requires greater transparency, more collaboration and a shared understanding regarding the impact of risk on the organization. Achieving this meeting of the minds requires agreement on a taxonomy, or common language, that both business managers and IT can relate to, and a framework for risk management across the organization.
Software can automate the process of identifying, measuring and monitoring operational risk. An enterprise risk management system can integrate all risk data in a risk analysis – risk and control self assessments, loss events and key risk indicators (KRIs) – into a single solution. Risk management software aims to integrate document and process management with a monitoring and decision support system that enables organizations to analyze, manage and mitigate risk in a simple and efficient manner.
There are some truly brilliant people managing information security and doing amazing things with limited budgets. Risk management systems can help information security professionals make better decisions faster, helping practitioners do more with less. Risk management is a great tool to help information security practitioners work more efficiently and ensure they're working in sync with colleagues on the financial side of the house.
About Gordon Burnes: As Vice President, Sales and Marketing, Gordon M. Burnes is responsible for leading the company’s sales, marketing and partnership efforts to help drive OpenPages’ revenue growth. Burnes brings to OpenPages seventeen years of experience working with high growth companies. Burnes comes to OpenPages from McNamee Lawrence, a boutique investment bank focused on the information technology sector, where he provided strategic financial advisory services to mid-market software companies.
Homepage icon courtesy of Sim Wong.
Comments
One Response to “Risk Management, a Real World Tool, Goes Beyond Simple Security”
[...] a tremendous number of less exciting topics would push their way front and center. Such issues as governance, risk and compliance (GRC), time sheet management, business reporting and other topics all have gotten their share of [...]