The Importance of Mitigating IT Risk

RFG believes the need for IT risk management significantly increases as operational processes and technology infrastructure become more complicated and disparate. Regulatory requirements and the escalating importance of IT to the business mandate that IT executives work with line of business (LOB) and executive managers to adopt a formalized set of reproducible, scalable compliance management technologies and techniques. IT executives should identify areas where IT risk exists, prioritize exposure points to appropriately address susceptibility, and construct and enforce automated processes, policies, and procedures to support ongoing compliance assurance and mitigate risks.

Business Imperatives:

  • Enterprises face ongoing exposures to risk in the forms of application, electronic records retention, event, platform, procedure, and security exposures. However, many IT executives lack sufficient knowledge and data about their vulnerabilities and potential losses from failure. Continuously evolving legislative and regulatory requirements, increasing business reliance on data, and regional and global uncertainty dictate that corporations regularly appraise the solidity of business, operational, and technical capabilities to support these requirements and mitigate risk. IT executives should work with executive, internal audit, LOB, and their own teams to assess where exposures exist, establish mitigation requirements and governance procedures, gauge the importance of critical infrastructure components, and judge potential outage costs.
  • Once business, operational, and technology infrastructure exposures are scoped, key executive, internal audit, IT, and LOB members should discuss findings to determine how to appropriately allocate energies and funds to mitigate exposures. Findings should be documented, mitigation plans constructed, and progress reviewed quarterly to ensure efforts are on target and monies are properly disbursed on an ongoing basis. IT executives should articulate and require that proper compliance practices and procedures are adhered to without exception, and that centralized oversight is enacted to confirm conformity and full compliance with established requirements.
  • For the most part, work efforts are decentralized and dispersed among a myriad of business partners, contractors, and employees. This complex business model, coupled with the need for centralized oversight, demands automated oversight processes; otherwise, the company will find itself in non-compliance, as manual processes may miss key red flags and expose the company to undue risks. IT executives should align compliance methodologies and software with existing applications, business processes, configuration management, development, operations procedures, and security tools, and consider purchasing risk insurance to further reduce exposures.

The role of IT is to support existing business and drive new business by allowing enterprises to capitalize on the information stored within their systems. The ability to effectively transact business based on electronic data requires that access be given only to properly authenticated parties, as well as data integrity, proper availability, and protection from unauthorized viewing and tampering. Unfortunately, risks always exist and humans are imperfect, and most enterprises lack the proper procedures and technology to ensure that risks to data, infrastructure, network, software, and system fault tolerance, failover, and integrity are sufficiently mitigated.

According to a 2001 survey conducted by Fortera, Inc., a risk management company, almost 84 percent of respondents agreed that IT risk management was needed due to experiences with failed, late, and/or poorly budgeted projects. Further, 90 percent of companies concurred that having services contracts [and procedures] that ensured accountability and protected enterprise interest was of moderate to high value. Unfortunately, the answers to questions deeper into the survey demonstrated that the contingency budgeting and processes in place are lacking. A more comprehensive study conducted by The National Computing Centre Ltd. earlier this year produced similar results.

Risk comes in many forms, each of which should be understood in its business context to estimate the cost of an extended outage. Critical IT risk factors include increasing business dependence on IT, complex and diverse technologies, geographic dispersal of people and systems, and insufficient and disparate authentication, intrusion detection, and other security measures. Moreover, swelling business requirements are forcing IT departments to find ways to eliminate business constraints with automation, increase availability, and integrate processes and technologies across the enterprise and with key business partners. External factors include evolving legislation, event risk (including acts of God, hostile employees, and utility outages), and threats of viral attack and hacking.

Exposure points should be reviewed from an end-to-end business perspective, procedurally, and technically. IT executives should work with executive, internal audit, and LOB management teams to assess the business exposure of key application, data, and infrastructure components, and the potential costs of failures, in order to determine where recovery efforts are best placed. This risk assessment exercise should concentrate on taking full inventory of and identifying the critical characteristics of applications, business processes, databases, networks, and systems. For example, when looking at event risks, executive and business units should scope failure costs based on several potential outage periods (e.g., 5 minutes, 30 minutes, 1 hour, 1 day, 1 week), occurrence likelihoods, and times of day, as conclusions will change based on these variations.

Business risk, organizational risk, and technology risk collectively comprise the entirety of IT risk, and should be understood individually and at intersection points to properly mitigate exposure. The differences, effects, and methods required for reducing risk in each of these areas should be understood and employed by IT executives as they review individual points of failure and the interplay between systems and processes. Figure 1 details IT risk types and characteristics.

Figure 1: IT Risk Types and Characteristics
Business Risk: Business risk exists when processes and systems are unable to meet the desired business requirements for cost reductions, governance, productivity gains, and revenue generation. Business risk can be mitigated through proper modeling and risk detection prior to and throughout deployment.

Organizational Risk: Organizational risk occurs when users are unable or unwilling to use processes and systems appropriately or in full accordance with the requirements. Organizational risk is mitigated through effective communication with key stakeholders and users about the process and system merits and governance tools, and through the development of automated governance tools that capture, monitor, and report deviations from the norm.

Technology Risk: Technical risk exists when systems are not properly protected from attack, when systems cannot obtain the desired results, when rollout timelines are missed, and when obsolescence or aging prevents full recovery of stored information. Technical risk is mitigated through the use of enforcement, integrated technologies, security best practices, and technology refreshment. Piloting new technologies prior to widespread deployment to validate assumptions and ensure requirements can be attained also mitigates technical risk.

Source: Robert Frances Group

Mitigating IT risk requires a strong compliance program that embraces communication, empowerment, enforcement, monitoring, policies and procedures, prevention, and oversight. The United States Sentencing Commission (USSC) originally established these seven elements as federal sentencing guidelines; however, they are equally applicable to compliance management. Additional information can be found at http://www.ussc.gov/2002guid/8a1_2.htm. To properly align, integrate, manage, and monitor governance, IT executives will require consolidated automation tools to ensure compliance and reliability. Figure 2 provides insight into the seven elements of effective compliance.

Figure 2: Elements of Compliance
Authority Delegation: Responsibilities for compliance should be delegated throughout the organization, and business and IT members empowered to ensure enforcement. While responsibility can be delegated, the ultimate authority cannot be. Policies and procedures must be in place to deal immediately with violations caused by acts of commission or omission.

Communication: Communication includes the understanding of the importance of compliance and of the methodologies used to govern it. Proper communication techniques should include the dissemination of requirements, policies and procedures, and reporting parameters. Regular meetings should occur at the executive, implementation, and compliance assurance levels, and inter-group communication should occur quarterly and as needed to validate efforts and remind people that these activities are being monitored. Electronic communication audit records should be retained to assist in defensible policy enforcement.

Consistent Enforcement: Policies and procedures should be meticulously mapped to compliance enforcement for collaborative efforts with business partners, daily operations, ongoing development efforts, and risk mitigation. Thus, automated technologies need to be adopted to flag problems as they arise, present suggested resolutions, alert appropriate management to adherence failures, and handle the exception process. As a matter of rule, all constituents must comply with stated policy, since in an integrated and elastic enterprise the effects of non-compliance reach far beyond a single area.

Future Prevention: The enterprise may be unable to effectively integrate all risk mitigation techniques from the outset, and may need to change policies and procedures to accommodate new exposures, threats, and legislation as they arise. IT executives should develop an exception process that incorporates feedback and correction procedures to review where policies fail in implementation, and to evaluate where and whether changes are appropriate. Furthermore, internal audit, IT, legal, LOB, and other key executives should routinely discuss evolving challenges to determine the best-fit solutions.

Monitoring and Reporting: Initial IT risk mitigation efforts will focus on building a hierarchy of criticality to determine which exposures should be addressed and in what order. Ownership of project initiatives needs to be properly delegated and reporting accomplished to ensure parties stay in communication and aware of ongoing challenges and progress. Further, centralized reporting and administration that can see across enterprise systems and provide both a dashboard and a fine-grained view will be required.

Oversight: IT, internal audit, LOB, and other key executives will ultimately be responsible for the success or failure of the compliance program, and will require proper oversight to monitor risk reduction progress and standards adherence. Over time, risk mitigation may uncover new business opportunities or ways to work with other market players to reduce costs.

Policies and Procedures: Compliance policies and procedures should be established to properly mitigate IT risk, disseminated throughout the organization, and stored in a central repository. Updates should be circulated monthly and reflected immediately in the repository. As risk mitigation proceeds, technologies should be integrated into systems and processes updated to ensure compliance.

Source: Robert Frances Group

Clear, consistent, and regular communication of the aforementioned compliance strategy will help ensure governance goals are reached. Since operations and technology will require their own adjustments as they are aligned with the business, and affected personnel will need time to conform, IT executives need to balance the demands of the Sarbanes-Oxley Act of 2002 with being patient with users and fine-tuning methodologies as appropriate. As changes may be significant in many cases, IT executives will need to establish training programs to assist in the transition. Additionally, employee responsibilities and job descriptions may need to adapt to support compliance efforts, and IT executives should work with other key executives to establish incentives for implementation speed and compliance.

RFG believes IT executives should work with other executives to construct and adopt improved risk mitigation policies, procedures, strategies, and technologies. The ensuing governance strategy should be implemented universally throughout the enterprise and employed by business partners to ensure consistency in implementation and compliance. IT executives should set up an audit review committee consisting of internal audit, IT, and LOB stakeholders to ensure appropriate exposure levels and to adapt to changes in market forces and business requirements. The more users become familiar with the new policies, procedures, and requirements through constant two-way communication, the greater the likelihood that they will conform to the legislative and regulatory requirements, thereby mitigating the risks.

RFG analyst Adam Braunstein wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Braunstein.

Copyright © 2003 IDG Communications, Inc.