
Risk management for dummies

By Linda Tucci, Senior News Writer
19 Sep 2005 | SearchCIO.com

BOSTON -- The threats are endless, the money to protect against them is not and the technology is changing as fast as the threats. Can there be a more painful job than selling the company on risk management? David Nolan, senior vice president at Forsythe Solutions Group Inc., has some advice for CIOs: Wise up, and stop acting so smart.

"IT goes to the boss and says the company has this big problem and [it] needs $1 million to fix it. The problem with that is that it's not your problem. It's their problem," Nolan said. "By telling them what to do, you sound like you're selling them, as opposed to helping them solve the problem. Last time I checked, executives want to tell you what to do, not the other way around."

Nolan offered the advice, along with some best practices on risk management, in a focus session at this week's SIMposium 2005, a leadership conference that drew some 600 IT leaders. Forsythe Solutions is a subsidiary of Forsythe Technology Inc., a Skokie, Ill.-based information technology consulting company.

The message resonated for Joe Wolke, the former head of Chicago-based Aon Corp.'s global business continuity program office. "This validated a lot of stuff that we ended up putting in place. We had a lot of various plans that went nowhere. Why? In some cases, IT would say, 'To do this right it's gonna cost $10 million' and it stopped. In other instances, the business said it's an IT issue, and that's all," Wolke said. His office formally combined disaster recovery with the business side, having a business analyst right in the office.

Defining risk management begins with an inventory of the company's vulnerabilities, Nolan said. Not an easy task, given that most IT infrastructures were built ad hoc and are putting on weight by the day. "You guys were minding your business and now you're responsible for the phone network, too."

Nolan said to think of risk management in terms of five pieces: disaster recovery, business continuity, confidentiality, accountability and data integrity.

Forsythe then advises CIOs to come up with a concise way to translate business and regulatory requirements into technology decisions. A simple method Forsythe uses is to spell out six key elements: content security, host security, application security, identity management, network security and security information management -- or CHAINS.

Once the vulnerabilities are identified, IT puts them on the table "like the 600-pound elephant and says what you want to do about them?" Nolan said. IT should avoid the mistake of suggesting the solution too soon. First, get company executives to agree there is a problem; only when they ask to see their options should IT lay out the solution, he said.

Nolan suggests creating a tier of service levels, A, B and C, and spelling out how each service level addresses the risk and what it will cost, so that the solution is directly linked to corporate policy.

"At the end of the day there are three answers. The company can accept the risk, assign the risk or mitigate it. If they choose to do nothing, they sign here and accept the risk, that's fine. You may choose to leave the firm because you can't live with that decision, but at the end of the day it's the decision of the executive officers," Nolan said.

Pat Skarulis, CIO at Memorial Sloan-Kettering Cancer Center in New York, found Forsythe's CHAINS approach of categorizing threats useful.

"I thought that was particularly helpful," she said, and agreed that negotiating risk management requires some finesse. "As IT people, we are so used to being analysts and problem solvers. I thought he made a good point about having business take the ownership position."

Getting her bosses to agree that risk management is a big issue is perhaps not as difficult as in other businesses.

"All of the decisions that hospitals and medical centers make are really life and death decisions. So I think business is attuned to accepting and understanding risk, on a day-to-day basis," Skarulis said.

This article originally appeared on our sister site SearchCIO.com.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy