Managing risk in the information age

GITEX 2007 promises to be one of the most dynamic in its 26-year history. Arabian Business examines what the companies exhibiting at the show have to offer hungry business customers.

By Administrator. Published September 6, 2007

Breaches or failures of information systems cause serious business crises: reputation damage caused by identity theft, business losses stemming from system failures, and regulatory restrictions arising from compliance failures. Recent news has prominently covered many major stories of information technology risk, including phishing scams, theft of personally identifiable data records, identity theft, stolen backup tapes, litigation resulting from the improper preservation and production of electronic records, and intellectual property breaches.

The speed of recovery from these events is a major factor in the severity of the business crisis. A recent study by Oxford Executive Research found that companies that recovered quickly from major operational disasters increased their share price by 5% on average relative to the market, while companies that struggled to regain their operations suffered a 20% drop in relative value. From this research, it appears that investors factor a company's resilience to adversity into its stock price. It is easy to see why corporate executives in boardrooms around the world want solutions to the IT risk problem.

The solution lies in treating information technology risk within the integrated framework of business risk management. IT risks need to be identified, measured and managed as part of a single view of all risks in the corporation, with oversight by senior management to understand and guide the appropriate risk/reward trade-offs, with the goal of increasing the return on IT investments. The name for this approach to managing and balancing information risk and reward is IT risk management.

IT Risk Management

Most companies have a poor awareness of their IT risk exposure, are not fully exploiting the breadth of tools to manage these risks, and have not begun to systematically build the knowledge and processes to manage IT risks.

The struggle is due in part to IT risk management being a newly emerging field, where the traditional models of risk management do not always apply cleanly. Typically, businesses have only a vague understanding of the impact of losing information assets or access to their applications. For example, the ability to transfer risk is a fundamental concept in financial risk; however, since liquid markets do not yet exist for buying and selling IT risks, companies must build the internal competence to manage these risks on their own.

Another difference is that IT risks are more challenging to quantify. In IT, the kind of well-developed statistical or actuarial models that assess financial risk with a reasonable level of precision do not yet exist. However, "roughly right" approaches based on experience still yield measures of IT risk that are accurate enough to be valuable and usable. Going from current to best-practice IT risk assurance could yield substantial improvements in shareholder value. In order to lead this transformation to best-practice IT risk assurance, business leaders should:

1. Develop an awareness of the nature of the different IT risks to the business;

2. Determine the quantified impact to their business resulting from the loss of information or access to applications;

3. Understand the range of tools available to manage IT risks;

4. Align the costs of IT risk management to the business value;

5. Build a systematic, corporate capability to manage IT risk.
