Too many people are thinking of security instead of opportunity. They seem more afraid of life than death. (James F. Byrnes)
Risk, just like death and taxes, is part of everyday life. The risk associated with business information and knowledge is sometimes dismissed as acceptable business overhead. However, the need to maintain and raise the value of business information is clear during economically challenging times. To this end, here is a crash course in improving information risk for your organization.
Step 1. Establish a program board of senior managers and change-makers to oversee and monitor the implementation of information risk management.
IT strategists routinely operate in a Prince2 environment, particularly in the UK. This is the standard project management methodology adopted to embed best practice standards for corporate initiatives. Prince2 aims to provide new project managers with an understanding of the main components required to manage a project throughout the Project Life Cycle successfully.
Step 2. Establish an IRM (Information Risk Management) performance plan.
Defining the IRM program’s high-level goals is critical to innovation and risk-taking as it sets out what will be delivered by when. Governance is also required to define specific policies on matters such as IRM oversight responsibilities, related management processes, information threat notification, and escalation processes. The IRM performance plan can also clarify risk definitions and risk appetite within limits or tolerances. This should integrate with corporate performance objectives.
Step 3. Develop common information risk definitions.
Drawing on leading IT practices, a company’s information risk assessments, based on interviews and other information-gathering techniques with selected change-makers, should produce a high-level list of the organization’s information risk priorities. These should map to current, and future priorities include assessments of the monetary value of risks and lead to clear action planning to mitigate or control information risks.
Step 4. Define an information risk assessment process.
The program board should sponsor common standards for evaluating information risk along several dimensions, including the threat and likelihood of impact of a risk event and the organization’s vulnerability to the event. Annual threat assessments are extremely common among IT firms, and Kaspersky produces a publicly available threat review each year to help this process.
Step 5. Prioritize and value key information risks.
The program board should identify the top 50 people across the enterprise who have specific knowledge or competencies relating to particular information risks or related threats. These people should be asked to support the evaluation of potential risks and threats within their field of specialty for each event’s impact, current vulnerability, and speed of onset, using the criteria established by the IRM process. Deloitte routinely adopts this as a key part of the strategy development process for customers, encouraging a wide-ranging discussion of the values and threats impacting costs and services at the current time.
Step 6. Develop a prioritized list of the top strategic and financial information risks to the organization.
This list should be consulted on far and wide to gain many perspectives in relation to the threats facing an organization. This should form the information risk and control assessment and be widely communicated to all staff as part of training and induction. This promotes knowledge sharing and can lead to the generation of ideas across services for risk mitigation. Risk scanning and compilation in itself is a valuable knowledge transfer activity, allowing links and connections across networks that did not previously exist.
Step 7. Identify important interrelationships among information risks.
Groups of related information risks (for example, related risks among contracts, third-party relationships, and outsourcing) must be identified, and the connecting points between each of the risks were explored. This requires a degree of expertise and innovation to map information risk.
Step 8. Take intelligent risks.
This is the key lesson to learn and should be reflected on by all information professionals. Recent research highlights that a critical part of success psychology relates to the attitude of information professionals.
Daniel Gilbert, professor of psychology at Harvard University, states, "Studies show people regret not having done things much more than they regret things they did. Why? We can rationalize an excess of courage more easily than an excess of cowardice because we can console ourselves by thinking of the things we learned from the experience. We hedge our bets when we should blunder forward. In fact, large-scale assaults on our happiness – a lost job or failed marriage – trigger our psychological defenses (and hence promote our happiness) more than smaller annoyances. The paradoxical consequence is that it is sometimes easier to achieve a positive view of a very bad experience than a bad one. And yet we rarely choose action over inaction. Knowing we overestimate the impact of almost every life event makes me a bit braver and more relaxed because I know what I'm worrying about probably won't matter as much as I think it will."
A leading IT thought leader had quoted Goethe by stating that IT professionals should, "Be bold and might things will come to your aid." This must become the mantra for any information professional seeking to learn the lessons of those who have pushed forward IT during the last ten years.