Rajesh Kapur, CISA, FIETE, MIE
Risk management in an enterprise is essentially about how to deal with the occurrence of a perceived vulnerability. The controls, metrics gathering, validations, costing, consequent inferences and similar activities are almost ritualistic actions intended to ensure that everything goes according to plan. In spite of our efforts, however, unforeseen events do occur, and our plans are adversely impacted. This is especially true of high-value IT projects; even though IT is in the DNA of almost every enterprise business process, it is still viewed as a specialist activity.
How do we ensure that our technology risk management efforts are effective? The fundamental challenge is to accrue sustained business value in the face of uncertainty and try to forecast the approximate business impact of exploitation of an organizational vulnerability. We can lower the inherent uncertainty by making sure that our controls, activities and IT investments are aligned with stakeholder expectations.
How are stakeholder expectations to be ascertained? One can always look toward the vision and mission of an enterprise; these, however, are rarely altered in reaction to a crisis in the business environment. I have found the balanced scorecard (BSC) to be an effective alternative indicator of enterprise stakeholder objectives—especially those of top management. There are some additional actions that are necessary if the BSC approach is to succeed:
It must be regularly reviewed and the latest priorities periodically updated by top management.
The chief information officer (CIO) must be clear about the mapping of business goals to IT objectives and activities. Security is not the only issue here; other nonfunctional requirements, including scalability, interoperability and response time, must be taken into account. Resources for implementing these in applications, and in all change or maintenance efforts, have to be earmarked. The effect of the IT initiatives corresponding to a BSC must be continually monitored, tweaked and analyzed for subsequent reference.
All employees who must implement and comply with the controls (not only the IT staff) must be aware and cooperative.
Finally, we must remember that risk management is probabilistic in nature. Even after all policies and mechanisms are in place, there is still a residual risk, which ultimately has to be accepted. The good thing is that we know it is there. Through planning and management, we can minimize the adverse impact. Neglecting to plan for and manage risk can be catastrophic!