By Marco Kapp and Simon Oxley, Citicus
A critical component of operational risk is information risk which can be defined as the chance or possibility of harm being caused to a person or organisation as a result of a loss of the confidentiality, integrity or availability of information. This definition has stood up to inspection for many years and has been widely adopted. It can be applied to all types of information and all means of capturing, storing, handling or transmitting it. Its use is therefore strongly commended.
How well are information and operational risk managed at the moment?
Just going about your normal day-to-day life will tell you that the answer is 'not very well'. Systems go down, process information incorrectly and disclose it to the wrong people so often that this seems to be part of the day-to-day reality of modern life.
To take a couple of incidents at random, a UK town council recently managed to publish a list of 'safe houses' for victims of domestic violence on its public web site — a shocking violation of victims' confidentiality; and a glitch at the UK's main air traffic control centre led to flights being cancelled at London's busy Heathrow airport — less shocking but still pretty irritating for the traveller's whose flights were cancelled or delayed.
To put the likelihood of suffering a major 'information incident' on a quantitative footing, reliable statistical data shows there is a 50%+ chance of a typical business-critical system suffering a major incident like this every year. Modern public- and private sector enterprises will be supported by tens, hundreds or thousands of such systems — which is why major glitches are so evident to employees and the people who rely on their efforts.
Detailed statistical analysis reveals that the harm caused by such incidents can be minimised simply by adopting good practice (eg testing that back-ups can be restored successfully within the critical timescale of a business application, rather than just assuming they can).
Controls like these can slash to the chance of suffering a major incident — and often cost little to implement. So why don't people adopt them? The answer is that:
• security people often focus on threats like hackers and viruses rather than the more mundane and far, far more common types of event (eg human error) that lead to a loss of confidentiality, integrity or availability . The effect is to unbalance efforts to guard against incidents.
• there are too many controls that need to be in good shape for any one person to focus on all of them — so key weaknesses are often overlooked
• there's no real consensus about what 'good practice' is
• increasingly, systems are connected to other systems, so weaknesses in one can foul up another
• 'ownership' of individual systems is often unclear — and 'owners' don't really know what how to manage risk down.
The net effect is that business-critical systems that support leading organisations tend to have controls that are in 'variegated' condition. This means typically, in great shape in a few control areas, weak in other equally-critical areas and 'average' in the rest.
Why information and operational risk are so needlessly high
Detailed inspection of the controls applied to thousands of systems and their experience of incidents shows that to drive risk down a very different pattern of controls is essential. Specifically, controls need to be in pretty good condition across the full spectrum of control areas. This is the key finding from a massive programme of research into what makes controls effective.
Only about 10% of business-critical systems that support leading organisations have controls in this condition. That's why information risk is so high.
Benefits of driving risk down
By getting controls in good shape, organisations can substantially reduce information risk. They can also significantly improve their bottom line - since good controls reduce the chance and financial impact of major incidents, and cut the number of minor incidents suffered day-to-day, and the inefficiencies that go with them. Thus, the benefits of driving risk down are substantial.
Causes of failure in managing information and operational risk down
To get the benefits, you have to go about managing risk in the right way, and avoid the pitfalls that lead to failure.
As part of the research we've carried out, we've examined factors that cause information risk management initiatives to fail and to succeed in a wide variety of case-study organisations.
Here are the key things to avoid:
• Inability to measure risk objectively
• Overly-complex approaches, that yield results business people don't believe in or understand
• Turf wars between proponents of competing risk methodologies
• Lack of tools to automate the process in a reproducible way
• Lack of co-operation on the ground
• Lack of resources to drive and run the risk management initiative
• Immature processes and reporting structures
• Weak programme management
• Questionnaire fatigue.
Each of the above is a potential 'programme killer' — but an inability to measure risk objectively and in business terms will bring any programme into disrepute - so that's possibly the most crucial one to get right.
Secrets of success
The secrets that emerged from the research we conducted are strongly reinforced by our experience in helping organisations of different types and sizes around the world manage risk successfully. They can be summarised as follows:
• Before you start, gain top management commitment.
• Get the organisational arrangements right.
• Have a strong, personable programme manager who has the drive, skill and experience to deal with business, people, and technical issues as well as to drive a company-wide programme.
• Base your approach on a crystal clear definition of risk that addresses what needs to be protected and both the magnitude and probability of harm.
• Measure the five determinants or indicators of risk that your insurance company considers when assessing the risk posed by drivers (criticality / value at risk; status of controls; special circumstances (eg complexity, scale); experience of incidents; and the business impact of incidents).
• Ensure the risk management process is constructive rather than blame-oriented (otherwise people will evade or sabotage the programme).
• Ensure the risk management process is continuous rather than a series of one-off evaluations (so improvements can be tracked over time).
• Make risk management a personal responsibility of individual business 'owners' of your 'targets of evaluation'.
• Keep risk evaluations simple, efficient, objective and business-oriented.
• Ensure the process is proportionate (when resources are limited it makes sense to focus them where they will have the greatest payback rather than spreading them evenly across everything).
• Produce meaningful results that capture the attention of busy decision-makers — particularly business 'owners'.
• Introduce an element of competition between facilitators and 'owners' (eg by publishing risk league tables).
• Cause pressure to filter down so it motivates others to act (eg by showing dependency risk).
• Embed risk management into the fabric of the organization (eg make criticality assessments become part of project approval and procurement processes).
These secrets of success are not unique to managing information and other areas of operational risk — they apply to any area of risk. Organisations that address them successfully will have a risk management programme that meets the expectations of investors and stands up to inspection by regulators. Moreover, they can expect to see a measurable reduction in the volume of incidents they suffer and a substantial drop in the likelihood of their suffering major incidents. These achievements are likely to prove a significant advantage in the years ahead.