New threats, new tackle


By Subrato Basu

CIOs have learned to handle business continuity, information security, and project management. Many are constantly raising the bar on their performance in managing these risks: upping success rates for IT projects, managing outsourcer relations with greater skill, and bringing business managers into the business continuity planning process.

As an indication of how things have evolved, Gartner Executive Programs (EXP) observed that risk management was not in the top 10 business drivers for enterprises two years ago. In the Gartner EXP 2005 CIO survey, however, it has become one of the perennial top 10 business issues.

The change appears to come from new kinds of risks: terrorism and anti-terrorism campaigns in which too much data might end up in the wrong hands, executive criminality, growing identity theft, the interconnection of businesses, and IT failures.

Terrorist attacks raised the perceived potential for catastrophic damage. Large firms have failed because of massive executive criminality. There is rising theft of identities, as well as of databases containing sensitive personal information. Anti-terrorist mass surveillance programmes have also made people fear for their personal security and privacy.

There is also an increasing inter-connection of businesses, which ups exposure to theft and misuse of intellectual property. Legal liability for IT failures is also becoming a real concern.

Almost every aspect of business operations now depends on IT. So no matter which of these risks is discussed, the CIO is involved in efforts to manage it.

Tracking down risks

To identify risks, start by sketching out enterprise-level scenarios. What will our strategies lead us to do? How will we do it? What might happen if we do that? What might cause us not to do it as well as expected? How will markets, rivals and regulators react?

Myopia is always a danger when discussing the nature and importance of risks. External consultants can help here.

The next step is to see how the enterprise’s practices and activities contribute to these risks. This analysis needs to be at the level of business processes, not business functions. Note that a process generally cuts across multiple functions, starting and ending with a customer. For example, shipping is a function, while supply chain management is a process.

Ask senior managers to pinpoint the most vital risks and potential consequences they see in the business processes they handle. One way to encourage truth is by helping and funding those who report risks. Let them know that they are ultimately responsible for risks within their purview, whether they identify them or not.

No one can prioritise or focus on a list with more than five to seven items. Classify risks into categories, then assign responsibilities and compare risks within and between categories.

Mitigating risks

Given the high awareness of risk by executives and boards of directors, it is now time for the CIO to start mitigating risk with technology.

CIOs must show that they meet “due care” standards where the quality and security of corporate reporting systems are concerned. In particular, the CIO needs to pay more attention to threats from insiders, including those in high places.

Audit trails, including those related to electronic document access and modification, must be fully secure from manipulation and evasion. Automating security and privacy policy through automated process controls helps to ensure compliance by system users. In response to the high degree of access and responsibility entrusted to IS staff, CIOs should have a code of conduct for IT personnel.

The accuracy of corporate systems must also comply with new regulatory environments, such as those created by the US’ Sarbanes-Oxley, the UK’s Turnbull and Europe’s Basel II. Regularly scheduled testing is often the best means to ensure the integrity of transaction processing systems.

Monitor access to systems that contain critical data, and make known the fact that monitoring is done. Watch out for staff accessing systems that are outside their normal job scopes and behaviour. Also be cautious with Web sites used for corporate reporting purposes. These must be robust and tamper-proof.
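The monitoring described above, reviewing an access log for staff who reach systems outside their job scope or outside their normal hours, as an added example that is not part of the original article. The role-to-system scope table, the staff directory, the working-hours window and the log lines are all constructed for illustration; in practice the scope table would come from HR and role data and the events from the systems' own logs.

```python
"""Spot staff accessing systems outside their normal job scope or hours.

Added example, not from the original article. Role scopes, staff roles,
working hours and the sample log are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed: the systems each role is expected to touch in normal work.
ROLE_SCOPE = {
    "accounts_payable": {"erp-finance", "doc-vault"},
    "shipping": {"wms", "erp-orders"},
    "it_admin": {"ad-controller", "erp-finance", "erp-orders", "wms", "doc-vault"},
}

# Constructed staff directory mapping accounts to roles.
STAFF_ROLES = {"alice": "accounts_payable", "bob": "shipping", "carol": "it_admin"}

# Constructed: hours (local time) regarded as normal working hours.
WORK_HOURS = range(7, 20)

# Constructed sample access log: timestamp, user, system, action, target.
SAMPLE_LOG = """\
2005-03-01T09:12:44 alice erp-finance read invoice-8812
2005-03-01T09:40:02 bob wms update shipment-3391
2005-03-01T21:05:17 bob erp-finance read payroll-summary
2005-03-02T02:33:09 carol ad-controller update group:finance-admins
2005-03-02T10:15:30 dave doc-vault read board-minutes
2005-03-02T11:02:51 alice doc-vault read q3-report
"""


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    system: str
    reason: str


def parse_line(line):
    """Split one log line into its five fields (target may contain spaces)."""
    ts, user, system, action, target = line.split(maxsplit=4)
    return ts, user, system, action, target


def review(log_text, staff_roles=STAFF_ROLES, role_scope=ROLE_SCOPE):
    """Return a Finding for every access that deserves a second look."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, system, action, target = parse_line(line)
        role = staff_roles.get(user)
        if role is None:
            # An account with no known role is itself worth investigating.
            findings.append(Finding(ts, user, system, "unknown account"))
            continue
        if system not in role_scope[role]:
            findings.append(Finding(ts, user, system, f"outside scope of role {role}"))
        hour = int(ts[11:13])
        if hour not in WORK_HOURS:
            findings.append(Finding(ts, user, system, "outside normal hours"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.time} {f.user:<6} {f.system:<14} {f.reason}")
```

On the constructed log this flags the shipping clerk reading a finance system late in the evening (twice, once for scope and once for hours), the administrator's early-morning directory change, and an account that is not in the staff directory at all. Treating an unknown account as a finding rather than silently skipping it matters: an attacker's or a departed employee's account is exactly what a scope table will not contain.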

Set clear policies for retaining and managing electronic documentation, including spreadsheets, e-mail, word-processing documents and anything else that contributes to management decisions and reporting. In many cases, documents that have been managed locally (or not at all) will have to be managed at the enterprise level.

It is best not to use e-mail as a default document-management system, nor to retain e-mail indefinitely on corporate servers. Messages should be purged after the minimum legally required retention period. This could be seven years, if the e-mail in question is an audit record.

Ensure that retained documents are what they purport to be, and that they have not been tampered with. In practice, that amounts to strong automated access controls and a valid access log.
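One way to give substance to the two requirements above and to the demand earlier on this page that audit trails be secure from manipulation: fingerprint each retained document and keep a keyed, hash-chained access log, so that an altered document, an edited log entry or a truncated log can all be detected. This is an added example, not the article's code; the audit key, document contents and events are constructed. It assumes the HMAC key is held by an audit custodian separate from the administrators whose actions the log records, and that the latest chain head is published to that custodian out of band.

```python
"""Tamper-evident retention: document fingerprints plus a keyed hash-chained
access log. Added example, not from the original article.

Assumptions: AUDIT_KEY is held by the audit function, not by system
administrators; the current chain head is recorded out of band so that
removal of the newest entries can be detected.
"""
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-example-key-not-for-production"  # constructed
GENESIS = "0" * 64  # chain anchor for the first entry


def fingerprint(content: bytes) -> str:
    """SHA-256 of a retained document's bytes."""
    return hashlib.sha256(content).hexdigest()


class AccessLog:
    """Append-only log: each entry's MAC covers the previous entry's MAC."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, user: str, doc_id: str, action: str, doc_fp: str) -> str:
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "user": user, "doc": doc_id,
                "action": action, "fp": doc_fp, "prev": prev}
        mac = self._mac(body)
        self.entries.append({**body, "mac": mac})
        return mac

    def head(self) -> str:
        """Current chain head, to be recorded with the audit custodian."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head=None) -> int:
        """Return the index of the first bad entry, len(entries) if the tail
        was cut off (needs expected_head), or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return i
            if not hmac.compare_digest(self._mac(body), e["mac"]):
                return i
            prev = e["mac"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)
        return -1


def register(retained: dict, log: AccessLog, user: str, doc_id: str, content: bytes) -> str:
    """Retain a document: store its fingerprint and log the retention."""
    fp = fingerprint(content)
    retained[doc_id] = fp
    log.append(user, doc_id, "retain", fp)
    return fp


def check_document(retained: dict, doc_id: str, content: bytes) -> bool:
    """True if the document still matches the fingerprint taken at retention."""
    return hmac.compare_digest(retained[doc_id], fingerprint(content))


def demo() -> dict:
    """Walk through the integrity checks on constructed data."""
    retained, log = {}, AccessLog(AUDIT_KEY)
    q3 = b"Q3 revenue: 4.2M"  # constructed document content
    register(retained, log, "cfo", "q3-report.xls", q3)
    log.append("auditor", "q3-report.xls", "read", retained["q3-report.xls"])
    log.append("cfo", "q3-report.xls", "read", retained["q3-report.xls"])
    head = log.head()  # published out of band to the audit custodian
    results = {
        "document_intact": check_document(retained, "q3-report.xls", q3),
        "document_altered": check_document(retained, "q3-report.xls", b"Q3 revenue: 5.2M"),
        "log_clean": log.verify(head),
    }
    log.entries[1]["user"] = "nobody"          # in-place edit of an entry
    results["log_edited"] = log.verify(head)
    log.entries[1]["user"] = "auditor"         # restore it, then drop the newest event
    del log.entries[-1]
    results["log_truncated"] = log.verify(head)
    return results


if __name__ == "__main__":
    print(demo())
```

The in-place edit is caught because the entry's MAC no longer matches; the truncation is caught only because the verifier was handed the expected head. Without that external anchor, deleting the newest entries leaves a perfectly valid shorter chain, which is why the head must live with someone other than the people who can write to the log.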

Both Turnbull and Sarbanes-Oxley demand that issues affecting corporate performance be reported to stockholders at once. Business intelligence (BI) systems help to find such issues quickly. Poor internal BI capabilities may not be an adequate excuse if crucial information is not disclosed in a timely manner.

Risk monitoring: Outsource it

Responsibility for many risks cannot be outsourced, but often the day-to-day administration can be. Under Sarbanes-Oxley, for instance, “whistle-blowers” must have a clear path to report problems directly to the board of directors, without review or interference by any level of management. However, it is hard to set up and administer such a programme from the inside. It is much easier to hire a third party to set up a toll-free telephone number, secure Web site, or other mechanisms that completely bypass internal administration.

Gartner Research estimates that by 2005, at least 60% of enterprises will outsource the monitoring of at least one perimeter security technology. More and more firms will outsource application development and management, another new risk area. Such arrangements must be carefully managed. The firm must take care to explain its own policies and tolerance for risk to the outsourcers, and to measure compliance with policy.

Developments in digital rights management and privacy assurance software will help to improve control at the primary source by “watermarking” data, or by applying external rules for access based on role and purpose. The ultimate solution is information that is self-aware of what it represents, and of the rules for its use. That solution is only theoretical at this point. It has not appeared in a lab, much less in commercial form, so it is at least a decade away.

The best defence is to entrust the most vital information only to trusted partners, specify via contracts and service-level agreements how the information is to be handled (for instance, “proprietary intellectual property may not be disclosed to third parties for at least five years”), and monitor and measure to ensure compliance.

Acknowledge the new IT risks in your enterprise, educate your peers and your team about them, then prepare to take a leading role in mitigating, transferring, accepting and avoiding these new risks. A risk-based approach will ensure that all critical gaps are plugged.

Subrato Basu is vice-president of Gartner Executive Programs, a by-invitation only global C-level community.

Source: Intelligent Enterprise Asia
