Print Edition, August 2010

Managing Information Technology Risk

Muazzin Mehrban, April 2009
Executives and managers are now increasingly focused on risk assessment and management in order to reduce the likelihood of damage being caused by an external threat. As a key part of this process, companies need to be aware of the risks attached to their IT systems. With regulatory oversight intensifying, and company dependence on technology increasing, the monitoring of risk attached to the use of technology has assumed business-critical importance.
The increasing reliance on IT services by businesses the world over means that companies are capturing, storing and transferring more data than ever before. As a consequence, the industry is reassessing its approach to risk management, appreciating that some changes need to be made. However, some experts suggest that the sector is not prioritising the need for risk management as highly as it should. “Few companies truly appreciate the value of their IT systems to ensuring the efficient and stable functioning of the company,” warns Peter Brudenall, a partner at Hunton & Williams.
Indeed, some companies almost exclusively interact with suppliers and customers via computers. “Many companies only appreciate the level of dependence when something goes wrong – whether it be a major systems failure, a problem with a key service provider if, for example, the operation and support of IT systems has been outsourced, or when data is lost,” continues Mr Brudenall. Improper evaluation of potential risks could result in criminal and civil liabilities, reduced shareholder value and could leave a company’s reputation in tatters. As such, Mr Brudenall insists that IT risk management should be high on the agenda at both managerial and boardroom level.
But boardroom oversight is complicated by the lack of resources that companies have to devote to monitoring their IT systems, given the pressures and distractions of the financial crisis. Robert Perlman, a principal at Booz Allen Hamilton, believes this is a key risk, as a company’s inability to function can have a detrimental effect on business relationships. Its systems may be unable to process transactions, for example. But this is just one of the problems a company may encounter. “Customers and suppliers could lose trust in the ability of the company to adequately service its customers and partners,” cautions Mr Brudenall. “That is a worst-case scenario, but a more common risk is the failure to properly maintain the security of personal data – be it customer data or the personal data of employees.”
The economic downturn has led some companies to reduce funding for the development of better risk management systems. They have also decreased the number of staff assigned to maintain IT infrastructure. Consequently, the underlying understanding and knowledge of the data held by the company could also be lost. Not only does this increase the risk of companies experiencing a breach, it results in slower response times when one occurs. “Companies need to ensure that they have effective internal controls in place to ensure that data is kept securely and that, wherever possible, it is not kept in disparate systems throughout the organisation. Knowing what data is kept and where it can be located is vital to managing data and reducing the risk of a security breach,” insists Mr Brudenall.
Outsourcing-related risks
The downturn has also encouraged companies to outsource operations abroad, where operational costs are cheaper. But, as Mr Perlman explains, the outsourcing process presents security challenges of its own. “Anytime a company outsources its operations – IT or otherwise – there is an added degree of risk that is often overlooked. Companies do a cost-benefit analysis, but fail to risk-assess the outsourcing process to understand the underlying exposure. Depending on the outsourcing location, the company may have a diminished service level,” he remarks. This can be attributed to issues as obvious as language barriers between the outsourcing firm and the customers it handles.
In addition, companies could leave themselves vulnerable to staff with malicious intentions if they fail to adequately screen outsourced employees. Furthermore, operations are generally outsourced to locations in emerging markets, where geopolitical risk can be more prominent. But a comprehensive risk assessment can offset these concerns, says Mr Perlman. “Once outsourced, the companies will be inextricably linked to the vendor for ongoing support and maintenance, which can leave companies vulnerable. As a result, companies serve themselves well to really understand the value-proposition of outsourcing,” he recommends.
With that in mind, it is wise to seek local expert advice from seasoned professionals within the relevant sector. Companies should also consult advisers that are based in the target location, or that have conducted a similar switchover in the recent past, before making any final decisions. Ultimately, savings can be made as long as comprehensive risk assessments and outsourcing strategies are well conceived. However, the long-term implications of outsourcing must be understood: once a deal is struck, a company will be reliant on the vendor for support and maintenance.
Boardroom expertise
The decision-making process behind an IT risk management strategy should be conducted at board level. Experts are now emphasising the need to accommodate a technically minded board member with experience in the IT sector. Mr Perlman thinks that the need for such individuals will continue to grow. “The board needs to include a member who understands the impact that emerging technology trends can have on the organisation and what competitive advantage adoption of these trends, or not adopting the trends, can provide to the organisation,” he explains. “IT decisions can have a major impact on the success of a firm in executing its mission and capturing market share. Having a technically savvy board member can ensure these decisions are well-timed and well-informed.”
Indeed, a technically minded board member is almost indispensable in today’s market, where companies need to have recovery time objectives and recovery point objectives that are as close to real time as possible. Swift and efficient responses can only be effectively mandated and reinforced by board members. Mr Brudenall agrees, pointing out that if a company wishes to remain competitive in terms of the IT solutions it uses, there must be a certain degree of boardroom understanding. “Knowing how the strategic use of IT can make a company more competitive or reach new markets should not always be the sole responsibility of the CIO or head of IT, but should rather be a key component of the board’s strategic planning,” he advises.