Although relatively new, IT operational risk management will help IT decision makers deliver better and more consistent service for the business, according to Jim Hurley, vice-president and managing director, Information Security, at Aberdeen Group.
Hurley is the author of two reports recently published by the IT market analysis and positioning services firm based in Boston, Mass. In the Sept. 9, 2003 report Operations Risk Analysis and CORA, he notes that while financial risk management has advanced significantly during the past hundred years, the discipline of business operations risk management is in its infancy. He suggests that perhaps because of its newness, the emerging discipline of operations risk management has broader implications for success and failure. “After all, if unexpected operational disruptions that lead to failure and loss can be identified, anticipated, and accounted for in advance, it is entirely possible to mitigate or transfer catastrophic loss while avoiding operating risks that have real business impact,” he writes.
He cites IT risk management as a subset of business operations risk management and “an important contributor to the availability, reliability, integrity, continuity, and automation of business operations that make it possible for the enterprise to create value. IT operations risk management is the intersection between:
1. business operations;
2. organizational policies;
3. internal processes;
5. security and redundancies for buildings, IT systems, and networks; and
6. continuity and recovery procedures for IT-supported business operations.”
He notes that managing IT operations risk is not yet a science and must be self-mitigated. However, he suggests it will become increasingly important to firms as organizations become larger, IT systems and networks supporting business operations become more complex, and operations become increasingly global, electronically interconnected, and dependent on 24/7 operations.
“IT operations risk management – when properly done – mitigates operational loss, which will be reflected on the bottom line,” he writes.
Hurley notes that while financial and operations risk management share an objective financial measurement approach, the questions that make for best practices in IT operations risk management are not the same as those that are used for making decisions about managing financial risk. For IT functions, where operational risk always leads to negative financial consequences, relevant risk questions must be focused on anticipating operating loss events. He lists, for example, events such as fires in network hubs and operations centres, temporarily downed transaction systems, inaccessible data and records, and electronic hacking of customer billing systems among other operating perils.
IT LOSS EVENTS
The following questions are cited as relevant to identifying IT operational loss events. What is the financial value of specific business operations? What are the financial values associated with the enterprise’s business use of IT systems? What are the consequences when failures in IT result in business disruptions, losses, and thefts?
To manage risk, one must first identify those risks against which to allocate resources to manage, he explains. “Risk analysis categorizes and prioritizes the highest impact risks. When done appropriately, risk analysis will highlight risks that can be ignored, identify perils that must be avoided, and help to prioritize pedestrian operating risks routinely faced by the enterprise.”
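To make that prioritization concrete, here is an added example that is not from the Aberdeen report and does not reproduce the CORA tool's method. It ranks a constructed register of the kinds of loss events the article lists by annualized expected loss, sorts them into the three buckets Hurley describes (risks that can be ignored, perils that must be avoided or transferred, and routine operating risks), and checks whether a control pays for itself. The probability and impact figures, the thresholds, and the expected-loss model (occurrences per year times loss per occurrence) are all assumptions of this example.

```python
"""Illustrative quantitative risk register for IT operating loss events.

Assumed model: expected annual loss = annual probability x impact per event.
This is a generic expected-loss calculation, not the CORA method, and the
events and figures below are constructed for the example.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    name: str
    annual_probability: float  # expected occurrences per year (assumed figure)
    impact: float              # loss per occurrence in currency units (assumed)

    @property
    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.impact


# Constructed sample register, using the kinds of perils the article mentions.
SAMPLE_REGISTER = [
    LossEvent("fire in network hub", 0.02, 2_000_000),
    LossEvent("transaction system down 4h", 6.0, 15_000),
    LossEvent("customer records inaccessible 1 day", 1.5, 40_000),
    LossEvent("customer billing system compromised", 0.2, 750_000),
    LossEvent("laptop lost, no sensitive data", 12.0, 1_500),
]


def rank_by_expected_loss(events):
    """Highest expected annual loss first."""
    return sorted(events, key=lambda e: e.expected_annual_loss, reverse=True)


def triage(events, ignore_below, avoid_above):
    """Bucket events into the three categories the report describes.

    'avoid'   : a single occurrence exceeds the catastrophic-impact threshold,
                so the peril must be avoided or transferred (e.g. insured)
                regardless of how unlikely it is;
    'ignore'  : expected annual loss is below the floor worth managing;
    'routine' : everything else, prioritized by expected annual loss.
    Thresholds are assumptions supplied by the caller.
    """
    result = {"ignore": [], "avoid": [], "routine": []}
    for e in rank_by_expected_loss(events):
        if e.impact >= avoid_above:
            result["avoid"].append(e.name)
        elif e.expected_annual_loss < ignore_below:
            result["ignore"].append(e.name)
        else:
            result["routine"].append(e.name)
    return result


def control_is_worthwhile(event, residual_probability, annual_control_cost):
    """A control is justified when the reduction in expected annual loss it
    buys exceeds its own annual cost (a simple cost-benefit test, assumed)."""
    reduction = (event.annual_probability - residual_probability) * event.impact
    return reduction > annual_control_cost


if __name__ == "__main__":
    for e in rank_by_expected_loss(SAMPLE_REGISTER):
        print(f"{e.expected_annual_loss:>12,.0f}  {e.name}")
    print(triage(SAMPLE_REGISTER, ignore_below=25_000, avoid_above=500_000))
```

With the constructed figures, the compromised billing system tops the ranking by expected annual loss even though the hub fire has the largest single impact; the fire still lands in the "avoid" bucket because one occurrence would be catastrophic, which is the distinction between prioritizing routine risk and transferring catastrophic loss that the report draws.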
In this context, he recommends the software tool CORA (Cost-of-Risk Analysis) from the New York, NY-based International Security Technology, Inc. (IST) as moving “beyond simple question-and-answer surveys to deliver hard answers, and therefore value.”
In New Directions in Risk Management, Electronic Safeguards and Protection Systems, published in January 2004, Hurley claims to “provide insight into Aberdeen’s most recent field experiences and fact-based research findings to shine a spotlight on the intimate relationship between business risk, IT operations risk, and new transformational approaches to electronic safeguards and security systems that are being used by firms to successfully mitigate their operating risks.”
Hurley reports that “despite being seen as a requirement for today’s interconnected world, the relationship between business value, risk and electronic systems safeguards often appears as a muddled belief system instead of an empirical activity that can be automated, measured and better controlled at an acceptable cost.”
This report focuses on some of the new challenges imposed by compliance and regulatory bodies, along with the new risk and electronic safeguard systems being employed to achieve operational excellence.
Aberdeen claims it provides key insights into the relationship between business risk, IT operations risk, and a wide variety of new approaches to electronic safeguards and security systems that are being used to successfully mitigate risk. The nexus of these – process automation, technological flexibility, and organizational flexibility – is making it possible for firms to drive operating improvements for core business operations while better managing risk, Hurley notes.
Some suppliers of security software solutions are helping their clients by delivering improvements in operational efficiency, technology flexibility, automation of processes, and very pragmatic financial returns for core business operations, he writes.
“The relevant questions for most decision makers are not whether one electronic security solution is better than another – although this can be demonstrated from actual experience – but should be:
- What is it that separates security as a necessary cost centre versus a source of operational excellence points of view?
- Which approaches to electronic safeguards and risk management are most likely to supercharge operational efficiencies?
- What are the relevant frameworks and metrics for valuing the contributions of pragmatic electronic risk management and safeguards?”
Hurley notes that the big security events of 2003, including the Blaster worm, the Sobig worm, the Welchia worm, the increase in spam, and the rising threat of spyware, left many businesses defenceless despite increased spending on traditional security solutions.
Throughout these events, the solutions that were supposed to help – antivirus, firewalls, and LAN-based remote access systems – did not seem to be of much use in preventing business disruptions for many enterprises. The expectation of inoculation from business disruption that has normally been associated with the use of antivirus and firewalls was shattered during 2003 for many businesses.
Other than knowing that ‘security’ is important to the brand of the enterprise and, in some cases, to continued compliance with industry regulators who could shutter business operations, most decision makers are not very sure how to combat the new threats to continued business operations, customer servicing, and market brand, and with good reason, Hurley claims.
“Harking back to basics, many IT decision makers are asking solution providers about when their products will be able to deliver on the core promises of electronic security, including:
- ensuring the availability of IT systems and networks to support critical business procedures,
- safeguarding the integrity of the IT infrastructure, along with IT and business operations.
“The reason that these ‘basics’ are more relevant today than two years ago is that for many IT decision makers, the use of the Internet by their business line peers is making it possible to realign business processes to support new initiatives,” he continues.
IT DISTANCED FROM RISK
He also points out that the disciplines involved in managing risk, which normally report to the board, the CEO, COO, business lines, and the financial officer, are rarely, if ever, located in the IT organization.
This makes it hard for most organizations to apply core risk management principles and a shared culture to build a common language, operating procedures, and methodologies that bring more predictability to electronic security operations in the enterprise.
“Unfortunately, most of the security technologies that enterprises currently employ rely on hard-bitten lessons that only the technology wizards really understand,” he writes.
“Moreover, the tools and systems used by these specialists have largely not yet been automated, making security systems less replicable and less usable by those without highly specialized technical skills.
“Although part of the new direction in electronic safeguards comes from the automation of previously hand-tooled approaches to security, it also comes from creating greater organizational efficiency and technological flexibility.”
He sees the automation of security-related processes as insufficient to deliver better protection. Rather, it is necessary to ensure that technological controls, appropriate to the threat, are in place. He argues that until organizational roles, responsibilities, and efficiencies are clearly delineated, the use of the right controls can be counterproductive.
This report released in January is aimed at C-level executives, business unit managers, IT managers and IT security specialists. It is available free to “qualified buyers” from Aberdeen Group at www.aberdeen.com.