Ten years ago IT risks were ‘contained’ within the four walls of the data center. Today, IT risks are public and they can have dramatic personal ramifications.
Take for example Pharmatrak, a US-based company that tracked Web-site visitors for pharmaceutical companies like Pfizer, Inc, Glaxo Wellcome Plc and Pharmacia Corp. From mid-1998 to late 2000, it gathered and analyzed visitors’ browsing habits for its pharmaceutical customers. Privacy legislation and contractual agreements with those companies prohibited Pharmatrak from gathering personally identifiable information.
Apparently as the result of an interaction between Pharmatrak’s NETcompare software and the code found on various Web pages, it collected personally identifiable information on about 232 of the approximately 18.7 million users whose activities it tracked.
In August 2000, a lawsuit filed against Pharmatrak alleged (correctly) that the company had collected personally identifiable information. Such tidbits as names, addresses, telephone numbers, dates of birth, genders, education levels, occupations, medical conditions, medications, and reasons for visiting the particular pharmaceutical Web site were later pulled off Pharmatrak’s computers by investigators.
Customers immediately canceled their contracts and Pharmatrak ceased operations in December 2000. The lawsuits reverberated around the US Federal Court of Appeals for years, burning tens of millions of dollars in legal fees and thousands of hours of senior management attention.
Was the Pharmatrak debacle an example of IT risk, or a poor business decision?
Is risk awareness worth the cost?
In a recent risk management survey we polled 130 CIOs and brought back some staggering results. It turned out that adept risk managers spend only one to two percent more of their IT budget on risk management, but gain disproportionately better levels of risk mitigation. And they seem to have much better relationships with their business colleagues and bosses to boot. How are they doing this?
It turns out that adept risk managers integrate three complementary approaches to managing risk: having a formal risk management process to spot and track risks, having the expertise to mitigate them, and simplifying the installed base to eliminate many of the common risks in the first place.
A formal risk management “process” typically keeps a risk register that records risk exposure and management decisions. In an “expertise-based” approach, skilled personnel are assigned responsibility for identifying and managing specific classes of risks. “Installed base simplification” means upgrading and simplifying applications and infrastructure to produce an IT environment that is less complex, more robust and less prone to error and failure.
Risk awareness is the key
Yet even with this brew of three techniques, our survey showed that in every case, the adept risk managers knew risk awareness was the key foundation supporting the company’s risk management approach. And one way to start building awareness was in the unglamorous area of business continuity planning. Indeed, the highest correlation found in the survey of more than 130 companies was between effective risk management overall and the correction of business continuity-related risk factors.
In other words, improving business continuity planning (BCP) has the greatest effect of all risk management activities. When CIOs begin thinking about how to improve IT risk management, they should keep in mind that BCP is the engine that pulls the longest train.
Another common theme of successful IT risk management is a sudden increase in management attention to risk following a catastrophic incident or close scrutiny by a regulator – in some cases, suffered by a competitor. As the proverb goes, a management team that has seen death – theirs or someone else’s – will accept the fever.
CIOs who manage risk well can use risk management as a relationship-building tool, strengthening IS’s credibility and influence throughout the business. It’s worth a little more to get all that.
–Andrew Rowsell-Jones is vice president and research director for Gartner’s CIO Executive Programs.