"The CIO may be responsible for risk management, but its planning and execution involves the whole company," says Ian Cook, vice-president & director of IT, Asia-Pacific Zone, Chubb Group of Insurance Companies. As one of the keynote speakers at the MIS annual IT Summit held in Asia, Cook expects risk management policies to be executed by project teams involving operational staff, IT organisations and multiple business units.
"But nothing happens without decisions from the leadership stack. That means the board, VPs, heads of business units, global regions, country heads and department managers," he adds.
Despite the complications of involving multiple parties, "the good news is that effective risk management drives value", says Cook. He notes that successful projects can lead to approval of funding for other new initiatives and growth in corporate value, profit, stock price and dividends.
"If I apply for budget approval for a [new] project, I am more likely to get the money if I am known to be a person who meets deadlines and gets under budget," adds Cook.
Protecting the mission
James Lim, IT director of United PREMAS, another speaker at the summit, agrees.
"The principal goal of an organisation's risk management should be the ability to protect their (corporate) mission, not just their IT assets," he says.
"The role of the CIO is to help the business create policy road maps that tell the business where it is going, what it should be doing and when it should do it," he notes.
"The CIO participates in risk management, because IT is involved in many business units and we get an overview of what the business needs."
While everybody is using firewalls, anti-virus and other security devices, Jussipekka Leiwo, director ICT Security Services, T-Systems, notes that only by persistently auditing the network and monitoring data can we assess whether our security goals are met.
"I'm bored with firewalls and intrusion detection systems," says Leiwo. "The question is: Do they deliver?" Able to monitor network traffic and determine whether an attack is in progress, IT is well placed to work with other departments, such as human resources and legal, to work out the do's and don'ts of the policy. When corporate data is at risk, the CIO should also collaborate directly with other functions.
Dealing with corporate risk
"Risk mitigation can be practiced in three ways," says Lim. "First, by assumption. We can assume the risks and then apply security controls to try to reduce them to an acceptable level. Second, by avoidance. We can remove the wireless network, personal email accounts, notebooks and portable access. Third, by transference. We can outsource our security needs or insure against them."
"However, in practice, we must protect our organisation by balancing risk prevention with the benefits of business operations and growth," says Lim.
Nevertheless, not all companies are balancing risk and benefit. According to Dion Wiggins, director, Strat-etech Consulting, spending on coffee could easily exceed spending on security. "If a cup of coffee costs 40 cents, it could cost US$300 per person per year," he says. "If you have 5,000 employees and three-quarters of them drink coffee, that's over a million dollars, which could have a major impact on security. How many companies spend as much on information security? Probably not a lot."
CIOs who wish to raise investment in risk management need a methodology.
"A vital first step is to obtain commitment from the executive management, and use this to establish a business continuity planning committee," says Wiggins. "The committee should carry out an equipment assessment and a risk analysis and then establish system priorities."
"People from all departments should be trained to conduct business continuity planning, and the business continuity plan should be periodically tested and updated," he adds.
At NTT Com Asia, Theo Chan, executive vice-president, business development and strategic planning, offers a philosophical view on making a balanced risk management investment.
"A risk management strategy should include recognition of the risks facing an organisation; assessment of their impact and probability; development of a strategy to manage the risks; mitigation of risks and business impacts, using managerial resources," he says.
Recovering from disaster
Wiggins notes that risk management also includes efficient recovery. For example, during a major pandemic, the CIO's corporate risk management plans must embrace company-wide survival.
"Can we support key business functions remotely online, or do I need to bring people to live at the office for a while?" he says. "Communications cannot be over-emphasised. In a disaster, if you fail to restore communications between key executives, employees and customers, you are in much more trouble."
Restoring communications is the top priority for many enterprises after a disaster, like the London bombings, when all communications were disrupted.
"One company had a great plan to utilise a third-party chat room to communicate in case of disaster. Within minutes of the bombs going off, the key executives were using the chat rooms and discussing how to react," he says.
Beyond that top priority, we need to plan for protecting the communication platform as well as the people using it.
"We need to know the cost of downtime by the hour and exactly how the business will recover. After a disaster, your infrastructure may be intact although your people cannot get to the office," he says. "During SARS, some banks provided food and bedding for their employees to live at the office. Another option is secure remote access that enables people to work from home or another location."
Wiggins notes that the Hong Kong-based securities firm CLSA cleverly organised a successful 'virtual summit' using 3D technology, with holographic images of people from various markets. "CLSA got a lot of kudos for this effort and it shows risk management is about agility," he adds.
Governance and risk
The Information Systems Audit and Control Association (ISACA) has recently been very busy, according to Frank Yam, international vice-president of the IT Governance Institute and ISACA International. He explains that the reason is many IT organisations are looking to meet the compliance requirements of the Sarbanes-Oxley Act (SOX). "This American legislation is being emulated worldwide and more SOX are coming your way in Asia," Yam adds.
However, compliance is not the only problem. Yam says the major challenge comes from the lack of communication between users and IT, which is the reason why "paradoxically, we invest more and more in IT and yet only about 30 per cent succeed according to the Standish Group."
"In the past, IT projects took so many years that the people forgot the promises made at the start. Now, the board will be sceptical if the project takes more than 12 months," he adds.
The answer to these challenges is governance, Yam says.
"Governance is managing an uncertain journey towards an uncertain destination. Not too uncertain, though. The company must know where it's going."
MTR is a good example of managing this uncertain journey with a clear direction. It has an enterprise risk committee, in which the legal, security and IT functions are represented. "We monitor potential hazards through advanced systems," says Daniel Lai, head of IT, MTR Corporation. "In addition, IT utilises project risk management and the CIO's responsibility is to periodically review the projects, including aspects such as programming, and apply a common management framework to them."
The risks of outsourcing
Another popular solution for dealing with risk management is outsourcing. However, CIOs need to be even more aggressive in confronting and managing the associated risks when the job is taken outside the organisation.
"Companies may embark on significant outsourcing and fail to get value because they did not acknowledge and confront the risk head-on. Taking a partner is not about saying 'I no longer want to handle the risk of this project, so I'll hand it to you'," Cook says.
At MTR, Lai notes that the company outsources only when it is viable. "Before we start, we create a matrix to analyse the project and only outsource if the quality of service will be higher," he says. "We examine the supply chain to see where we can add value, upstream and downstream. We select our partners carefully, and work with them a long time, treating them as part of our own team."
While vendors can shoulder some of the burden in risk management, managing them for mutual benefit remains an art to master. According to Paul Gregory, director, marketing & solutions of Cable & Wireless, stringent service-level agreements (SLAs) can actually limit service.
"For example, with an SLA of 99.99 per cent network availability, the client receives a rebate for failure. That is incredibly small compared to, say, the loss to an international bank that is unable to close its position at the end of a day," he says. "It would be preferable if service providers received a bonus for enhanced service in addition to the penalty for failure."
Apart from ensuring network availability, outsourcing can also reduce risk by providing greater speed to market, adds Larry Morgan, managing director, Asia, Macquarie Telecom. He shares the story of a pharmaceutical company that wanted to build a network at any price, as long as it could meet the date of a product launch. The product was expected to bring the company US$1 million per day.
"The company's IT department could have built the network one node at a time, over 40 weeks, but a big carrier could do it in a month, saving the client time worth many millions of dollars."
On the other hand, a big blind spot in outsourcing is often the risk of suppliers' failure, says Wiggins.
"Most businesses utilise just-in-time delivery, but if they can't deliver the widgets on-time, how do you manage that? You need to consider the risk management of your suppliers," he says.
People and security
The weakest link in risk management is often people, because they can let in viruses as easily as by clicking on an email. But they are also the strongest link, because they can stop such attacks.
"We have an annual IT proficiency assessment for all staff," says Lim from United PREMAS. "We assess their competency and identify the risk groups who are not complying with our company policies. We are especially concerned with management of remote sites when security measures may be weaker than at HQ."
Gabriel Wu, country manager, Hong Kong and Macau, of Secure Computing, agrees on the importance of monitoring, especially when legacy Web security is ineffective at protecting Web 2.0 applications.
"Existing security technologies are mostly reactive, they respond to recognised network threats," says Wu. "But some organisations, such as Google, are beginning to analyse and classify the communications from specific IP addresses. This proactive approach will gradually reveal which addresses should be avoided by enterprises for security reasons."
In addition to monitoring, Garry Lau, principal consultant of RSA, notes security should be enforced at the point when the data is created.
"The solution is data-centric security," says Lau. "We need to audit data security from its creation to archival and eventual deletion. A major part of data-centric security is encryption, which safeguards data in any context. However, that raises the key issue of user access."
Internal attacks are also easily neglected, says Tham Joon Nam, corporate business strategist, West Asia, at Novell.
"Probably, most of your security spending has been on the perimeter, but statistics show the most severe damage originates from inside the enterprise," he says. "The question is whether you are spending enough on monitoring the processes to see if information is protected and on educating users."
Tham cites an Australian bank that, having neglected its process, issued a credit card to a lady's cat, with a credit limit big enough to buy premium cat food for a year. "Obviously, the bank's risk management was not working," he says.
The CIO's role has changed in recent years: CIOs now need to be more enterprising and business-savvy, able to read the business as well as the technical side. Given the close relationship between IT and risk management, CIOs are fast becoming the critical players in risk management.
© Fairfax Business Media