ERM is a discipline, not a technology, which encompasses the processes and methods organisations use in managing internal and external risks. Technology itself poses substantial risks to organisations as it changes and disrupts industries. Cloud computing is a particularly good example; it's disrupting not only end-user organisations, but the entire technological supply chain landscape. For CIOs looking to manage this risk, there are several principles involved.
You need to understand your risk, says Arie Kotze, senior manager at triVector Consulting. "Understand the context of your business (assets), operational (delivery) and technological (enablement) risks, plus the complexity added by multiple discipline, multiple process and multiple system integration risks. Risk can be mitigated by having smart, clear objectives, and by doing impact assessments," he adds.
Drew van Vuuren, CEO of specialist security and privacy consultancy 4Di Privaca, says: "The first step in ensuring risk mitigation is understanding where risk comes from. Risk treatment plans allow for the methodical and practical implementation of appropriate controls that address the identified inherent technological risks. Activities such as security health checks, risk assessments and security awareness campaigns can assist organisations to mitigate any risks associated with technology or the adoption of new, unfamiliar technologies."
Simon Bestbier, RealmDigital account director, concurs, adding: "A trend has emerged where companies are introducing new technology just for the sake of introducing new technology, rather than intending to make their business more efficient and profitable, for example. All new technology needs to be evaluated prior to integration to establish what value it is going to bring to the organisation and the impact that that change will have versus the effort and resources it will require to fully integrate it."
Technology for technology's sake is never a sound acquisition strategy. Unless there is a clear objective and goal for any new technology purchase, things are likely to end badly.
"When adopting any information system, there needs to be a methodical approach to measuring the impact it has on the organisation," Van Vuuren comments. "Metrics like complexity, support frameworks, user experience, as well as manageability are just some of the broad categories that define the risk posture of any technological system."
"Businesses need to be wary of being the pioneer of a particular technology as the risks are extremely high - often, there is less support and documentation available surrounding a new technology," adds Bestbier. Leading edge may well be bleeding edge, and a thorough evaluation of a product, and others' experience with it, is always a good starting point.
Process
Says Van Vuuren: "A detailed and formal change management process needs to be adopted by organisations. Most progressive enterprises have a defined change management process, which, if implemented correctly, ensures that risk posture impact assessments are performed prior to any required change. Many organisations operate a staging and testing environment for key information systems."
Adds Bestbier: "When such broad-scale changes are intended, the level of impact may go as far as the financial stakeholders, and therefore there needs to be very careful change control. They will need to be carried out through a set procedure before they're introduced. Clear discussions with all stakeholders will need to be had to make clear the risks and opportunities that introducing a new technology could bring about."
For smaller organisations that may not have formalised procedures in place, Van Vuuren says: "Small enterprises need to understand what their responsibilities are and then evaluate a service provider to assist them - look for track record, proven methodology and word of mouth recommendations."
From a security point of view, risk can get political.
"Information security and risk functions within organisations need to keep a close ear to the ground to understand the importance of adopting new security technologies and how these will affect the enterprise risk posture if and when they are adopted," Van Vuuren says. "These information security and risk professionals need to be introspective and consider that to progress they also need to be able to objectively assess the business's condition and what the goals of the organisation are in the medium to long term."
The most important thing to consider, says BlackBerry security advisor Nader Henein, "is mentality. You used to have a security officer. This needs to shift to a risk officer. You need to ask, 'If we do this, what's the risk? How will we quantify it?' If you ask security, for example, 'Can we use Dropbox?' you'll get a yes or no answer, rather than a, 'Yes, if you do this and that to mitigate the risk, then the level is acceptable.' Security has gotten into a yes/no mindset. It needs to be an enabler rather. And people should rather ask, 'What is the risk, how much risk is there, and can it be mitigated?' If the risk is too high, even when mitigated, and the business decides to go for it, then security needs to get that in writing. It's not security's position to say do it or not."
Risk mitigation, says Kotze, involves being informed and understanding technology trends. "Take enough time to strategise and plan instead of being reactive and chasing gadgets or flavour-of-the-day quick-fixes," he comments.
Keeping up with technology can be a challenge, however, even for technology professionals in technology companies.
"It's an attitude and knowledge thing," says Kotze. "Keeping up to date is a mindset - make a conscious effort to stay informed by and learn from industry trends, both in terms of the business the company is in, as well as the IT industry."
Henein says companies can incentivise staff to send interesting things, new technologies or ideas they come across to someone in the IT department by rewarding them (with a gift voucher or something similar) if the idea is useful. BlackBerry helps its staff to patent new ideas they generate, and ensures they get rewarded if the technology goes into production.
Bestbier says companies should have a champion internally who keeps an eye on new technology - someone who tends to do it informally anyway is a good choice, as it won't be too much of a slog. Companies need to at least keep abreast of new developments that offer opportunity or threat so these can be addressed sooner rather than later.