Enterprise Risk Management (ERM) involves identifying the risks to the enterprise and formulating a plan to mitigate them. Many risk management plans list IT as its own distinct line item and file things such as lost revenue, the cost of service outages and the cost of disaster recovery under that heading. However, if you want to tally up IT's true impact on enterprise risk, you have to spread it across the entire ERM plan, not confine it to one piece.
IT touches nearly every part of the enterprise today, and as IT's reach increases, the amount of risk it generates increases as well. The major risks a company takes on today include regulatory compliance violations, data breaches, reputation damage, service outages, security incidents and more, and all of them have major IT aspects. With so much relying on IT, it is imperative that the IT department understands its role in each of these areas.
Regulatory and compliance issues are well understood in the IT field. Much of the burden of Sarbanes-Oxley compliance falls squarely on the IT department. Despite that, IT departments often do not control compliance initiatives; these efforts are usually directed by legal departments or non-IT C-level executives.
Data breach prevention is also a well-known IT department issue, but it is a human resources issue as well. Mobile computing has created new points of data loss for the enterprise and has turned poorly trained or forgetful employees into walking risks. Smartphones and tablets carrying sensitive data can be left in public places, and email containing sensitive files can sit on unprotected home networks. With cloud services becoming more common, it is not merely your employees you have to worry about, but your vendors as well. Data loss prevention (DLP) is vital in today's enterprise.
Reputation management is a relatively new discipline for IT departments, which have had to take the reins because of the impact of social networking on enterprise reputation. Once, a firm's reputation was purely the purview of marketing and public relations. However, given the sheer number of forums, social networking sites and online product reviews, IT is the only department equipped to handle the workload. Monitoring what is said about your company on social networks and in the media, using social data mining, is now a critical function.
Traditional IT risks such as outages are well known. Nevertheless, IT's disaster recovery plans must evolve as more revenue streams shift to online sources.
Security used to be a matter of physical security, but nearly all of the enterprise security budget now goes to data security. Deliberate attacks, such as distributed denial-of-service and database hacking, are ever-increasing threats. When a company fails to protect its sensitive data, IT also has to determine quickly what was compromised so that an appropriate response can be made.
As you can see, when formulating your ERM profile, there is no way to avoid or pigeonhole IT. Even major business functions like strategy formulation, business intelligence and supply chains require the IT department to do heavy lifting. It is time to stop thinking of IT as a mere line item in the ERM profile and instead treat it as the major partner in nearly all of your risk decisions. This will allow you to better understand where your risk lies and how to respond to it.
For further information, see:
Data-Loss Prevention: Never Easy, but Always Worthwhile
Is Mobile Security Worth Worrying About?
The Evolving IT Security Threat Landscape