Developing an enterprise risk management strategy is an enormous undertaking. Despite the wealth of best-practices frameworks out there, serious planning and communication across silos are always required to create policies and processes that work for an individual organisation. Here are some tips from security and risk professionals on how to go about it.
1. Understand your risk: First and foremost, a detailed view of your organisation’s exposure is required. It may be subject to countless government and industry regulations. Knowing exactly which affect your business — and which violations carry the greatest penalties — is crucial. And that task gets harder every day.
For example, US doctors are well aware that they’re bound by the federal HIPAA (Health Insurance Portability and Accountability Act) health data privacy statute. But they may not know that if they accept credit card payments, they’re also bound by PCI, the payment card industry standard that’s causing heartache at big-box retailers and e-commerce companies.
Figure out the “universe of threats” that affect your company and then focus on those with the highest impact on your business and those that regulators are most likely to notice, advises John Darbyshire, chief executive of security and compliance management software vendor Archer Technologies.
2. Know your people: Good enterprise risk management strategies stem from a solid understanding of operations. Understanding how your organisation does business and how your employees actually work will smoke out unrealistic or needless policies before they do harm or incite hostility among the rank and file.
Noting the details of what employees do can also reveal previously overlooked points of vulnerability. One customer of risk management vendor Orchestria tallied the ways employees on a share trading floor could communicate with the outside world and came up with almost 200, including mobile phones, BlackBerries, and instant messaging, says Paul Johns, vice president of global marketing at Orchestria.
3. Apply the framework to the need: Best-practices frameworks such as CobIT, ITIL, NIST, and ISO17799 are fabulous tools for helping to build a comprehensive risk management strategy, but they’re not equal. Before plunging into an assessment based on a best-practices framework, figure out which framework fits the needs of your organisation.
For example, both CobIT and ITIL have objectives for implementing change management within an organisation, but ITIL is narrowly focused on IT operations, and CobIT on the higher-level benefit of change management to the business.
To use both would be overkill for companies that are just looking for guidance on how to improve IT operations, says Suzanne Hall, director of IT assurance and security at AARP, the US Association for the Advancement of Retired Persons.
How to evaluate risk management solutions
Risk management is a sprawling initiative that requires a complex mix of technologies. So how should companies evaluate risk management solutions? Paul Johns, global marketing vice president at Orchestria, recommends “five proofs” for any solution:
1. Proof of precedent: Who’s using the software? Due diligence chasing down customer references, preferably in your industry, is essential.
2. Proof of integration: Can the vendor integrate with the systems your organisation uses and may use in the future? Can the vendor prove it with a working implementation, or does it just offer promises?
3. Proof of ROI: Compliance must be sustained year in and year out. Will the solution bring down management costs and earn return on investment both now and in the future?
4. Proof of policy: Can the technology help you implement, rather than merely document, detailed risk management policies? If so, using which technologies?
5. Proof of concept: Can the technology scale up to handle your data and your policies? Run your own large-scale pilot project before you buy.