CIO Magazine

Breaking With Tradition

The nature of IT risk is changing, reducing the effectiveness of traditional risk management approaches

Ten years ago IT risks were "contained" within the four walls of the data centre. Today, IT risks are public and they can have dramatic personal ramifications. Take for example Pharmatrak, a US-based company that tracked Web site visitors for pharmaceutical companies like Pfizer Incorporated, Glaxo Wellcome Plc and Pharmacia Corporation. From mid-1998 to late 2000, it gathered and analyzed visitors' browsing habits for its pharmaceutical customers. Privacy legislation and contractual agreements with those pharmaceutical companies prohibited Pharmatrak from gathering personally identifiable information. Apparently as the result of an interaction between Pharmatrak's NETcompare software and the code found on various Web pages, Pharmatrak collected personally identifiable information on about 232 of the approximately 18.7 million users whose activities it tracked.

In August 2000, a lawsuit filed against Pharmatrak alleged (correctly) that the company had collected personally identifiable information. Such titbits as names, addresses, telephone numbers, dates of birth, genders, education levels, occupations, medical conditions, medications, and reasons for visiting the particular (pharmaceutical) Web site were later pulled off Pharmatrak's computers. Pharmatrak's corporate customers immediately cancelled their contracts and Pharmatrak ceased operations in December 2000. The lawsuit was resolved years later by a US Federal Court of Appeals, after tens of millions of dollars in legal fees and thousands of hours of senior management attention. Was the Pharmatrak debacle an example of IT risk, or a poor business decision? Certainly IT was indispensable to the decisions and actions that caused the company's collapse. The technology worked, but Pharmatrak ignored the confidentiality of personal information - or missed the interaction between its software and the Web sites of its pharmaceutical customers. The fatal mistake was that Pharmatrak failed to recognize and address this integrated technology risk.

Is risk awareness worth the cost? A survey of more than 130 CIOs on risk management confidence, spending and practices found a pattern of effective risk management. Those CIOs that manage risk well integrate multiple approaches - formal risk management processes, expertise and installed base simplification - to manage integrated risk. Yet each of them has one approach that they are particularly good at. So if you are very good at process, you need "enough" expertise and installed base simplification to make the whole thing work. The successful CIOs also use more people to manage risk, and they bring those people together to identify and assess risk more frequently. Because they face risk openly, they can act faster on opportunities as well as threats, and they enjoy stronger relationships with business executives. The results are staggering. Effective risk managers spend slightly more on risk management (between 1 percent and 2 percent more of their IT budget), but gain disproportionately better levels of risk mitigation. And they seem to have much better relationships with their business colleagues to boot.

Effective risk management involves sound process and a "risk register". Process tends to be the primary risk management approach in companies that are large or in highly regulated industries where management is keenly aware of the potential for "bottomless" risk - like pharmaceuticals and financial services - and in organizations that are subject to frequent audit.

What distinguished effective risk managers from burdensome bureaucrats was their use of "enough" process - but not too much. The best processes seemed to be to convene knowledgeable experts to identify risks and then define a joint response to them. Also key is documenting these risks and how they will be managed. This "risk register", which records risk exposure and the decisions taken about its management, becomes a critical risk management tool and allows future generations of risk managers to build on this knowledge.

Companies surveyed hold their risk register in a range of forms, from Web-based interfaces and risk database applications to word-processing documents and spreadsheets. All these approaches are apparently successful, so the secret seems to be to use the one that fits best with your corporate culture.
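To make the shape of a "risk register" concrete, here is a small Python model of one, added for this page and not taken from the article, the survey or any company it describes. The exposure scoring rule (likelihood times impact, each on a 1 to 5 scale), the set of treatment decisions, the field names and the sample entries are all assumptions chosen for the illustration; the first sample entry simply echoes the kind of risk the Pharmatrak story describes. The point it shows beyond the prose is what a register has to enforce to be useful to later risk managers: every entry carries an owner, an explicit decision, a recorded response and a review date, and the register can rank entries by exposure and flag those whose review is overdue.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Treatment decisions an entry may record (assumed vocabulary for this example).
VALID_DECISIONS = {"mitigate", "accept", "transfer", "avoid"}

# Constructed "today" used by the stand-alone run so the output is reproducible.
SAMPLE_TODAY = date(2024, 1, 15)


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    likelihood: int      # 1 (rare) to 5 (almost certain); assumed scale
    impact: int          # 1 (negligible) to 5 (severe); assumed scale
    owner: str           # who is accountable for the response
    decision: str        # one of VALID_DECISIONS
    response: str        # how the risk will be managed
    review_by: date      # when the entry must be re-assessed

    @property
    def exposure(self) -> int:
        """Exposure = likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact


def validate(entry: RiskEntry) -> List[str]:
    """Return the problems that make an entry unfit for the register (empty if none)."""
    problems: List[str] = []
    for name, value in (("likelihood", entry.likelihood), ("impact", entry.impact)):
        if not 1 <= value <= 5:
            problems.append(f"{name} must be 1..5, got {value}")
    if entry.decision not in VALID_DECISIONS:
        problems.append(f"unknown decision {entry.decision!r}")
    if not entry.owner.strip():
        problems.append("every risk needs a named owner")
    if not entry.response.strip():
        problems.append("record how the risk will be managed")
    return problems


class RiskRegister:
    def __init__(self) -> None:
        self._entries: Dict[str, RiskEntry] = {}

    def add(self, entry: RiskEntry) -> None:
        """Reject incomplete entries and duplicate ids rather than storing them silently."""
        problems = validate(entry)
        if problems:
            raise ValueError(f"{entry.risk_id}: " + "; ".join(problems))
        if entry.risk_id in self._entries:
            raise ValueError(f"duplicate risk id {entry.risk_id}")
        self._entries[entry.risk_id] = entry

    def ranked(self) -> List[RiskEntry]:
        """Highest exposure first; ties broken by id so the order is stable."""
        return sorted(self._entries.values(), key=lambda e: (-e.exposure, e.risk_id))

    def overdue(self, today: date) -> List[str]:
        """Ids of entries whose review date has already passed."""
        return sorted(e.risk_id for e in self._entries.values() if e.review_by < today)


def build_sample_register() -> RiskRegister:
    """Constructed sample entries; owners, dates and scores are invented for the example."""
    reg = RiskRegister()
    reg.add(RiskEntry("R-001", "Analytics component captures personal data from partner sites",
                      3, 5, "Head of Engineering", "mitigate",
                      "Strip identifying fields before storage; quarterly sample audit",
                      date(2024, 3, 31)))
    reg.add(RiskEntry("R-002", "Unpatched middleware in the order system",
                      4, 3, "Infrastructure Manager", "mitigate",
                      "Patch within 30 days; compensating WAF rule meanwhile",
                      date(2024, 6, 30)))
    reg.add(RiskEntry("R-003", "Single vendor for payroll SaaS",
                      2, 4, "CFO", "transfer",
                      "Contractual SLA and cyber-insurance cover",
                      date(2024, 12, 31)))
    reg.add(RiskEntry("R-004", "Staff use of personal devices for e-mail",
                      5, 1, "CIO", "accept",
                      "Accepted; revisit if data classification changes",
                      date(2023, 12, 31)))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for e in register.ranked():
        print(f"{e.risk_id} exposure={e.exposure:2d} {e.decision:9s} owner={e.owner}")
    print("overdue for review:", register.overdue(SAMPLE_TODAY))
```

Whether the register lives in a database, a document or a spreadsheet, the checks in `validate` are the part worth carrying over: a risk with no owner, no decision or no review date is a note, not a managed exposure.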
