Explaining IT risk to senior executives and board directors in a meaningful way has always been difficult for computer folks. Now two major independent efforts to bridge the language gap have begun, with a third to follow later this year.

Both the Open Group—long a major force in software standardization—and the International Organization for Standardization announced their gap-bridging efforts in June. The Open Group introduced its Risk Management and Analysis Taxonomy; ISO rolled out its ISO 38500 standard for corporate governance and information technology.

Both aim to reduce IT-related risk and its effect on company performance by helping top management and board members comprehend—and ultimately, react intelligently to—the risks inherent in the computer systems modern companies now depend on.

The third player, the Information Systems Audit and Control Association (ISACA), wants to tackle the language gap and more. Its proposed enterprise risk management framework will “close the gap in the whole IT governance area,” says Urs Fischer, Swiss Life’s vice president of IT governance and risk management, who is spearheading the ISACA-IT Governance Institute work.

The growing ubiquity of computer power in business and the arrival of Sarbanes-Oxley have made painfully clear just how important a solid understanding of IT risk is.

“Risk management is a hot topic right now,” says Robert Stroud, who calls himself a “governance evangelist” at CA and also happens to be international vice president of ISACA. “One of the challenges that IT managers are trying to get a handle on is how IT risk may affect business risk and how the two are tied together.”

If management can get a strong grasp of the broader business, legal, and reputational problems an untended IT risk poses, Stroud says, then the company can beat that risk down to some tolerable level before it ends up on the financial reports as a material weakness.

“Sound risk management is dependent on the business understanding where mutual risks intercede,” he says.

IT risk management has been around for years, although under various names. It was about running a tight IT ship, with good data security, access controls, and change management processes in application development, among many examples. A slew of standards and frameworks emerged to help IT departments do the right thing: the ISO 27000 series, ISO 17799, COBIT, ITIL, PCI, NIST’s 800 series, the Center for Internet Security’s configuration standards, and others.

Some, such as COBIT, start with a strategy and have a holistic tone; ISACA, COBIT’s creator, has even mapped COBIT to ITIL, ISO 17799 and other models for good, nuts-and-bolts IT implementation and maintenance. But none really addresses the vocabulary disconnect between IT departments on the front lines of IT risk and senior managers responsible for risk overall, IT and otherwise, says Jim Hietala, the Open Group’s vice president of security.

“We looked at the landscape and realized we needed to develop a taxonomy that enabled IT folks to communicate with senior management about what risk is, to define a common set of terms that everybody agrees on,” Hietala says.

The Open Group is in its fifth draft of the new taxonomy and expects to make it freely available in August, he adds.

The new ISO 38500 standard is available on the ISO Website for 84 Swiss francs (about $82). It stems from an ISO study group led by IT risk-management and governance expert Alison Holt of New Zealand, and is based on an Australian IT governance standard. Holt says that with the new standard, her group wants to create “what would be the absolutely core principles of IT governance we want senior management to understand.”

The forthcoming IT enterprise risk management framework from ISACA should be public by the end of the year. Fischer says the framework will develop COBIT’s relatively thin treatment of comprehensive risk management, addressing language but also delving into the “why to do it and how to do it.”

Speaking Up on IT Risk

The Open Group taxonomy is based on the “Factor Analysis of Information Risk” (FAIR) framework developed by Risk Management Insight. Alex Hutton, Risk Management Insight’s CEO, says FAIR evolved from work done by the CIO of a major financial services firm to draft common expressions for risk across business lines. The basic premise is that risk is about how often bad things can happen, and the probable loss should they happen, Hutton says.
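As an added illustration of the premise just described (risk as how often loss events occur combined with how much each one costs), the following Python simulation is not part of the article, of the Open Group taxonomy, or of FAIR itself. The scenario names, the min/most-likely/max ranges, the triangular sampling and the Poisson model for the number of events in a year are all assumptions chosen to show how a frequency estimate and a magnitude estimate combine into an annual loss figure and a loss-exceedance probability, which are the kinds of numbers a board can actually discuss.

```python
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Scenario:
    """One loss scenario expressed the way the article describes risk:
    how often it happens (events per year) and how much it costs when it does.
    Each estimate is a (min, most_likely, max) triple; these are constructed
    sample values, not figures from any real organisation."""
    name: str
    loss_event_frequency: tuple  # events per year
    loss_magnitude: tuple        # dollars per event


def point_estimate(s: Scenario) -> float:
    """Single-number view: most-likely frequency times most-likely magnitude."""
    return s.loss_event_frequency[1] * s.loss_magnitude[1]


def _tri(rng: random.Random, lo: float, mode: float, hi: float) -> float:
    # random.triangular takes (low, high, mode); keep the min/likely/max order here.
    return rng.triangular(lo, hi, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year given an expected rate (Knuth's method).
    Assumption: events are independent, which is reasonable for the demo."""
    threshold = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_annual_loss(s: Scenario, trials: int = 20000, seed: int = 1) -> list:
    """Monte Carlo: for each simulated year, draw a rate, draw how many events
    actually occur at that rate, then draw a loss for each event and add them up."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = _tri(rng, *s.loss_event_frequency)
        events = _poisson(rng, rate)
        losses.append(sum(_tri(rng, *s.loss_magnitude) for _ in range(events)))
    return losses


def exceedance_probability(losses: list, threshold: float) -> float:
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def summarize(losses: list) -> dict:
    """Expected annual loss plus a 'bad year' (90th percentile) figure."""
    p90 = quantiles(losses, n=10)[-1]
    return {"expected_annual_loss": mean(losses), "p90_annual_loss": p90,
            "worst_simulated_year": max(losses)}


# Constructed scenarios: one frequent-but-cheap, one rare-but-expensive.
MALWARE_OUTBREAK = Scenario("workstation malware outbreak",
                            loss_event_frequency=(2, 6, 12),
                            loss_magnitude=(5_000, 20_000, 80_000))
DATACENTER_OUTAGE = Scenario("multi-hour data center outage",
                             loss_event_frequency=(0.1, 0.3, 1.0),
                             loss_magnitude=(200_000, 600_000, 2_000_000))

if __name__ == "__main__":
    for scenario in (MALWARE_OUTBREAK, DATACENTER_OUTAGE):
        losses = simulate_annual_loss(scenario)
        stats = summarize(losses)
        print(f"{scenario.name}: point estimate ${point_estimate(scenario):,.0f}, "
              f"expected ${stats['expected_annual_loss']:,.0f}/yr, "
              f"bad year (p90) ${stats['p90_annual_loss']:,.0f}, "
              f"P(loss > $1M) = {exceedance_probability(losses, 1_000_000):.1%}")
```

The point worth noticing is that the rare outage, which most-likely values alone rank only modestly above the malware scenario, carries a much fatter tail once the full ranges are sampled; that tail, expressed as "probability of losing more than X in a year", is the quantity senior management is equipped to weigh against insurance, redundancy or acceptance.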

Fred Lee, head of information risk management at National City Corp., used FAIR to bridge what he sees as two major gaps.

First, he says, is the psychological gap separating true risk management from traditional IT security, such as firewalls, encryption, anti-virus software and the like. “The traditional security model has allowed IT implementers to get away with prescribing and opining more than you had in traditional security roles,” Lee says. “If they say, ‘Hackers will come in!’ people eat it up.”

The second gap is that senior managers and IT executives fail to discuss IT risk in a common language. If corporate leaders truly understand what their IT risks entail, they can steer the right resources to prevent those risks. And the “right” amount of resources can mean less, too.

“You have to ensure that you remain compliant, but you also have to make sure your IT performance actually matches the organizational need,” Holt says. “Because if you’re oversupplying, you’re paying, and if you’re undersupplying, you’re paying in a different way.”

The language gap has thrown a wrench in attempts to match IT risk-management supply and demand, Lee says. He points to software-jockey terms such as “threat landscape.” Top managers might think of “threat” and fear some Central Asian thugs trying to blackmail the company; IT professionals might only mean an Internet worm.

Starting last October, Lee created master taxonomies based on FAIR, the Open Group taxonomy’s foundation, for 15 National City business lines in the span of a month. “It’s just words. It’s not complicated,” he says. “It’s a few e-mails. It’s the biggest bang for the buck that I’ve done so far.”

When the language gap is finally bridged, the real work can begin, Lee says. “Once we know how to speak ‘risk,’ we can start writing them down and working with them.”