Companies engaged in risk assessments typically review financial and operational risks, sometimes at the expense of technical risks. We recently tracked down and spoke with Dr. George Westerman—a researcher at the Center for Information Systems Research at MIT's Sloan School of Management—to hear about his research into IT risk and effective risk management practices.

You say risks in an IT system are a corporate problem that every business executive should heed. Why?

The way I look at IT risk is to make it clear that while it’s easy to think of IT risk as an IT problem, it tends to have real business impacts. For example, delaying the upgrade of a critical system at Comair was why the company canceled all its flights last Christmas, and the president of the company actually left two weeks later. The loss of data tapes has huge implications for privacy for financial services firms, healthcare providers and businesses like those. So although we consider this as a low-level problem, it can have real consequences for the business.

Do C-level executives really understand the issue that way?

IT people in general do understand how important this is, but I think in many cases higher-level executives want to delegate this to CIOs to manage. One thing I’ve found in my research over the last three years is that if IT executives are left to decide IT issues on their own, they’re going to make important business trade-offs they just aren’t informed to make.

What should really happen is that while many IT risks can be handled by IT people, top-level executives really should be involved when it involves business trade-offs—where one decision in IT might lower risks for keeping systems, but might actually hurt your agility. Or a major installation might open up a new market, but raise problems for security or accuracy of data across the world.

Example?

A medical transcription firm operated in a virtual world, where all the transcribers work from downloading voice files and uploading transcripts. They upgraded their systems, and had to decide: do this on the Internet, or on bulletproof IT stuff? The bulletproof stuff was great for maintaining privacy and security, but it was expensive and hard to maintain, and hard to load new clients into it. They had to make a business decision that it was actually better to use the Internet, because the Internet could be good enough on keeping the systems running and security, but also gives them much more agility to hook into new hospitals and new customers.

That was a business decision, because the IT people had wanted to go for the bulletproof stuff because of the IT risks.

But how do we put cost and benefit numbers on risks like this? What are the tools to use?

It’s very difficult to make these technical trade-offs in the isolation of a technology framework. We really need to put these risks into business terms. I think of IT risk this way: There are many sources of IT risk, from complexity in the infrastructure, to applications not talking to each other, to people not following security policies. There are many technical sources of risk within an organization.

But the way to talk about it is in terms of four major business risks. First is keeping your systems and processes running, which I call “availability.” Second is letting the right people have information and denying it to the wrong people, which I call “access”—privacy, of course, falls there. Third is the “accuracy” of the data: can we meet Sarbanes-Oxley rules? Do we have a complete view of the customer? Do we know that our inventory levels are actually correct? Fourth is “agility risk,” and whether IT can help you or hurt you when you make a major business change.

So is this a problem of technology, or of management learning to perceive risks the right way?

The difficulty arises that we make lots of decisions in IT all the time for good business reasons, but we don’t always understand the trade-off inherent in them. When we create a duplicate version of a system, or when systems don’t talk to each other … they have an immediate business need of getting that system launched, or communicating, or whatever. But we don’t often think about what the trade-offs mean in terms of those four risks to the enterprise in general.

The rules we have in our minds to make decisions tend to weigh some risks more than others, and we don’t even know we’re doing it. So the idea of having these four different kinds of risks is to make these trade-offs more apparent as you go through them.

Has Sarbanes been helpful to provoke thought about IT risk?

I think Sarbanes has been wonderful for raising the importance of risks in the eyes of business folks, and that has given CIOs the opportunity to try to get good at this. But it’s still such a new science, there’s a lot more to be done here.

You never answered that question about quantifying IT risk. Can that be done?

It’s really a state-of-the-art management item. People have started to get a good, audit-based view of IT and understanding where the holes are that they need to fix. And some of them have started to put a risk-based prioritization there, so they’re working on the risks that matter most to the firm. But very few firms have reached the point where they can measure this.

When you think about the way we price insurance, we base it on actuarial tables and we have a good indication of the impact or likelihood of risks, because we have a history of hundreds of years of following this. In IT we don’t have that, because IT is so different from company to company and because this stuff is just so hard to track.

The state-of-the-art right now is firms tracking their own incidents and what happens. Just like banks have to report their operational losses for Basel II agreements, firms are starting to track their outages, project failures and all these things, as a way to come up with some measurement for risk.

Can we succeed at that, given the evolving nature of IT threats?

I don’t think we’ll ever get perfect numbers … but I think we’ll get a better knowledge of what pieces drive those risks up and down. My research has identified 40 items that do; a company could go through them as a checklist. But even that is still a relative number. The idea that you can say, “Our risk of incident X is 0.257” is a long way off.

What can executives do to manage IT risks now?

Two things. One is to characterize their risks as high, medium or low on the two axes of impact and likelihood; that at least allows you to plot which ones are “high-highs” or “low-highs” and whatnot. The other is to develop a weighting, or some kind of rating to rank risks, even though it’s not a real number. They at least will have a systematic way to understand which risks are bigger than others … If you’re not systematic about it, two people will look at the same risk and come up with completely different answers.

We once interviewed a power utility that created a “Top 10” list of its financial and operational risks. That’s what you mean?

Absolutely. And perhaps IT risk would be sixth on their list, but within that risk you need to separate that out: what does IT do to our disaster risk? What does IT do to our operational and integrity risks? That sort of thing.

Thanks, George.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk.