Risk management is critical for enterprises embarking on new IT projects and plans. There's the risk of offshore outsourcing -- how do you ensure your data is safe in the hands of a worker in another country? There are also risks in managing compliance efforts. These include closing down your company or losing your position if the job isn't done correctly. How do CIOs calculate and management risk? Take a look at the various resources in our latest CIO Executive Guide for insight and advice on this important topic.
This Executive Guide is part of the SearchCIO Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date visit the Executive Guide section.
Table of contents
Expert's Corner
Basics
Disaster recovery
Expert advice
Security risks
Outsourcing risks
Compliance risks
More resources
 |
|
|
| George Wrenn, CISSP, ISSEP |
|
Risk management can be a broad and deep topic for CIOs. But the first step in building a risk management capability can be accomplished with a relatively easy step: conducting a business impact analysis (BIA).
Conducting a BIA can help determine where risk lives in the enterprise and help define where resources should be focused to best mitigate that risk.
Simply stated, BIA is an analytic process that aims to reveal technical, business and operational impacts stemming from any number of incidents or events.
A BIA traditionally leads to a report detailing likely incidents and their related business impact in terms of time and dollars.
To conduct a BIA, you need to understand the intersection of technical and business operations of your company in detail. You need to roll up your sleeves and reach out to operational folks to get the real picture. You will want to know what the critical business processes are and what technology supports them.
Here is a simple step-by-step approach that will put you on your way to conducting a successful BIA:
1. Document the gross revenue and net profit your organization generates per year. This data sets the upper bound for business losses related to technology operations.
2. Define the critical business systems your organization operates. This data can be entered and tracked in a spreadsheet. In many cases the revenue data can be linked to critical systems.
3. Classify each system as business critical, important or noncritical. Ask system operators what would happen if a particular system were not available for an hour, a day or a week. In most cases you can quickly classify systems based on operator responses.
4. Document which systems have cross dependencies. There may be noncritical systems that act as upstream or downstream components to critical systems.
5. Estimate the financial, revenue and nonrevenue impacts associated with each system.
6. Estimate the cost to identify, remediate, recover and resume operations for each system in the spreadsheet. Include labor, hardware and software costs.
7. Identify the maximum acceptable outage for each system.
8. Identify and document potential system threats, severity and the probability at which they may occur. For example, a data center fire severity would be 1.00 (on a .0 to 1.0 scale) but the probability may only be .01 (1%) in a given year.
9. Now you have most of the data needed to start the process. It is best to use the simple formula functions that a spreadsheet provides. For every system you have defined with a loss value, multiply the series of values from the threats listed in step eight with the combined loss values from step six to see the relative loss or impact per system. Do this on a line-item basis. For each system calculate all possible listed threats.
10. In this last step you will sort the data you have to show the top priority systems both from a business criticality and impact perspective. In the spreadsheet, select all columns in the sheet and use the "auto-filter" function on the data-sorting menu of your spreadsheet to link all the columns relationally. You can now sort on any of the variables in the sheet. Optionally, you can create a scorecard-like report by dressing up the spreadsheet, or add a narrative document and use the spreadsheet as the supporting data source.
Your BIA report can be used to request and prioritize resources and incident-response activity. If done properly, it will be in a format your CFO and finance department can understand and include impact data gathered from these very same people, thus overcoming any objections or pushback on the validity of your report and subsequent CIO resource requests. But most importantly the BIA serves as the foundation for the risk management programs that will follow now that you have insights into where the risk lives and a measure of impact for those risks.
George Wrenn, CISSP, ISSEP, is a technical editor for Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at the Massachusetts Institute of Technology. He can be reached at Gwrenn@post.harvard.edu.
- Podcast: Tips for building a cost-effective risk management plan (Source: SearchCIO.com, 1/09/2007)
- Tip: Beginning the dreaded risk assessment (Source: SearchSecurity.com, 4/29/2004)
- Tip: Risk assessment steps one and two: Establishing boundaries/team building (Source: SearchSecurity.com, 5/6/2004)
- Tip: Risk assessment steps three and four: Identifying methodology and assets; assigning value (Source: SearchSecurity.com, 5/13/2004)
- Tip: Risk assessment steps five and six: Identify threats and determine vulnerabilities (Source: SearchSecurity.com, 5/20/2004)
- Tip: Identify current countermeasures and estimate likelihood of exploitation (Source: SearchSecurity.com, 5/27/2004)
- Tip: Completing the risk assessment -- steps nine and 10 (Source: SearchSecurity.com, 6/3/2004)
- Research report Selecting the risk assessment method of choice (Source: Meta Group, 7/21/2004)
- Book excerpt: Risk and trust (Source: Realtimepublishers.com)
- Ask the expert: Risk management methodologies (Source: SearchSecurity.com, 8/22/2005)
- Ask the expert: How security audits, vulnerability assessments and penetration tests differ (Source: SearchSecurity.com, 8/22/2005)
- Article: Delta CIO: Buckle up before turbulence strikes (Source: SearchCIO.com, 7/28/2005)
- Tip: BCP plans key to emergency planning (Source: SearchCIO.com, 12/16/2004)
- Tip: Need to show ROI? Fasten your seatbelt! (Source: SearchCIO.com, 5/5/2004)
- Column: Intellectual property: Six considerations to safeguard your assets (Source: SearchCIO.com, 1/09/2007)
- Article: Content monitoring tags questionable email activity (Source: SearchCIO.com, 12/13/2006)
- Feature: Look Who's Watching (Source: CIO Decisions magazine, 1/01/2007)
- Article: How secure are
you? (Source: CIO Decisions, April 2005)
- Artice: Enterprises need
to learn their security sweet spot (Source: SearchSecurity.com, 6/21/2004)
- Article: Supply chain risk:
Deal with it (Source: Harvard Business School, 4/28/2003)
- Article: Warning: VoIP
brings new security threats (Source: SearchSMB.com, 6/7/2005)
- Article: Security, privacy
keys to CRM (Source: SearchCRM.com, 3/2/2005)
- Article: Outdated
software is risky business (Source: SearchSecurity.com, 12/14/2004)
- Article: Mitigating risk in outsourcing (Source: SearchCIO.com, 6/8/2004)
- Article: When it comes to BPO, buyer beware (Source: SearchCIO.com, 4/11/2005)
- Q&A: Outsourcing firm finds lack of customer metrics 'staggering' (Source: SearchCIO.com, 10/11/2004)
- Article: Tips for managing offshore vendors (Source: SearchCIO.com, 8/9/2005)
- Article: The new offshore outsourcing rules (Source: SearchCIO.com, 5/11/2005)
- Webcast: Offshore outsourcing blunders: Common mistakes you can avoid (Source: SearchCIO.com, 11/16/2004)
- Article: Gartner: Outsourcing needs strong Rx (Source: SearchCIO.com, 4/5/2005)
- Article: Is offshore outsourcing worth the loss of IT jobs? (Source: SearchCIO.com, 10/19/2004)
- Column: Five ways to make your offshore relationship work (Source: SearchCIO.com, 4/26/2005)
- Executive Guide: Offshore outsourcing (Source: SearchCIO.com, 12/2/2004)
