Risk management is critical for enterprises embarking on new IT projects and plans. There's the risk of offshore outsourcing -- how do you ensure your data is safe in the hands of a worker in another country? There are also risks in managing compliance efforts. These include closing down your company or losing your position if the job isn't done correctly. How do CIOs calculate and management risk? Take a look at the enterprise risk management strategies in this Executive Guide for insight and advice on this important topic.
This Executive Guide is part of the SearchCIO Executive Guide series, which is designed to give IT leaders strategic guidance and advice that addresses the management and decision-making aspects of timely topics. For a complete list of topics covered to date visit the Executive Guide section.
Table of contents
Expert's corner
Disaster recovery
Expert advice
Security risks
Outsourcing risks
Compliance risks
More resources
 |
|
|
| George Wrenn, CISSP, ISSEP |
|
Risk management can be a broad and deep topic for CIOs. But the first step in building a risk management capability can be accomplished with a relatively easy step: conducting a business impact analysis (BIA).
Conducting a BIA can help determine where risk lives in the enterprise and help define where resources should be focused to best mitigate that risk.
Simply stated, BIA is an analytic process that aims to reveal technical, business and operational impacts stemming from any number of incidents or events.
A BIA traditionally leads to a report detailing likely incidents and their related business impact in terms of time and dollars.
To conduct a BIA, you need to understand the intersection of technical and business operations of your company in detail. You need to roll up your sleeves and reach out to operational folks to get the real picture. You will want to know what the critical business processes are and what technology supports them.
Here is a simple step-by-step approach that will put you on your way to conducting a successful BIA:
1. Document the gross revenue and net profit your organization generates per year. This data sets the upper bound for business losses related to technology operations.
2. Define the critical business systems your organization operates. This data can be entered and tracked in a spreadsheet. In many cases the revenue data can be linked to critical systems.
3. Classify each system as business critical, important or noncritical. Ask system operators what would happen if a particular system were not available for an hour, a day or a week. In most cases you can quickly classify systems based on operator responses.
4. Document which systems have cross dependencies. There may be noncritical systems that act as upstream or downstream components to critical systems.
5. Estimate the financial, revenue and nonrevenue impacts associated with each system.
6. Estimate the cost to identify, remediate, recover and resume operations for each system in the spreadsheet. Include labor, hardware and software costs.
7. Identify the maximum acceptable outage for each system.
8. Identify and document potential system threats, severity and the probability at which they may occur. For example, a data center fire severity would be 1.00 (on a .0 to 1.0 scale) but the probability may only be .01 (1%) in a given year.
9. Now you have most of the data needed to start the process. It is best to use the simple formula functions that a spreadsheet provides. For every system you have defined with a loss value, multiply the series of values from the threats listed in step eight with the combined loss values from step six to see the relative loss or impact per system. Do this on a line-item basis. For each system calculate all possible listed threats.
10. In this last step you will sort the data you have to show the top priority systems both from a business criticality and impact perspective. In the spreadsheet, select all columns in the sheet and use the "auto-filter" function on the data-sorting menu of your spreadsheet to link all the columns relationally. You can now sort on any of the variables in the sheet. Optionally, you can create a scorecard-like report by dressing up the spreadsheet, or add a narrative document and use the spreadsheet as the supporting data source.
Your BIA report can be used to request and prioritize resources and incident-response activity. If done properly, it will be in a format your CFO and finance department can understand and include impact data gathered from these very same people, thus overcoming any objections or pushback on the validity of your report and subsequent CIO resource requests. But most importantly the BIA serves as the foundation for the risk management programs that will follow now that you have insights into where the risk lives and a measure of impact for those risks.
George Wrenn, CISSP, ISSEP, is a technical editor for Information Security magazine and a security director at a financial services firm. He's also a graduate fellow at MIT. He can be reached at Gwrenn@post.harvard.edu.
- Tip: Disaster recovery success begins and ends with the basics
(Source: SearchCIO.com, May 30, 2006)
- Article: Reduce risks of disaster recovery testing (Source: SearchDataCenter.com, Aug. 16, 2005)
- Tip: Disaster recovery plans: Ten reasons why DR plans fail
(Source: SearchDataManagement.com, June 30, 2005)
- News: Linux disaster recovery app brings light to darkened N.Y. firm (Source: SearchEnterpriseLinux.com, Feb. 10, 2005)
- Tip: Disaster recovery spending -- How much is enough? (Source: SearchCIO.com, April 21, 2004)
- Article: Tips for managing offshore vendors (Source: SearchCIO.com, Aug. 9, 2005)
- Article: The new offshore outsourcing rules (Source: SearchCIO.com, May 11, 2005)
- Column: Five ways to make your offshore relationship work (Source: SearchCIO.com, April 26, 2005)
- Article: When it comes to BPO, buyer beware (Source: SearchCIO.com, April 11, 2005)
- Article: Gartner: Outsourcing needs strong Rx (Source: SearchCIO.com, April 5, 2005)
