Awareness is growing around the importance of risk management, and IT’s involvement in ensuring compliance. A special ARN report.
Risk management should be high on the list of priorities right now. If organisations and boards didn’t realise its importance previously, the natural disasters of Queensland, Victoria, Perth, Christchurch, Japan, and, most recently, Myanmar (it’s been a bad start to the year) should have reinforced it.
Then there are the other, less physical disasters that can hit organisations. RSA Security gets breached, and Anonymous effectively pulls Visa and MasterCard offline. Locally, Virgin runs into a PR disaster when its customers struggle with its systems.
Retailer Lush Cosmetics gets broken into digitally, and a host of customer data is stolen. IT is an increasingly prominent part of the risk management story, and the costs of poor risk management grow ever higher. But the message is not necessarily getting through at all.
A recent Symantec survey found 55 per cent of small businesses only implement a disaster preparedness plan after there’s been an outage or data loss. By then, it’s too late. Beyond the initial cost of lost IT, the damage a disaster such as that can do to a brand – the most critical asset of an organisation – is significant. How many people shopped online at Lush Cosmetics straight after its security breach?
Australian School of Business (which is a part of UNSW) associate professor and head of school, Actuarial Studies, John Evans, agrees that there is simply not enough done around IT risk.
“I think what’s becoming quite clear is that IT in terms of risk management is a fairly serious area that needs to be cleaned up,” he said. Even when organisations tick the various boxes around financial, political, or regulatory risk management, they are still lacking when it comes to IT as an operational risk.
Part of the problem is that boards and CEOs might still lack a proper understanding of IT and the ability to effectively engage with IT departments.
“I think project management is a big issue,” Evans said. “People in management either don’t understand it, or don’t get the right people in to tell them, or don’t listen to them if they do get them.”
Risk management is a four-stage process. Identification is followed by quantification (or, as Evans prefers, ‘relative importance’: grading risks and reacting to them based on the potential damage to the business), and then by managing those risks down to an acceptable level.
The final stage is making sure the systems are in place to detect that an event has happened, and that the information reaches the right people quickly.
Those risks need to be constantly re-evaluated, in line with a business environment that is always changing.
Risk management is a topic that is slowly gaining more traction with organisation policy makers, despite the data to the contrary, according to Symantec director of channel sales Asia-Pacific, Jeff Arndt.
“Symantec is often asked to engage with the CFO and legal counsel to discuss risk management as it relates to regulatory compliance and legal discovery,” he said. “We’re also regularly invited to meet with executives responsible for protecting their customer’s data to discuss information risk strategy.”
The vendor sees the topic as a complementary discussion, rather than a specific focus. It fits with Symantec’s technology vision – with risk management being one problem that the vendor’s portfolio can solve.
Perhaps reflecting this increased board interest in getting risk management right, the vendor acquired two risk management technology providers in 2010. The first was Gideon Technologies, a provider of standards-based information security solutions that automate and orchestrate IT security and risk management. The acquisition of Gideon Technologies’ SecureFusion product complements Symantec’s compliance offerings and integrates with the Symantec Management Platform (formerly the Altiris platform).
Symantec completed the acquisition in June 2010 of GuardianEdge and PGP with the goal of extending its ability to help customers secure and manage their most critical information. The technology works across smartphones, full-disk, email, file, folder and removable media and combines with Symantec’s endpoint security and data loss prevention offerings.
Both cases represent risk management solutions, but only after systems integration and the creation of policy.
It’s proof that risk management is a consulting-led, rather than product-led, solution with a great deal of value-adding opportunities, which in turn means Symantec rests heavily on its channel partners to turn it into business opportunities.
“It’s the business and channel partners that not only offer services and solutions, but help the customers identify risks and then assess the impact of those risks for their business,” Arndt said.
A case study in the success of consulting can be found with Reliance Risk. The company offers a software solution called Risk Sense, but it’s the Reliance Risk consulting practice that provides the sticking point for customers, according to founding director, Wayne Middleton. “Software won’t help them if they don’t have those fundamental principles in place,” he said.
“Sometimes we have clients who say ‘come back and help us to embed some of those rules and workflows,’ even after they’ve already been using the software for 12 months.”
That the ISV has a consulting practice should come as no surprise. According to Middleton, one of the largest accounting firms recently did a review and found there were some 90 software products around risk management available in Australia.
Differentiating yourself with products tailored for verticals will give you an edge. Reliance Risk primarily deals with events, construction and venue management, but the real opportunity for individuals and organisations to differentiate themselves lies in offering services and an understanding of the specific needs of those verticals.
Middleton, whose resume includes project manager of safety for the Sydney 2000 Olympics and risk consulting for the Vancouver Winter Olympic Games and the Australian Open tennis championships from 2005 to 2010, said IT was being used by organisations in his sector in an increasingly sophisticated manner, but the industry itself is still playing catch-up in understanding how the systems work.
“There are some people who will buy software with the expectation that it will help them do risk management,” Middleton said. “If the basic fundamental principles of making people accountable for putting the data in, for activating a response or escalating an issue if a risk is of a certain profile, and then having a mechanism for ongoing reporting are followed, then the software isn’t going to help.
“We find more and more now that clients need us to help review for them where risk management is at in their business, and we have that conversation before we even start the conversation about the software.”