
Feature

posted 26 May 2010 in Volume 13 Issue 8

Information risk

Robin Smith explains how to leverage the value of business information with an information risk management strategy

“Too many people are thinking of security instead of opportunity. They seem more afraid of life than death.”
James F. Byrnes

Organisations face a range of threats, including information risks to business assets, and are therefore seeking to mitigate risk and deliver value in the face of such threats during turbulent economic times. At the same time, every organisation has a vision and objectives that it needs to deliver despite these issues.

Information is the currency of the modern organisation. It should be valued and managed as carefully as any other corporate resource. But what happens if the value of information is not recognised by the organisation? What if the risks and threats arising from the poor management of information are dismissed as unimportant? What risk does this present to successful service delivery?

The response to these questions defines how an organisation equips itself to deal with information risk. Information risk management (IRM) is an approach to organisational development that values information as an asset and addresses the threats and vulnerabilities to that asset.

Why information risk matters
Risk, just like death and taxes, exists as an inescapable part of everyday life. Most people view risk in purely pessimistic terms. But there are two sides to it: positive and negative. Organisations that continue to improve and succeed have learnt to consider threats and take intelligent risks. Without risk there is no reward.

This issue has been on the rise over the past few years as technology, economics and customer expectations have changed. Information risks are defined as those items that have a net negative impact on an organisation, based on reviews of probability and the potential impact of the occurrence. Information risks include security threats from malware, data breaches or failure to implement standards or best practices. IRM is a vital part of any organisation’s business development and improvement strategy. Developed and implemented effectively, it can protect business-critical capabilities from numerous threats.

The strategic, operational and financial risks arising from myriad information and records management programmes are significant and often poorly managed. In these straitened times, how can organisations adapt to an array of information risks that could impact on them, ultimately leading to a firm’s demise? Should firms risk cuts now to sustain themselves over the longer term?

Defining IRM
IRM is an approach to managing and valuing business information across an array of areas, from new information systems to external legislative demands. Key outcomes from improved IRM include higher quality knowledge assets, reduced costs and higher productivity from better-informed staff. In an uncertain time for the global economy, how an organisation establishes its IRM strategy and capability could be the difference between prospering and going under.

Better IRM enables an organisation to deliver myriad benefits including:

  • Enhanced performance management – better information products are essential to information risk reporting and quality auditing to raise standards;
  • Reduced operating costs – by reducing duplication and the ongoing retention of orphan records through improved information risk scanning, an organisation can make substantial savings to its digital storage costs; and,
  • Improved communication and collaboration – better quality information can be shared and re-used by staff with confidence to improve networking and collaboration.

Information risk can be identified as part of every organisational activity and can never be eliminated, nor can all the information risks ever be known. In itself, information risk is not bad. In fact, it is often essential to progress. But information professionals must learn to balance the possibly negative consequences of risk against the potential benefits of its associated opportunity.

The range and costs of information risk
Information risk can be classified in accordance with a simple taxonomy, allowing information professionals to tag different types of risks for ease of reference. My proposed taxonomy for information risk is:

  • Strategic – this relates to risks and threats to the strategic position of an organisation, including economic and legal issues;
  • Operational – this relates to risks and threats affecting the operation of an organisation, including capital limits or staff skills shortages; and
  • Financial – economic and capital threats are of primary concern and will include loss of earnings, limited finances, fines or other related financial issues.

Categorising information risks should not be an exhaustive or prescriptive activity but will enable information professionals to aggregate threats and opportunities into manageable groupings prior to analysis and action.

It is clear that information has multiple values depending on which perspective is taken within an organisation, so the appropriate value must be selected according to the audience and the purpose it is to serve in promoting information risk management. Valuing information within an organisation must focus on the following aspects:

  • Official value – this is established by an authority which is recognised as able to set such a value (for example, a cartel or government);
  • Bilateral agreement/contract – this is the specified commercial value agreed between parties; and,
  • Cost of creation/re-creation – this is the estimated value of constituent parts forming a corporate record or information asset.

By establishing these parameters it is possible to consider the capitalisation of information. For example, the cost of the loss of information relating to a bilateral agreement will often be set within a contract. This provides a monetary value for the potential risks arising from data breaches.

Improving IRM
Information professionals should consider the following actions to improve IRM.

  1. Establish a programme board of senior managers and change makers to oversee and monitor the implementation of information risk management. IT strategists routinely operate in a Prince2 environment, particularly in the UK. This is the standard project management methodology adopted to embed best practice standards for corporate initiatives.
  2. Establish an IRM performance plan. Defining the IRM programme’s high-level goals is critical to innovation and risk-taking as it sets out what will be delivered and when.
  3. Develop common information risk definitions. Drawing on leading IT practices, a company’s information risk assessments, based on interviews and other information-gathering techniques with selected change makers, should produce a high-level list of the organisation’s information risk priorities.
  4. Define an information risk assessment process. The programme board should sponsor common standards for evaluating information risk along several dimensions, including the threat and likelihood of impact of a risk event and the organisation’s vulnerability to the event.
  5. Prioritise and value key information risks. The programme board should identify the top-50 people across the enterprise who have specific knowledge or competencies relating to particular information risks or related threats.
  6. Develop a prioritised list of the top strategic and financial information risks to the organisation. This list should be consulted on far and wide, to gain many perspectives in relation to the threats facing the organisation. This will form the information risk and control assessment and should be communicated to all staff as part of training and induction.
  7. Identify important inter-relationships among information risks. Groups of related information risks (for example, related risks among contracts, third-party relationships, and outsourcing) must be identified and the connecting points between each of the risks explored. This requires a degree of expertise and innovation in mapping information risk.

Going forward
The ultimate objective for IRM is to deliver high-quality information products. This can help to build improved business intelligence, which can drive improvement and deliver organisational development. IRM provides both the necessary tools and supporting techniques to manage the value of business information and, in turn, to create business intelligence.

Rahm Emanuel, special advisor to Barack Obama, recently stated, “A recession is a great time to begin to think differently” [1]. A new approach to information risk management can underpin a range of improvement initiatives, freeing organisations from threats and reducing vulnerabilities during challenging economic circumstances.

Robin Smith is head of information governance at the Northampton General Hospital NHS Trust. He is also the author of Information Risk Management: Valuing, Protecting and Leveraging Business Information, published by Ark. Robin can be contacted at Robin.Smith@ngh.nhs.uk

This article is adapted from an extract from the report. For more information, contact Robyn Macè rmace@ark-group.com

Reference
1. IDC: The Diverse and Exploding Digital Universe, IDC Publishing, 2008.
