<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>WebProNews &#187; risk management</title>
	<atom:link href="http://www.webpronews.com/tag/risk-management/feed" rel="self" type="application/rss+xml" />
	<link>http://www.webpronews.com</link>
	<description>Breaking News in Tech, Search, Social, &#38; Business</description>
	<lastBuildDate>Mon, 13 Feb 2012 11:05:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Managing Risk in Information Technology</title>
		<link>http://www.webpronews.com/managing-risk-in-information-technology-2006-11</link>
		<comments>http://www.webpronews.com/managing-risk-in-information-technology-2006-11#comments</comments>
		<pubDate>Tue, 28 Nov 2006 20:50:05 +0000</pubDate>
		<dc:creator>Alan Calder </dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=33215</guid>
		<description><![CDATA[As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.
]]></description>
			<content:encoded><![CDATA[<p>As information technology increasingly falls within the scope of corporate governance, so management must increasingly focus on the management of risk to the achievement of its business objectives.</p>
<p>There are two fundamental components of effective management of risk in information and information technology: the first relates to an organization&#8217;s strategic deployment of information technology in order to achieve its corporate goals, the second relates to risks to those assets themselves. IT systems usually represent significant investments of financial and executive resources. The way in which they are planned, managed and measured should therefore be a key management accountability, as should the way in which risks associated with information assets themselves are managed.</p>
<p>Clearly, well managed information technology is a business enabler. Every deployment of information technology brings with it immediate risks to the organization and, therefore, every director or executive who deploys, or manager who makes any use of, information technology needs to understand these risks and the steps that should be taken to counter them.</p>
<p>ITIL, the Information Technology Infrastructure Library, has long provided an extensive collection of best practice IT management processes and guidance. In spite of an extensive range of practitioner-orientated certified qualifications, it is not possible for any organization to prove &#8211; to its management, let alone an external third party &#8211; that it has taken the risk-reduction step of implementing best practice.</p>
<p>More than that, ITIL is particularly weak where information security management is concerned &#8211; the ITIL book on information security really does no more than refer to a now very out-of-date version of ISO 17799, the information security code of practice.</p>
<p>The emergence of the international Information Security Management (ISO/IEC 27001) and IT Service Management (ISO/IEC 20000) standards changes all this. They make it possible for organizations that have successfully implemented an ITIL environment to be externally certificated as having information security and IT service management processes that meet an international standard; organizations that demonstrate &#8211; to customers and potential customers &#8211; the quality and security of their IT services and information security processes achieve significant competitive advantages.</p>
<p><b>Information Security Risk</b></p>
<p>The value of an independent information security standard may be more immediately obvious to the ITIL practitioner than an IT service management one. The proliferation of increasingly complex, sophisticated and global threats to information security, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is driving organizations to take a more strategic view of information security. It has become clear that hardware-, software- or vendor-driven solutions to individual information security challenges are, on their own, dangerously inadequate. ISO/IEC 27001 (formerly BS 7799) helps organizations make the step to systematically managing and controlling risk to their information assets.</p>
<p><b>IT Process Risk</b></p>
<p>IT must be managed systematically to support the organization in achieving its business objectives, or it will disrupt business processes and undermine business activity. IT management, of course, has its own processes &#8211; and many of these processes are common across organizations of all sizes and in many sectors. Processes deployed to manage the IT organization itself need both to be effective and to ensure that the IT organization delivers against business needs. IT service management is a concept that embraces the notion that the IT organization (known, in ISO/IEC 20000 as in ITIL, as the &#8220;service provider&#8221;) exists to deliver services to business users, in line with business needs, and to ensure the most cost-effective use of IT assets within that overall context. ITIL, the IT Infrastructure Library, emerged as a collection of best practices that could be used in various organizations. ISO/IEC 20000, the IT service management standard, provides a best-practice specification that sits on top of the ITIL.</p>
<p><b>Regulatory and Compliance Risk</b></p>
<p>All organizations are subject to a range of information-related national and international legislation and regulatory requirements. These range from broad corporate governance guidelines to the detailed requirements of specific regulations. UK organizations are subject to some, or all, of:</p>
<ul>
<li>Combined Code and Turnbull Guidance (UK)</li>
<li>Basel II</li>
<li>EU data protection and privacy regimes</li>
<li>Sectoral regulation: FSA (1), MiFID (2), AML (3)</li>
<li>Human Rights Act, Regulation of Investigatory Powers Act</li>
<li>Computer misuse regulation</li>
</ul>
<p>Those organizations with US operations may also be subject to US regulations such as Sarbanes-Oxley and SEC regulations, as well as sectoral regulation such as GLBA (4), HIPAA (5) and the USA PATRIOT Act. Most organizations are possibly also subject to US state laws that appear to have wider applicability, including SB 1386 (California Information Practice Act) and OPPA (6). Compliance depends as much on information security as on IT processes and services.</p>
<p>Many of these regulations have emerged only recently and most have not yet been adequately tested in the courts. There has been no co-ordinated national or international effort to ensure that many of these regulations &#8211; particularly those around personal privacy and data protection &#8211; are effectively co-ordinated. As a result, there are overlaps and conflicts between many of these regulations and, while this is of little importance to organizations trading exclusively within one jurisdiction, the reality is that many enterprises today are trading on an international basis, particularly if they have a website or are connected to the Internet.</p>
<p><b>Management Systems</b></p>
<p>A management system is a formal, organized approach used by an organization to manage one or more components of its business, including quality, the environment, occupational health and safety, information security and IT service management. Most organizations &#8211; particularly younger, less mature ones &#8211; have some form of management system in place, even if they&#8217;re not aware of it. More developed organizations use formal management systems which they have certified by a third party for conformance to a management system standard. Organizations that use formal management systems today include corporations, medium- and small-sized businesses, government agencies, and non-governmental organizations (NGOs).</p>
<p><b>Standards and Certifications</b></p>
<p>Formal standards provide a specification against which aspects of an organization&#8217;s management system can be independently audited by an accredited certification body and, if the management system is found to conform to the specification, the organization can be issued with a formal certificate confirming this. Organizations that are certificated to ISO 9000 will already be familiar with the certification process.</p>
<p><b>Integrated Management Systems</b></p>
<p>Organizations can choose to certify their management systems to more than one standard. This enables them to integrate the processes that are common &#8211; management review, corrective and preventative action, control of documents and records, and internal quality audits &#8211; to each of the standards in which they are interested. There is already an alignment of clauses in ISO 9000, ISO 14001 (the environmental management system standard) and OHSAS 18001 (the health and safety management standard) that supports this integration, and which enables organizations to benefit from lower cost initial audits, fewer surveillance visits and which, most importantly, allows organizations to &#8216;join up&#8217; their management systems.</p>
<p>The emergence of these international standards now enables organizations to develop an integrated IT management system that is capable of multiple certification and of external, third party audit, while drawing simultaneously on the deeper best-practice contained in ITIL. This is a huge step forward for the ITIL world. </p>
<p>(1) Financial Services Authority<br />
(2) Markets in Financial Instruments Directive<br />
(3) Anti-money laundering regulations<br />
(4) Gramm-Leach-Bliley Act<br />
(5) Health Insurance Portability and Accountability Act<br />
(6) Online Personal Privacy Act</p>
<p>Alan Calder is an international authority on <a href="http://itgovernance.co.uk/">IT Governance</a> and information security management. He led the world&#8217;s first successful implementation of BS 7799, the information security management standard upon which ISO 27001 is based, and wrote the definitive compliance guide for this standard, <i>IT Governance: A Manager&#8217;s Guide to Data Security and BS7799/ISO17799.</i></p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/managing-risk-in-information-technology-2006-11/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Managing Technology Risks&#8230;Using Industrial-Strength Change Management</title>
		<link>http://www.webpronews.com/managing-technology-risksusing-industrialstrength-change-management--2006-06</link>
		<comments>http://www.webpronews.com/managing-technology-risksusing-industrialstrength-change-management--2006-06#comments</comments>
		<pubDate>Thu, 01 Jun 2006 19:33:19 +0000</pubDate>
		<dc:creator>Dutch Holland</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[Technology]]></category>

		<guid isPermaLink="false">http://www.webpronews.com/?p=29630</guid>
		<description><![CDATA[Often, an IT group will be chastised because a new technology inserted into the company did not provide the business benefits that were promised.
]]></description>
			<content:encoded><![CDATA[<p>Often, an IT group will be chastised because a new technology inserted into the company did not provide the business benefits that were promised.</p>
<p>When this happens, the IT group is confused because the technology technically works just as advertised. However, upon further examination, we often discover that the user groups are not using the technology correctly (and sometimes not at all!). </p>
<p>An Industrial-Strength Change Management initiative can prevent this by providing the integrated, organization-wide action that is required for the technology to succeed. </p>
<p>While the benefits of big technological systems like ERPs have proven to be substantial for many companies, the implementation of such systems has proven to be a risky proposition. </p>
<p>The size of the risk, which can run into the tens of millions of dollars for the new systems, or into hundreds of millions for potential disruption to the organization or to its customers, calls for aggressive and systematic risk management to ensure success. Risk management must address the three kinds of risks associated with big systems implementation: technical, organizational, and business risk. </p>
<p>Companies and technical vendors have been doing high quality risk management for a couple of decades. Most of the risks that have been managed are what we call the technical risks of the implementation project. </p>
<p>The best layman&#8217;s definition of the technical risk is associated with the critical questions &#8211; will the system work, will it work on time, and will it come in on budget? </p>
<p>This kind of technical risk, while occasionally poorly managed, is usually handled reasonably well by a combination of the company&#8217;s professionals and the vendors. To be sure of realizing full business value, however, companies must go beyond technical risk management: for really big, comprehensive technology insertions (like ERP, CRM or Supply Chain systems), other kinds of risks must be equally well managed for the implementing company to receive the business value it is looking for. </p>
<p>By &#8220;Organizational Risk,&#8221; we mean the chance the organization will not use all the planned functionality of the new system or, in some documented cases, use the new system at all. Failure to use the new system could be caused by a number of factors &#8211; two of the most commonly-found and deadly factors are &#8220;inadequate user preparation / readiness&#8221; and &#8220;workforce resistance.&#8221; </p>
<p>By &#8220;Business Risk,&#8221; we mean the chance the costly-to-implement system will not pay off in &#8220;dollars and cents&#8221; for the implementing company. Failure to gain the full business outcome could be caused by a number of factors. One of the most commonly found failure factors is lack of alignment between the work processes embedded in the system and company business strategies and priorities.</p>
<ul>
<li>We use Technical Risk Management to ensure the ERP system works technically.</li>
<li>We use Organizational Risk Management to ensure the organization will use the new system.</li>
<li>We use Business Risk Management to ensure the organization will get the projected benefits from its use.</li>
</ul>
<p>Change Management is the primary weapon to manage organization and business risk. Unfortunately, we typically see low-strength change management used in many system implementations. Low-strength change management seems focused only on communication and system training, barely making the user ready to accept the new system but hardly capable of using it for its business purpose. </p>
<p>The change management that is needed, on the other hand, must take the organization and its many users much farther to ensure that the new system can and will be fully integrated into the day-to-day operations of all affected parts of the company by the target date. We have called this extra-strength version of change management &#8220;Operations Integration.&#8221;</p>
<p>Operations Integration is the body of knowledge / practices that is used to ensure that a complex change, like that associated with a big technology insertion, gets the right results, in the right timeframe, at the right costs. </p>
<p>Operations Integration is a disciplined approach applied in all organizational units that will operate the new system to ensure acceptance and readiness to use the new system fully and proficiently at &#8220;go live.&#8221; Operations integration includes:</p>
<ul>
<li>Clear communication of a vision of the system being fully used in the organization</li>
<li>Direct communication of the expectation and requirement of full and complete use by every affected worker</li>
<li>Work processes altered and aligned to match the processes embedded in the system</li>
<li>Work processes documented and worker instructions placed in the company&#8217;s official Policies and Work Procedures</li>
<li>Roles / goals / objectives of workers modified to fit aligned processes and use of the new system</li>
<li>Users / workers trained on the aligned work processes incorporating the new system</li>
<li>Performance management system in place to incentivize performance and to dis-incentivize failure to use</li>
<li>All affected workers &#8220;under contract&#8221; to be ready, willing, and able to use the new system fully at &#8220;go live&#8221;</li>
</ul>
<p>Operations Integration is a formidable initiative that must be aggressively managed alongside the technical implementation project. The goal is to have the users ready for full use of the system just as technical implementation is complete. </p>
<p>Formidable or not, operations integration must be given the highest possible priority by the organization&#8217;s executives or the organization will fail to realize the full benefits of the inserted technology.</p>
<p>New technology can promise and often delivers important business results in today&#8217;s highly competitive business environment. But delivery of those results is highly dependent on disciplined Operations Integration that handles all three major risk categories &#8211; technical, organizational, and business risks. </p>
<p>Unfortunately, that kind of comprehensive change management is a tall order for many of today&#8217;s IT groups that focus only on the technical issue resolution while organizational and business risks are left to chance. </p>
<p>Today&#8217;s message is very clear: use Operations Integration to plan and manage all three kinds of risks effectively or keep what you have in the way of systems and business processes. Moving ahead without managing all three risks is a certain recipe for organizational disruption and even disaster.</p>
<p>Get a free copy of the 250-page change manifesto <i>Change is the Rule</i>: <a href="http://www.hdinc.com/change-management/">Free Change Management Book</a></p>
<p>Dutch Holland is principal and founder of Holland &#038; Davis, specializing in helping clients implement change.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.webpronews.com/managing-technology-risksusing-industrialstrength-change-management--2006-06/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

