Information risk management, a business imperative
Information risk management focuses on identifying, evaluating and treating risks to the organisation's valuable business information, including:
- Digital data plus the associated IT systems, networks, cloud services etc.;
- Financial information - company accounts, profit and loss statements etc.;
- Personal information on employees, supplier contacts, customers and others;
- Intellectual property - trade secrets, know-how, creative/innovative concepts and designs, brand names and logos;
- Strategies, tactics and plans to secure competitive advantage;
- Business relationships.
Systematic information risk management involves:
- Identifying risks to information. Ransomware is a topical example but there are many more risks to consider, both deliberate and accidental. Aside from incidents the organisation has already experienced, other relevant information sources include:
  - Near-misses - incidents avoided through sheer good fortune;
  - Newsworthy incidents affecting less fortunate industry peers, neighbours and other organisations;
  - Advice from information risk and security experts, suppliers, regulators and standards bodies.
- Evaluating the information risks, estimating their probabilities and business impacts in order to determine priorities for action.
- Reducing, avoiding or sharing unacceptable information risks using appropriate technologies and processes to enable and ultimately achieve business objectives.
- Monitoring the risks and risk treatments, responding to changes and improvement opportunities.
Proactive information risk management shifts the focus from responding retrospectively to past incidents, towards predicting and reducing the risks ahead. It requires:
- A clear understanding of the business context;
- An appreciation of the risks, their potential impacts and the organisation's ability to respond to them;
- A strategy for managing these risks effectively in line with business objectives.
Pragmatic information risk management further acknowledges that risk is an inherent and inevitable part of business. Excessive information security increases costs and constrains activities and is therefore counter-productive. Information risk management is not just about avoiding or mitigating risks, or worse still attempting to eliminate them (a fool's errand). Management must balance the benefits and costs of information risk management, minimising the overall net impact on business performance. Incident and business continuity management, for instance, complement conventional information security management, forming a comprehensive approach.
We can help you find the sweet spot between 'inadequate' and 'excessive' where information risk, security and compliance activities are 'sufficient'. Guiding the business through these complexities can break the deadlock of management indecision, while avoiding irrational, sub-optimal approaches to information risk and security. Our approach is to work with senior business and IT managers, providing expert advice on how best to manage information security risks in today’s complex and dynamic business environment, building on established frameworks such as ISO/IEC 27001 and our decades of experience.