It is essential to recognise the benefits of information risk management (IRM) investments, even though many of them may not be direct, says Pravin Mulay, head of risk management and compliance at KPIT Cummins Infosystems, India.
Mulay will be a keynote speaker at ITWeb's risk management conference.
He argues that if IRM is embedded in the organisation's DNA and treated as a continuous process, as opposed to a one-time activity, it will add value to any organisation.
"IRM initiatives need demonstrative support from the top management; without it and without their direct involvement, such initiatives will not succeed," says Mulay.
Participation from an executive level is only one of the many challenges organisations face when approaching an integrated information risk strategy.
"Quantification of risks is always a challenge," he says, adding that measuring and assessing information risk needs to be addressed both quantitatively and qualitatively. "Many of the practices involved in IRM remain semi-formal or informal, which makes the creation of a process-oriented approach challenging."
Mulay believes human resources is a critical link in the IRM chain, but he says that for many businesses this remains the weakest link.
IRM lends itself to enterprise risk management (ERM) in two dedicated areas. "On one hand, the availability of suitable IT systems to support the ERM strategy is a must, and on the other, there are also risks related to the information itself and this must be managed suitably to fit into the bigger picture of ERM," he says.
Mulay will expand on the IRM concept at ITWeb's 2007 Enterprise Risk Management Conference to be held at Gallagher Estate in Midrand on 24 July.
He will be joined by Michael Rasmussen, VP of governance, risk and compliance research at Forrester Research, who will focus on how technology is changing businesses by taking them from a state of risk ignorance to risk agility.

