It is well known that with the interruption of key business processes due to technical or human error, a company can encounter dissatisfied customers, lost business, or even legal liabilities and a loss of reputation.
However, when it comes to operational and IT risk management, businesses no longer have a choice. Faced with an ever-increasing array of regulations, it is essential for executives to understand and measure risks in new and diverse ways.
Complying with regulations can be a nuisance, yet many companies are now realising that the knowledge gained about their risks can produce valuable insights about the organisation. In fact, a strategic approach to operational and IT risk management can bring high returns on investment.
By pursuing a strategic approach, companies can take an active stance against risks through anticipating and effectively addressing threats at their source. However, for many companies, understanding how to properly analyse and quantify operational and IT risks in terms of real business impacts remains a major challenge.
Guiding philosophy
The difficulty of effective risk management lies in gaining a full understanding of how IT systems and other resources support business processes, how possible disruptions of these resources will cause the business processes to fail, and the resulting impact on the business. In many cases, companies lack reliable data and practical frameworks for assessing risks and the impact to business practices.
The guiding philosophy regarding this dilemma is to take a functional, process-centric view of the organisation. At the enterprise or business line level, this involves looking at the principal business components of the company and characterising the risks associated with each component using key risk indicators and risk profiling surveys.
A heat map of the organisation locates the business components that pose the greatest threats, which can then be probed more deeply.
Mapping risk
When it comes to looking more closely at the drivers, indicators and impacts of risk within each business component, it is best to begin by identifying the causes and effects of systems failures, as well as the business processes which are affected by these failures.
Based on this mapping of risk, the impacts of failures can then be quantified using sophisticated mathematical techniques for a comprehensive forecast of likely business impact.
Once these forecasts have been established, a cost-benefit or return-on-investment analysis can then be performed to help executives decide how to manage operational risk optimally and whether to change processes or resource usage.
At a business process level, this layered, functional approach identifies and maps the business processes that contribute to the key impact metrics of a company, such as cost, service delay, quality and liability. Key resources supporting each activity in the business process are identified based on the impact of resource failure on the process. These resources may include individual IT components such as devices, network connections and applications, as well as other resources such as trained personnel and key documents.
Failure scenarios
For each resource, a catalogue of various possible failure events is compiled, along with the likely root causes of these events. This mapping can then be used as a basis for scenario analysis to ask hypothetical questions regarding effects of process changes or added controls.
At the resource level, root causes of failures can be traced to failure events in specific resources via a mapping of the interdependencies among the various IT systems, low-level processes and human resource elements. Here, process-centric analysis maps and computes the risks posed to these resources under various possible failure scenarios.
Such an analysis breaks down the cascading effect of failures, and failure events may be characterised in terms of frequency and severity. This model also allows for identifying the impact of various possible reconfiguration and optimisation scenarios.
Analysis can be performed at any given level or a combination of levels. In addition, there are two distinct approaches to this process-based risk quantification.
Top-down process-based approaches map risks at the business-line level rather than the process level, and seek to mitigate them through analysis of the underlying systems and processes. Such approaches would be taken by a business-line manager or financial officer who wants to know the risk impacts for a given business unit or the enterprise as a whole.
Bottom-up process-based approaches map risks at the level of resources and IT systems, and seek to quantify their aggregate risk impacts on business processes. This approach would be used to provide answers for information officers in the company who want to know what the total risk impacts of a data centre, server farm or network they manage might be.
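The layered model described above (resources with a catalogue of failure events, cascading failures along interdependencies, processes with impact metrics, and top-down versus bottom-up aggregation) can be made concrete in a few dozen lines. The following is an added worked example, not code from the article or from IBM. Every resource, process, frequency and cost figure in it is constructed for illustration, and it assumes severity is measured as outage hours and impact as a cost per hour of process delay, with expected losses treated as additive across independent events.

```python
"""Toy process-centric risk model (constructed illustration, not the article's method).

Resources fail with catalogued events (frequency, severity); failures cascade along
dependencies; business processes that rely on failed resources incur impact.
All names and figures are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FailureEvent:
    name: str
    root_cause: str
    frequency_per_year: float  # how often the event is expected to occur
    outage_hours: float        # severity: how long the resource is unavailable


@dataclass(frozen=True)
class Resource:
    name: str
    events: tuple = ()         # catalogue of possible failure events
    depends_on: tuple = ()     # resources whose failure takes this one down too


@dataclass(frozen=True)
class Process:
    name: str
    business_line: str
    resources: tuple           # resources the process needs to run
    cost_per_outage_hour: float  # impact metric: cost of one hour of delay


# Constructed sample inventory (hypothetical names and figures).
RESOURCES = {r.name: r for r in [
    Resource("core-switch", events=(
        FailureEvent("switch hardware fault", "ageing hardware", 0.5, 4.0),)),
    Resource("db-server", depends_on=("core-switch",), events=(
        FailureEvent("disk failure", "no RAID monitoring", 1.0, 6.0),
        FailureEvent("misconfiguration", "untested change", 2.0, 1.0))),
    Resource("order-app", depends_on=("db-server",), events=(
        FailureEvent("app crash", "memory leak", 4.0, 0.5),)),
    Resource("ops-staff", events=(
        FailureEvent("key person unavailable", "single point of knowledge", 1.0, 8.0),)),
]}

PROCESSES = [
    Process("order-entry", "Retail", ("order-app",), 5000.0),
    Process("nightly-billing", "Finance", ("db-server", "ops-staff"), 2000.0),
    Process("customer-support", "Retail", ("ops-staff",), 500.0),
]


def cascade(root, resources):
    """Resource level: every resource that transitively depends on `root` fails too."""
    failed, frontier = {root}, [root]
    while frontier:
        current = frontier.pop()
        for res in resources.values():
            if current in res.depends_on and res.name not in failed:
                failed.add(res.name)
                frontier.append(res.name)
    return failed


def loss_by_process(resources, processes):
    """Bottom-up: expected annual loss per process, attributed to the (resource, event)
    whose failure caused it. Returns {process: {(resource, event): loss}}."""
    loss = defaultdict(dict)
    for res in resources.values():
        failed = cascade(res.name, resources)
        for ev in res.events:
            expected_hours = ev.frequency_per_year * ev.outage_hours
            for proc in processes:
                if failed.intersection(proc.resources):
                    loss[proc.name][(res.name, ev.name)] = expected_hours * proc.cost_per_outage_hour
    return {p: dict(v) for p, v in loss.items()}


def loss_by_line(resources, processes):
    """Top-down: aggregate process losses up to the business line."""
    per_process = loss_by_process(resources, processes)
    totals = defaultdict(float)
    for proc in processes:
        totals[proc.business_line] += sum(per_process.get(proc.name, {}).values())
    return dict(totals)


def loss_by_resource(resources, processes):
    """Which resource's failures drive the most loss across all processes."""
    totals = defaultdict(float)
    for contributions in loss_by_process(resources, processes).values():
        for (res_name, _), amount in contributions.items():
            totals[res_name] += amount
    return dict(totals)


def heat_map(losses, high=50_000, medium=10_000):
    """Rate each unit by expected annual loss so the worst can be probed more deeply first."""
    return {name: "high" if v >= high else "medium" if v >= medium else "low"
            for name, v in losses.items()}


def with_control(resources, resource_name, event_name, new_frequency):
    """Scenario analysis: copy of the inventory in which an added control has
    reduced one event's frequency (e.g. monitoring catches the failure early)."""
    res = resources[resource_name]
    events = tuple(FailureEvent(e.name, e.root_cause, new_frequency, e.outage_hours)
                   if e.name == event_name else e for e in res.events)
    return {**resources, resource_name: Resource(res.name, events, res.depends_on)}


def control_benefit(resources, processes, resource_name, event_name, new_frequency, annual_cost):
    """Return on investment of a control: avoided expected loss minus its annual cost."""
    before = sum(loss_by_line(resources, processes).values())
    changed = with_control(resources, resource_name, event_name, new_frequency)
    after = sum(loss_by_line(changed, processes).values())
    return before - after - annual_cost


if __name__ == "__main__":
    for proc, contributions in loss_by_process(RESOURCES, PROCESSES).items():
        print(proc, round(sum(contributions.values())))
    print(heat_map(loss_by_resource(RESOURCES, PROCESSES)))
    print(control_benefit(RESOURCES, PROCESSES, "db-server", "disk failure", 0.25, 10_000))
```

Run as a script, the same inventory answers both questions from the text: `loss_by_line` gives a business-line manager the Retail and Finance exposure (top-down), while `loss_by_resource` and `heat_map` tell an information officer that the database server, not the application that users see failing, is the component to probe first (bottom-up). `control_benefit` is the scenario step: here a hypothetical RAID-monitoring control that cuts disk-failure frequency to a quarter pays for itself even at a constructed cost of 10,000 per year. The model is deliberately simple: it ignores overlapping outages and treats every event as independent, so its numbers are a ranking aid rather than a forecast.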
Whether taking a top-down or bottom-up approach or merely analysing risks at a particular level in the organisation, start reaping the benefits of active risk management, rather than passively employing controls and measurements to satisfy regulatory standards. Take charge and transform the company into a risk-aware, protected, and resilient organisation.
* Chamu M'Kombe is manager of IBM Business Continuity and Recovery Services.