We are a connected society, and that connection is growing.  When you look around your office, your home, the room you are in you will notice that numerous items are technology enable, vast number of daily appliances, tools and equipment that we take for granted have embedded chips: microwaves, refrigerators, washer & dryers laptops, automobiles, music players, telephones, mobile and smart phones, lighting systems….. the list goes on and on.

It is hard to deny that technology is pervasive.  Often we don’t realize how much so until there is a loss of enabling power or supporting systems.  Then our dependency becomes readily apparent.

The integration of technology, which is very portable, creates a new challenge for managing technology and security risks.  In this world where one key control was to “defend the perimeter” finds that the logical perimeter of our business environments is expanding.  It is connected to the internet, business partners, mobile computing and smart phones and the ability to move data (USB, DVD, CD, print, email, etc…) in a fast and often undetected manner.

Do you know what devices are connected to your network, what can be connected and what they can do?  Until you know where your assets are and how they might reasonably “gotten to”, you are not able to truly protect them.  Awareness becomes the first line of defence.

When you looking at your business in this evolving world are you aware, and maintaining that awareness, of what you are the custodian of, who could access it, how it may be access and what you are doing to protect it?

Internal controls are one mechanism to help guide and manage an organization and create value, but more and more as companies deal with other emerging issues I am seeing the foundations of internal control crumble and give way to  the tyranny of the urgent.  On the frontlines of internal control management puts forth its expectations and guidelines in the form of policy.  These policies are one of the key components of the overall control environment and tone which management conveys.

Legislated compliance put many organizations in a position where they had to dust off their policies and re-establish their tone.  However, as time has passed many organizations are experiencing a widening gap between what they have said they expect and the reality of what they are doing.  Policies are getting out-dated and fast.

Sometimes the policies need to be updated for reality changes.  Sometimes they were too cumbersome in the first place and need to be simplified.  Sometimes we think we know what’s in them, but don’t.  Sometimes they just need to be applied.

Overall, when policies become outdated, irrelevant or not maintained it can have a detrimental impact.  First, there is a greater risk that you actually have compliance concerns – in documentation, assessment or in the gap in the entity controls – where what you say and do differ.  Secondly, not keeping things relevant sends the message that they don’t really matter.  Thirdly, you create a circumstance where accountability is unclear and can be hard to hold people to. Fourthly, you are doing a disservice to those in your organization by not providing them with direction, or worse, providing them with differing directions.

All in all, to guide your organization and maintain the right organizational control environment, you need to maintain accurate and relevant policies, yes, even IT policies.

leadership creates the compelling vision,

governance provides the context, authority and empowerment and

management is used within this environment to deliver the vision successfully

It may seem logical to conclude that without good governance, management’s actions are executed in a vast universe with little or no guidance.  Governance provides that guidance, or as Alan Calder says “oversight”.  However, like any business activity, there needs to be some benefit to balance the cost of our actions.

Governance over information and technology may enable us to more readily contain and identify management issues.  Governance provides feedback and awareness of operational, financial and strategic alignment and execution.

From a value perspective, Peter Weill and Jeanne W. Ross state that “Effective IT Governance is the single most important predictor of value an organization generates from its investment in IT.” in their book IT Governance.   In addition, Weill points out that higher profits are aligned good governance of information technology.

So are you ready to consider the value you can generate by providing the right context and oversight?

Seems like there are a lot of different perspectives with varying points of reference.

When trying to understand and frame what governance is; it is important to understand where it fits in with leadership and strategy.

Leadership: the ability to guide, direct, or influence people (Encarta dictionary)

Governance: is the set of processes, customs, policies, laws, and institutions affecting the way a corporation (or company) is directed, administered or controlled. The Institute for Governance provides the following guidance: “The need for governance exists anytime a group of people come together to accomplish an end. Most agree that the central component of governance is decision-making. It is the process through which this group of people make decisions that direct their collective efforts.”

Management: Is the act of planning, executing and delivering a desired results.  Management is the administration of a business towards a successful and desired result. (Encarta)

In this understanding leadership creates the compelling vision, governance provides the context, authority and empowerment and management is used within this environment (the direction/boundary that leadership and governance provide) to attempt to deliver the vision successfully.

There have been, and often still are, many areas under the IT Risk Management umbrella that various people, departments, groups and companies understand differently – such as the actual level detailed definition of an IT risk, how focused/specific should an IT risk be, how broad should it be, what is the best approach, how do I measure the impact/likelihood, mitigation.

Today, there are more merging IT Risk Management enabling concepts/frameworks than ever before, and for that resource we should be grateful, but sometimes, too much choice can also be debilitating.  Currently, there are elements of RiskIT, COSO ERM,  Calder-Moir, GAIT, NZS/AS4360 - ISO31000, ISO27002, ISO27005, OCTAVE, ISF, CRAMM, Basel II, Basel II and IT Control Objectives, CERT SNSP, and several others available.

Each of these frameworks offers assistance in your IT Risk Management efforts, but at the end of the day the people on the ground actually executing that tasks to manage/mitigate the risks need to understand the specific risks areas they are responsbile for, what they are empowered to do, and to what extent they need to manage the risk to.  This could mean being as specific as the unique risks related to a specific router and its configuration.  For some organizations, this is not an impractical extreme; however, when you take the 12 risks related to this router to an executive management or board level audience and extrapolate it out by all the other risk areas you are left with an overwhelming mass of information that is meaningless to its audience.

You need to ensure that your IT Risk Management solution is:

(1) integrated into the existing risk management culture and practices of an organization – depending on circumstances you may be a leader, championing change, but if you are too far ahead of the pack you may find you are adrift on your own. Also, be wary of the leading the change in a culture where when something is labelled IT and it is therefore thrown over the wall to IT and no one else concerns themselves with it.  Managing risk, is a business activity, even those related to information and technology.

(2) meaningfully articulated to each level of management and employee responsible

(3) vertically integrated so that the various detailed risks, which are meaningful to the IT operations team can be translated into higher level IT risk for the IT leadership team and then into succinct and relevant business risks for the executive management team and the board.

One significant caution when executing such a vertically integrated approach it to be cautious of the tendency to re-scope the risk at every level.  Once the business risk is assessed and the impact determined the risks underneath are often in jeopardy of being re-scoped, but remember, more often than not these are actually processes/activities in place in the organization to help manage/mitigate the high level business risk.  What are often labelled as new risks at this level are really, the things that  “could go wrong” with the process/activity impairing its ability to deliver on its responsibilities for mitigating the real business risk.