Have you seen Integrated Risk Management in practice, where Information Risk Management reports were merged with financial and operations risk?
What did the final reporting model look like? What are the current challenges and limitations of information risk management reporting?
Good Answers (3)
Nathaniel "Ned" D
Associate Portfolio Manager at UBS Financial Services
You might try contacting the Global Association of Risk Professionals; they might be able to refer you to a member with appropriate expertise if you don't find it here first.
Eduardo V
Operations Manager at Conviso IT Security
Karl,
For sure, but this is a consequence of a long process where the information risk management concept was presented to business leaders as a business tool, and the concept was worked on by several areas (e.g. risk management, insurance, financial risk) to create one framework that satisfies all needs.
The core of this approach is to define a base value for each asset and establish a harm level for the possible impacts. At the end, when you cross these values, you will have a report where the loss expectancy is expressed in money value and other harm references.
My opinion? It facilitated my life like a charm, but my director had to liaise for a couple of years with several big guys to achieve this result.
Michael S
Information security survivor
Karl:
I have been fortunate to be exposed to the Factored Analysis of Information Risk (FAIR) methodology as the method for measuring Information Risk. The methodology has been specifically designed to allow the apples-to-apples comparison of Information Risk to other forms of business and financial risk. I have attached a link to a whitepaper where you can read up on the methodology.
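The two answers above describe the same reporting idea from different angles: Eduardo's "base value per asset crossed with a harm level" and Michael's FAIR-style frequency-times-magnitude model both end in a loss expectancy stated in money, which is what lets an information risk sit in the same table as an operational or financial one. The script below is an added illustration of that, not code from either answerer or from the FAIR standard itself; it uses a deliberately simplified two-factor structure (loss event frequency and loss magnitude, each as a min/most-likely/max triangular estimate) rather than the full FAIR taxonomy, and the three risks and their figures are constructed sample data. The report it produces ranks every risk, whatever its domain, by simulated expected annual loss and 90th-percentile loss, and subtotals per domain.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class Risk:
    """One risk-register entry with three-point estimates (constructed example)."""
    name: str
    domain: str          # "information", "operational" or "financial"
    freq_min: float      # loss events per year: lower bound
    freq_likely: float   # most likely
    freq_max: float      # upper bound
    mag_min: float       # loss per event in currency units: lower bound
    mag_likely: float    # most likely
    mag_max: float       # upper bound

# Constructed sample register; the figures are illustrative, not measurements.
SAMPLE_RISKS = [
    Risk("Phishing-driven credential compromise", "information",
         0.5, 2.0, 6.0, 5_000, 20_000, 100_000),
    Risk("Data-centre power outage", "operational",
         0.1, 0.5, 1.5, 50_000, 150_000, 400_000),
    Risk("FX exposure on vendor contracts", "financial",
         0.8, 1.0, 1.2, 20_000, 40_000, 80_000),
]

def simulate_annual_loss(risk, rng, runs=10_000):
    """Monte Carlo: sample a loss-event frequency, realise an integer number
    of events for the year, then sample a magnitude for each event."""
    losses = []
    for _ in range(runs):
        # random.triangular takes (low, high, mode)
        lef = rng.triangular(risk.freq_min, risk.freq_max, risk.freq_likely)
        events = int(lef)
        # Carry the fractional part as a Bernoulli trial so E[events] == lef
        if rng.random() < lef - events:
            events += 1
        total = 0.0
        for _ in range(events):
            total += rng.triangular(risk.mag_min, risk.mag_max, risk.mag_likely)
        losses.append(total)
    return losses

def summarize(losses):
    """Expected annual loss, 90th percentile and worst simulated year."""
    s = sorted(losses)
    n = len(s)
    return {
        "expected": statistics.fmean(s),
        "p90": s[int(0.9 * (n - 1))],
        "max": s[-1],
    }

def integrated_report(risks, seed=1, runs=10_000):
    """One table for all domains, ranked by expected annual loss in money."""
    rng = random.Random(seed)          # fixed seed keeps the report reproducible
    rows = []
    for r in risks:
        stats = summarize(simulate_annual_loss(r, rng, runs))
        rows.append({"name": r.name, "domain": r.domain, **stats})
    rows.sort(key=lambda row: row["expected"], reverse=True)
    return rows

def domain_totals(rows):
    """Subtotal of expected annual loss per domain, for the summary line."""
    totals = {}
    for row in rows:
        totals[row["domain"]] = totals.get(row["domain"], 0.0) + row["expected"]
    return totals

if __name__ == "__main__":
    report = integrated_report(SAMPLE_RISKS, seed=7)
    print(f"{'Risk':40} {'Domain':12} {'Expected':>12} {'P90':>12}")
    for row in report:
        print(f"{row['name']:40} {row['domain']:12} "
              f"{row['expected']:12,.0f} {row['p90']:12,.0f}")
    for domain, total in domain_totals(report).items():
        print(f"subtotal {domain:12} {total:12,.0f}")
```

The point of expressing the information risk in the same units as the others is visible in the ranking: the ordering of rows is decided by the simulated money figure, not by which department raised the item. The three-point estimates are where the "base value" and "harm level" discussion in Eduardo's answer has to happen with the asset owners; the simulation only turns those agreed inputs into a comparable number.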
More Answers (3)
Jia Jin P
VP Risk Management at Islamic Bank of Asia Ltd
Hi,
Erm...well...yes and no. It depends on your definition of "Information Risk Mgt". I have seen reports which include simple things like results of ethical hacking, attempted breaches, downtime, response time, etc. - stuff which an IT head would be concerned with anyway.
What it does boil down to is: what are the risks (in this case regarding information) which the management has concerns over? Usually, these would be on the mgt report agenda anyway (commonly without even being given the title of a "risk" report).
The challenge (as with any other risk report) is to push info which you think is important to mgt. You will need to convince mgt that
a) they WANT to know this
b) WHY is it important to them; and
c) WHAT the info actually tells them
Bear in mind what is important to you may not necessarily be important to them! Good luck!
Just my two cents - hope that helps!
Dear Karl,
Integrated risk management is the integration of the management of risk at each level of management into all business and strategic planning and decision-making processes.
Integrated risk management brings together all risks that impact on each level of management. It means:
* helping staff identify the likelihood and consequences of activities
* identifying risks that impact on strategic and operational outcomes
* making informed decisions about the best way to achieve objectives
* targeting resources appropriately towards high-rating risks
* understanding the upside and downside of new activities.
Action taken to manage risks should be integrated with existing planning and operational processes. As a part of decision making, risk management is supported by other management techniques such as performance management and continuous improvement.
Hope to have answered all questions above,
Bala R
Sr.Consultant
Hi Karl,
I was leading a team in carrying out enterprise-wide information risk management for a large financial institution. This was the first time the customer organization was doing this, and there were buy-in issues with Business also.
So we had a high-level management meeting and we developed an integrated risk management model. The motive behind this model was that the stakeholder was receiving too many reports from Audit, Legal, Compliance, the Risk dept and the Info Sec dept.
This was a tough task since we needed to protect the interests of all the relevant functions involved. They felt that each dept was stepping into the others' shoes.
We started by saying that all non-conformities / non-compliances are to be classified as RISKS and each identified RISK will have a risk tracking sheet. Then we created a common platform (database) wherein all the reports would be made available in a categorized repository with adequate access controls defined. So whenever any function (either Audit, Risk or Info Sec) wanted to carry out their tasks, they would check the repository and the relevant risk tracking sheet and know the status.
Assuming the Audit dept. is scheduling an audit, they would first access the repository and verify with their questionnaire whether any RISKS identified in the checklist exist. If so, they look at the status of the relevant risk tracking sheet; else they audit the controls related to the identified RISKS and send the reports to the stakeholder (a copy of the report is available in the repository).
By proposing this, we achieved the following:
1. We did not make any changes to the org. structure or roles.
2. The stakeholder still received many reports, but there was no duplication of RISKS.
Hope this helps.
Bala Ramanan