SAN FRANCISCO—IT executives face more risks than ever to system security, their budgets and corporate reputations. But the most they can hope for is to focus the most resources and technology investments against the worst threats and hope the lesser concerns dont leap up to bite them.
This was the focus of the discussion this week at a Robert Frances Group conference on “reducing risk, restoring trust: a leadership role for IT.”
Most of the IT executives participating in the opening panel focused on operational risk assessment and management work in the banking and financial services industry where IT is the first line of defense against a multitude of hazards.
These executives work in an industry where IT keeps the cash flowing smoothly through the economy. Serious hang-ups in a check clearing system or a back-office investment application can literally cost an institution billions of dollars and bring probing questions from the Federal Reserve and congressional committees.
Measuring and assessing risk is the best way for IT department to ensure they will get the money they need to fix high-priority problems, said Bruce Lee, CIO with European banking group BNP Paribas.
IT managers have to assess operational risk with the same diligence that bankers gauge credit and market risk, Lee said. When it comes to identifying risks that are at the core of a banks operations, such as fraud, theft or catastrophic equipment failures, it is easy to get the resources to fix the problem.
“[If you] find sufficient risk you can kill any objections to committing money” to fix the problem, Lee said. But risk assessment and mitigation isnt a just a point solution; it has to be “a new operational strand” of each IT department, he said.
Then there are risks that can also threaten an IT departments reputation and operations, but are more difficult to get money and resources for, he said.
Building trust in IT
For example, a company can have a policy that no user can install illegal or unlicensed software on their PC, Lee said. The IT department can also order that no PC user can have administrative rights on the network. But “these policies are hard to enforce because there are no tools to monitor compliance,” he noted.
Its also hard to get resources to solve a potential problem if the threats are measurable and perceived to be limited, Lee suggested. For example, if an organization faces the risk of incurring a $50 million fine if a particular IT administration system isnt implemented, Lee said. But the risk of incurring the fine will still be measured against the cost of implementing the system.
In effect, you “cant scare people into spending money” when the risks are measurable and you can assess potential tradeoffs of the cost versus the risk, he said.
For Wachovia Corp., managing risk involves carefully assessing and categorizing the potential risks to try to address the ones that have the most potential to cause problems, according to Doug Sappenfield, senior vice president of the banking giants risk management group in Charlotte, N.C.
Wachovia has more than 11,000 servers running more than 20,000 databases, Sappenfield said. Assessing all the potential risks to the operation of all these IT resources is a challenging task.
It became a matter of weighing inherent risks against mitigating controls to winnow the potential list down to residual risks that needed to be addressed with new policies or systems, he said. In the end, IT was left with a list of 63 items that posed acceptable risks that didnt require prompt attention, he said.
Aside from carefully weighing the potential risks, Ted Knodel, vice president and senior consultant with the Robert Frances Group, said there are a number of measures that IT executives could carry out to reduce operational risks and increase corporate trust in the IT department.
IT departments need to focus on the problems that are uppermost in the minds of senior corporate executives and then make sure that they know what IT has done to solve problems, reduce risks, and help the organization make and save money, he said.
Knodels management mantra is “trust begets communication and communication begets trust.” Without this virtuous cycle, senior management will retain the same impressions that bedevil many corporate IT departments: that projects are always late and too costly, there is never enough money for the most important projects, IT isnt aligned to the most strategic needs or IT doesnt deliver value for the money it spends, he said.