COSE 2206.

qxd 11/09/2003 11:46 Page 487

Operationalizing IT risk
management
global organisations conducted during 2002, it of all of the key risks, and three of the four had Robert S. Coles &
was found that all conducted some form of risk major gaps. The approaches to risk and the
assessment to assist in the management of major gaps identified in the approaches are
Rolf Moulton
security risks. However, when we analysed summarized in the table below: robert.s.coles@kpmg.co.uk
the risks that they addressed, three of the four
In each of the organisations that we examined RMoulton@ptd.net
organisations had major gaps in their risk
there were clear deficiencies in the process
assessment coverage that could result in In a study of four major
whereby they:
significant risks being missed . We wondered:
why did the gaps exist; are there inhibitors to 1. Focussed on IT issues rather than risks
effective risk assessment; are there blind related to the business
spots; are approaches to risk assessment
2. Did not:
deficient in some way; how could we make the
process of risk assessment more robust but • get clear and unambiguous ownership by
easier to do? This paper seeks to address some the real risk owners;
of these questions. • did not get clear buy-in from those who
must implement the safeguards;
The gaps
• follow through with aggressive
Many organisations struggle with risk confirmation that the controls had
assessment and some believe that it shouldn’t been implemented and operated as
be practiced at all! Many do some form of designed.
risk assessment, but often badly, or
incompletely. Some just don’t bother, Having established that risk assessment
seems to be very difficult to do well, we
preferring an approach which relies on
searched for why this might be so. We
standards and baselines to manage the common
found a number of inhibitors to risk assessment
risks, some just ignore the problem and trust to
which either encouraged organisations to
hope. We looked at four major global
do nothing, or resulted in the gaps that we
organisations and found that although they all
found in the content and process of risk
undertook risk assessment in one form or
assessment.
another, no organisation had a good overview

Table 1

Company Risk Approach Adopted Major gaps in Approach

1 Adopted an effective risk management approach based on
business process leaders with input from other stakeholders.
2 Risk management approach led by IT. Business Process Managers assumed that all of the risks
related to information in IT applications belong to IT and
therefore did not seek to assess or manage any IT risks.
3 Adopted a risk management approach based on business Business Process management did not participate in the IT
process leaders. Business process leaders assumed all risks aspects of risk management. They assumed that IT did
related to information in IT operations belonged to the this.
IT division.
4 Informal team based approach risk management was Missed key risks related to infrastructure, and possibly
adopted, including business and IT people. others.

0167-4048/03 ©2003 Elsevier Ltd. All rights reserved. 487

COSE 2206.qxd 11/09/2003 11:46 Page 488

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

Robert S. Coles MBA, MBCS, Inhibitors just to get some management attention to
CISM address some of the known problems.
Robert is the Security Service There seems to be a number of “inhibitors” or
Leader for KPMG LLP in the reasons why organisations are either poor at Sometimes the reason given is that there is no
UK. He is responsible for the assessing risks, or don’t bother at all. clear link between specific risks and controls
development and delivery of that can be implemented to manage those risks.
a wide range of security The main reason for doing nothing appears to As an example, the information security
services from strategy and be management perceptions about how big a manager at Company 1 commented that
architecture to managed problem information risks actually are, time and
security services, “business people don’t always understand
resources needed to study the issue, and why security issues and therefore can’t see the point
implementation and testing
and certification services. any more effort was needed. For many in spending money up front to get it right.”
Robert is also a member of managers, we believe, the decision making goes Others give the reason that technology is
the Certified Information something like this: changing so quickly that there just isn’t time to
Security Manager exam board
1 we have suffered no significant losses in the undertake proper risk assessment and
and BDD2 and Panel 3 the UK
committees responsible for past, so: implement the desired level of control. By the
the development of BS7799. time the assessment and design is finished – the
2 the current protection level must be about technology has all changed and you have to
Rolf Moulton, CISSP, CISA, right, therefore: start again.
CCP
3 risk assessment should not be a top priority The reasons for doing risk assessment badly
Rolf Moulton is Director of
Risk Reduction Solutions, Inc., for us right now. seem to be related to flaws in the processes
where he provides risk and/or approaches and tools used. There are a
Of course, the flaw in this logic is that this is
management and security number of different approaches to risk
consulting services to clients. effectively a blind gamble. There is no real
consideration of specific risk events, or their assessment, and when and how they are used
He serves on the
International Board of potential impact. They are relying on luck may be related to the background and/or
Referees of Computers & rather than judgement. The logic changes training of the person facilitating the approach.
Security, and is a member of pretty quickly when an organisation gets hit –
the Board of (ISC)2. He was • Most from a security background generally
there can be a knee jerk reaction to throw take a traditional risk assessment approach
formerly Head of IT Risk
Management, and responsible some money at resolving the immediate focusing on Confidentiality, Integrity and
for information security at problem, recovering from the incident, but Availability risks. The approach either starts
Unilever; as well as a member often this doesn’t address the route cause, just with examining assets, and prioritises threat
of BDD2 the UK committee the effects. What is really needed is a and vulnerability activity focused on the
responsible for the
continuing investment of time, money and largest assets; or it starts with threats and
development of BS7799. He
also has served as Director of energy to ensure that the risk management prioritises activity based on the largest
the Computer Security process is working. threats. The security perspective often
Services Unit at the excludes business processes entirely and
Sometimes the reason given for not undertaking
Department of Investigation,
risk assessment is the cost “we just don’t have focuses specifically on technical threats and
City of New York, as was a
senior security consultant at enough time/energy/money to do it properly” – vulnerabilities.
BP America. however, this is really just a manifestation of • Additionally, those from a computer
the logic noted above. It is just not high up security background often focus on specific
enough on the management agenda because infrastructure platforms or systems and don’t
significant problems haven’t hit in the past. generally address business processes.
Some of the security managers that we spoke to
in this study, as well as during interviews with • Those from an audit background take a
other companies, said that they sometimes different approach from those with a
wished that they had a really big security breach security background, sometimes focusing on

488
COSE 2206.qxd 11/09/2003 11:46 Page 489

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

business processes – and not really getting • Initiate – this is the starting point. The
down to the technical detail. purpose of this phase is to make sure that
the focus is on determining what the
All of these approaches seem to be flawed as
business process is trying to achieve, what is
the different perspectives all miss important
needed to get the job done, and what could
elements. So we synthesized a new approach,
adversely impact hitting the targets. Kick
which we named Business Process: Information
off must start with the business process –
Risk Management. This approach combines
this is where all of the impact of the risks
what we felt was the best of the pure security
ultimately hit. We start with an initial step
focus, together with the best of the pure
of identifying the purpose and goals of the
business focus, to come up with an approach
process. Without these it is difficult to assess
to address all of the gaps in the organisations
how any individual risk which impairs the
that we examined. It is a pragmatic approach
process would ultimately affect the business.
that relies on an examination of potential
We also look define and consider any
losses as the key driver for controls design,
external environmental factors to provide
rather than a theoretical examination of
the context for the risk assessment, and any
potential impacts and probabilities of threats
resource constraints that could affect the
and vulnerabilities.
approach that we might take.

Business Process: Information • Define – this phase identifies the

Risk Management (BPIRM) requirements. Requirements might be
information requirements (such as the need
Our approach has two elements:
for key information to be generated on
• a process for ensuring “ownership” of time, completely and accurately), process
information risks by the real risk owners, requirements (such as requirements for all
identifying the risks to be managed, customer orders to be met within a certain
agreeing priorities and a very strong time period) or IT requirements (such as
requirement for a feedback loop to ensure
that controls are implemented as designed Figure 1

and monitored to ensure that they continue

ASSESS
to function as implemented.
Assess risks, create risk profile
• a content model which provides focus to for process and applications

ensure that all the right people are involved

IM
Im ontro

PL

in the decision making and all the right risk

ple l s
c

EM
me olu

areas are considered, and that those

nt
goals, environmental factors

Define process, information

E
Identify business process

an ions

NT
and resource contraints

RISKS
and IT requirements

dt

decisions are communicated and

t

Opportunities
es
t
DEFINE

implemented effectively. Standard Service

INITIATE

Contraints
Threats
Level Agreements (SLAs) between business Technologies
els
lev e
rvi anag

process owners and “IT” are seen as a key Interdependance

ce
fy ls, m

component of the communications,

se
, v ntro

GE

implementation and follow-up process.

nts co
eri

NA
ide te
inc pera

MA

The process
O

Confirm adequacy of
controls / redefine
The overall BPIRM process has six components,
linked by a feedback loop, as follows: CONFIRM

489
COSE 2206.qxd 11/09/2003 11:46 Page 490

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

peak response times not to exceed a certain there is an ongoing process that takes into
maximum limit). These requirements relate account new risks that may have arisen
to the key objectives that could fail to be since the last assessment.
met if a risk was to occur. They allow us to
The content
focus our risk assessment in the key areas
of loss. The BPIRM content model is used to guide the
process to cover all of the key risk loss areas.
• Assess – this is the core of the process which
The model is based on a “value-chain”
relates the requirements to how well the
standardised picture of a business which seeks to
controls address them. This examines each
capture all of the key elements of a business
of the loss areas and looks at how to control
process.
or otherwise mitigate/transfer any potential
losses – either through minimising the Specifically, the BPIRM model provides the
impact, minimising the likelihood of the loss means for the risk manager to define and
occurring, changing the business process, or develop absolute clarity of risk ownership. It is
transferring the risk. It looks at how controls intended for use within business processes.
can detect breaches and quantify losses However, the model may be used with business
and/or prevent them from happening. This applications where business processes are not
process relies on using Reasonable adequately defined and/or to facilitate looking
Information Protection Levels (RIPLs) to at subprocesses or components of larger
allow easy configuration of rules to meet integrated applications.
standard protection requirements that relate
In the outer layer, the executive leadership of
sensitivity of the information to controls
an organization seeks to maximize the overall
within the overall business process, as well as
enterprise performance. It is also the overall
the IT application and the infrastructure.
business owner of risks related to the
• Implement – this is the process of organization. Business processes are used to
establishing and testing the controls in facilitate management of the organization.
operation. This phase of the process is the The number of processes and the complexity
doing element – making sure that what has of the processes will vary. As an example,
been designed is actually put in place and a process may involve product fulfillment.
that service levels for the operation of the It could include making, delivering a product
controls are realistic. or service to a customer, as well as collecting
a fee for that product or service. In turn,
• Manage – this is the daily operation of the
customer expectations may be influenced
controls. This part of the process is designed
by perception of a need(s), what is required
to ensure that control expectations are
to meet that need, the products and services
consistently defined in a Service Level
that are available to meet the need, and
Agreement (SLA); that service delivery is
perceived “value.” For branded products, a
monitored that expectations are met; and
perceived value that is higher than a
that any incidents are reported, documented
competitor’s product is critical to long term
and effectively managed through to
brand value and reputation, and hence
conclusion.
enterprise performance.
• Confirm – this is the process of ensuring
At the core of the model is the process itself,
that risks and associated controls are
and its constituent sub-processes and elements –
actually being managed and are effective at
these are made up from the data, information
the specified level(s). And, especially that

490
COSE 2206.qxd 11/09/2003 11:46 Page 491

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

and applications upon which the process is Figure 2

reliant. The model also considers the staff and
management who operate the processes and the OVERALL BUSINESS OWNERSHIP

EN
Business process leadership and people resource
IT, and the technology and infrastructure upon

TE
Information and IT (sub) process leadership
which the applications are operated.

RP
Information and IT people resource

RI
Consideration is also given too those outside of

SE
PE
the organisation – the third-parties (customers

FO
Bra
and suppliers) who are the inputs and outputs of

RM
nd
Priva

AN
val
the process.

GOVERNANCE

GOVERNANCE

u
Reassurance

CE
cy

e
Subprocesses
The model has 7 layers within a business Data Information

ices
Applications
process ownership framework; some layers have

ion
serv

CE
multiple subcomponents. They are:

tat

AN
&

pu
ucts

Re

M
Business process leadership and people

OR
Prod

EF
resource

P
Infrastructure

SE
This is the primary activities function that has NIGT. Op-system Network Server Workstation

RI
RP
overall responsibility for making and delivering Third parties / suppliers

TE
Technology
the product or service; governance is an implied

EN
part of leadership. The employees who make
and deliver the product or service are included and control. Governance is reflected as a
within this layer. The IT process leadership is cross layered component to ensure that this
assumed to have little or no control of the is not overlooked. The governance and
management of this resource. reassurance roles are fundamental issues
Governance and Reassurance note: that the model seeks to differentiate and
address.
Governance, which may also be termed as “due
diligence,” is the assurance part of the process IT process leadership
where quality control, adherence to corporate IT process leadership is directly responsible for
policies, and external laws and regulations are
meeting overall business process information
addressed.
and IT requirements. This specifically includes
Reassurance is an after the fact check to ensure the IT policies and guidance, as well as the IT
that the governance function is properly executed compliance checking needed to meet overall
by business leadership. The assumption is that
corporate governance requirements. This
reassurance is performed by an independent
function and the IT process may be fully or
function, such as an internal audit department,
that is not directly involved in management of the partially integrated into the business process, as
business process itself. depicted by the dashed line. Or, as noted
above, business process leadership may treat IT
In the BPIRM model, process management as an isolated “blue box” and attempt to ignore
has primary responsibility for risk management the related values, liabilities and risks associated
including responsibility for IT governance, with the IT function and process.
even if it may be delegated to IT leadership
for direct implementation as secondary risk IT people resource
owners. Where business process owners treat The people who are directly involved with the
IT as a “blue box,” governance of the IT IT process/application(s) that converts data
function may simply be cost minimization into information, as depicted in this layer. The
with a lack of any adequate risk management layer includes the people who directly work on

491
COSE 2206.qxd 11/09/2003 11:46 Page 492

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

the process/application and may extend into communications equipment and services,
the infrastructure layer. IT people may also as well as information services.
include third parties and suppliers. Job
Technology
functions can include information
Technology has been shown as a layer to
management, application designers,
represent the value and risks related to the use
programmers, and software support. (Data
of technology itself.
entry would normally be performed by
people as part of the business process, as The BPIRM implementation approach
described above.) Network support, desktop addresses the weaknesses that we have found in
support, and other staff collectively referred other approaches in that:
to as “operations support” would normally be
• Business risk takers own the process – the
part of the infrastructure layer as described
buy-in approach adopted by other models
below.
often does not fully engage with the risk
Data>Subprocesses/Applications> takers;
Information
• There is absolute “clarity of responsibility” –
IT subprocess/application are used to transform
the content model of BPIRM provides a
data into information. This is similar to the
modelling tool to help ensure that risks do
production line of a factory, except that it may
not “slip through the gaps” of unclear
be a continuous loop where the information
ownership;
may be stored and become input as data to the
next cycle in the process. • The process is “minimalist” and “practical”
to get key stakeholders to fully engage and
Infrastructure
participate;
Infrastructure includes IT operations people
plus the communications and equipment that is • “Risk based SLAs” are used to ensure that
needed to process data into information. This risks and control requirements are fully
may layer may include: specified, then met by the controls in
operation.
• infrastructure management;

• information center(s) to physically house Summary and Conclusions

the equipment;
The objective of risk management is not to
• operating system and support; calculate a risk score value. Rather, the
• communications network that connects objective of risk management is to enable a risk
people and equipment; owner to manage risk(s) by getting appropriate
controls in place where they are needed.
• servers, which are computers used to store
and process data/information; To do this, risk owners need to understand the
real risks that the organisation is up against so
• desktops, laptops and other devices used to that they can manage them in the context of
access the process/application.
the losses that are likely to be incurred. This
Third parties/Suppliers requires that there be absolute clarity of
Personnel who are not company employees responsibilities and an ongoing firm
and who are part of the IT process are determination to make sure that appropriate
considered as third parties. Third parties and cost effective controls are implemented and
include the suppliers of IT and continue to function as intended.

492
COSE 2206.qxd 11/09/2003 11:46 Page 493

Robert S. Coles & Rolf Moulton

Operationalizing IT Risk Management

Risk management needs to be properly focused We believe that the BPIRM model and
on business processes that generate both approach provide a practical alternative to
revenue and liabilities so that the expected approaches that are currently being used. They
returns obtained are worth the resources spent. focus on the real business risks and the owners
Conducting risk assessments should not be of those risks. They are practical and
long, protracted and painful for business minimalist, and they are intended to reduce the
process managers, nor should they become an likelihood of the risk manager becoming
expensive and all-consuming end unto itself. consumed with the process and risk score
Where a BPIRM analysis indicates further values.
work is needed for information systems, IT
This article is part of a planned series of articles
managers may then wish to use detailed on BPIRM and how to implement it. The
quantitative tools to work through the value authors will welcome comments from readers,
and return on investment of alternative especially those related to implementing the
security measures. BPIRM model and process.

493