The Improvement Service (IS) was set up in 2005 to help support
improvements in the efficiency, quality and accountability of
local public services in Scotland by providing advice,
consultancy and programme support to councils and their
partners.
The risk management challenge
The services delivered under the Customer First Programme and its
local government partners handle many millions of personal data
records through IT systems housed within the Scottish National
Infrastructure (SNI). It is imperative that this data is kept
secure and handled in line with legislative controls and
requirements. Formal, centralised risk management is fundamental
to meeting these obligations, so that potential threats are
identified and dealt with in a credible, robust and professional
manner.
Tom McHugh, Customer First’s Programme Manager, explains,
“These threats can be as diverse as an external attack by a
computer hacker, a simple administrative mistake by an employee
or the application of an untested application patch by internal
IT staff. Significant reputational damage, with a consequent
lack of confidence in our systems by the public, is a very real
possibility if these threats are allowed to materialise.”
The Customer First Programme had already developed a set of
technical and procedural controls to help keep data and other
information assets secure. However, the increasing pace of
technological change, the growing number of hosted systems and
the large number of people and organisations involved meant that
managing threats and implementing the required controls was
becoming an even greater challenge.
Tom McHugh adds, “Until recently, the defined standard for
risk management across the Customer First Programme needed to be
reviewed. Each programme board, lead authority and service
provider uses a preferred framework to identify, manage and
maintain copies of risk reports within its own network. With the
Customer First Programme consisting of many inter-related
projects, this only serves to create the potential for
additional risk. The collation of risks from individual
programme managers for upward reporting was proving
time-consuming and inefficient.”
A solution was required to enable the Improvement Service to
develop a standard for the identification, recording, management
and reporting of risk, held in a central location across the
whole Customer First Programme. This solution needed to give more
control over how risk is managed across the programme, and help
identify how risk in one area might impact another. Those
involved in risk management needed quick and easy access to the
appropriate level of information.
The solution
For a pilot phase, the Improvement Service selected Citicus
ONE, a leading web-based risk and compliance management
software product that uniquely bases its methodology for
managing risk on 20 years of rigorous research, including
detailed analysis of the most comprehensive data available on
what drives key areas of risk up or down.
The key objective of the Improvement Service was to establish
if Citicus ONE could provide a standardised risk
assessment framework and single point of storage for risk
identification, recording, management and reporting across the
Customer First Programme. A pilot project was undertaken to
improve risk identification and management for the different
systems and programmes within Customer First, focussing
initially on three key systems:
- Citizen Account System - enabling
the Scottish councils to access and maintain a definitive
electronic record of all their citizens through a voluntary
citizen account
- OneScotland Gazetteer - providing
an accurate, up to date database of land and property
data/assets for all Scottish councils and also for other
parts of the public sector
- Customer Service Professional -
supporting an accredited training and qualification scheme
for council employees who deal directly with members of the
public
Customer First’s ‘risk owners’ participated in risk workshops
using Citicus ONE’s succinct criticality assessments and
risk scorecards to help them measure risk and compliance of
their individual programmes in an objective and consistent way.
This enabled Customer First’s management team to collate and
report information about risks from the different interdependent
elements of the overall programme.
The highly visual, informative results generated by
Citicus ONE include risk and compliance status reports, heat
maps, dependency risk maps, risk dashboards, risk league tables
and action plans. The software’s multi-level reporting, from
high-level executive summaries down to a detailed technical
level, ensures that all of Customer First’s management are kept
informed of the status of risk and compliance in their areas of
responsibility.
Results & Benefits
Citicus ONE has provided a single, centralised and
informed view of risk across key elements of the Customer First
Programme.
As well as reducing the likelihood and impact of incidents,
Customer First’s risk, compliance and regulatory obligations can
now be managed efficiently, and business-oriented results can be
produced for decision-makers. This gives risk managers the means
to roll out consistent risk programmes swiftly.
Carol Peters, the Customer First Programme Security Advisor,
says, “I first started looking at risk management software as it
soon became obvious that the lack of a single risk management
solution was causing operational and security risks in its own
right. I was looking for a solution that would address one of
our biggest issues, which was the ability to prove how our
security and privacy design features comply with the increasing
number of legislative, regulatory and policy obligations for
privacy and security within the public sector.
With its strong pedigree in information assurance, Citicus
ONE was a valued choice. Not only does it provide an
important centralised single framework, but it also provides a
fast and easy solution to responding to compliance requests. The
reporting structure allows us to provide reports to meet various
requests, from summary level down to a more detailed analysis
of a particular type of risk.
Another important function, however, is that it can easily be
adapted to incorporate new standards, which will be invaluable
over the next 12 to 24 months as new privacy and security
policies are defined for the public sector.”
One of the key goals of the new risk management initiative
was to encourage and support the involvement of business
managers responsible for managing risks in different parts of
the overall programme. One of these, Martin Brown, programme
lead on the development of the Customer Service Professional,
says, “Though initially sceptical, the Citicus-supported risk
assessment workshop converted me to the value of the Citicus
software capabilities. I found the risk assessment workshop a
really useful and positive exercise and it surfaced a number of
areas where we might wish to strengthen our approach.”