Why managing information risk is important

Good corporate governance and corporate self-interest both demand sound processes for managing business risk. But there's no single method for managing all risks; and few, if any, organisations have a sound method of managing information risk - one of the biggest and fastest growing areas of risk around.

Scale of the problem

Social and economic activity is ever more dependent on IT-based information systems. As a result, employers, investors, regulators, governments, employees and private citizens nowadays expect and demand that such systems handle information correctly and protect it from accidental or deliberate abuse.

Too often, however, information is unavailable when needed, incorrect or disclosed to the wrong people. To put some numbers on this, in leading organisations today:

  • minor information incidents are a regular feature of day-to-day activity (mission-critical systems suffer 225 incidents a year on average, according to Citicus analysis)
  • major information incidents are common (on average, there is a 58% chance of a mission-critical system suffering a major incident over the course of a year).

An idea of the scale of loss can be gained from the right-hand column of the chart below.

Chart: Financial impact of worst-case incidents

The chart as a whole shows that losses are generally high - but damaging incidents are not an inescapable feature of business life: their effect can be dramatically reduced by getting controls in good all-round condition.

Need for improvement

Good information risk management not only yields substantial ‘bottom-line’ savings, it is also a key requirement of corporate governance according to influential bodies such as the OECD, US Treadway Commission and UK Turnbull Committee.

For example, the OECD’s Principles of Corporate Governance, 1999 states that boards of directors should ensure that “systems of control are in place for monitoring risk, financial control, and compliance with the law”; the Committee of Sponsoring Organizations of the Treadway Commission states that “management must focus carefully on risks … and take necessary action to manage them”; and Turnbull requires that “management should identify and evaluate the risks faced by the company”.

For some areas of risk (eg credit risk), companies generally have mature risk management processes in place. However, the subject of information risk is generally poorly understood and inadequately controlled.

At the same time, companies all over the world are now coming under regulatory pressure to improve control over this key area of risk (eg from international thrusts such as Basel II and US legislation such as Sarbanes-Oxley, HIPAA and GLBA).

Note: These terms are defined in our Glossary of risk terms (PDF, 908 KB). If you want to learn more about governance issues, you may find our Sarbanes-Oxley white paper (PDF, 606 KB) helpful. It outlines the requirements of the Sarbanes-Oxley Act of 2002 and explains how Citicus ONE can help you evaluate the controls applied to business applications and IT infrastructure reliably, efficiently and in a way that enhances the ‘bottom line’ of your business.

Getting information risk under control

As outlined above, external pressure and self-interest are both putting companies under pressure to get information risk under control.

Is this possible? Well, rigorous analysis of data about thousands of business-critical systems collected by the independent Information Security Forum shows that the risk posed by IT-based information systems can be cut substantially by getting system ‘owners’ to ensure that their systems are developed, run and used in line with recognized good practice. Doing so will halve the number of incidents experienced and slash the chances of suffering major ones.

So why don’t businesses routinely do this? The answer is behaviour: to drive information risk down people have to be motivated and equipped to do so.

Top management can play a part in this. But exhortation from the top, by itself, won’t work; in fact it may simply add to the cost burden on a company.

To drive this risk down in practice, you need a reliable method of quantifying information risk, and a risk management process that is constructive, efficient, and can be integrated into the way business is done.

That’s where Citicus ONE comes in. Our web-based risk management software is specifically designed to motivate and equip system ‘owners’ to do what needs to be done to drive information risk down constructively, and in an efficient business-oriented manner. Introducing our ground-breaking software will help your organisation satisfy external demands and boost its prosperity, thereby making a real contribution to business success.

© 2008 Citicus Ltd