Risk management, security, and standards
What is the research problem and why is it important?
Business faces many risks which must be managed or mitigated to avoid undesirable outcomes. The lessons learnt by the distillation of best practice and proven tools and techniques encapsulated in standards can support businesses in mitigating these risks. Only 10% of organisations have a formal and well integrated IS/IT risk management framework.
The ubiquitous and pervasive nature of information systems in business suggests that businesses would be well advised to apply standards to mitigate at least the known risks. There are many standards which can usefully be applied to information systems. There is a need for an accessible, scalable route map through standards to assist businesses of all sizes to avoid undesirable outcomes. This would create a beneficial environment for innovation and a stable, sustainable business 'ecosystem' in which existing business practices and production can be optimised and weaker links strengthened, encouraging trust and security.
It turns out that hindsight from risk and incident reporting is not applied, because there are often no shared data/information sources about risk within an organisation, and the opportunity is often not taken to connect to, and learn from, wider resources outside the organisation such as:
- Unified Incident Reporting and Alert Scheme (UNIRAS)
- Warning, Advice and Reporting Point (WARP)
It could be useful to learn lessons from peripheral industries, for example from the experience of the insurance industry, which is focused on identifying and catching incidents early (a culture which encourages openness in reporting risk events or near misses can lead to minor problems being 'nipped in the bud' before they get out of control - a point noted in rogue trader incidents). Issues here for scrutiny include:
- Digital risk
- Corporate governance
The research will identify organisations and standards to be included or involved covering:
- Inclusion of complementary activity
- Standards for reference within the framework and interested parties
- Standards and publications such as:
  - ISO/IEC 21827:2002 Information technology - Systems Security Engineering - Capability Maturity Model
  - IT Infrastructure Library (ITIL)
- and organisations such as:
  - Office of Government Commerce (OGC)
  - Central Sponsor for Information Assurance (CSIA), Cabinet Office
  - British Standards Institution (BSI)
1. Swann, The Economics of Standardization, 2000
2. The National Computing Centre, Survey: Risk Management in IT, 2003
3. See catalogues for BS/CEN/ISO/IEC et al.
4. As agreed at an NCC workshop with delegates with a specific interest in 'Basel II' compliance
What are the objectives of the research?
An accessible, scalable route map through standards to assist businesses of all sizes to avoid undesirable outcomes, which will:
- Integrate and supplement existing standards and best practice
- Comply with ongoing changes in risk regulation and governance such as Higgs, Basel II, Turnbull, Sarbanes-Oxley etc.
- Apply a scalable model for risk management across entire organisations
- Pass the lessons learned in Financial Services to Central and Local Government and the Private Sector.
The research is not proposing a standard per se but a generic framework to guide information system users (and providers) through the risk management standards and tools currently available (and upcoming) so that informed choices can be made by users as to:
- What approach to take in managing the operational risk in information systems
- What tools, methods and standards are available to:
  - Identify risks in their organisation
  - Assess those risks
  - Report those risks
  - Mitigate those risks
- What codes or standards they are obliged to apply (if any)
- How to identify and fill the gaps in their existing internal (and hopefully integrated) risk management framework for information systems
This is similar to (but wider in scope than) the e-Government Interoperability Framework published by the Cabinet Office e-Government Unit (EGU), which catalogues the standards and codes of practice necessary for the interoperability of electronic government systems and, by extension, electronic business in general. At the risk (sic!) of becoming too tied down to labels and epithets - an integral part of the research will settle on a common risk management vocabulary - the research will deliver a 'standard of standards'.
The approach should ensure:
- Wheels will not be reinvented
- New layers of complexity will be avoided
- Old areas of confusion will have paths charted through them
- The results are embedded within the organisation and not just bolted on
- The tendency of 'tool' and 'method' owners to 'market' their proprietary information as the weltanschauung is resisted in favour of the toolbox approach that is needed to recognise the diversity of organisation types, sectors and sizes, and the reality that one size does not fit all.
The research will create an open communications platform for trust and confidence between organisations and their auditors, both internal and external, and between the stakeholders in an organisation, including those who may only live in its thrall.
Under the supervision of Professor Bob Wood, University of Manchester