Gordon Smith talks to Kevin Knight, chairman of the ISO Risk Management Working Group that drafted ISO 31000:2009, Risk management – Principles and guidelines. The new standard is intended to help organisations of all types go beyond compliance and demonstrate effective risk management.
Do organisations recognise the risk that IT represents, as well as the opportunity?
The banking and finance industry tends to recognise the role of IT because IT must be working as and when required and they need to have good backup practices because if the computers break down, the whole system breaks down. A lot of organisations assume that IT is terribly important but what we’re saying to them is, what are your objectives, and then what parts of IT does that affect?
By focusing on what are the objectives of the organisation, you start to look at what parts of the IT system do you need to put good business continuity and backups onto. Suddenly you may find you can get the money to put in better business continuity processes.
By focusing on what were the objectives of the organisation, and coming back, then what are the risks to be managed, you are able to identify where you need to put those in. When it came to contingency planning and practices, did you trial it under load, or did you do testing at three o’clock on a Sunday morning?
Did senior management get involved? In many cases no, but by focusing on what your objectives are, driven from the board downwards, suddenly the IT people found that the board risk management committee was interested in what they were saying and approving their requests for further funding to be able to effectively manage it.
Can IT make a contribution to positively affecting risk, and if so in what ways?
Well, for starters, look at having good information systems. The problem in so many organisations is that there’s lots of data, but how do we pull it together to make useful information for management to make decisions? I think that’s one of the big challenges for IT.
In Australia, we’ve been talking for years about the concept of information warehousing. I’ve yet to come across where it works well. It’s been tried and it tends to set out more problems than it’s worth.
That’s an opportunity for IT to start looking at how they add value and to say ‘from this point forward we’re able to get at information like this which we are able to do a lot more with’. OK, the historic stuff stays historic stuff so for the first couple of years we’re not going to have all that much, but after that we will now have quite a body of information to be able to tap into to make decisions so that you have good corporate or enterprise information system rather than all these little individual systems.
It’s also saying then, what parts of the business are we working to and will require the greater degree of support, or is it a case of one size fits all – do we provide vanilla IT across the organisation? There are parts of the business that have a greater need for good IT.
In the same way that different parts of an organisation will have different levels of risk?
That’s right. The encouragement should be for IT to say, let’s look at how we can put in an enterprise-wide information system so that when we want to test new products or go into new business areas or we want to look at what the risks are to something, we’re actually able to tap into some corporate knowledge and corporate memory.
When you change the CEO, you change the Praetorian guard around them, and in Australia you’re hard pressed to find a corporate memory of better than five years. So how do you manage the business? If IT are able to provide us with a good management information system … then you can churn people over but at least the corporate knowledge base stays intact.
I know the risk standard is not prescriptive, but are there IT tools out there that can help you manage risk more effectively?
There’s lots of IT tools to help you manage risk but what you’ve got to work out first is what sort of reports you need to produce and where you have to gather the data. What I keep saying to people is, play around with Excel spreadsheets, even the back of an old envelope, until you’ve worked out exactly what sort of reports you want to produce and where the information’s got to come from so you can draw up a fairly serious specification.
Otherwise it’s like wandering into a car dealer saying ‘I’d like a car please’. Well, do you want three doors, four doors, diesel, petrol, turbocharged, hybrid, electric, manual or automatic? Once you’ve got your specification, there’s lots of suppliers to meet it.
Can it be off the shelf?
No, it has to be tailored because if I go out and buy your system, I plug it in and suddenly find our management system for our organisation is different to the one they’ve written. Now, do we totally change the way we manage the business because we bought this IT package, or do we get it modified? There’s an old saying in Australia: builders don’t get their Mercedes from the contract, they get it from the variations to the contract, and the same applies with our IT providers.
If you’ve got a clear idea of what you need delivered and you go out as an informed buyer, the suppliers are able to easily modify their systems if they know what you want.
So you could draw a comparison with the PPARS debacle in Ireland where the software ended up being asked to do far more than what was ever intended of it at the start?
We have a wonderful thing in Australia – you’ve got to be old like me to remember it – where many years ago when big computer systems took up an entire room, they came up with a data program for the federal public service. This was designed to pick up 250,000 people that worked for the federal government right across the nation.
They could never actually get the software and the hardware to work together. The thing went on for seven years, cost millions of dollars in those days and finally had its brain blown out because it was getting nowhere fast.
We still see those sorts of problems because government, for whatever reason, cannot buy a package; it always has to want some modification, and we’ve seen this with payroll systems in the last couple of years in Australia where they’ve wanted a few modifications and then of course it doesn’t work as well as it did.
What’s the moral of the story from a risk management perspective?
Understand what you want to purchase and what it needs to do, and (ask) can you purchase it off the shelf. Does it provide you with all you really need as distinct from what you want – and that’s a good risk management question.
If it doesn’t provide what we need, then let’s go back to tender, or proceed knowing the risks, but that can create a problem. If you have to replace something, make sure you’ve got something that meets your needs rather than always wanting something that bit better.
And what role does a risk manager play in all this?
The risk manager’s there merely as a champion, as a coach, as a facilitator. It’s line managers, so if the CIO wants to bring in a new system, then it’s the CIO that must manage the risks and be held accountable. But how often does this happen? That’s the problem – sometimes IT puts this proposition to the board, and who on the board knows what they (IT) are talking about?
The IT people need to understand that they have to be able to explain it to managers who are not IT people. It’s no good expecting managers and senior board members to understand the latest geek talk, and yet so often they do. And if you can’t make your case, people are less inclined to open their wallets.