It is not an exaggeration to say that the lifeblood of today's organisation, whether it be in the private or public sector, is information. All organisations handle information. If it is not effectively managed and controlled then potentially it can lead to both financial and reputational loss.
Sadly one only has to pick up a newspaper or listen to a media report to become aware of instances where information has been mishandled or lost, leaving an organisation exposed to regulatory and legal failures resulting in stiff penalties and often also in staff dismissals.
Information risk is becoming a key agenda item for senior managers and is an area receiving much attention. As an organisational discipline it is still evolving. If an organisation is to get the best out of its information, it needs to be confident that appropriate checks and balances are in place to ensure that its information is being handled correctly.
Defining information risk
Information is now rightly recognised as a valuable organisational asset - it is the basis upon which day-to-day operations are undertaken and critical decisions made. All organisational stakeholders, internal and external, need to be sure that the information they are using is accurate, up-to-date and complete.
There are many ways in which information can be compromised, damaged or destabilised, leading to a wide range of problems. These range from those which are merely an inconvenience to those which can cause significant harm to the organisation.
All organisations, small, medium or large, face risks on a daily basis. In fact, a certain level of risk is a necessary component of a healthy business. The key is to determine the organisation's appetite for risk and manage risks accordingly. It is quite possible that an organisation may decide to take a high level of risk as part of a deliberate strategy -- and there is nothing wrong with this approach, so long as decision-makers are aware of potential consequences and have strategies in place to minimise any adverse impact.
Information risk includes all the issues that arise from the need to protect and control information. Many organisations have a risk management strategy for a variety of issues e.g. financial, environmental, health and safety; it follows therefore that a strategy for managing information risk should be approached in similar ways.
Why should information risk be defined?
By defining information risk, an organisation identifies where attention should be focused and can then develop policies to manage information effectively and be pro-active in responding to any threats. Deciding what level of risk must be treated and what level can be tolerated is the basis of policy formulation. What is tolerable for one organisation may not be for another, so a bespoke strategy is needed.
Board directors are accountable to shareholders for safeguarding all organisational assets and can be held personally liable if they do not discharge their duties in accordance with legal and regulatory provisions. Employees too have a duty to carry out their activities in line with organisational policies as well as statutes and laws.
Whilst directors are responsible for driving forward information policies, information is all-pervasive. So everyone in the organisation needs to understand their duties in handling information and the role they play in fulfilling the organisation's obligations in this key area.
Risk management processes
Organisations that operate in the same industry sector face common risks and may choose different strategies to manage those risks. These differences are part of what gives each business its unique character. But regardless of the strategies employed, one thing is consistent: proper, continuous risk management processes are becoming an essential feature of business. Whilst each organisation must decide for itself what its strategy will be, good practice suggests that it will involve:
Identifying the risks by undertaking an assessment exercise, involving all employees as well as possibly externals, e.g. auditors, risk management consultancies
Evaluating the risks by risk mapping and determination of risk appetite
Selecting the appropriate risk management treatments from the ‘Four T's’ - Tolerate, Transfer, Treat or Terminate
Implementing strategies and business controls to manage the remaining risks
Monitoring the effectiveness of the risk management strategies
Learning from experience and revising as appropriate.
Software for risk management
Many software programmes on the market enable organisations to manage and monitor risk. These include:
Audit tools to manage all internal and external audit activities
Analysis and modelling tools to facilitate ‘what if’ scenarios
Decision support systems to filter and prioritise information from different sources to perform risk analysis; these can be set to focus on key areas, e.g. financial, social, environmental
Incident management tools to track, manage and resolve incidents - a repository for a complete record of events/actions
Non-compliance alerts to flag issues at an early stage so that prompt action can be taken to ensure compliance
Project management tools to identify, quantify and track project risks so as to minimise risk exposure
Risk mapping tools to identify what risks need to be monitored, depending upon the likelihood of occurrence and impact
Reporting tools to produce customised reports - can be configured to present information in a variety of formats e.g. graphs, diagrams, text.
A growing number of risk management software vendors and consultancies are available in the market place. As with knowledge management offerings, consider carefully what your specific needs are when considering the purchase of technology solutions to help you manage risk.
How can information risk be used to pursue business goals?
There is often a perception that information risk is a straitjacket which prevents the organisation from pursuing its business goals. However, there is little truth in this.
Whilst it is apparent that many organisations have started to take information risk seriously only as a consequence of having to comply with direct legislation, regulatory frameworks, corporate governance and the like, there is an increasing recognition that wider information risk management can become a core competence which, if developed effectively, enhances processes and procedures.
Information risk does not seek to stifle operations; on the contrary it seeks to enhance them.
The benefits accruing from good information risk management include:
Being confident that the foundation upon which activities are undertaken is based on information that is accurate, up-to-date and complete
Having the right information, in the right place, at the right time available to the right people in the right format which in turn facilitates faster decisions and the right actions
Employees having the best information available to them, making them more effective in discharging their responsibilities
Establishing and maintaining a reputation for reliability and openness in transactions with all stakeholders
Not leaving the organisation exposed to claims of information malpractice
Being confident that the organisation has met its obligations in terms of compliance needs and can confidently withstand any challenges made in this regard.
Good information risk management can and does lead to enhanced customer experience. It can also help with innovation and expansion policy.
The benefits will vary from organisation to organisation - you may well be able to identify other areas where your particular organisation can benefit from having a robust information risk strategy.
Summary
Information risk management is becoming an increasingly important organisational discipline. Every organisation should give this area a good deal of consideration and having defined what it means to them, establish strategies and policies to address the issues highlighted.
Good information risk management can be used as an enabler for a myriad of organisational activities. Good information risk management brings many benefits; bad information risk management can result in severe sanctions and penalties. Which scenario would you prefer to face?
Jela Webb, via her business, Azione, is a freelance strategic advisor and consultant in information and knowledge management, working with private and public sector clients in the UK, continental Europe and the US. She also works as a University Lecturer, is an Associate of Ashridge Business School and presents at IKM conferences. As a writer, Jela has regularly contributed articles to KM journals, written Reports and in 2008 her book ‘Strategic Information Management: A Practitioner's Guide’ was published. Jela is ACIB qualified, holds an MBA and an MSc Information and Knowledge Management. She may be contacted via http://www.azione.co.uk.