By Jela Webb
It is not an exaggeration to say that the lifeblood of today's organisation, whether it be in the private or public sector, is information. All organisations handle information. If it is not effectively managed and controlled then potentially it can lead to both financial and reputational loss.
Sadly, one only has to pick up a newspaper or listen to a media report to become all too aware of instances where information has been mishandled or lost, leaving an organisation exposed to regulatory and legal failures resulting in stiff penalties and often also in staff dismissals.
Information risk is becoming a key agenda item for senior managers and is an area receiving much attention. As an organisational discipline, it is still evolving and if an organisation is to get the best out of its information it needs to be confident that appropriate checks and balances are in place to ensure that its information is being handled correctly.
Defining Information Risk
Information is now rightly recognised as a valuable organisational asset - it is the basis upon which day-to-day operations are undertaken and critical decisions made. All organisational stakeholders, internal and external, need to be sure that the information they are using is accurate, up-to-date and complete.
There are many ways in which information can be compromised, damaged or destabilised, leading to a wide range of problems. These range from those which are merely an inconvenience to those which can cause significant harm to the organisation.
Information risk includes all the issues that arise from the need to protect and control information. Many organisations will have a risk management strategy for a variety of issues e.g. financial, environmental, health and safety; it follows therefore that a strategy for managing information risk should be approached in similar ways.
Why should information risk be defined?
By defining information risk, an organisation identifies where attention should be focused and can then develop policies to manage information effectively and be pro-active in responding to any threats. Deciding what level of risk must be treated and what level can be tolerated is the basis of policy formulation. What is tolerable for one organisation may not be for another, so a bespoke strategy is needed.
Board directors are accountable to shareholders for safeguarding all organisational assets and can be held personally liable if they do not discharge their duties in accordance with legal and regulatory provisions. Employees too have a duty to carry out their activities in line with organisational policies as well as statutes and laws.
Whilst directors are responsible for driving forward information policies, information is all-pervasive so everyone in the organisation needs to understand their duties in handling information and the role they play in fulfilling the organisation's obligations in this key area.
How can information risk be used to pursue business goals?
There is often a perception that information risk is a straitjacket which prevents the organisation from pursuing its business goals. However, there is little truth in this.
Whilst it is apparent that many organisations have started to take information risk seriously only as a consequence of having to comply with direct legislation, regulatory frameworks, corporate governance etc., there is an increasing recognition that wider information risk management can become a core competence which, if developed effectively, enhances processes and procedures.
Information risk does not seek to stifle operations; on the contrary, it seeks to enhance them.
The benefits accruing from good information risk management include:
- Being confident that the foundation upon which activities are undertaken is based on information that is accurate, up-to-date and complete.
- Having the right information, in the right place, at the right time, available to the right people in the right format, which in turn facilitates faster decisions and the right actions.
- Employees have the best information available to them, making them more effective in discharging their responsibilities.
- Establishing and maintaining a reputation for reliability and openness in transactions with all stakeholders.
- The organisation does not leave itself exposed to claims of information malpractice.
- Being confident that the organisation has met its obligations in terms of compliance needs and can confidently withstand any challenges made in this regard.
Good information risk management can and does lead to enhanced customer experience. It can also help with innovation and expansion policy.
The benefits will vary from organisation to organisation - you may well be able to identify other areas where your particular organisation can benefit from having a robust information risk strategy.
Summary
Information risk management is becoming an increasingly important organisational discipline. Every organisation should give this area a good deal of consideration and, having defined what it means to them, establish strategies and policies to address the issues highlighted.
Good information risk can be used as an enabler for a myriad of organisational activities. Good information risk management brings many benefits; bad information risk management can result in severe sanctions and penalties. Which scenario would you prefer to face?
Copyright 2010 Free Pint Limited