An understanding of information risk is vital for organisations to manage the data they hold effectively. I’m going to look at some basics of ensuring that your organisation takes a mature approach to its risks.
Risk appetite
In your personal life you take risks all the time. Indeed, it would be impossible to do anything at all without accepting a degree of risk. For example, before leaving the house we (often subconsciously) undertake a risk analysis.
Risks when I leave the house
- I get hit by a bus
- A dog bites me
- I get rained on
We then consider how likely these risks are to occur and how large the impact would be upon us; this allows us to decide whether the risk is acceptable. For example, if it’s cloudy and thundering outside, there is a high likelihood I will get rained on. Given the high likelihood of the risk and the impact it will have on me, I may decide not to leave the house. Alternatively, I may decide that the benefits of going out outweigh the risk of getting rained on. In doing so I have set a personal risk appetite regarding getting rained on.
Information risk in the workplace
In the same way, it is not possible for organisations to have a zero-tolerance attitude to information risk. All business activities have a degree of risk attached to them. What we need to do is understand what the risks are and the impact of their materialising, and then decide whether we think the risk is acceptable or not. The board of an organisation will often set a corporate risk appetite; line managers and heads of service will then be expected to have a good understanding of the risks relating to the specific data they work with.
Organisations can approach the management of risk using the following steps:
- define and articulate risk appetite; this is most easily achieved by linking it to ‘outcomes’, for example intolerance of departmental ‘failure’ or of being branded ‘not fit for purpose’
- identify the possible causes of negative outcomes
- understand the likelihood of these outcomes occurring and ways to reduce their likelihood
- review these regularly with stakeholders while reflecting on lessons learned
Information risks are typically placed in one of three categories:
- confidentiality: ensuring only properly authorised persons can access information, and that proper controls are in place to prevent unauthorised access
- integrity: assuring the authenticity, accuracy and completeness of data throughout its entire life-cycle
- availability: assuring that authorised people can access the information when they need to, at the right times in the right ways
Managing risk
Once you have identified the potential risks to your information assets, you can then think about strategies to help manage the risk, such as:
- assessing what can go wrong (how, how often, how much damage)
- keeping staff up to date and agile with new technology
- taking special care over sensitive information and transfer arrangements
- ensuring staff are able to identify risks and escalate them
Risk management is a balancing act between ensuring that we are exploiting the information we hold effectively and protecting high-value assets. Working from these basic principles can ensure that an organisation manages its information risks appropriately.