Developing an enterprise risk management strategy is an enormous undertaking. Despite the wealth of best-practices frameworks out there, serious planning and communication across silos are always required to create policies and processes that work for an individual enterprise.
The security and risk professionals interviewed by InfoWorld offer a wealth of knowledge about how to get up and running with enterprise risk management. Here are a few of their recommendations:
Understand your risk. First and foremost, you need a detailed view of your exposure. Your organization may be subject to countless federal, state, and industry regulations. Knowing exactly which ones affect your business -- and which violations carry the greatest penalties -- is crucial. And that task gets harder every day. For example, U.S. doctors are well aware that they’re bound by the federal HIPAA health data privacy statute. But they may not know that if they accept credit card payments, they’re also bound by PCI, the payment card industry standard that’s causing heartache at big-box retailers and e-commerce companies. Figure out the “universe of threats” that affect your company and then focus on those with the highest impact on your business and those that regulators are most likely to notice, advises Jon Darbyshire, CEO of Archer Technologies.
Know your people. Good enterprise risk management strategies stem from a solid understanding of operations, according to the executives we interviewed. Understanding how your organization does business and how your employees actually work will smoke out unrealistic or needless policies before they do harm or incite hostility among the rank and file. Noting the details of what employees do can also reveal previously overlooked points of vulnerability. One customer of risk management vendor Orchestria tallied the ways that employees on a trading floor could communicate with the outside world and came up with almost 200, including mobile phones, BlackBerries, and IM, says Paul Johns, vice president of global marketing at Orchestria.
Apply the framework to the need. Best-practices frameworks such as CobIT, ITIL, NIST, and ISO 17799 are fabulous tools for helping to build a comprehensive risk management strategy, but they’re not all equal. Before plunging into an assessment based on a best-practices framework, figure out which framework fits the needs of your organization. For example, both CobIT and ITIL have objectives for implementing change management within an organization. But ITIL is narrowly focused on IT operations, while CobIT is focused on the higher-level benefit of change management to the business -- overkill for companies that are just looking for guidance on how to improve IT operations, says Suzanne Hall of AARP.