Risk Management Merits Another, Closer Look

Vendors of risk-management software want you to believe that risk assurance can be achieved through the use of their products. But companies are realizing that managing risk isn't a destination; it's a challenging journey.

Businesses have to look beyond packaged and proprietary software to ensure business processes continue. Companies must establish effective rules and baselines pertaining to risk, identify and prioritize the most-critical company assets, and involve tech professionals in risk-related decisions.

Few companies have taken these steps, according to a recent survey conducted by InformationWeek's sister publication, Optimize magazine. Nearly half of the 100 companies surveyed report that management tends to overlook the importance of IT in discussions of risk. An equal number of companies also say management strategies aren't developed enough to protect against legal, regulatory, or business risks.

Necessary steps range from the obvious--coordination and monitoring of information-security efforts--to the essential, such as setting policies that mitigate risk and monitoring and updating disaster-recovery and business-continuity programs. Steps must extend across enterprise firewalls to include risk planning and policy making with partners and outsourcing providers. Failed business ventures can be just as damaging as an employee's unintentional release of a worm or virus.

Having a comprehensive risk-management program seems like common sense, but only a third of companies surveyed have such a program.

Besides threats from hackers, worms, and viruses, what one area of risk management is worrying you the most this year? Share your thoughts with us at the address below.

Helen D'Antoni, Senior Editor, Research [email protected]

Hot Spots

Has risk management increased in importance at your company in the last 12 months?

While companies generally can't brag about having a comprehensive risk-management program, business-technology managers will soon have to make the time to implement one. Risk management is increasing in importance, due mainly to the high volume of worm and virus attacks. In fact, four out of five business-technology professionals surveyed say that managing risk has increased in importance at their companies in the last 12 months. And 14% plan to implement an enterprise risk-management program in the coming 12 months.

Risk Precautions

What risk-assessment software does your company use?

Risk-management software might not be the end-all to preventing system failures, but it's an effective way to identify and monitor potential threats. Instead of taking a holistic approach to risk, however, businesses are relying on risk-management software to safeguard two principal areas of management. Overwhelmingly, those areas are technology and financial processes. Only one in five companies surveyed uses risk-management software to guard data mining.

Tech Evaluations

Does your company assess the risk of its IT deployments?

Companies are being proactive about the rollout of technology so it doesn't put existing systems at risk. Two in five leave no room for error and check all initiatives before they go live. Nearly 30% test only large projects that could result in the most damage should their deployment go wrong. A third of sites must have great faith in their service-level agreements or their vendors as these businesses report bypassing risk assessments of IT products and services entirely.

Review Cycles

How frequently does your company assess the effectiveness of its risk-management processes?

Besides implementing risk-management policies, executives also have to regularly review their risk-management processes. Assessments most frequently occur in response to an event such as a security breach or the purchase of a product or service. Regularly scheduled evaluations tend to be done quarterly or annually. Less than 10% of companies conduct reviews on a monthly basis.