Assess and Manage Data Risks with Total Information Risk Management

by   |   December 23, 2013 6:04 am   |   0 Comments

The article below is excerpted from Total Information Risk Management: Maximizing the Value of Data and Information Assets (Morgan Kaufman, 2013) with permission from the publisher.

Data and information are such important assets for organizations that it is vital to understand the impact they have on business performance. Not taking these business impacts seriously can lead to risks damaging the organization.

Related Stories

Developing a legal risk model for big volumes of unstructured data.
Read the story »

Tips for aligning business, IT and strategic goals for analytics gains.
Read the story »

Focus on: opeational analytics.
Read the story »

How data profiling improves management of storage media, risks, costs.
Read the story »

Total Information Risk Management (TIRM) is a collection of concepts, methods, and techniques that we have developed to address these new challenges. Our research was undertaken in collaboration with many other international universities and organizations in a number of industrial sectors. TIRM draws upon the extensive body of knowledge in the well-established discipline of risk management, as well as the newer discipline of data and information management. It provides organizations with the tools necessary to understand, measure, and control the business impact of data and information assets effectively and efficiently.

What follows are examples of how you can assess and treat information risk by following the TIRM best-practice procedures for managing information risks. The TIRM process can be divided into three stages:

  • Establish the context
  • Information risk assessment
  • Information risk treatment

Every organization follows business processes, which Tom Davenport defines as, “a specific ordering of work activities across time and place, with a beginning, an end, and clearly identified inputs  and outputs: a structure for action.” An information risk management process focuses on controlling and monitoring organizational risk that arises through data and information assets inside and outside an organization.

The TIRM process aims to systematically manage risks arising from data and information assets of all possible types and sources—that is, external and internal, tacit and explicit, and structured and unstructured. It is based on the widely accepted ISO 31000 risk management standard.

What Does “Total” Stand for in TIRM?

We believe that you should consider all types of information used in all operational and management processes that are important to your business, no matter whether they are stored in:

  • Databases
  • Word-processed files
  • Slideshows
  • Spreadsheets
  • Videos
  • Audio recordings
  • XML and HTML files
  • Social networks
  • Twitter
  • Websites
  • Paper hardcopies
  • Email
  • Mail
  • Fax
  • Telephone
  • Face-to-face communications

The only condition is that the information you consider in the TIRM process issignificant to your business. All core business processes have to be considered in the information risk management process, making TIRM an enterprise-wide program rather than a local one. However, you may choose to begin implementation in a single defined area.

Stages of the TIRM Process

The TIRM process consists of three main stages and two continuous activities that are executed throughout these stages, as illustrated below.

TIRM has three main stages and two continuous stages

TIRM has three main stages and two continuous stages

When starting a TIRM initiative, the first step is to establish the context—stage A. Every organization exists in internal and external environments that are specific to it. To understand an information risk, establishing the organizational context is absolutely necessary. A major risk in one organization—for example, due to regulatory requirements, a particular competitive environment, or organizational culture—can be a low risk in another organization that operates in a different context.

Information risk is assessed in stage B. Information risks have to be identified and analyzed qualitatively or quantitatively and then evaluated.  This is the heart of the TIRM process. In this stage, you will collect the inputs that are needed to model and quantify data and information risks.

In stage C, you examine, select, and implement information risk treatment options.

Communicate and consult is the basis of the process needed in all three stages. Without support of relevant stakeholders, your efforts are destined to fail. You also need senior management backing for the TIRM process.

The TIRM process should be constantly monitored and reviewed to verify and improve the effectiveness of the process and adapt it to the organizational context.

If you are already familiar with the ISO 31000 standard, you might have observed that the stages of the TIRM process do not differ much from the ISO 31000 risk management process stages. This is because the TIRM process is based on and refines ISO 31000.

Communicate and Consult

It is absolutely essential to communicate and consult with all relevant stakeholders for the success of the TIRM process. Relevant stakeholders can include personnel from the business functions involved,  IT management, risk management, as well as senior  executives. As the TIRM process crosses functional boundaries, it is a key requirement that senior management is committed to the information risk management initiative.  It is also important that the IT and risk management executives are aware of and willing and able to support the initiative.  The goals and benefits of the information risk management program need to be clearly communicated to all the people involved in, or affected by, the TIRM process to gain active support.

To assess risk, information has to be gathered from across the whole organization. If it is not clearly and transparently communicated how information risk is assessed, people  will not believe the figures and  findings  from the assessment,  and  it will be very hard  to convince  them  to support information risk treatments that are required  or beneficial. Communicating and consulting has to be done in parallel with all other stages.

A case in point: A senior executive is hostile and blocks your efforts to implement an information risk management program. You start to investigate and find out that a failed information governance program in the past has turned the senior executive into a strong opponent of any further initiatives related to information governance. The communication plan has to incorporate solid arguments that are communicated to this executive to convince him why the mistakes that occurred in the past will not be repeated.

Identifying Information Stakeholders

Make a list of all stakeholders that are relevant for your TIRM initiative. Stakeholders might include:

  • Information producers
  • Data intermediaries
  • Knowledge workers
  • Process owners
  • Business information stewards
  • Internal and external auditors
  • Business partners
  • End customers
  • Third-party information providers
  • Distribution channels
  • Regulatory bodies
  • Communities and the general public

Investigate and document the attitude of each stakeholder group toward the initiative (e.g., supportive, enthusiastic, neutral, or opposed) and what you think  might  motivate  their attitude, and draw up a plan that articulates how to effectively communicate matters to each of the stakeholders to best gain their support. Also, organize presentation and training sessions so that they are tailored to each specific group of stakeholders.

Stakeholder involvement in stage A: Check  needs  to  be  made  to  identify whether  the  perceptions of the  external  and  internal environment of the organization, the business objectives, and risk criteria are shared among key stakeholders.

Stakeholder involvement in stage B: Stakeholders   are    involved    during    information risk assessment to get additional information and advice, and to ensure that everyone accepts the findings from this stage. In particular, the validity and plausibility of results   from   the   information risk assessment stage should be validated with stakeholders.

Stakeholder involvement in stage C: During information risk treatment, it needs to be explained with care why particular options have been chosen or not chosen and why a particular way is selected in which to implement the option. A participative approach is of benefit here. Potential information risk treatment options should be discussed with all involved parties to better understand their weaknesses, risks and strengths,  and to get support during implementation.

Monitor and Review
Finally, the implementation of the TIRM process itself should be constantly improved based on the experiences gained during its application in your organization. Some problems can be more easily identified from an external perspective. By interviewing a wide range of stakeholders, the TIRM process can be better enhanced and improved.

The ISO 31000 risk management standard highlights the purpose of monitoring and review:

  • Ensuring that controls are effective and efficient in both design and operation.
  • Obtaining further information to improve risk management.
  • Analyzing and learning lessons from events (including near-misses), changes, trends, successes, and failures.
  • Detecting changes in the external and internal context, including changes to risk and the risk itself, which can require revision of risk treatments and priorities.
  • Identifying emerging risks.

Putting It Together: The TIRM Model
The figure below shows how the components of the TIRM model are integrated and interlinked. Each business process contains any number of tasks that are carried out as part of that business process. To execute a task, data and information assets are required. Each piece of information may contain information quality problems, such as having missing entries (completeness of the data), which result in direct consequences. Further undesirable ramifications may result from the direct consequence, and each of these may still have any number of other, intermediate consequences. This, in turn, could adversely impact the achievement of a business objective.

The TIRM Model

The TIRM Model

There are also parameters that specify the link between the components in the model. The first parameter is the frequency of task execution, which is recorded for each task that is part of a business process and is the number of times (e.g., per month) that the task is actually carried out. Each time the task is executed it may require  different  data and  information assets, and  the probability that  the data  and  information asset is needed  is recorded  for each  task–information pair.

Furthermore, the specified information quality problem may not always appear in the particular subset of information used. For example, for a particular type of part, the information (asset) could list all of the suppliers without gaps, so the problem would not manifest itself in some cases. Therefore, the likelihood that the information quality problem appears in the information that is used for the task needs to be specified. In a similar manner, the likelihood that the problem leads to the direct consequence is recorded along with the likelihood that each consequence leads to other, intermediate, consequences. The last parameter is the severity of the impact in the impact on business objective component.

There are three options to provide quantitative estimates as part of the TIRM process:

Option 1: Estimating the expected value: Often the expected value is not known accurately or is volatile. In these  cases, option 2 or 3 can be more suitable.

Option 2: Estimating a lower and an upper boundary: There is a high likelihood that between these boundaries will be the real value. In this case, it is assumed that the expected value is equally distributed between the two boundaries (i.e., it is distributed uniformly). A slight possible variation to option 2 is that one assumes that the values are distributed normally between the two boundaries (i.e., a normal distribution is used in this case).

Option 3: Estimating the most likely value (mode) and a lower and upper boundary: The advantage
of having these  three estimates is that they can be used to calculate  the so-called  triangular distribution.
If the task is executed by somebody other than the business  process representatives participating in the information risk assessment workshop, this information can be obtained by asking the person  who usually  executes the  task. This can sometimes also  be supplemented with  data  that  documents the execution  of the task, if it is available.

The TIRM model  is used to support the assessment and quantification of information risks in stage B of the TIRM process. The required  parameters for the TIRM model will be gathered  as part of the process steps in stage B. The risk totals can then  be calculated  for each information risk.

Determining Risk Appetite for TIRM

Before starting with the TIRM process, you need to determine the risk appetite. Once the risk appetite has been determined, the organization will be on its way to establishing a robust  TIRM process. The risk appetite will be needed to set up risk criteria in step A of the TIRM process. Providing clarity about tolerance  levels and who is responsible will:

  • Ensure that better-informed business decisions are made.
  • Provide clear communication channels, alerting senior levels of management to potential information risks at an early stage.
  • Alleviate the possibility  of being exposed to unmanageable information risks.
  • Allow the organization to prioritize  actions in those areas where risk is deemed to exceed the defined appetite.
  • Help to develop  a culture where information risk awareness becomes  embedded in day-to-day operations.
  • Establish the right balance  between  being bold and being cautious.

You can of course decide how to measure  your risk appetite, but you may wish to consider  the following  suggestion  of a 1 to 4 scale, an example  of which  is shown  in the table below.

Level 1:
No Risk Appetite
Level 2:
Low Risk Appetite
Level 3:
Medium Risk Appetite
Level 4:
High Risk Appetite
Not willing to accept risks in any circumstancesNot willing to accept risk in some circumstancesWilling to accept risk in some circumstancesWilling to accept risk in any circumstances

Sample Risk  Appetite Scale

Communicating the tolerance  level in this way should also be accompanied by guidance  in terms of the discretion available. For example, who can make the decision  to tolerate the risk? When does a decision need to be escalated to a higher level of management?

More tangible scales are set in the form of risk criteria for each business  objective in step A during the establish  the context stage.

Boundaries need to be established with clear guidelines put in place so that misunderstandings and bad risks are mitigated. And expect the level of risk appetite  will vary, not  only in respect of specific issues but also over time.

About the Authors

Alexander Borek 150x150Alexander Borek, the inventor of Total Information Risk Management, is a senior strategy consultant at IBM’s corporate headquarters. Previously, he led a team at the University of Cambridge to develop the TIRM process.

Ajith Kumar Parlikad 150x150

Ajith Kumar Parlikad is a senior lecturer in industrial systems at the University of Cambridge. His work focuses on examining how asset information can be used to improve performance through effective decision-making.

Jela Webb 150x150Jela Webb is a senior lecturer at the University of Brighton who specializes in information and knowledge management.

Philip Woodall 150x150

Philip Woodall is a research scientist at the University of Cambridge specializing in information management.


Post a Comment

Your email is never published nor shared. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>