The article below is excerpted from Total Information Risk Management: Maximizing the Value of Data and Information Assets (Morgan Kaufman, 2013) with permission from the publisher.
Data and information are such important assets for organizations that it is vital to understand the impact they have on business performance. Not taking these business impacts seriously can lead to risks damaging the organization.
Total Information Risk Management (TIRM) is a collection of concepts, methods, and techniques that we have developed to address these new challenges. Our research was undertaken in collaboration with many other international universities and organizations in a number of industrial sectors. TIRM draws upon the extensive body of knowledge in the well-established discipline of risk management, as well as the newer discipline of data and information management. It provides organizations with the tools necessary to understand, measure, and control the business impact of data and information assets effectively and efficiently.
What follows are examples of how you can assess and treat information risk by following the TIRM best-practice procedures for managing information risks. The TIRM process can be divided into three stages:
- Establish the context
- Information risk assessment
- Information risk treatment
Every organization follows business processes, which Tom Davenport defines as, “a specific ordering of work activities across time and place, with a beginning, an end, and clearly identified inputs and outputs: a structure for action.” An information risk management process focuses on controlling and monitoring organizational risk that arises through data and information assets inside and outside an organization.
The TIRM process aims to systematically manage risks arising from data and information assets of all possible types and sources—that is, external and internal, tacit and explicit, and structured and unstructured. It is based on the widely accepted ISO 31000 risk management standard.
What Does “Total” Stand for in TIRM?
We believe that you should consider all types of information used in all operational and management processes that are important to your business, no matter whether they are stored in:
- Word-processed files
- Audio recordings
- XML and HTML files
- Social networks
- Paper hardcopies
- Face-to-face communications
The only condition is that the information you consider in the TIRM process is significant to your business. All core business processes have to be considered in the information risk management process, making TIRM an enterprise-wide program rather than a local one. However, you may choose to begin implementation in a single defined area.
Stages of the TIRM Process
The TIRM process consists of three main stages and two continuous activities that are executed throughout these stages, as illustrated below.
When starting a TIRM initiative, the first step is to establish the context—stage A. Every organization exists in internal and external environments that are specific to it. To understand an information risk, establishing the organizational context is absolutely necessary. A major risk in one organization—for example, due to regulatory requirements, a particular competitive environment, or organizational culture—can be a low risk in another organization that operates in a different context.
Information risk is assessed in stage B. Information risks have to be identified and analyzed qualitatively or quantitatively and then evaluated. This is the heart of the TIRM process. In this stage, you will collect the inputs that are needed to model and quantify data and information risks.
In stage C, you examine, select, and implement information risk treatment options.
Communicate and consult is the basis of the process needed in all three stages. Without support of relevant stakeholders, your efforts are destined to fail. You also need senior management backing for the TIRM process.
The TIRM process should be constantly monitored and reviewed to verify and improve the effectiveness of the process and adapt it to the organizational context.
If you are already familiar with the ISO 31000 standard, you might have observed that the stages of the TIRM process do not differ much from the ISO 31000 risk management process stages. This is because the TIRM process is based on and refines ISO 31000.
Communicate and Consult
It is absolutely essential to communicate and consult with all relevant stakeholders for the success of the TIRM process. Relevant stakeholders can include personnel from the business functions involved, IT management, risk management, as well as senior executives. As the TIRM process crosses functional boundaries, it is a key requirement that senior management is committed to the information risk management initiative. It is also important that the IT and risk management executives are aware of and willing and able to support the initiative. The goals and benefits of the information risk management program need to be clearly communicated to all the people involved in, or affected by, the TIRM process to gain active support.
To assess risk, information has to be gathered from across the whole organization. If it is not clearly and transparently communicated how information risk is assessed, people will not believe the figures and findings from the assessment, and it will be very hard to convince them to support information risk treatments that are required or beneficial. Communicating and consulting has to be done in parallel with all other stages.
A case in point: A senior executive is hostile and blocks your efforts to implement an information risk management program. You start to investigate and find out that a failed information governance program in the past has turned the senior executive into a strong opponent of any further initiatives related to information governance. The communication plan has to incorporate solid arguments that are communicated to this executive to convince him why the mistakes that occurred in the past will not be repeated.
Identifying Information Stakeholders
Make a list of all stakeholders that are relevant for your TIRM initiative. Stakeholders might include:
- Information producers
- Data intermediaries
- Knowledge workers
- Process owners
- Business information stewards
- Internal and external auditors
- Business partners
- End customers
- Third-party information providers
- Distribution channels
- Regulatory bodies
- Communities and the general public
Investigate and document the attitude of each stakeholder group toward the initiative (e.g., supportive, enthusiastic, neutral, or opposed) and what you think might motivate their attitude, and draw up a plan that articulates how to effectively communicate matters to each of the stakeholders to best gain their support. Also, organize presentation and training sessions so that they are tailored to each specific group of stakeholders.
Stakeholder involvement in stage A: Checks need to be made to identify whether the perceptions of the external and internal environment of the organization, the business objectives, and the risk criteria are shared among key stakeholders.
Stakeholder involvement in stage B: Stakeholders are involved during information risk assessment to get additional information and advice, and to ensure that everyone accepts the findings from this stage. In particular, the validity and plausibility of results from the information risk assessment stage should be validated with stakeholders.
Stakeholder involvement in stage C: During information risk treatment, it needs to be explained with care why particular options have been chosen or not chosen and why a particular way is selected in which to implement the option. A participative approach is of benefit here. Potential information risk treatment options should be discussed with all involved parties to better understand their weaknesses, risks and strengths, and to get support during implementation.
Monitor and Review
Finally, the implementation of the TIRM process itself should be constantly improved based on the experiences gained during its application in your organization. Some problems can be more easily identified from an external perspective. By interviewing a wide range of stakeholders, the TIRM process can be enhanced and improved.
The ISO 31000 risk management standard highlights the purpose of monitoring and review:
- Ensuring that controls are effective and efficient in both design and operation.
- Obtaining further information to improve risk management.
- Analyzing and learning lessons from events (including near-misses), changes, trends, successes, and failures.
- Detecting changes in the external and internal context, including changes to risk and the risk itself, which can require revision of risk treatments and priorities.
- Identifying emerging risks.
Putting It Together: The TIRM Model
The figure below shows how the components of the TIRM model are integrated and interlinked. Each business process contains any number of tasks that are carried out as part of that business process. To execute a task, data and information assets are required. Each piece of information may contain information quality problems, such as having missing entries (completeness of the data), which result in direct consequences. Further undesirable ramifications may result from the direct consequence, and each of these may still have any number of other, intermediate consequences. This, in turn, could adversely impact the achievement of a business objective.
There are also parameters that specify the link between the components in the model. The first parameter is the frequency of task execution, which is recorded for each task that is part of a business process and is the number of times (e.g., per month) that the task is actually carried out. Each time the task is executed it may require different data and information assets, and the probability that the data and information asset is needed is recorded for each task–information pair.
Furthermore, the specified information quality problem may not always appear in the particular subset of information used. For example, for a particular type of part, the information (asset) could list all of the suppliers without gaps, so the problem would not manifest itself in some cases. Therefore, the likelihood that the information quality problem appears in the information that is used for the task needs to be specified. In a similar manner, the likelihood that the problem leads to the direct consequence is recorded along with the likelihood that each consequence leads to other, intermediate, consequences. The last parameter is the severity of the impact in the impact on business objective component.
There are three options to provide quantitative estimates as part of the TIRM process:
Option 1: Estimating the expected value: Often the expected value is not known accurately or is volatile. In these cases, option 2 or 3 can be more suitable.
Option 2: Estimating a lower and an upper boundary: There is a high likelihood that the real value lies between these boundaries. In this case, it is assumed that the value is equally likely to fall anywhere between the two boundaries (i.e., it is distributed uniformly). A slight possible variation to option 2 is to assume that the values are distributed normally between the two boundaries (i.e., a normal distribution is used in this case).
Option 3: Estimating the most likely value (mode) and a lower and upper boundary: The advantage of having these three estimates is that they can be used to calculate the so-called triangular distribution.
If the task is executed by somebody other than the business process representatives participating in the information risk assessment workshop, this information can be obtained by asking the person who usually executes the task. This can sometimes also be supplemented with data that documents the execution of the task, if it is available.
The TIRM model is used to support the assessment and quantification of information risks in stage B of the TIRM process. The required parameters for the TIRM model will be gathered as part of the process steps in stage B. The risk totals can then be calculated for each information risk.
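The model components and parameters described above, together with the three estimation options, can be put into working code. The following is an added example and not code from the book or the TIRM authors. It assumes that the risk total for one information risk is the expected impact per period, computed as the product of the task execution frequency, every link likelihood along the path (information needed, quality problem present, direct consequence, intermediate consequences), and the severity of the impact on the business objective; the class names, the `sigma = (high - low) / 4` convention for the normal variant of option 2, and all sample figures are assumptions made for illustration.

```python
# Added example (not from the book): Monte Carlo quantification of one TIRM
# information risk. The multiplicative chain and all sample figures below
# are assumptions made for illustration.
import random
from dataclasses import dataclass, field
from statistics import mean, quantiles


@dataclass
class Estimate:
    """A TIRM model parameter captured with one of the three estimation options.

    option 1: expected value only (`value`)
    option 2: lower and upper boundary (`low`, `high`); uniform by default,
              normal between the boundaries when `normal=True`
    option 3: lower/upper boundary plus most likely value (`mode`); triangular
    """
    option: int
    value: float = 0.0
    low: float = 0.0
    high: float = 0.0
    mode: float = 0.0
    normal: bool = False

    def expected(self) -> float:
        """Point estimate used when no simulation is run."""
        if self.option == 1:
            return self.value
        if self.option == 2:
            return (self.low + self.high) / 2  # mean of a uniform or symmetric normal
        if self.option == 3:
            return (self.low + self.high + self.mode) / 3  # mean of a triangular distribution
        raise ValueError(f"unknown estimation option {self.option}")

    def sample(self, rng: random.Random) -> float:
        """Draw one value from the distribution implied by the option."""
        if self.option == 1:
            return self.value
        if self.option == 2 and not self.normal:
            return rng.uniform(self.low, self.high)
        if self.option == 2:
            # Assumption: the boundaries are read as a ~95% interval, so
            # sigma = (high - low) / 4; draws are clipped to the boundaries.
            mu, sigma = (self.low + self.high) / 2, (self.high - self.low) / 4
            return min(self.high, max(self.low, rng.gauss(mu, sigma)))
        if self.option == 3:
            return rng.triangular(self.low, self.high, self.mode)
        raise ValueError(f"unknown estimation option {self.option}")


@dataclass
class InformationRisk:
    """One path through the TIRM model, from task to business objective."""
    name: str
    frequency: Estimate   # task executions per period (e.g. per month)
    p_needed: Estimate    # probability the task needs this information asset
    p_problem: Estimate   # likelihood the quality problem is present in the subset used
    p_direct: Estimate    # likelihood the problem leads to the direct consequence
    severity: Estimate    # impact on the business objective, in its own unit (e.g. currency)
    p_intermediate: list = field(default_factory=list)  # chain of further consequence likelihoods

    def _combine(self, pick) -> float:
        # Assumed formula: impact per period = frequency x all link probabilities x severity.
        total = pick(self.frequency) * pick(self.severity)
        for p in [self.p_needed, self.p_problem, self.p_direct, *self.p_intermediate]:
            total *= min(1.0, max(0.0, pick(p)))  # keep likelihoods within [0, 1]
        return total

    def point_estimate(self) -> float:
        """Risk total from the expected value of every parameter."""
        return self._combine(lambda e: e.expected())

    def simulate(self, runs: int = 20000, seed: int = 1) -> dict:
        """Risk total distribution from sampling every parameter `runs` times."""
        rng = random.Random(seed)
        totals = [self._combine(lambda e: e.sample(rng)) for _ in range(runs)]
        deciles = quantiles(totals, n=10)
        return {"mean": mean(totals), "p10": deciles[0], "p90": deciles[-1]}


# Constructed sample: a purchasing task looks up a supplier list that has
# missing entries; sometimes this delays an order, and a delayed order sometimes
# causes a stock-out that costs the business money.
SUPPLIER_LOOKUP_RISK = InformationRisk(
    name="incomplete supplier list -> delayed order -> stock-out",
    frequency=Estimate(option=2, low=100, high=300),              # 100-300 lookups per month
    p_needed=Estimate(option=1, value=0.5),
    p_problem=Estimate(option=1, value=0.2),
    p_direct=Estimate(option=1, value=0.5),                       # gap -> delayed order
    severity=Estimate(option=3, low=500, high=1500, mode=1000),   # cost of one stock-out
    p_intermediate=[Estimate(option=1, value=0.5)],               # delayed order -> stock-out
)

if __name__ == "__main__":
    print("point estimate per month:", round(SUPPLIER_LOOKUP_RISK.point_estimate(), 2))
    print("simulated:", {k: round(v, 2) for k, v in SUPPLIER_LOOKUP_RISK.simulate().items()})
```

The point estimate is what you get when every parameter is captured under option 1; the simulation shows why options 2 and 3 are worth the extra effort, since the p10 and p90 figures tell the workshop participants how wide the plausible range of the risk total is rather than only its centre.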
Determining Risk Appetite for TIRM
Before starting with the TIRM process, you need to determine the risk appetite. Once the risk appetite has been determined, the organization will be on its way to establishing a robust TIRM process. The risk appetite will be needed to set up risk criteria in step A of the TIRM process. Providing clarity about tolerance levels and who is responsible will:
- Ensure that better-informed business decisions are made.
- Provide clear communication channels, alerting senior levels of management to potential information risks at an early stage.
- Alleviate the possibility of being exposed to unmanageable information risks.
- Allow the organization to prioritize actions in those areas where risk is deemed to exceed the defined appetite.
- Help to develop a culture where information risk awareness becomes embedded in day-to-day operations.
- Establish the right balance between being bold and being cautious.
You can of course decide how to measure your risk appetite, but you may wish to consider the following suggestion of a 1 to 4 scale, an example of which is shown in the table below.
| No Risk Appetite | Low Risk Appetite | Medium Risk Appetite | High Risk Appetite |
|---|---|---|---|
| Not willing to accept risks in any circumstances | Not willing to accept risk in some circumstances | Willing to accept risk in some circumstances | Willing to accept risk in any circumstances |

Sample Risk Appetite Scale
Communicating the tolerance level in this way should also be accompanied by guidance in terms of the discretion available. For example, who can make the decision to tolerate the risk? When does a decision need to be escalated to a higher level of management?
More tangible scales are set in the form of risk criteria for each business objective in step A, during the establish-the-context stage.
Boundaries need to be established with clear guidelines put in place so that misunderstandings and bad risks are mitigated. Expect that the level of risk appetite will vary, not only in respect of specific issues but also over time.
About the Authors
Alexander Borek, the inventor of Total Information Risk Management, is a senior strategy consultant at IBM’s corporate headquarters. Previously, he led a team at the University of Cambridge to develop the TIRM process.
Ajith Kumar Parlikad is a senior lecturer in industrial systems at the University of Cambridge. His work focuses on examining how asset information can be used to improve performance through effective decision-making.
Philip Woodall is a research scientist at the University of Cambridge specializing in information management.