Factor risk management into compliance assessments

A risk management approach to compliance assessments has significant benefits. It's difficult to measure risk value (or risk abatement value) without understanding business-process value. In many cases, key risk indicators (KRIs) are complements to key performance indicators (KPIs). Defining one provides a baseline for defining the other, and that baseline is, in turn, a costing baseline that supports more broadly strategic business decisions.

How does this work with regard to calculating risk-based compliance? As a brief example, let's consider one of the trickier compliance-value connections: information security's value to business operations. Here's a conventional information security risk equation:

Because this equation caps the value of an information asset at the cost of a particular machine, it underrepresents the business risk of the information.

A more complete risk equation also considers the operational value of information on the system:

+ Revenue value of system operations ($/period)
+ Business value of system availability ($/period)
+ User hours * User cost/hour ($)

And factor in degradation of information assets in the case of an information breach:

+ Business value of information confidentiality ($)
+ Business value of information integrity ($)

And, finally, liability costs associated with public notification of data loss:

+ Legal costs + Litigation costs + Potential regulatory penalties ($)
+ Labor costs + resource opportunity costs + forensics and other service fees ($)
+ Customer communications + credit monitoring + other remuneration ($)
+ Stock devaluation -- generally 1.5% to 5% over at least six months ($)

(As a side note, one incidental benefit of virtualization is the challenge it poses to the calculation of risks based on individual computer costs. Since a single machine may contain parts of many processes or just one part of a larger process, risk managers will increasingly be forced to valuate IT processes in terms of the business processes they support, not the information systems they run on.)

Note that some of the additional factors I mention above are business risk equations. Revenue value of system operations is a KRI; however, the value of those operations is derived from KPIs tied to the business process that the system supports.
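To make the expanded equation concrete, here is a small Python model of it, added to this article rather than taken from it: each term above becomes an input, the $/period terms are scaled to the length of an outage, and the 1.5% to 5% devaluation band produces a low and high estimate. Every dollar figure in the sample is constructed, and the split of the liability line items into three buckets is an assumption for illustration.

```python
from dataclasses import dataclass, field
# Stock devaluation range quoted in the article: 1.5% to 5% of market value.
DEVALUATION_LOW = 0.015
DEVALUATION_HIGH = 0.05

@dataclass
class SystemValuation:
    """Inputs for the expanded risk equation; every figure used here is constructed."""
    hardware_cost: float                 # the only term a machine-cost view counts
    revenue_per_hour: float              # revenue value of system operations ($/hour)
    availability_value_per_hour: float   # business value of system availability ($/hour)
    user_hours_lost: float               # user hours idle during the outage
    user_cost_per_hour: float
    confidentiality_value: float         # business value of information confidentiality
    integrity_value: float               # business value of information integrity
    notification_costs: dict = field(default_factory=dict)  # itemised liability costs
    market_cap: float = 0.0              # basis for the stock devaluation term

def operational_value(v: SystemValuation, outage_hours: float) -> float:
    """Scale the $/period operational terms to the length of the outage."""
    per_hour = v.revenue_per_hour + v.availability_value_per_hour
    return outage_hours * per_hour + v.user_hours_lost * v.user_cost_per_hour

def degradation_value(v: SystemValuation) -> float:
    """Confidentiality and integrity value lost in a breach."""
    return v.confidentiality_value + v.integrity_value

def liability_value(v: SystemValuation, devaluation_rate: float) -> float:
    """Itemised notification liabilities plus stock devaluation at the given rate."""
    return sum(v.notification_costs.values()) + v.market_cap * devaluation_rate

def exposure_range(v: SystemValuation, outage_hours: float) -> tuple[float, float]:
    """Low and high business exposure; the spread comes only from the devaluation band."""
    fixed = v.hardware_cost + operational_value(v, outage_hours) + degradation_value(v)
    return (fixed + liability_value(v, DEVALUATION_LOW),
            fixed + liability_value(v, DEVALUATION_HIGH))

def underrepresentation_factor(v: SystemValuation, outage_hours: float) -> float:
    """How many times the low estimate exceeds the machine-cost-only figure."""
    return exposure_range(v, outage_hours)[0] / v.hardware_cost

# Constructed sample: a modest server behind a customer-facing business process.
SAMPLE = SystemValuation(
    hardware_cost=8_000, revenue_per_hour=2_500, availability_value_per_hour=500,
    user_hours_lost=400, user_cost_per_hour=60,
    confidentiality_value=250_000, integrity_value=100_000,
    notification_costs={"legal_litigation_penalties": 200_000, "labour_forensics_fees": 40_000,
                        "customer_comms_credit_monitoring": 60_000},
    market_cap=20_000_000,
)
```

For a 24-hour outage the sample's machine-cost view ($8,000) sits at roughly one 130th of the low business-value estimate, which is the underrepresentation the article describes.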

This is a simplified example, of course. The risk and business intelligence required to quantify factors such as operational risk or the confidentiality value of information can be magnificently complex -- more complex than regulatory deadlines might allow. Managers can still derive a general sense of KPIs and KRIs by using specific business-case models and analyzing existing data from transactional and source systems.

While you might not want to base major business changes on such limited case models and limited data sources, the results of even broad-stroke risk analyses can be sufficient grounds for intelligent, risk-based compliance scoping.

If a particular scoping decision seems questionable based on known risk characteristics, management can decide whether further analysis or simply moving ahead with an indicated control is a better use of organizational resources. Either response would still be an improvement on checkbox compliance.

Cass Brewer is founder of Truth to Power Association, a research and advisory community that lets business, IT, audit and legal professionals collectively improve individual corporate governance, risk management and compliance practices. Let us know what you think about the story; email: editor@searchcompliance.com

This was first published in January 2009
