www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
04 January 2010  

Mitigating the risk factors

In an uncertain and constantly changing environment, having an effective risk mitigation plan and strategy is essential for the growth of any business, writes Nivedan Prakash

Risk mitigation is basically a process to bring the level of risk to one that is acceptable and can be dealt with by an organization. Once the risks are identified, it is imperative to prioritize them and develop a risk mitigation plan.

Organizations can cost-effectively mitigate risks to the confidentiality, integrity, and availability of the IT systems and assets that support critical business processes. They can do so by cutting down on operational costs, converting capital expenditure to predictable operational expenditure, getting more from existing infrastructure as well as improving productivity and reducing staffing pressure.

Risks can also be mitigated either in-house or by outsourcing. If huge investments are required for mitigating risks, they can be outsourced to a third party who has the requisite domain knowledge in the ‘risk area’ and could help reduce the cost by leveraging its infrastructure and experience.

Industry experts believe that organizations do a cost-benefit analysis while selecting controls to mitigate the risk arising from threats that exploit weaknesses within a system. The cost-benefit analysis suggests the use of a strategy to either accept the risk or transfer it.

Besides, to effectively mitigate risks, companies also need to focus on educating their employees. It is critical that every employee understands the importance of confidentiality, integrity, and availability of IT systems and assets.

Developing an effective strategy

"Risk mitigation solutions provided by vendors are aimed at creating systems, processes and controls to prevent the occurrence of events that may put an organization at risk and to help it recover from disasters should the preventive measures fail"

- Satish Joshi
Executive VP, Patni

"A structured governance framework helps the entire organization work in a synchronized fashion towards the common goal of risk mitigation. It also enables uniform enforcement across the company by a CIO organization"

- Ramesh Ajjampur
Senior VP - Global Delivery, Mindteck India

"A structured governance framework has significant advantages in risk mitigation as it enables organizations to achieve thorough risk assessment as well as control of planning, development, improvement, and management of incident responses"

- Akila Krishnakumar
COO and Country Head (India), SunGard Technology Services

An effective risk mitigation strategy involves identifying the nature of risks associated with each activity and prioritizing them; assessing and evaluating the practicability and effectiveness of the risk mitigating solutions, which is further scrutinized through a SWOT analysis; and finally, selecting and implementing the most cost-effective solution, which is then deployed by assigning specific tasks to the team which has the expertise and skill sets to conduct them.

Manohar Ganshani, Practice Partner - Governance, Risk and Compliance, Wipro Consulting Services, said, “The risk mitigation plan will broadly have the strategy in terms of implementation, tracking and reporting of the controls selected to mitigate risk. The strategy might be to accept the risk or to transfer it. In some cases the risk is so insignificant that it can be avoided but that is equivalent to accepting the risk at that particular level.”

While building a complete strategy to mitigate risks associated with a major disaster, or more common risks in the areas of business operations or data availability, organizations need to take a comprehensive and methodical approach in risk mitigation to ensure business continuity.

Such an approach needs to evaluate and address the priorities and capabilities of the business along three dimensions of risk mitigation. First, understanding the reach and range of the risks in an organization and their impact within and outside the company is vital. Second, gauging the resilience level of the environment by identifying the vulnerable areas in the organization and the capabilities it possesses to predict, prevent and recover from risks is crucial.

Finally, there has to be an appropriate strategy to recognize and respond to organizational risks while improving the resilience level of the current environment and achieving the desired state of buoyancy in the company.

“Developing an effective risk mitigation strategy is a multi-pronged approach which involves listing out the risks that the organization is affected by, sieving out those risks which businesses would want to accept and run its operations with while devising a strategy to mitigate those risks that are unacceptable. Lastly, finding out which risks can be mitigated cost-effectively and which can be outsourced for effective operations is vital,” added Chandrasekhar Balasubramanian, Country Manager - Infrastructure Risk Management Services, IBM India/South Asia.

Moreover, a comprehensive and methodical approach to risk mitigation empowers organizations to make informed decisions. The systematic approach would provide a thorough insight into the various anticipated risks and their possible business impact. Organizations will then be able to better evaluate the pros and cons of adopting any particular solution to manage business continuity.

C Kajwadkar, Chief Architect and Vice President – Availability Services, Netmagic Solutions believes that companies need to critically look at the outcome of structured Risk Analysis and Review (RA&R) and build a risk mitigation strategy followed by a risk mitigation plan. A risk mitigation strategy includes elements such as risk avoidance, risk transfer, risk limitation, etc. One has to recognize that a risk mitigation plan may be a combination of different elements of risk treatment. However, despite deploying several strategies and risk treatment measures, there is always a threat of disaster and that’s the key point to note.

Need for a structured governance framework

In risk mitigation strategy, the role of both IT governance and corporate governance are important. IT needs support from corporate to implement a risk mitigation strategy and both need to be incorporated at the same time.

Akila Krishnakumar, COO and Country Head (India), SunGard Technology Services, was quick to point out that a structured governance framework has significant advantages in risk mitigation. It enables organizations to achieve thorough risk assessment as well as control over the planning, development, improvement, and management of incident responses. A structured governance framework therefore also helps in achieving compliance by means of structured auditing and assessment of the risk mitigation processes.

Once an organization understands the reach and range of the risks to its enterprise, it needs to evaluate its current ability to mitigate those risks. Due to the inherent complexity of most organizations, such an analysis should break down the different aspects of the organization into multiple layers that can each be viewed separately to see how they can be used to mitigate certain risks.

We would like to mention here that, in order to help with this analysis, organizations like IBM have developed frameworks such as the IBM Resilience Maturity Assessment Framework, which deconstructs a client environment into six layers: strategy, organization, processes, technology, applications and data, and facilities.

“A structured governance framework helps the entire organization to work in a synchronized fashion towards the common goal of risk mitigation. It also enables uniform enforcement across the organization by a CIO organization. By adopting a structured framework, we can get good references and case studies and also assistance from the standards bodies,” opined Ramesh Ajjampur, Sr. VP – Global Delivery, Mindteck India.

Plans falling short?

Here, we would like to mention that risk mitigation plans at many organizations fall short simply because they are not comprehensive and fail to take into account the reach and range of all the risks that they face.

This is also true because the nature of risks is quite diverse. While previously risks were thought of only in terms of technological glitches, the last year and a half showed us that they can be man-made, natural and even from internal sources. Therefore, it is never too late for an organization to put together a risk mitigation plan. It can bank upon its past learnings to build robust risk mitigation systems.

Also, unless the structured governance framework is properly institutionalized, the solution could end up being incomplete, and the shortfall would only become visible when the organization in question tries to recover from a disaster. Besides, if the risk mitigation strategy is not aligned with the organization’s business goals, it is bound to fail and would compromise the organization’s as well as stakeholders’ value.

It is, therefore, important to understand the business objectives and provide IT and infrastructure risk management and business resilience expertise, to assess a range of risks to the IT resources and assets on which business processes depend. The whole point here is that companies have to be alert in anticipating possible risks and be quick to learn from their mistakes as well as from those made by others.

A CIO’s perspective

B Murli Nair, CTO – Lakshmi Vilas Bank, on risk mitigation
Given what has gone on worldwide recently, do you think that there is a greater need for organizations to come alive to various risks—from natural catastrophes to internal and external threats, from audits to legal requests? If yes, then is it possible to make your information systems more risk aware?

There is a definite need for creating more awareness on the risk factors involved in various transactions. In a banking environment, the domain from which I hail, the risk perception is much higher. The role of a CISO in such organizations gains importance and they have to work in coordination with the risk management departments to arrive at methodologies to mitigate risk and internalize processes. It also should be a part of a company’s change management processes.

Does this change/expand your job role? If yes, then could you explain how?

It definitely changes the profile of the job. Each transaction has to be analyzed from the risk vs. benefit angle apart from the cost vs. benefit angle. Assessment of risks becomes part of the process which in turn requires bringing in people with the skill sets to understand these perceptions. The availability of skill sets in this area is not easy to come by since you need a combination of skill sets in risk and technology.

The ongoing financial turmoil has encouraged enterprises to put in place a risk-aware IT/information strategy. What sort of changes does this entail to how you run your IT?

During the course of time, we have identified a lot of gaps in the applications from the risk point of view. In the changed circumstances, what was a normal risk earlier has converted into a major risk in the present time. Unfortunately, the application or solution vendors have not been able to plug these risks. It should have been a natural outcome of the workflow application that these risks are identified and plugged, but the vendors are treating these as enhancements or customization, etc., adding to the cost of operations. With the increase in delivery channels, such gaps are increasing and consequently also the cost.

Risk mitigation refers to prioritizing, implementing and maintaining the appropriate risk-reducing measures. Please comment.

I agree with it totally. Prioritizing and implementing is a lesser challenge than sustaining the measures implemented on a continuous basis.

Why should a CIO take a lead role in executing structured processes to improve IT’s risk awareness and ability to prepare for, analyze and respond to risks?

I think the choice ultimately falls on the CIO since he understands both business and technology and hence is able to create the awareness, prioritize the issues and plan for mitigating risks. IT being the favorite punching bag in the company, everybody tries to ensure that the role finally falls on the CIO.

End-to-end solutions

"Risk mitigation strategy includes elements such as risk avoidance, risk transfer, risk limitation, etc. and one has to recognize that a risk mitigation plan may be a combination of different elements of risk treatment. However, despite deploying several strategies and risk treatment measures, there is always the threat of disaster"

- C Kajwadkar
Chief Architect and Vice President – Availability Services, Netmagic Solutions

"Developing an effective risk mitigation strategy is a multi-pronged approach which involves listing out the risks that could affect an organization, sieving out those risks which a business would want to accept and run its operations with while devising a strategy to mitigate those risks that are unacceptable"

- Chandrasekhar Balasubramanian
Country Manager – Infrastructure Risk Management Services, IBM India/South Asia

Risk mitigation is an integral part of an organization’s risk management process. This process will also involve some technological tools and templates to make the process a consistent and reliable one.

The solution, therefore, lies in selecting a standard, developing the methodology for risk assessment, framing a risk mitigation plan and defining the mechanism to track and report on risk levels. The solution has to adopt a consultative approach towards risk mitigation, so there is no single solution that fits every organization. Various vendors offer their services to provide this consultative approach for designing a risk mitigation strategy.

Satish Joshi, Executive VP, Patni, asserted, “Risk mitigation solutions provided by vendors are aimed at creating systems, processes and controls to prevent the occurrence of events that may put the organization at risk and to recover from disasters should these preventive measures fail. The solutions consist of assessment and creation of a risk profile, designing a framework for risk management, selection of technology, definition of management processes, control mechanisms, systems for periodic testing and audits of the processes, and the creation of a business continuity infrastructure.”

Standard frameworks such as ISO27000 are available for providing end-to-end risk mitigation solutions that cover all aspects of risk treatment. Many service providers comply with these standards to pass their benefits on to their customers and to themselves.

Additionally, vendors should be capable of assisting companies in the end-to-end implementation of DR and BCP services: right from helping them analyze the risk, to creating a plan, to giving an assurance that the plan will be implemented.

Onus on IT decision makers

In a CIO study conducted by IBM, it was found that 76% of Indian CIOs ranked risk mitigation among the topmost priorities for their organization to enable future business growth. A CIO’s role in maintaining a smooth risk mitigation process is paramount to ensuring business continuity and minimizing negative financial exposure.

Much of an enterprise’s risk mitigation falls to the CIO, who must ensure IT continuity, resilience, compliance, and security to safeguard assets and help minimize negative financial exposure. In fact, organizations look up to the CIO/CTO to mitigate the risk as soon as it is identified by the user department.

The bigger challenge for them is to address the matter within a particular timeframe, which is not easy to adhere to. This matters because the more time it takes to mitigate risks, the longer the organization is exposed to negative financial implications.

Moreover, risk mitigation activities primarily involve infrastructure-based solutions, which are governed by the CIO organization in any enterprise. They also require institutionalization and strict adherence and governance by every department and its members. So, indirectly, the entire organization needs to participate in making the risk mitigation plan a success.

nivedan.prakash@expressindia.com
