Total Information Risk Management (2014)
What you will learn in this chapter:
The purpose of this book
Structure of this book
How to use this book
We are living in exciting times. The notion of Big Data has become a much discussed topic in the business world. Almost every chief executive officer (CEO) who regularly reads business magazines has to ask: “Am I on the right track with data and information management and utilization in my company?” In most organizations there are several new technologies emerging on top of what is already a myriad of old technologies, and this brings with it specific challenges. Many organizations are desperately seeking to hire data scientists to help weave through the complexity now being seen, and the new discipline of data science is evolving at a fast pace.
Data becomes the focus of executives because it is the essential material to generate the information insights that a business needs to strive in today’s increasingly competitive environment. Information insights allow commercial businesses to allocate resources more profitably, satisfy their customers more effectively, reduce costs, save energy and materials, and offer better products and services that consumers really want and that are priced competitively. Public authorities, governments, and local communities can use analytics to minimize the financial burdens placed on taxpayers, reduce crime, optimize transportation, improve reliability and quality of utility and citizen services, and diminish environmental pollution. Nonprofit organizations are also able to take considerable advantage of information insights to increase the speed of support logistics in crisis regions, achieve a better allocation of resources to solve global challenges, and speed up medical progress in fighting diseases. It is not an overstatement to say that advanced data analytics will drive a smarter and hopefully better planet.
As much as data and information are becoming key assets for all organizations, however, its use does undoubtedly bring with it many potential risks from strategic, operational, financial, compliance, governance, environmental, and societal perspectives. Information governance is increasingly exercising the minds of many organizations, not least because of more stringent legal and regulatory requirements being imposed on both private and public sector entities. All organizations handle information. The governance of information is absolutely vital to the early identification of potential risk, the prevention of risk, and ensuring business continuity in the event of adverse risk. Accurate data records and the maintenance of such records is critical not only for meeting compliance requirements but for the longer-term survival of the organization. Organizations that fail to manage information risk effectively leave themselves open to fines, sanctions, and other penalties, not to mention loss of reputation and potential failure of the business.
Poor information management is not an option. There are many ways in which information can be compromised, damaged, or destabilized, leading to a multiplicity of problems. These range from those that are merely an inconvenience to those that can cause significantly harm to the organization. Nevertheless, the management of information risks is often poorly achieved because organizations give it low priority and, indeed, low visibility. Many view information risk an as intangible and do not know how best to manage it. Consequently, and due to the challenges it brings, it is not given all the time and attention that it rightly deserves. The fact is that in today’s increasingly intensive information-driven economy, new risks derived from information with poor-quality levels can and do appear quickly.
Organizations should recognize information risk management as being of vital strategic importance and a key component of overall business strategy. Managing information risk is important for all organizations regardless of size or structure—people within organizations need to be encouraged to manage the associated risks and regard such management as part and parcel of their day-to-day operations. Without an appreciation of the role they play, employees may either undertake activities or conversely fail to undertake activities, which consequently leave the organization exposed to unnecessary risks. Many organizations struggle to understand how to measure and quantify the impact information quality has on performance.
Luckily, the well-established discipline of risk management offers a variety of recognized concepts and methods to control the impact of uncertain events. In the data and information management discipline, thus far, risk management has been used in the past either to manage risks connected to disclosure of information or that arise from the failure of IT systems, but not directly to manage the risks when data and information assets are of poor quality. Therefore, existing information risk management processes address only a very small subset of the range of risks that are caused by poor data and information management.
The core idea in this book is to provide managers with a practical guide on how to apply risk management methods and principles more directly to data and information management. The journey to effectively manage information risks will undoubtedly require some initial investment in time and resources. But we also believe that managing information risk is an imperative for all organizations that want to protect themselves from malfunctioning. And there is a very positive side of managing information risk too: in the long term, the rewards for those organizations that manage information risk effectively will be significant, ranging from higher profitability, happier customers, and improved operational efficiency, to better investment decisions, and eventually leading to a sustainable competitive advantage.
What is Total Information Risk Management?
Managers have to address the new challenges posed by the rising importance of data and information being viewed as key assets. Data and information are such important assets for an organization that it is vital to understand how they impact the business performance of an organization. Data and information have an impact in every part of the organization; not taking these business impacts seriously can lead to risks that damage the organization.
Total Information Risk Management (TIRM) is a collection of concepts, methods, and techniques that we have developed to address these new challenges. The TIRM process has been advanced after conducting ground-breaking research at the University of Cambridge, funded by the British Engineering and Physical Sciences Research Council (EPSRC). Our research was undertaken in collaboration with many other international universities and many different organizations in a number of industrial sectors.
TIRM draws upon the extensive body of knowledge in the well-established discipline of risk management, as well as the newer discipline of data and information management. It provides organizations with the tools necessary to understand, measure, and control the business impact of data and information assets, effectively and efficiently.
Purpose of This Book
In our view, current approaches to data and information management do not create a clear enough link between data and its actual business value. Many of the existing data management books deal with the technicalities of data management but only a few discuss in detail how data and information should be governed. This emphasis is well described in the following recommended texts: Danette McGilvray’s “Executing Data Quality Projects”, David Loshin’s “The Practitioner’s Guide to Data Quality Improvement”, Thomas C. Redman’s “Data-Driven: Profiting From Your Most Important Business Asset” and John Ladley’s books “Data Governance” and “Making Enterprise Information Management (EIM) Work for Business”.
One of the most integral questions about the management of data and information currently remains unanswered: it is very hard to provide real evidence as to where data and information really impact the business, and it is even more difficult to say to what extent an organization might be affected. This book offers an innovative approach to TIRM, which achieves a clear link between data, information, and the business. We demonstrate how best to achieve this by integrating risk management methods and techniques with the discipline of data and information management.
The target audience for this book is people who want to learn how to make closer linkages between data and information and business value—that is, people who want to ensure that poor data and information do not threaten the well-being of their organization. The readership is targeted at both students and professionals in data management, business intelligence, and in the management of information systems and IT. This book will also be of interest to general managers and risk management practitioners. The book is written in a language that does not require readers to have any specific technical knowledge. Additionally, if readers are interested in how best to integrate the concepts in this book into a new or existing software system, Chapter 12 on software tools offers valuable guidance.
Structure of This Book
This book is divided into four parts:
In the first part of the book, we introduce general concepts in information and risk management to bring you up to speed with the concepts that TIRM is based upon.
In the second part of the book, we explain the TIRM process in detail and how it can be implemented within an organization; we use a case study example to aid with understanding the process.
In the third part of the book, we present advanced risk assessment techniques and software tools, and ways to establish organizational support and employee engagement, which can be used to support and enhance TIRM.
The fourth part of the book offers a conclusion and outlook.
How to Use This Book
The first part of the book discusses existing concepts in data and information management, data and information quality, and risk management. We recommend that you assimilate Chapter 3 because it explains the fundamentals that underpin the whole text. If you are new to data and information management and/or risk management, it is important to also read the remaining chapters in Part 1; they provide the basis for a general understanding of the rest of the text. If you are already familiar with some or all of the concepts, you can just read the parts that you are currently unfamiliar with and then move on to Part 2.
The second part of the book contains the new and most essential material: the TIRM process and how to apply it in an organization. This part should be read from beginning to end. When you later apply the TIRM process in your organization, this part of the book can be used as a facilitator’s guide and you can refer to each step of the process, on an individual basis, as and when required.
The third part of the book on risk assessment techniques and software tools, and organizational support and employee engagements for TIRM, can be read either from beginning to end or you can select topic areas that are most relevant for you during the implementation of TIRM in your organization.
Chapter 1: Data and Information Assets
This chapter introduces key concepts about data and information assets and includes a discussion about the characteristics of data and information assets. This chapter also considers key concepts of data and information quality and explores the impact of having low-quality data and information assets.
Chapter 2: Enterprise Information Management
This chapter introduces the concept of enterprise information management (EIM) and discusses the key challenges and pressures for EIM today.
Chapter 3: How Data and Information Create Risk
This purpose of this chapter is to explain how data and information create risk in an organization. It starts with a short introduction to the anatomy of information risks, explores ways in which to mitigate risks, discusses how risk does not always have to have negative connotations, and moves on to explain why quantifying risk is worth the effort, before concluding with an explanation as to how risk management can help improve EIM.
Chapter 4: Introduction to Enterprise Risk Management
This chapter explores the well-established discipline of risk management, explaining what is risk, the processes associated with risk management, how to determine your organization’s risk appetite, and how risk can be assessed and treated. It concludes with a description of the role of a key player in TIRM: the chief risk officer.
Chapter 5: Overview of TIRM Process and Model
This chapter gives an overview of the various stages of the TIRM process and dicusses general aspects that need to be considered when applying the TIRM process. We also give an overview of the TIRM model, which is needed for stage B of the TIRM process.
Chapter 6: TIRM Process Stage A: Establish the Context
This chapter is the first of three that explain the three stages of the TIRM process. Here, you are shown how to set the motivation, goals, initial scope, responsibilities, and context of the TIRM process. Key areas, including how to establish the external environment, how to analyze the organization, and how to identify business objectives, measurement units, and risk criteria, are explained in this chapter. It also explains how to gain a thorough understanding of the information environment in which your particular business operates.
Chapter 7: TIRM Process Stage B: Information Risk Assessment
This chapter provides a step-by-step guide for implementing the information risk assessment stage of the TIRM process. The chapter demonstrates how to quantify the business impact of poor data and information quality, as well as illustrates how to identify information risks, analyze and quantify information risks, and evaluate and rank information risks.
Chapter 8: TIRM Process Stage C: Information Risk Treatment
This chapter provides a step-by-step guide for implementing the information risk treatment stage of the TIRM process. It covers the identification of causes of information risks, finding appropriate information risk treatments, calculating the costs and benefits, selecting and implementing information risk treatments, and verifying their effectiveness after implementation.
Chapter 9: Integrating the TIRM Process Within the Organization
This chapter gives a comprehensive illustration of how to integrate the TIRM process within an organization. It clarifies the roles and responsibilities that lead to successful integration and offers guiding principles for successful implementation.
Chapter 10: TIRM Process Application Example
Using a case study based on the authors’ experience of implementing TIRM in an energy utility, this chapter shows the practical application of the TIRM process. It also demonstrates the significant benefits that can accrue from improving the quality of data and information holdings.
Chapter 11: Risk Assessment Techniques for TIRM
This chapter examines the popular techniques used for risk management and goes on to explore how they may be used in the context of information risk management. Some of these may be familiar and some less so.
Chapter 12: Software Tools: Automated Methods for TIRM
This chapter considers how automated software solutions can support the TIRM and examines how some of the TIRM process stages can be automated. It continues with a discussion about what information management tools and technologies are currently available for detecting and mitigating information risks.
Chapter 13: Establishing Organizational Support and Employee Engagement for TIRM
This chapter discusses strategies and concepts to overcome organizational resistance and increase employees’ support for TIRM. It draws on models published in the literature to show how employee “buy-in” might best be achieved.
Chapter 14: Conclusions and Outlook
In the final chapter, we gather together our thoughts on the book and hope that you and your organization will gain benefit from the book as a whole.
What is the Value of Reading This Book?
Most senior managers are interested in seeing the quantitative business value of an investment. Thus far, business value has been particularly hard to measure for data and information because they are usually considered as being too “intangible” to be quantified. This book removes the mystique that currently prevents organizations from managing information risks by introducing you to the discipline of TIRM. TIRM will help you to measure the benefits of improving the level of data quality and information insights in your organization and furthermore demonstrate how this provides real business value–driven recommendations.
In our research and consultancy with organizations in many different industrial sectors we found that there were many benefits attributable to the application of the TIRM process and we believe that your organization will similarly reap real business value from its implementation.
Building a Convincing Business Case for Any Type of Project, Program and Initiative that Aims to Improve the Quality of Data and Information Assets
The program, project or initiative can be anything from data management, data governance, data warehousing, data quality, business intelligence, business analytics, Big Data, social media analytics to more basic IT investments in infrastructure, services and software. It actually really does not matter what kind of project, program or initiative you want to run, you will need to convince the senior management in your organization of the business value of your planned undertaking. And for most of these projects the business value is that the business will be supplied with higher quality data and information assets, which improve business performance and reduce risk. We have good news for you: TIRM can help you to build a convincing business case for what you plan to do.
Focusing on Problems that Really Matter
Within organizations, TIRM can substantially leverage the success of information quality initiatives. Focusing on the information quality problems that cause the biggest issues and putting in place mitigation procedures to overcome these issues can reap significant rewards and provide organizations with high quality data and information assets.
Changing the Attitude of Your Employees Toward Information Quality
Information risk assessment illustrates to employees in their own task area the value of having a high level of information quality; this transmission of value can change the way employees think about information. As many information quality problems are attributable to people’s behavior during data collection and processing, this can make a positive contribution to performance.
Fine-tuning Your Information Systems
Understanding how information is combined and used in an organization in a given context and knowing the information risks helps organizations fine-tune their information systems for optimum performance in the given context of the organization.
Investing in IT Only When it is Truly Valuable
Many effective solutions to mitigate information risks are nontechnical; they are, in fact, organizational. To avoid unnecessarily “throwing” an expensive IT solution at problems that can be better solved with less expensive methods, TIRM will help you identify the true root causes of the business problems and find the optimal solutions taking a holistic, interdisciplinary perspective. The number of wasted IT projects could be reduced in the long run as information systems are continuously optimized to deliver best value.
Protect Your Organization from Exposures
Data and information are such vital assets that they can do major harm to your organization if not managed correctly. TIRM can help you to protect your organization from regulatory fines, mis-investments, damages to your brand and other major risks that can arise from poor data and information assets.
A Relatively Inexpensive but Very Effective Way to Manage Information
TIRM does not require a huge investment in additional resources. In fact, it can be integrated into daily business routines in such a way that it is hardly noticeable. The benefits mentioned earlier can provide long-term, sustainable competitive advantage for organizations.
In this book, we will show you how to set up an effective TIRM program in your organization, which can be a valuable source of sustainable competitive advantage. We will help you address the new challenges presented by the rising importance of recognizing and managing data and information as key organizational assets. We will show you how to maximize the value of data and information assets.