Total Information Risk Management (2014)
PART 2 Total Information Risk Management Process
CHAPTER 9 Integrating the TIRM Process within the Organization
This chapter discusses important aspects that need to be considered before, during, and after the implementation of the TIRM process to ensure a successful integration within the organization.
Keywords: Roles and Responsibilities for TIRM; Integration with EIM; Integration with ERM; Management Principles
What you will learn in this chapter
How to integrate the TIRM process within your organization
The roles and responsibilities that can be set up for the TIRM process
Guiding principles to ensure successful implementation of the TIRM process
In the last few chapters, the most important elements of TIRM were introduced in detail. In this chapter, we give recommendations on the integration of TIRM within the organization. We consider where responsibility for TIRM should lie, how those responsibilities might be assumed, and also explore the role that organizational culture has to play. TIRM is essentially a process to steer Enterprise Information Management (EIM) in a way that promises to create the best business value for information. We will, therefore, also clarify the relationship between EIM and TIRM in this chapter. Additionally, we cover how TIRM should be integrated with the enterprise risk management (ERM) function in the organization.
Roles and responsibilities for TIRM
Who is responsible for TIRM? The correct answer to this question is “everybody in the organization.” At a time when information is driving the economy as never before, it is important to have a well-implemented TIRM program where everyone has responsibility for ensuring that information is managed effectively. From IT to finance to human resources to marketing, from the CEO to staff working in the field, it should be incumbent upon everyone to regard TIRM as an integral element of day-to-day business. This may be achieved by, for example, encoding TIRM into business processes, performance measures, etc., and communicating it in ways that are relevant to individual employees and their role within the organization.
The view that the management of risk is a collective responsibility is supported by ISO 31000, which states: “Risk management is not a standalone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and part of all organizational processes, including strategic planning and all project and change management processes” (ISO, 2009).
TIRM is not the specific responsibility of IT. It is the collective responsibility of the whole organization to manage information risks.
While the board of directors has overall responsibility and accountability for the strategic direction of the organization and for delivering performance (and profitability), the responsibility for TIRM may in many instances be placed firmly at the feet of the chief risk officer (CRO) or chief compliance officer (CCO). While this is understandable, it carries the danger that everyone else in the organization thinks they have neither responsibility nor accountability for TIRM, and that is not a good situation for an organization to be in. Therefore, representatives from all corners of the organization should be involved in the TIRM program. In particular, we suggest specific roles and committees to manage the transition to an organization that effectively manages information risks; these are discussed in the following sections.
TIRM should be a collective responsibility, with each manager being accountable for managing information risk within his or her sphere of responsibility. Yet in the early days of implementation it is important to give responsibility for implementation activities to a few key individuals, supported in the longer term by a team if appropriate. There are a number of roles that should be allocated to kick off a successful TIRM program:
1. TIRM process sponsor
2. TIRM process manager
3. TIRM process facilitator(s)
4. Business process representatives
5. IT system and database representatives
If similar roles already exist as part of the enterprise information governance program, it would be appropriate to align TIRM with information governance roles and responsibilities. TIRM is integral to EIM. The roles do not require a full-time position to be created, but rather should be executed in addition to current job activities by capable employees. Depending on the scale of your organization and the scope of the TIRM process, more people may be needed as the TIRM program grows. In very large organizations you might even consider creating full-time positions for some of the roles. Each role is discussed in the following.
Specific roles give structure to the TIRM program; ensure that all the key parts of the business are represented in the TIRM committees (under consideration of the scope of the TIRM process).
TIRM process sponsor
The TIRM process sponsor plays the most important role. This individual should be a senior executive who has the authority to start and maintain a TIRM program within the organization. He or she should understand the importance of managing information risks.
The TIRM process sponsor should be a senior executive with enough organizational power to convince other business divisions to implement TIRM. The job title of a potential TIRM process sponsor usually starts with C (e.g., CEO, COO, CFO, CIO). Alternatively, it might be a president, vice president, or director.
The TIRM process sponsor is the advocate for implementing TIRM within the organization and provides the necessary resources and establishes the political support. The TIRM process sponsor heads the TIRM steering council, the role of which will be described later.
TIRM process manager
Whereas the TIRM process sponsor makes resources available, the TIRM process manager manages these resources to ensure the effective implementation of the TIRM process. This individual should be familiar with all concepts of TIRM and also have experience in information governance and management, and should ideally have worked in the business side of the organization. He or she should be familiar with and knowledgeable about all key business divisions in the organization. He or she is responsible for ensuring that TIRM policies are implemented and sustained, and therefore heads up the TIRM managing committee and leads the team of TIRM process facilitators to achieve this. Moreover, the TIRM process manager communicates with business process and IT system and database representatives to coordinate their efforts. The TIRM process manager has to report to the TIRM steering council.
TIRM process facilitators
The TIRM process facilitators are dedicated personnel trained in TIRM concepts and methods and support the implementation of the TIRM program with their expertise. These individuals prepare, facilitate, and analyze the results of workshops and process the insights gleaned from workshops into a format that is easy to understand by decision makers. They work directly with the TIRM workgroups as well as with business process and IT system and database representatives.
TIRM process facilitators should bring expertise in data management and be familiar with the business, how it operates, and what targets and goals the organization as a whole is striving to achieve. The TIRM process facilitators are strongly advised to read this book from cover to cover, as it will help them develop a good understanding of the necessary background, the TIRM process, and the available techniques.
Business process representatives
Each important business process in the scope of the TIRM program should have at least one business process representative. If a business process involves several business functions, a representative from each relevant function should be chosen. One of the business process representatives should be selected as the spokesman and coordinator, and represent the business process through membership of the TIRM managing committee.
IT system and database representatives
An IT system and database representative should be chosen for each major IT system and database. This should be someone who is knowledgeable about the data within the system and is able to use data quality software tools, such as data profiling (see Chapter 12). Information technology can both cause and prevent information risks and therefore plays an important role in TIRM. An IT system and database representative should be knowledgeable about the IT system or database he or she represents and assist in analyzing where IT hardware and software applications can create failures, security problems, and information risks. The representative also provides support when the analysis of the causes of information risks is undertaken. Additionally, he or she provides support when the identification and implementation of information risk treatment options that involve information technology are being considered. An IT system and database representative can be, for example, a data steward or information quality manager, but could also be somebody from the IT function who is responsible for data rather than application management.
In general, there can be three levels of responsibilities that are carried out by three different committees:
1. TIRM steering council
2. TIRM managing committee
3. TIRM workgroups
The optimal number and structure of responsible committees will obviously differ from organization to organization. Some larger organizations might need more levels of responsibility, whereas for smaller organizations, it might suffice to have just one committee. Also, if you implement the TIRM process in a relatively small scope, fewer structures and resources will naturally be required. Each of the three proposed levels is described in more detail in the following subsections.
Program leadership: TIRM steering council
A steering council should be formed of senior executives, preferably from each business division, and should operate at a strategic level. The head of this council should be the TIRM process sponsor. The steering council decides the goals and scope of information risk management and sets the policies. It also decides which information risk treatment options should be implemented, based on the recommendations of the TIRM managing committee. It gives authority to the TIRM program. The TIRM process manager should report regularly to the steering council and should therefore be a permanent nonvoting member of this council.
Program management: TIRM managing committee
A TIRM managing committee should be established that operates at a tactical level. The TIRM process manager should head up the managing committee. The committee consists of the TIRM process facilitators and of selected business process and IT and database representatives. The committee manages and coordinates the TIRM activities within the workgroups. It also decides what needs to be reported to the TIRM steering council and prepares decisions that need to be made by them. The committee monitors whether or not the information risk management policies are being complied with and verifies the effectiveness of the implementation of the (chosen) information risk treatments.
Program implementation: TIRM workgroups
A TIRM workgroup operationally leads the implementation of a specific part of the TIRM program. For example, a workgroup can be responsible for overseeing and coordinating information risk assessments. Other workgroups can focus on the implementation of more complex types of information risk treatments. Therefore, there will be a number of workgroups operating simultaneously. A workgroup should consist of business process and IT system and database representatives and a TIRM facilitator—each one selected on the basis of their suitability and expertise in the type of task that the workgroup is responsible for. Each workgroup reports to the TIRM managing committee.
Advice for small- and medium-size organizations
If you are working for a small- or medium-size organization, you may be thinking that it is going to be too costly to implement the TIRM process in your organization. The good news is that due to the smaller size of your organization, it will take less effort to implement a successful TIRM program. Therefore, fewer roles and committees need to be created to implement the TIRM process.
In smaller organizations, the roles can be reduced to a minimum. For example, in an organization that has 20 to 30 employees, one person could take on the roles and responsibilities of the TIRM process sponsor, process manager, and expert. Also, instead of having three levels of committees, one TIRM managing committee would suffice.
Advice for large organizations
Very large organizations need much more structure to ensure that the TIRM program is delivered with success. We recommend following the advice in this section. If the TIRM process is initially implemented in a smaller scope, fewer resources are required and it can be sufficient to proceed with a much-reduced number of roles and committees. Deciding to merge the roles, responsibilities, and committees with other related councils and roles (e.g., for enterprise information management, data governance, and ERM) to reduce the overhead costs would be a prudent move. The relationship to these functions is discussed next.
The relationship between TIRM and EIM
Relationship of TIRM to EIM strategy and governance
The role of TIRM is to focus the EIM efforts on the things that matter most for the business. EIM is steered by the information strategy and governance. The strategy is the set of goals and objectives for EIM that should be followed; these should be aligned with the business strategy and goals. Information governance sets and monitors the rules, standards, and policies for EIM to ensure that the information strategy is actually followed. If your organization has not started an information governance program, we highly recommend John Ladley’s book (2012), which discusses all of the important fundamentals of information governance. Information governance requires the definition of roles and responsibilities, principles, policies, functions, metrics, technology, and tools. Note that the roles and committees in information governance can overlap with the ones in TIRM, which is not a problem, but is encouraged since it reduces communication problems. The relationship between the TIRM program and information strategy and information governance is shown in Figure 9.1.
FIGURE 9.1 TIRM influences EIM strategy and governance.
The TIRM process allows organizations to understand where poor information hurts the business most and where better information could open up the biggest business opportunities—that is, which risks related to information need to be managed. The information strategy formulates the approach to manage these risks, and information governance then ensures the execution of the information strategy. Information governance is essential to make sure that the information strategy is delivered and enables the successful implementation of projects to treat information risk. The TIRM process then allows for regular monitoring of any changes in information strategy and governance, and of whether these have led to the expected results by reducing the negative risks and increasing opportunities for the effective management of risks.
Sometimes, there is a perception that information governance could be a straitjacket that prevents the organization from pursuing its broader goals; however, nothing could be further from the truth. While it is apparent that many organizations have started to take the management of information risk seriously only as a consequence of having to comply with legislative and regulatory frameworks, there is an increasing recognition that wider information risk management can become a core competence, which if developed effectively, enhances processes and procedures.
Information policy and implementation strategy
Information policy is an overarching statement setting out why information management is mission-critical to the organization and how it sits within a wider organizational expression of (organizational) objectives. Implementation strategy articulates how the policy is going to be operationalized.
Organizations adept at managing information risk recognize the importance of formulating and implementing robust policies and strategies for its management. Without this, employees might improvise and manage information risk in disparate ways that could lead to inefficiency, duplication, poor decision making, security breaches, compliance failure, and ultimately in the severest cases put the organization out of business (Webb, 2008).
TIRM should be a component of the information policy and its implementation strategy, as well as risk assessment procedures. Any strategic plan should be a tangible expression of measurable outcomes—remember the adage “what gets measured, gets managed.” While information policy and implementation strategy can be formulated without TIRM, they may be better if information risk is considered.
Relationship between information governance and corporate governance
As discussed, TIRM informs information governance. Moreover, the TIRM program will fall within the auspices of the wider information governance program, and information governance will fall within the broader corporate governance program. Corporate governance is very firmly in the spotlight since the impact of economic liberalization and deregulation of business (through globalization) has brought a demand for transparency and compliance with regulatory and legal frameworks. Organizations are constantly being pressured to be more transparent and accountable to their stakeholders. Pressure from government, consumer groups, and nongovernmental organizations, as well as shareholder activism, is “forcing” organizations to be more open about their operations.
Investors, particularly institutional investors (e.g., pension funds, insurance companies), are increasingly willing to pay a premium to invest in organizations that have good governance procedures in place. These institutional investors are, of course, interested in seeing continuing profitability, but these days are also concerned about how profits are made, how internal governance is carried out, and the organization’s relationship with other stakeholder groups. Good governance leads to better management of risk; better management of risk leads to good performance and higher returns for investors. Many companies now provide commentary in their annual reports about their governance procedures.
Governance codes have been developed in different countries and are issued by a variety of entities, such as stock exchanges, trade bodies, professional associations, institutional investors, governments, and international organizations (e.g., International Monetary Fund). Generally speaking, law does not mandate compliance with such codes and principles, but there may be some legal requirements for some organizations. Each organization should be fully cognizant of what their regulatory and legal obligations are and ensure that they are compliant with them.
According to Crowther and Seifi (2010) there are four principles of corporate governance:
1. Transparency—it needs to be apparent to all what the governance procedures are.
2. Accountability—reporting structures must be clear.
3. Responsibility—someone must be accountable for all parts of the effect and a clear chain of actions is required.
4. Fairness—systems must operate impartially and without prejudice.
Corporate governance currently focuses on how an organization conducts itself in relation to all its stakeholders.
Specific EIM projects
TIRM can also support specific EIM projects. It can help make decisions about which EIM projects should be implemented based on their impact on information risk. EIM can calculate the benefits of the projects and compare them to the costs and risks. TIRM can help to select and guide which projects should be implemented and also help prioritize the projects by providing a reasoned grounding in the business impact of poor information that could be improved by the EIM project. The relationship between TIRM and specific EIM projects is visualized in Figure 9.2.
FIGURE 9.2 TIRM process related to specific EIM projects.
Understanding which risks are created by poor information and quantifying those risks by, for example, expressing them as an annual financial impact, can be used to build business cases for the specific EIM projects and improve the effectiveness of EIM as a whole.
A company considers buying a master data management (MDM) software tool and alongside that the purchase of consulting services to successfully implement the changes in the business processes that are deemed necessary. Such a project can be very costly. By analyzing which information risks are treated if the project is implemented, the benefits of the project can be calculated with the help of TIRM. TIRM can also help the organization to make better-informed decisions about which EIM projects actually make sense, both from a financial perspective and a nonfinancial perspective.
TIRM integrated with ERM
ERM is the enterprise-wide framework for dealing with uncertainty in the organization. Hopkin (2010) defines five principles for ERM:
1. Risk management activities must be proportionate to the risk level faced by an organization.
2. Risk management activities need to be aligned with the other activities in the organization.
3. Risk management must be comprehensive.
4. Risk management activities must be embedded within the organization.
5. Risk management activities must be dynamic and responsive to emerging and changing risks.
According to Hopkin, ERM requires a set of risk management–specific policies, strategy, and architecture, and protocols and guidelines. Moreover, organizational culture is an important element for risk management. The organization’s risk appetite needs to be defined, and ERM should be integrated with corporate governance activities. Risk management activities should be documented, and responsibilities for risk management need to be assigned. The CRO, if one exists in the organization, plays a key role for TIRM and, besides the CIO, is a potential candidate for the TIRM process sponsor role. The CRO should at least be a member of the TIRM steering council.
What is the relationship between TIRM and ERM?
Protecting the value of core business assets and ensuring that harmful risks are minimized applies to information just as much as it does to the protection of other types of organizational assets. TIRM manages the risks that arise from information and reports them to the ERM function. By improving the information quality in the organization, the overall effectiveness of ERM can also be improved. ERM often concentrates on the extreme uncertainties in an enterprise, such as stock market crashes, economic recessions, shifts in technology and markets, earthquakes, and fires. Many information risks would therefore not be significant enough to be managed under the ERM umbrella, but are often still very important for the competitiveness and success of an organization. Therefore, they should be reported to the ERM function, but often they need to be handled separately and at a different level of granularity. To summarize, TIRM is at the crossroads of ERM and EIM, with both functions playing an important role, but, as emphasized at the beginning of this chapter, the responsibility for managing information risks should lie in everyone’s hands across all business functions.
This chapter discussed how, at a high level, an organization can implement the TIRM program. In particular, roles and committees have been proposed that can be adapted to give structure to the TIRM program. We have also shown how TIRM interrelates with EIM and ERM in an organization.
1. Crowther D, Seifi S. Corporate Governance and Risk Management. Available at www.bookboon.com; 2010.
2. Hopkin P. Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management. London: Kogan Page; 2010. p. 47.
3. International Organization for Standardization (ISO). ISO 31000:2009 Risk Management—Principles and Guidelines on Implementation. Available at http://www.iso.org/iso/catalogue_detail?csnumber=43170; 2009.
4. Ladley J. Data Governance: How to Design, Deploy, and Sustain an Effective Data Governance Program. 1st ed. San Francisco: Morgan Kaufmann; 2012.
5. Webb J. Strategic Information Management: A Practitioner’s Guide. Oxford: Chandos Publishing Ltd; 2008.