Introduction to Information Risk Management

- by David Loshin, Expert in Data Management

Organizations are increasingly embracing data governance tactics to address data quality and availability. However, the growing dependence on a wide array of data sources (many of which originate outside the administrative control of the organization) exposes several vulnerabilities associated with what I refer to as “information risk.” In this post, I introduce the concept of information risk and recommend establishing an information risk management program to understand data vulnerabilities and mitigate information risk.

According to Wikipedia there are several definitions of risk, including “the potential for uncontrolled loss of something of value,” and “(Exposure to) the possibility of loss, injury, or other adverse or unwelcome circumstance; a chance or situation involving such a possibility.” Using these definitions, “information risk” would be the potential for loss of value due to issues associated with managing information.

Exposure to any kind of risk affects the way that a business operates. There are operational effects, impacting the organization's ability to execute due to data availability or accessibility issues. There could be numerous financial impacts, such as increased operational costs, decreased revenues, and other financial losses associated with execution failures caused by flawed data. There is certainly the potential for reputation damage that can lead to decreased confidence and loss of customers associated with processes impacted by data issues. Information issues can lead to losses associated with fraud, waste, and abuse, as well as disrupting business continuity. Data issues that result in regulatory non-compliance can lead to penalties and necessary remediation activities.

Most organizations implement some kind of risk management program to understand and identify any threats of quantifiable damage, injury, loss, liability, or other negative occurrence that may be avoided through preemptive action.

The same should be said for information risk. In most cases, organizations conflate information risk with data protection. But information risk comprises so much more, including:

  • Exposure of any type of sensitive information,
  • Compliance with a broad array of regulations and laws,
  • Loss of accessibility to needed information,
  • Nonobservance of data retention and disposition directives,
  • Decreased corporate agility, or
  • Delays in decision-making.

Organizations need a framework for understanding, assessing, identifying, and mitigating information risks, such as the one that we call data policy governance. Directives that impose constraints on information production and use form the basis for defining data policies that operationally govern all aspects of information management, and the objective of this framework is to surface and clearly define data policies and then institute processes and technologies for their operationalization. The benefits of data policy governance include:

  • Simplifying reporting: Auditable processes for data asset assessment and classification simplify compliance reporting.
  • Building trust: Demonstrating auditable processes for protecting personal and private data builds trust with your customers.
  • Automating monitoring: Discrete specifications of data sensitivity enable automated application of data protection policies.
  • Reducing exposure: Knowledge of the data landscape improves the ability to apply data protection controls (such as encryption and masking).
  • Data awareness: Knowledge of the “hidden” areas of the data landscape provides insight into corporate operations and business opportunities.

Information risk management consists of four phases:

  • Information risk assessment, in which engaged stakeholders are interviewed to review business uses of information and identify the most critical risks related to information management and use. Data directives (such as data privacy laws or industry standards) are reviewed to identify the sources of data policies.
  • Data policy specification and prioritization, in which specific operational data policies are distilled out of the data directives and are prioritized in relation to the business impacts.
  • Data policy strategy, in which we draft a technology stack and accompanying process architecture to ensure implementation such that data policy compliance can be continuously monitored.
  • Data policy governance, where the technology and process architectures are implemented and put into production.

Organizational leaders must acknowledge the need for information risk management. In my upcoming posts I will provide additional details about how we have helped our clients assess data vulnerabilities and mitigate information risks.