Monday, April 26, 2010

Introduction

During disasters like the financial crisis, 9/11 or Hurricane Katrina it was clear that although enterprise risk management policies were in place, they either proved to be ineffective or hazardous themselves. Avoiding or containing the problem came too late, was poorly managed, or the actions taken were simply wrong. But these Black Swans – disasters with major economic impact across industries – are not always the focus of risk management, nor should they be. Tighter security could have prevented hackers from stealing 40 million credit card numbers from MasterCard in 2005 [1] and thus reduced the damage to their reputation. Another example is the data loss at T-Mobile in 2009, when T-Mobile lost personal information, contacts, calendar entries and other data during an incident [2]. This not only damaged their reputation and created heavily disgruntled Sidekick users, but also cost them customers and subsequently revenue.

In the wake of the financial crisis, many risk management consultancies are coming up with new solutions and ideas for how these risks could have been avoided or reduced effectively [3]. But the problem companies now face is: how do we know that these technologies and policies actually help reduce risk during an incident, without waiting for one to happen? How do we know that the money we spent has a positive Return on Investment?

In this blog, I would thus like to address the issue of Enterprise Risk Management policies, the best practices and regulations that need to be considered, and then give an overview of the techniques and applications that can be used to audit these policies and prove that they add value to the company, with an emphasis on the IT environment.
The outline for the blog is:
  • Disasters, their consequences and how they could have been avoided with the right policies and technologies
  • Best practices in designing IT Risk Management policies
  • Auditing tools and techniques that can help prove these policies correct

References:

[2] Ars Technica, "T-Mobile and Microsoft/Danger data loss is bad for the cloud", October 12, 2009, http://arstechnica.com/business/news/2009/10/t-mobile-microsoftdanger-data-loss-is-bad-for-the-cloud.ars
[3] A.E. Feldman, "Risk Management Watch: Financial Crisis Big Opportunity for Risk Professionals", January 27, 2009, http://blog.aefeldman.com/2009/01/27/risk-management-watch-financial-crisis-big-opportunity-for-risk-professionals/