Risk Intelligence: Applying KM to Information Risk Management

Transcription

1 Research Publication Date: 19 September 2007 ID Number: G Risk Intelligence: Applying KM to Information Risk Management French Caldwell Risk intelligence is the alignment of information governance and information risk management to business priorities. Not only does this alignment help mitigate the risks to business goals, it also leads to direct savings in legal and compliance costs, especially when knowledge management (KM) principles are applied. Key Findings KM principles can be applied to information risk management. Information risk management and information governance are symbiotically interlinked. Effective information governance reduces storage, legacy application and legal discovery costs. Recommendations Link information governance and information risk management strategies to help reduce the costs and business impediments that arise from regulatory and legal risks. To effect the linkage, borrow principles from KM focus on business value, establish accountability for information risks and enact adequate operational support. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

2 WHAT YOU NEED TO KNOW The core KM principles of business focus, accountability and operational support can be applied effectively to link information governance and information risk management, thereby establishing risk intelligence. Developing risk intelligence maximizes the return on value from information risk management investments. These KM principles focus on business value, accountability and operational support will require some adaptation to apply effectively to information risk management. ANALYSIS Risk Intelligence Strategy in Information Governance A risk intelligence strategy must deal with the dual drivers of business pressures and regulatory risks. For legal and regulatory risks, the easier and quicker relevant information can be provided to regulators, auditors and litigants, the less money is spent on labor to find the documents. In the case of increasing business pressures, the better the information provisioning, the more informed critical business decisions will be. KM ensures that the right information is provisioned to the right people at the right time, making it a critically important means of achieving proactive rather than reactive information governance. However, legal and regulatory information governance adds many different considerations to the KM strategy. Regulatory and legal developments are placing a greater focus on information governance. The traditional response of most organizations to information requests from regulators and discovery actions from litigants is to place a hold on a vast amount of information, which can impede normal business information flows. Organizations then comb through the troves of information to find the requested or discoverable information, as well as any related information. This reactive approach is expensive, with teams of employees, auditors, accountants, IT personnel, consultants and attorneys sifting through massive repositories, archives and databases to find the information demanded by outside parties and seeking to ensure that any related incriminating information or exculpatory evidence is found. KPMG, an international auditing firm that provides discovery services, estimates that a typical legal-discovery action can cost more than $3 million, with most of this spent on labor to review documents and s for discoverable material. In large companies, teams of IT personnel have been created to support these legal and compliance activities. In addition to legal and regulatory information risks, ongoing business pressures are forcing CIOs to focus more on provisioning information than on provisioning technology. As industries consolidate and competition increasingly globalizes, the business stakes are high. Decisions on mergers and acquisitions, product launches and terminations, R&D investments and emerging market initiatives all require solid information to manage their associated business risks. This information most often has legal and regulatory controls that affect its management; thus, as the business stakes grow, information risks become an ever larger element of business decision making and business risks. Fundamental KM Principles A KM strategy establishes what information is needed to support important business processes, how the information will be managed and maintained, to whom it will be provisioned and how it will be provisioned. KM architecture, processes, operational support and technologies are derived from the strategy surrounding them. In implementing the architecture, it is important to focus on the sets of information most important to the business processes being supported through the KM Publication Date: 19 September 2007/ID Number: G Page 2 of 5

3 strategy. KM resources are limited, and establishing and maintaining a focus on information value is an essential element of KM strategy execution. The three KM principles of business focus, accountability and operational support help ensure the alignment of the KM architecture to business needs. Focus A central principle of KM is that value is derived by focusing on important business processes rather than starting with tools and technologies. In applying KM principles to information governance, this central principle is extended to focusing on important business risks. The following five steps start from high-level business risks, then drill down to specific and detailed information risks, thus focusing on the information governance investment. 1. Start with key business risks. For most enterprises working on regulatory and legal information governance, the effort to determine the information risks can begin with the annual report. In the annual report, auditors have established the critical risk areas for the enterprise. 2. Prioritize the business risks. The annual report will list two dozen or more risk areas. Rank these areas by their importance to the business strategy, their level of regulation and how subject they are to legal discovery and litigation. With these criteria, fewer than six and no more than 10 risk areas typically emerge as high-risk. 3. Identify information sources for high business risk areas. Determine the business processes that are related to the business risks and what information is important to these processes. 4. Identify at-risk information sources. Determine what information is critical to the business process needed for regulatory compliance and possibly subject to legal discovery. 5. Establish risk-mitigation strategies. Once the risks are known, risk-mitigation strategies can be developed. The solutions to implement the strategies can vary from improved IT security to the implementation of enterprise content management, records management and archiving. Knowledge-centric risks can be addressed through improved knowledge workplace strategies as detailed in Gartner research (see the Recommended Reading section). Action Item: Take a top-down, business-oriented approach to information risk management. Accountability A second core KM principle that can be extended to information governance is accountability. An effective KM architecture requires that domain experts be assigned to work with knowledge managers to maintain various information sources. When extending this concept to information governance, information risks must be addressed. Although the domain expert may be held accountable for the KM architecture, this expert typically does not have the skills or tools to manage the associated information risks. Instead of the domain expert, the information architect or risk manager often is accountable for information risk management strategies. Specific individuals, IT security personnel, records managers, knowledge managers, application managers and database administrators will be responsible for taking action to implement specific controls on the applications, databases, and systems and repositories they manage. Likewise, operational personnel and managers must be consulted and informed about information risk; they could be business, IT, audit and legal managers and domain experts. Publication Date: 19 September 2007/ID Number: G Page 3 of 5

4 Action Item: Build a responsible, accountable, consulted and informed (RACI) chart for information risks. Operational Support The third KM principle is that, to obtain value, operational support must be provided. Operational support is critical to information governance as well. Getting beyond the "save everything" concept that most enterprises follow to manage information risks can save the increasing costs associated with storage and maintaining legacy systems in case information access is needed. A centralized function is required to execute the information risk strategies that can help enterprises focus on the highest-risk information sources and to oversee the implementation of controls for risk mitigation. With so many people and different strategies for the various types of risks, there must be a central coordination function that establishes policies, assesses risks and ensures that those who are accountable and responsible are engaged in effective risk management. This function could report to the compliance office, enterprise risk management function, internal auditing or legal department. Action Item: Establish a centralized function to maintain information governance policies and oversee information risk mitigation. Tactical Guidelines Enterprises can implement a risk intelligence strategy by doing the following: 1. Focus information risk management on business risks, including regulatory and legal discovery risks. 2. Assign a specific individual to be accountable for information risk management, and designate the appropriate business, legal, audit and IT personnel responsible for implementing and maintaining controls for information risk mitigation. 3. Establish governance for a centralized information risk management function, and provide adequate operational support. RECOMMENDED READING "KPMG FORENSIC: A Revolution in e-discovery: The Persuasive Economics of the Document Analytic Approach" "Governance Is an Essential Building Block for Enterprise Information Management" "Hype Cycle for Legal and Regulatory Information Governance, 2007" "Knowledge Management Risk Analysis Framework" "The Knowledge Workplace Risk Analysis Framework" Publication Date: 19 September 2007/ID Number: G Page 4 of 5

5 REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT U.S.A European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Publication Date: 19 September 2007/ID Number: G Page 5 of 5