Risk Intelligence: Applying KM to Information Risk Management




Research Publication Date: 19 September 2007
ID Number: G00151742

Risk Intelligence: Applying KM to Information Risk Management
French Caldwell

Risk intelligence is the alignment of information governance and information risk management to business priorities. Not only does this alignment help mitigate the risks to business goals, it also leads to direct savings in legal and compliance costs, especially when knowledge management (KM) principles are applied.

Key Findings
- KM principles can be applied to information risk management.
- Information risk management and information governance are symbiotically interlinked.
- Effective information governance reduces storage, legacy application and legal discovery costs.

Recommendations
- Link information governance and information risk management strategies to help reduce the costs and business impediments that arise from regulatory and legal risks.
- To effect the linkage, borrow three principles from KM: focus on business value, establish accountability for information risks and enact adequate operational support.

Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW

The core KM principles of business focus, accountability and operational support can be applied effectively to link information governance and information risk management, thereby establishing risk intelligence. Developing risk intelligence maximizes the return on value from information risk management investments. These KM principles (focus on business value, accountability and operational support) will require some adaptation to apply effectively to information risk management.

ANALYSIS

Risk Intelligence Strategy in Information Governance

A risk intelligence strategy must deal with the dual drivers of business pressures and regulatory risks. For legal and regulatory risks, the easier and quicker relevant information can be provided to regulators, auditors and litigants, the less money is spent on labor to find the documents. In the case of increasing business pressures, the better the information provisioning, the better informed critical business decisions will be. KM ensures that the right information is provisioned to the right people at the right time, making it a critically important means of achieving proactive rather than reactive information governance. However, legal and regulatory information governance adds many different considerations to the KM strategy.

Regulatory and legal developments are placing a greater focus on information governance. The traditional response of most organizations to information requests from regulators and discovery actions from litigants is to place a hold on a vast amount of information, which can impede normal business information flows. Organizations then comb through the troves of information to find the requested or discoverable information, as well as any related information. This reactive approach is expensive, with teams of employees, auditors, accountants, IT personnel, consultants and attorneys sifting through massive repositories, archives and databases to find the information demanded by outside parties, while also seeking to ensure that any related incriminating information or exculpatory evidence is found. KPMG, an international auditing firm that provides discovery services, estimates that a typical legal-discovery action can cost more than $3 million, with most of this spent on labor to review documents and e-mails for discoverable material. In large companies, teams of IT personnel have been created to support these legal and compliance activities.

In addition to legal and regulatory information risks, ongoing business pressures are forcing CIOs to focus more on provisioning information than on provisioning technology. As industries consolidate and competition increasingly globalizes, the business stakes are high. Decisions on mergers and acquisitions, product launches and terminations, R&D investments and emerging-market initiatives all require solid information to manage their associated business risks. This information most often has legal and regulatory controls that affect its management; thus, as the business stakes grow, information risks become an ever larger element of business decision making and business risk.

Fundamental KM Principles

A KM strategy establishes what information is needed to support important business processes, how the information will be managed and maintained, to whom it will be provisioned and how it will be provisioned. KM architecture, processes, operational support and technologies are derived from the strategy surrounding them. In implementing the architecture, it is important to focus on the sets of information most important to the business processes being supported through the KM strategy. KM resources are limited, and establishing and maintaining a focus on information value is an essential element of KM strategy execution. The three KM principles of business focus, accountability and operational support help ensure the alignment of the KM architecture to business needs.

Focus

A central principle of KM is that value is derived by focusing on important business processes rather than starting with tools and technologies. In applying KM principles to information governance, this central principle is extended to focusing on important business risks. The following five steps start from high-level business risks, then drill down to specific and detailed information risks, thus focusing the information governance investment.

1. Start with key business risks. For most enterprises working on regulatory and legal information governance, the effort to determine the information risks can begin with the annual report, in which auditors have established the critical risk areas for the enterprise.

2. Prioritize the business risks. The annual report will list two dozen or more risk areas. Rank these areas by their importance to the business strategy, their level of regulation and how subject they are to legal discovery and litigation. With these criteria, no fewer than six and no more than 10 risk areas typically emerge as high-risk.

3. Identify information sources for high-risk business areas. Determine the business processes that are related to the business risks and what information is important to these processes.

4. Identify at-risk information sources. Determine what information is critical to the business process, needed for regulatory compliance and possibly subject to legal discovery.

5. Establish risk-mitigation strategies. Once the risks are known, risk-mitigation strategies can be developed. The solutions to implement the strategies can vary from improved IT security to the implementation of enterprise content management, records management and archiving. Knowledge-centric risks can be addressed through improved knowledge workplace strategies as detailed in Gartner research (see the Recommended Reading section).

Action Item: Take a top-down, business-oriented approach to information risk management.

Accountability

A second core KM principle that can be extended to information governance is accountability. An effective KM architecture requires that domain experts be assigned to work with knowledge managers to maintain various information sources. When extending this concept to information governance, information risks must be addressed. Although the domain expert may be held accountable for the KM architecture, this expert typically does not have the skills or tools to manage the associated information risks. Instead of the domain expert, the information architect or risk manager is often accountable for information risk management strategies. Specific individuals (IT security personnel, records managers, knowledge managers, application managers and database administrators) will be responsible for taking action to implement specific controls on the applications, databases, systems and repositories they manage. Likewise, operational personnel and managers must be consulted and informed about information risk; they could be business, IT, audit and legal managers and domain experts.

Action Item: Build a responsible, accountable, consulted and informed (RACI) chart for information risks.

Operational Support

The third KM principle is that, to obtain value, operational support must be provided. Operational support is critical to information governance as well. Getting beyond the "save everything" approach that most enterprises follow to manage information risks can avoid the increasing costs of storage and of maintaining legacy systems in case information access is needed. A centralized function is required to execute the information risk strategies, which can help enterprises focus on the highest-risk information sources and oversee the implementation of controls for risk mitigation. With so many people and different strategies for the various types of risks, there must be a central coordination function that establishes policies, assesses risks and ensures that those who are accountable and responsible are engaged in effective risk management. This function could report to the compliance office, enterprise risk management function, internal auditing or legal department.

Action Item: Establish a centralized function to maintain information governance policies and oversee information risk mitigation.

Tactical Guidelines

Enterprises can implement a risk intelligence strategy by doing the following:

1. Focus information risk management on business risks, including regulatory and legal discovery risks.

2. Assign a specific individual to be accountable for information risk management, and designate the appropriate business, legal, audit and IT personnel responsible for implementing and maintaining controls for information risk mitigation.

3. Establish governance for a centralized information risk management function, and provide adequate operational support.

RECOMMENDED READING

"KPMG FORENSIC: A Revolution in e-discovery: The Persuasive Economics of the Document Analytic Approach"
"Governance Is an Essential Building Block for Enterprise Information Management"
"Hype Cycle for Legal and Regulatory Information Governance, 2007"
"Knowledge Management Risk Analysis Framework"
"The Knowledge Workplace Risk Analysis Framework"
