atos whitepaper - strategic system for risk management models and growth phases

Strategic system for risk management Your business technologists. Powering progress Whitepaper

Upload: atos

Post on 28-Nov-2014

DESCRIPTION

How do you defend your organization from the threats within and the threat without when it really counts? Atos has just successfully provided secure IT services to the broad and diverse population comprising the Olympic and Paralympic family. So discover how Atos’ business technologists are using the Games experience to provide the same new “boundary-less” concept with security and transparency to businesses the world over.

Strategic system for risk management – Models and growth phases

1. Introduction

Using simple models, we outline the route to the desired objectives and the desired growth, based on a phased, natural growth path. This article is written against the background of a number of experiences with which the reader is probably familiar. First and foremost, it appears to us that the ‘board’ is going to make ever higher demands for demonstrable compliance. That is a logical consequence of the changing legislation and regulations in this area. But the term ‘compliance’ is not really complete if no accepted reference framework is given. Following on from this, we have noted that the board also requires a reference framework in order to be able to communicate externally about the system of control measures and their operation.

Then there is the experience that professionals often report, based on their own assessment, that elements are missing from the system of internal control, without having an objective reference framework. Thus the statement ‘there is a need for a formalised methodology for risk assessment’ is misplaced for the small shopkeeper, but more obvious for a multinational bank. The question, of course, is which system is appropriate for which type of organisation. A further experience is that organisations faced with the need to catch up, for example because of a sudden drastic escalation in external demands for compliance, often aim desperately for the new level without regard for the way to it. This leads to loss of support within the organisation and, at best, the mechanistic implementation of misunderstood procedures. The comparison with the high jumper is easy: if ‘the bar’ started at 1 metre and the new target is 2 metres, it is better to achieve this goal by gradually going up from the ‘1 metre’ situation than to set the bar at 2 metres immediately.

The structure of this article is as follows. Section 2 outlines developments in the concept of risk and control over recent decades. Section 3 goes into the models and growth phases in data security and risk management. Our closing remarks are included in Section 4.

Dr. Abbas Shahim RE

Dr. Abbas Shahim RE is a partner at Atos Consulting where he is in charge of practice in the area of IT risk management. He is also associate professor and director of studies at the Free University and vice chairman of ISACA in the Netherlands.

What is the most appropriate system of data security and risk management for a specific type of organisation and what is the desired objective? We would like to share our baseline requirements with you.


2. Strategy for risk management: developments in the concept

Anyone who does not adequately control the risks associated with operational management in this turbulent and continuously changing market is simply not a serious business partner. It is actually no longer acceptable to approach risk management in the traditional way (i.e. defensive conduct, technical approach) or to regulate it in an ad hoc way. There is a major need for a new approach that applies strategic and structural consideration to risk management and the system for it. This section looks at a model that is applied in practice in order to bring the organisation of information and communication technology (ICT) in line with the corporate objectives, and to bring it up to the desired strategic level gradually and in a measurable way. We consider the thinking behind this approach in the following sections, with the aim of applying it to risk management organisations so that these are structured and managed based on the corporate vision, and set up and strategically managed based on measurable results.

2.1 Focus on risk management

The increasing focus on risk management is a trend that is mainly the consequence of three key aspects.

The first aspect is the continuing growth of ICT whereby this field has evolved into a fully-fledged industry which has now penetrated the core of our information society. On the one hand, the explosive use of this new technology in organisations has led to more efficient implementation of day-to-day activities resulting in a great reliance on it. On the other hand, use of ICT has introduced new risks which must be mitigated by means of various types of measures.

The second aspect concerns customer specifications for (ICT) security. In practice it appears that clients mostly have high, fixed and comprehensive security requirements which, in most cases, are essential preconditions for concluding business-like service contracts. Security has become a knock-out criterion in the selection of providers.

The final aspect relates to the issues surrounding ‘compliance’ as a consequence of the changing legislation and regulations. For this, organisations need to demonstrate with hard evidence that, among other things, they are adequately managing the risks associated with ICT.

The aforementioned developments have resulted in risk management having to develop rapidly and in a refined way in recent years. This evolution has meant that the previously technical and operational image of this crucial subject has now become a strategic issue. It is now the rule rather than the exception for risk management to be on the agenda of senior management, and to be regarded as an important element of operational management. It is therefore necessary that the enhanced strategic image of risk management be defined more closely and given a higher profile. For this, a more modern approach, as set out in Fig. 1, is a requirement to secure the three key factors which together contribute to enhancing the added value of risk management.

Firstly, the aims covered by risk management need to be separated from and subordinated to the business demands and aims. These will be appropriately linked to the vision and objectives of the organisation.

Secondly, risk management should be routinely implemented according to a structured approach. With this model system, clear, achievable milestones can be laid down with the associated stages and interim results.

Finally, indicators should be defined to measure performance and to serve as input for reporting on the results achieved. Using these, risk management can be steered and corrected in a timely way so that the intended goals are pursued in a visible way.

Today, risk management is not just a subject of interest to colleagues but of strategic importance for organisations and therefore requires a renewed approach.

[Fig. 1 (diagram; labels only). Vertical axis: Added strategic value; horizontal axis: Starting point. Elements: Vision & objectives of the organisation; Business requirements and aims; Systematic approach; System; Organisation; Indicators; Measuring performance & reporting; Risk management.]

Fig. 1. A more modern approach to risk management


2.2 Generations of risk management

The evolution of risk management has manifested itself in four generations. As well as rapid technological developments, each generation has focused on a different aspect with intrinsic business value and with specific security problems. When organisations started using computers in the 1960s, the main focus of suppliers was on processing power and functionality. Hardware and software were only accessible to individuals with special privileges. They had access to centralised computer systems which were located in physically secure surroundings. These systems were run using punch cards and produced printouts as a result of this batch processing. The computer systems at that time were expensive and also vulnerable to human error and environmental changes such as temperature. Centralised computer systems were therefore located in an area with restricted access which was only granted to authorised individuals. Security was a simple task as, owing to the processing restrictions and circumstances, it was not possible to gain free access to computer resources. This offered added value to a business which did not make such high demands (Amoroso, 1994). Automation supported operating processes and tried to follow operating processes as closely as possible.

As hardware became smaller and cheaper, and with the rapid development of network technology, in the 1970s and 1980s it became possible to access computer systems remotely, with the result that the primitive physical security measures were inadequate. Batch processing was enhanced by what is known as ‘multi-programming’, whereby computer systems were able to carry out a number of tasks simultaneously. This required controlled access to programs and data stored on computer systems. For this, initially Job Control Language (JCL) was used to prevent unauthorised access to data sets and hard drives. This security measure was adequate until it was made possible for end users to type in their own commands on the terminal linked to the computer system. The arrival of this interactive processing option introduced new security challenges, as the initiated processes competed with each other for resources and processing time. Identification and authentication of end users behind the terminal then attracted most attention. Separating their processes from those of others, protecting their data against unauthorised use and securing communication between the terminal and the computer system also became relevant problems to be fixed by implementing adequate security to offer business value. Operating processes were increasingly modelled around the ICT options.

The exponential use of the Internet in the 1990s led to the large-scale adoption of this medium by organisations, mainly for doing business and communicating with the outside world. Operating processes were set up for Internet use. This way of working required the internal ICT structure to be connected to the non-secure Internet, whereby organisations were confronted with what were then, to some, still unfamiliar risks, including hacking and viruses. It then became clear to organisations that the infrastructure and other key operating properties (e.g. data) needed to be protected in a structured way against risks of various kinds. ICT security thereby attracted the attention of senior managers and found a place on their agenda. Consequently, the use of methods and standards became popular as a routine approach to security. This then resulted primarily in the implementation of the Code voor Informatiebeveiliging (CIB) and Information Technology Infrastructure Library (ITIL) Security Management to meet the demands and requests made by business.

Awareness is now greater than ever that risk management is not only an ICT issue, as was the case in the past generations shown in Fig. 2. This subject has undergone an impressive evolution resulting in a move from technology to business-orientation. This is seen as logical and is actually a movement that is sincerely applauded by many. To most modern organisations, therefore, risk management is regarded as an essential business aspect and is therefore incorporated in processes.

Due to this in some ways revolutionary change, a strategic dimension has been added to the way in which organisations interpret risk management. Risk management has therefore acquired greater significance and has become a fixed element of any go-ahead and risk-aware organisation. This has resulted in the dawn of a new era in which risk management has a clear strategic focus and prioritisation and offers clear added value to the organisation.

This requires a method that offers the chance to take into account the vision and objectives of the organisation, outlines the steps for managing a systematic approach, and offers aids to achieve the intended goal and to display the results achieved. In this way it can be ensured that there is an adequate risk management organisation that supervises the achieving and maintaining of a balanced coordination between business requirements and aims (demand) and the technology in use (supply), and that initiates and monitors any actions required. We have opted for a proven strategic model to shape risk management as a crucial part of today’s progressive organisation, to plan requirements and wishes in a balanced way, and demonstrably to measure the performances achieved and to report at the correct aggregation level.

2.3 Growth model

The high-level transformation of ICT organisations was initially discussed in the late 1980s. This reorganisation and growth included the fundamental reorientation of ICT-related products and services. The aim was to make this innovative technology more adaptable for organisations so that it could meet demands and requests more flexibly in the long term. A model was then used principally to facilitate growth of ICT organisations in an integral and structured way so that the intended strategic level is achieved. Using this growth model it is thereby possible to systematically create a gradual, controlled transformation process. The ICT organisation can thereby be made sufficiently adaptable and be adequately coordinated with the future direction and objectives of the organisation. Each growth phase of the model illustrated in Fig. 3 has its own features, areas of interest and performance indicators, of which the most important are explained in brief.

The first growth phase, technology-driven, symbolises the situation in which users follow business demands and wishes, there is little formal attention to problems and modifications, and management is not affected by the processes. The ICT organisation is interested in the technology and places emphasis on creating and maintaining the data supply. The processes are therefore focused on the technology, with most resources spent on operations and management. The project and service activities are carried out ad hoc and there are no formalised procedures, cost estimates or planning for work. The available aids are not uniformly applied and the defined performance indicators are aimed only at technical performance.

The second growth phase, control, reflects the situation in which the role of the users appears different compared to their role in the previous phase, the technology is under control and there is sufficient focus on aspects of controllability with the aim of efficient production. In this phase users start to make choices instead of passively following. Processes are reasonably controlled and documented, but are not customer-oriented. The ICT organisation is preoccupied with creating efficiency through responsible planning and budget control. Operations and management make optimum use of available resources and focus on process quality using standards. Project processes are replicable and the responsibilities for the service activities are defined, with an internal focus on costs and efficiency among other things. In the control phase, the performance indicators are directed towards the scope of application of norms and standards.

The third growth phase, service-oriented, represents the situation in which users fulfil a more active role, processes are not yet fully client-oriented and the focus is on short time-to-market (internal focus) and on delivering quality products and services, and production achieves a good price/quality ratio. Users do not just make choices, as in the previous growth phase; they also determine the required and desired products and services to be supplied and give tangible form to this. The ICT organisation is well aware of the standard of products and services that it can supply and defines the required performances for the issue. Operations and management offer quality services and are cost-effective processes. Project activities are such that the process can still be implemented in the same way in an emergency situation and there is a basis for optimising it. With regard to service activities, Service Level Agreements (SLAs) are concluded and the services thereby focus more and more on the client. Performance indicators are not yet based on innovation but are mainly focused on processes, whereby services can be measured using the agreed SLAs, on the finances, giving a better understanding of the cost/service ratio per SLA and in the encroachment per service area, and on the client, whereby it can be measured to what extent requirements and wishes are taken into account in the concluded SLAs.

[Fig. 2 (diagram; labels only). Horizontal axis: Generation; vertical axis: Business value. Generations in order: Physical security (ad hoc measures); Focus on authorised access (identification & authentication); Attention to structured method of working (systematic approach); Renewed approach and integration in processes (strategic dimension).]

Fig. 2. Generations of risk management

[Fig. 3 (diagram; labels only). Growth phases in order: Technology-driven (“Guarantee availability”); Control (“Efficient production”); Service-oriented (“Define performance”); Customer-oriented (“Translate customer demands”); Business-oriented (“Proactively contribute”).]

Fig. 3. The growth phases of ICT organisations


The fourth growth phase, client-oriented, denotes the situation in which users play a prominent role, processes are client-oriented and focus on short time-to-market (external focus). Users do not just indicate which products and services are to be offered but have also taken ownership of this. The ICT organisation makes arrangements for the products and services to be provided and is able, through its client-oriented processes, to implement the set requirements and to anticipate the client’s wishes (reactive). The account management process is defined so that a suitable, appropriate contact partner is present to ensure that the end result is in accordance with the client’s expectations and specifications. The project activities are managed in such a way as to achieve a noticeable improvement in quality. Service activities are carried out internally and externally so as to offer maximum ‘value for money’. Performance indicators from the previous growth phase can also be used for this growth phase.

Using this growth model it is thereby possible to systematically create a gradual, controlled transformation process.

The fifth and final growth phase, business-oriented, is the situation in which users occupy a dominant position, primary processes are self-explanatory and optimally set up, and constantly updated. The openness of management and personnel over ‘lessons learned’ and the willingness to apply this accumulated experience is rewarded, and testing with different methods and approaches is encouraged. Users are not just the owner of the ICT products and services, but also dictate developments in the ICT organisation. This organisation proactively delivers added value to the client’s primary process, continuously follows developments in the subject and is able to implement radical changes. Project activities are enhanced by continuously adjusting them. In this phase the focus is on the coordination of the process in contrast to the previous growth phase where attention was mainly focused on optimising products and services. Service-oriented activities are in the nature of a partnership and are proactively directed towards the changing user organisation. Performance indicators for the processes are based on optimum management of any overheads, and the finances focus on the cost/benefits of the ICT organisation. As regards the client, it is measured how this organisation offers support. Blank indicators are also used to monitor the progression of process optimisation.

[Fig. 4 and Fig. 5 (diagrams; labels only). Process model aspects: Vision & objectives; Management & Organisation; Processes; Humans & Culture; ICT infrastructure; Effectiveness of risk management. Plateau planning: Start plateau; Plateau I; Plateau N.]

2.4 Process model

In Fig. 3 the different growth phases are shown with the associated features and points of focus. Using this, ICT organisations are able to determine their current and target positions so that they can achieve the desired growth. Based on the vision and objectives, a route should be mapped which specifies how to pass from one growth phase to the next. The well-known Nolan process model, the cloverleaf model, is used for this purpose and presents the aspects that should be in balance for there to be an effective ICT organisation. The process model is split into two parts: supply and demand. The demand side reflects the processes and their interconnection and emphasises the end users and their dominant culture. In other words, the demand side, also known as the business side, stipulates the demands and wishes that must be met in order to achieve the vision and objectives of the organisation. The supply side relates to the way in which ICT is managed and organised, with special attention to policy, structure, planning, procedures and work instructions. This part also covers the infrastructure on which the actual ICT operations are carried out in order to deliver the required functionality. In other words, the supply side, also known as the ICT side, offers the support required and desired by the demand side in order to facilitate achieving the vision and objectives of the organisation. We have tailored the process model to the risk management organisation and illustrated it in Fig. 4.

A self-assessment is carried out using the process model, the result of which gives a picture of the phase in which the ICT organisation is situated. Taking into consideration the vision and objectives of the organisation, the target phase can be established, after which a route to this desired position should be planned. Plateau plans can be made for this, taking the Nolan process model as a basis and adapting it so as to go through the anticipated growth in a phased, controlled and balanced way. For each transition it must be clear which indicators are to be met in order to reach the next phase. These indicators are distributed across the aspects of the process model, and the plateau planning for each step towards the next phase is based on them. A graphic representation of this starting point is presented in Fig. 5.

Fig. 4. Nolan process model

Fig. 5. Plateau planning model


3. Growth phases in data security and risk management

As already explained, there is a need for a more modern method for the strategic dimension of risk management, with the aim of making data security and risk management more adaptive. Using this new approach it should be possible to take the organisation’s vision and objectives as a starting point, apply a systematic approach, set the desired goals in a phased and controlled way and demonstrate the performances achieved. In our view the growth model and the process model can adequately meet these requirements.

Risk management organisations may be in various growth phases and aspiring to the required change in order to achieve the intended goals. This growing transformation requires a tool that balances supply and demand. The process model is adequate for achieving the required aspects for the desired balance and serves as a basis for gradually and systematically achieving the required and desired growth.

3.1 Growth model

The growth model is based on the ‘thinking in growth phases’ principle, with the associated features, focus areas and performance indicators. Depending on the type of organisation and its vision and objectives, the model can also provide a better view of the most suitable system for data security. In our opinion, using the growth model, organisations can assess the current quality of the package of control measures and activities, and whether this package is adequate, inadequate or perhaps excessive for the type of organisation. In addition, the model also shows what the next step may be towards achieving the level of ambition, if this has not yet been achieved. We would stress that the level of ambition must be appropriate to the organisation. Specifically, this means that the aim is not the maximum growth phase but the phase that is best suited to the organisation. Fig. 6 shows a number of features and points for consideration for the various growth phases, together with the type of associated performance indicators. These aspects apply to data security and are explained in more detail below.

3.1.1 Technology-driven

In this phase, data security is controlled based on incidents. If something goes wrong, repair work is carried out. Whether a structural improvement takes place depends on the individual professionalism of those following up the incident, often those who have been most affected by it. There are ad hoc actions and ‘what happened is just a glitch’.

This phase is suitable for organisations that approach information and ICT from a technical perspective and manage these key elements in an informal way. The key security measures are creating a back-up and dealing with security incidents, and the performance indicators are of a technical nature.

3.1.2 Control

In this phase there is at least a basic level of data security. This basic level may be accepted based on an external standard, such as the Dutch Data Security Code (Code voor Informatiebeveiliging), or based on ‘gut instinct’. The vision of the organisation is that the importance of data and ICT is such that there must be basic security, in line with what is customary for this type of organisation. The motto is ‘following in the steps’ of others. Security is not so much systematic as measure-driven. There is no basis for action per se other than that the collection of measures observes ‘good practice’. This collection of measures is controlled: the organisation checks the on-going implementation of the measures at given times. The quality of the implemented measures is predictable.

This phase is suitable for (parts of) organisations for which information and ICT are under control and play a general supportive role to the primary operating processes. It is not at the heart of the organisation, but appropriate care based on norms and standards is desirable, on which the performance indicators are based. The use of data and ICT is reasonably uniform: no major risks should occur.

Note that this phase is also very suitable for situations in which organisations share data or ICT resources with each other, for example in a collaborative arrangement. Thus almost all multinationals have defined a basic level of security for data and the ICT infrastructure which the various units within the organisation share with each other.

3.1.3 Service-oriented

The service-oriented phase is the first phase in which risk analysis plays a real part. There is an awareness of the risks to one’s own organisation associated with services or products. The risks are not specific to the purchaser of the services or products but are generic and/or are concentrated on the provider organisation. An example is an email service provider. The general risks that this provider must confront (otherwise it is out of business) relate to continuity and availability of the service. For some years now, virus detection has been added, but more as a service to the client than as a recognised risk.

This phase is suitable for organisations that provide a general service with associated services for which an SLA is concluded. General ICT service providers, telecom providers and other providers of general infrastructure belong to this phase.

3.1.4 Customer-oriented

In this phase risk management is specifically tailored to users of the services, who are regarded as the prominent client for whom a fixed contact is appropriate. In addition, risk management is organised for the benefit of the client and the effectiveness of the operation of the security measures is made transparent to the client. The client knows in advance what the client-related risks are and formally registers these. This registration normally takes place in the form of a security agreement. The client demands to be informed by its contact about compliance with the arrangements made and about the agreed specific performance indicators. ‘Separation of duties’ and the separation of technical and regulatory duties are an integral part of this.

Organisations with a higher than average risk belong in this phase. Examples are certain parts of the administration and organisations with a social role and significance, organisations that have external liability and organisations with major financial interests. Service providers to this type of organisation also fit in this phase. Note that these service providers are willing to offer the service tailored to the client’s risk.

To expand the example of the previous phase: a provider of email services should not just manage the general risks but should also conduct an analysis, based on the concluded security agreement, of the client’s use of the email service. If, say, stock orders are placed by email, there are then relevant risks concerning the identity of the sender of the email, the confidentiality and integrity of the content, prompt delivery, etc. This provider should also offer the associated security services and make the operation of these services transparent.

3.1.5 Business-oriented

In this phase risk management is aimed at added value and confidence in the entire sector, chain or part of the company. There is talk of consistency and ‘governance’. The conduct of the organisation is proactive, predictable and transparent, such that trust in continuity is guaranteed. The framework of standards for this is mostly specifically developed, or is often laid down in external, public standards or in legislation and regulations. Compliance with this framework of standards is organised within the sector. There is often an external regulator.

Naturally, banks and insurers belong in this phase. Regulation here is carried out by De Nederlandsche Bank (DNB) under the Financial Supervision Act (Wet op het financieel toezicht - Wft). Listed companies are also expected to be in this phase. The Code Tabaksblat (Dutch corporate governance code) relating to sound business management, the Sarbanes-Oxley (SOx) legislation and regulation by the Financial Markets Authority (FMA) are decisive here.

Fig. 6. Application of the growth phases to data security

“The objectives must be appropriate to the organisation and do not need to be top level per se”

Fig. 6 labels (phase mottos, in the order shown): “Chain management”, “Demonstrate compliance”, “Risk analysis”, “Baseline”, “Incident-driven”.

Fig. 6 content (growth phases with their focus and performance indicators):

Business-oriented: Risk management is aimed at chains. Compliance is in accordance with legislation and regulations. Performance indicators focus on governance.

Client-oriented: The client recognises risks. Risk management and compliance are client-specific. Performance indicators are tailored to the client-specific service and security agreement.

Service-oriented: Which risks pertain to the service. Risk management is generic and is directed at the provider. Performance indicators focus on general service and the SLA.

Control: There must be a basic level. Do what is normal; keep in step with others. Risk management is focused on measures. Performance indicators are based on norms and standards.

Technology-driven: Non-formalised and technical management of ICT. Risk management is focused on dealing with incidents and providing good back-ups. Performance indicators focus on technology.


3.2 Process model

The Nolan process model is based on the balanced-thinking principle, which means that the organisation of risk management should take into account the aspects that influence the balance between supply and demand. Depending on where the risk management organisation is and where it wishes to go, plateau plans can be created that follow a natural growth path to achieve this objective. We present a simple approach for this comprising four stages, which are briefly described below:

Stage 1: Objectives. The aim of this stage is to determine the goal. The required and desired objectives (i.e. technology-driven, controlled, service-oriented, client-oriented or business-oriented) are analysed, delimited, defined and recorded at this stage. To do this, interviews are conducted with senior managers, the Chief Information Officer (CIO) and the Chief Security Officer (CSO) with the aid of questionnaires.

Stage 2: Baseline measurement. The aim of this stage is to determine the starting point, to plan the route to the goal and to document this. Here, the gap between the current situation and the objectives is defined and laid down. To do this, interviews are held with the CIO, the CSO, business representatives and technical personnel. Questionnaires based on the process model are used for these sessions.

Stage 3: Interim measurement. The aim of this stage is to analyse progress. Progress in implementing the measures taken to achieve the objectives is analysed and documented. The relevant activities are based on the results of the baseline measurement, with discussions held with the CIO, the CSO, business representatives and technical personnel.

Stage 4: Final measurement. The aim of this stage is to indicate whether the intended goal has been achieved and/or whether any remaining risks are acceptable. Based on the results from the preceding stages, the interviews required for the final measurement are conducted with senior managers, the CIO and the CSO, and the outcome is recorded and distributed.

Use of this approach may encourage a dialogue between the different levels of the organisation. This means that the senior managers responsible for risk management, together with the other interested parties, must jointly determine the desired and achievable objective and work towards it together. On the one hand this secures sponsorship, and on the other the involvement of the desired levels of the organisation. Defining risk management strategically thus becomes a shared goal. Fig. 7 provides a graphic illustration of this approach. In this illustration it is assumed that the result of Stage 1 (objectives) is the business-oriented phase and the result of Stage 2 (baseline measurement) is the controlled phase. Based on these assumptions, the planned route to the desired goal and the scope of Stage 3 (interim measurement) are specified. It is also assumed that the intended goal is achieved (Stage 4) and that any remaining risks are acceptable.

Fig. 7. Approach for transforming risk management organisations

For clarification, we briefly explain the aspects of the process model for risk management organisations in the controlled and business-oriented phases respectively. A number of features from each phase are clarified, giving a better picture of the balanced approach to the system of risk management.

3.2.1 Control

There is a security manual that contains at least the policy and a basic level for security. The organisation has introduced a basic level of security. The measures are based on external standards and tailored to the organisation. The measures are not selected based on any analysis of what is required but on good practices in the market, combined with an instinct for whether a measure is appropriate to the organisation or not: a simple form of risk analysis at the level of individual measures. The organisation wants to keep in step with similar companies in the market. The organisation has a clear view of the implementation of this basic level because an audit is also conducted at this basic level. Any deviations are systematically corrected.

Management & organisation: Ultimate responsibility for data security rests with ICT or the information security manager. The other responsibilities of staff departments and the operational departments are also specified. There is a form of organisation in which activities are coordinated, e.g. a project or implementation group.

ICT infrastructure: External links are controlled; for example, there are firewalls. Identification and authentication for access to the network, platforms and applications always takes place. Logical access security and authorisation control are set up based on line management control.

Humans & culture: The human factor is not forgotten. Regular campaigns take place to promote awareness among personnel of threats to data and ICT (security awareness). There are also rules of conduct, e.g. for handling email, Internet use and other services provided.

Processes: The process of data security, or Information Security Management System (ISMS), is outlined and implemented. It is the starting point for day-to-day activities. Audits take place and there is the option of certification. The basic level is referred to in communication with partners, clients and suppliers. Because it is based on a public standard, the stakeholders know what to expect overall. Additional assurance can be offered, as stated, through certification or through a Third Party Audit (TPA). Within the organisation joint processes are defined for, at least, incident management, authorisation control and continuity. The organisation is aware of general statutory requirements relating to, for example, privacy, computer crime and intellectual property rights.

3.2.2 Business-oriented

There are legislation and regulations specific to the sector which are aimed at protecting the stability of the sector as a whole, including the interests of chain partners and those of consumers. There is a governance system set up to ensure continued compliance, or the reporting of non-compliance.

Management & organisation: There is an external regulator. Governance is organised within the sector. Participating organisations require a license from the regulator. It is compulsory for companies within the sector to take part in the governance process. The organisational form provides for periodic accountability to this regulator as well as compulsory reporting of specific incidents and disasters. Key officers are made known to the regulator, and their personal integrity is examined. Regulation is carried out based on ‘comply and explain’ (demonstrable compliance). The compliance structure provides for all officers to be held accountable for their control over internal control measures, which must take compliance into account in their design and effect.

The responsibility of senior management includes reporting on management supervision of risk management, including accountability for actions to natural persons, and the policy and control for risk management. Senior management is responsible for, and confirms externally, that it has approved the risk management process and is informed of its effective implementation. The responsibilities of senior management also include external reporting on the on-going control of the risks of outsourcing and third-party interests.

ICT infrastructure: The senior management of the organisation reports, backed by audit results and internal control declarations, on the policy and guidelines as well as the scope of implementation with regard to authentication, non-repudiation, integrity, division of duties, audit trails and confidentiality of specific information. The security architecture allows for a transparent translation of the functional requirements into a technical implementation, including the associated control processes. Classification is carried out in the ICT infrastructure.

Humans & culture: Personnel may also be asked explicitly to declare that they comply with specific codes of conduct. An example is that personnel are not permitted to hold any stake in clients of the organisation. Adequate information is issued to clients. The responsibilities of the organisation and of the consumers are made explicit.

Processes: There is a transparent internal governance process that is aimed at on-going, demonstrable compliance with the legislation and regulations of the external regulator. There is a joint governance process within the sector in which the compliance of all players is relevant, e.g. because of public confidence in the sector. Compliance management is integral to the relevant processes; the aspects of compliance can be controlled. The managers of the company processes are accountable to senior management by means of an ‘In Control’ statement or some other management declaration. Risk management is also aimed at risks in respect of the whole sector and the social interest. Public confidence and politics are examples of risks that may be taken on board. Authorisation control is set up in accordance with external legislation and regulations. Division of duties is integrated in authorisation control; there is an authorisation desk and maintenance of authorisations. Senior management endorses and accepts responsibility for an effective system of continuity management (capacity management, business continuity and contingency planning). There are periodic ‘walk-throughs’ and ‘emergency drills’, if necessary with the chain partners. If the sector is closely interconnected or has become concentrated in one place, sector-wide continuity exercises also take place. With regard to incident management too, senior management confirms that it has set up effective incident management and accepts responsibility for the operation of this process.

There is a structure for external and internal auditing that allows all relevant audit items to be periodically covered based on the external and internal framework of standards. An audit of the chain is also organised. Chain partners have their own audits conducted. The external regulator has issued regulations, and the organisation demonstrates compliance with these. There is awareness of other legislation and regulations for the sector. Senior management accepts and also confirms which specific legislation and regulations are recognised.

[Fig. 7 labels: phases Business-oriented, Customer-oriented, Service-oriented, Control, Technology-driven, with mottos “Chain management”, “Demonstrate compliance”, “Risk analysis”, “Baseline”, “Incident-driven”; route markers Starting point, Route planning, Progress analysis, Destination, Destination reached]

4. Closing remarks

For some time now, risk management has not focused only on identifying and analysing technical risks, and it is no longer a specialist subject for a few colleagues. Risk management has now become an important part of day-to-day operations and enjoys the attention of senior management of organisations in different sectors. The high standards of legislation and regulation and of this dynamic market, together with the continued growth of ICT, have meant that the traditional approach to risk management is no longer adequate. A new method is required that takes into account the business vision of the organisation, encourages a systematic approach and makes the performance achieved measurable. This approach is really necessary in order to continue living up to the strategic image that risk management has now gained. For this purpose, in this article we have used standard models and growth phases from the ICT industry with the aim of bringing risk management organisations up to the required strategic level. To do this, we have combined the theoretical knowledge of the models and phases with our own practical experience. We thereby hope to make a contribution to positioning risk management in organisations so that its added strategic value becomes and remains more obvious.


About Atos

Atos is an international information technology services company with annual 2011 pro forma revenue of EUR 8.5 billion and 74,000 employees in 48 countries. Serving a global client base, it delivers hi-tech transactional services, consulting and technology services, systems integration and managed services. With its deep technology expertise and industry knowledge, it works with clients across the following market sectors: Manufacturing, Retail, Services; Public, Health & Transports; Financial Services; Telecoms, Media & Technology; Energy & Utilities.

Atos is focused on business technology that powers progress and helps organizations to create their firm of the future. It is the Worldwide Information Technology Partner for the Olympic and Paralympic Games and is quoted on the Paris Eurolist Market. Atos operates under the brands Atos, Atos Consulting & Technology Services, Atos Worldline and Atos Worldgrid. For more information, visit: atos.net

For more information: Please contact [email protected]

atos.net

Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud, Atos Healthcare (in the UK) and Atos Worldgrid are registered trademarks of Atos SA. April 2012 © 2012 Atos.