Information Risk Management
A friend recently asked me to describe in three words what Castlebridge Associates does. After a nanosecond of pondering I said that what we do is help manage Information Risk, and how we do it is by helping people think differently about information in their organisations.
Warming to my theme, I went on to develop the thought a little further to illustrate how this idea of “Information Risk” embraces the three focus areas of Castlebridge Associates, as well as touching on the technical aspects of Information Security. I’d like to share some of those thoughts here.
Information Quality Management is, ultimately, focussed on managing the risk of operational failure, and of the avoidable cost of operational delays or rework, arising from defects in the information assets that are used to achieve the organisation’s objectives. It is central to the management of operational risk (see this reference here).
- You need good quality information to assess the probability and impact of risks
- You need to understand the information value chain in the organisation to correctly assess the impact of data quality risks on the operational success of an organisation
- You need to manage the quality of information just like any other raw material in an organisation, to ensure that the final product meets expectations, that avoidable risks in production and consumption are eliminated, and that “black swan” accidents can be learned from.
- Applying statistical quality control techniques and practices to managing information can help ‘de-risk’ the life cycle of information in your organisation.
However, it is also important to bear in mind that the Risk Management aspect (the operational impact, the operational costs etc.) is the key driver of the answer to the “So What?” question when trying to get executive sponsorship and buy-in for an Information Quality initiative in your organisation.
As with any Regulatory Compliance driver, the key driving factor with Data Protection compliance is to manage and mitigate the risk of, at a minimum, a breach of statutory duties relating to how you obtain, process, store, distribute, and dispose of personal data about living people. At its broadest, Data Protection compliance is about managing the risk that you are infringing on the privacy rights of an individual through your use of data about them. There is a subtle difference between Data Protection Compliance and Data Privacy Rights, but that is a subject for another day.
Data Protection compliance is about understanding what things might happen that will put you at risk of breaching legal controls on the use and application of data, and also understanding and managing the risk of brand damage or ‘soft impact’ arising from the way you implement and control your use of data. Of course, the way to manage this is by thinking of Data Protection as yet another perspective on the Global Quality System for Information. It is no coincidence that the Data Privacy community worldwide is embracing the ideas of “Privacy by Design” and “Data Protection by Design”. This is the same as telling an Information Quality person that you need to design quality into a system, because you can’t inspect it in.
Deming had been saying that since the 1950s.
Data Governance is the glue that holds things together and helps organisations manage their Information Risk, understand the Information Value at Risk, and ensure that the appropriate actions are being taken to manage and mitigate that risk, through the implementation of clear decision rights, roles and responsibilities, and the definition and management of a vision for well-behaved data.
You can’t tame risk without putting in place controls that are both detective and preventative. If your approach to managing risk is purely to react to it… you aren’t managing risk, you are managing crisis. Once you start putting in place controls, writing down principles and procedures, and documenting decision rights and accountabilities, you are beginning to look a lot like someone doing Governance. And that governance is over your information.
Of course there must be a recognition of the risk arising from poor quality information in the first place, hence the relationship to Risk Management. Often this recognition comes from a Regulator or government saying “That is a Risk… you must manage it”. Examples of this are Basel II, Solvency II, and Data Protection regulations. And at the heart of good Data Governance is a key vision and mission of ensuring that bad things don’t happen to good people because of bad data created through defective processes and broken thinking.
Castlebridge Associates doesn’t do the technical aspects of information security. There are people out there far better than us at it, to whom we refer people and to whose judgment and advice we defer. In my view it’s too easy to call yourself an Information Security expert. We do look at the data governance aspects of information security in the context of data protection compliance… we try to help secure the human by changing thinking.
However, Information Security is very much about managing the risk to Information in organisations, in the same way as engineers in manufacturing organisations help design better production lines that reduce the risk of catastrophic failures, or architects might be asked to design buildings with a focus on physical security risks. Information Security professionals help organisations manage Information Risk by making sure that systems are designed with the appropriate padlocks and controls to limit the risk of unauthorised entry, in the same way as a building would be built with secure doors and swipe-card locks. In Castlebridge Associates we try to help ensure that the people in the organisation don’t do the technical equivalent of leaving a secure door propped open with a fire extinguisher (something I’ve actually seen happen).
Securing information helps ensure the quality of the information and the reliability of the decisions taken with that information, because it helps mitigate the Information Risk that the data could be altered without authority, stolen, or held hostage. Information Security requires appropriate Data Governance to be in place to ensure that everyone knows what to do to stop a bad thing from happening, or to respond to the bad thing when it happens. The Governance needs to include detective and preventative controls, not just reactive crisis handling.
And Data Protection and Privacy require a focus on Information Security – because that is the law.
Information is an asset to the organisation only if the various risks to the asset, from the asset, and as a result of the asset are recognised and managed. Whether it is the risk to the organisation’s bottom line from incorrect, inaccurate, incomplete, or just plain crappy data and poor-quality data design, or the risk to the organisation of having no one in charge and leading the focus on managing information as an asset, or the risks from playing fast and loose with data about people, or the risks that arise simply from having an asset that is of value, it is all about the Information Risk.
What we do: We help manage Information Risk
How we do it: We help change how people think about Information in Organisations
Why we do it: Because unmanaged risks are a danger to the individual, the organisation, and to society.