Mindsets, Techniques & Tools. My friend, Muthukumar U and I had a long phone conversation on the 14th. Muthukumar is a risk analyst for HSBC Bank Middle East (he works in the Sharjah, UAE offices). Our conversation was interleaved with catching up on personal stuff, a project he and I were working on with Thinking Minds, Inc. for Bank of Baroda (India), and some of the challenges that Muthukumar was facing as a risk analyst. Naturally, risk was a recurring topic throughout the conversation. After we hung up I began thinking about risk management and how it relates to our profession.
As IT professionals, there are four core skills that we are all required to master:
- Project management
- Analysis and assessment
- Measurement and metrics
- Security
Risk management is an integral element of each, and as IT professionals this element needs to be an integral part of our mindset.
Risk Management Mindset. Risk management is one of the key processes in project management, which is evidenced by the fact that it's a project management knowledge area with six associated processes in PMI's Project Management Body of Knowledge (PMBOK). This is the US national standard for project management.
If you're using the UK standard for project management called PRINCE2, then you already understand the importance of risk management because it permeates the processes, with a requirement to be included in project start-up, initiation, and stage boundary management, as well as a key activity throughout PRINCE2's directing a project process.
In our analyses and assessments we would be remiss if we didn't factor in risk. For example, we need to constantly ask questions like:
- What is the probability of occurrence (or non-occurrence) of an event and what is the impact?
- What are the dependencies between and among systems, processes or other subjects of analysis and assessment?
- What are the risks of being wrong in an assessment?
- How confident are we in our findings, and how can we mitigate uncertainties in our findings?
Measurements and metrics are the foundation of quality. Quality is a key factor in both applications and service delivery. It's also a PMBOK project management knowledge area as well as a foundation of PRINCE2, which focuses attention on quality of deliverables.
Uncertainty manifests itself in measurements and metrics, especially when we need to define the scope of what we're measuring or of the metrics we're collecting. Dealing with this uncertainty (risks) in measurements and metrics requires a good understanding of basic probability and statistics. This is especially true if you're working with or for a company that employs TQM or is at or above CMM level 3.
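The questions listed above (probability of occurrence, impact, dependencies between systems, and confidence in the findings) and the point about basic probability and statistics can be put to work in a small quantitative risk estimate. The following is an added example written for this page, not code from the original post or from any of the resources it cites; the three risk items, their probabilities and impact ranges are constructed, and the rule that an upstream event triggers a dependent one with a fixed probability is an assumed simplification. It computes the naive expected loss (probability times impact) and then a Monte Carlo distribution of annual loss, whose percentiles express how confident we can be in the figure.

```python
"""Quantitative risk estimate: probability of occurrence, impact,
dependencies between systems, and a confidence bound on the result.
Constructed illustration; the risk items and all numbers are made up,
and the dependency rule is an assumed simplification."""
import random
import statistics

# Constructed risk register. Each entry: annual probability of occurrence,
# impact range (low, high) in dollars, and the upstream risks it depends on.
RISKS = {
    "db_outage": {"p": 0.10, "impact": (20_000, 80_000), "depends_on": []},
    "app_outage": {"p": 0.05, "impact": (10_000, 40_000), "depends_on": ["db_outage"]},
    "backup_failure": {"p": 0.02, "impact": (50_000, 200_000), "depends_on": ["db_outage"]},
}

# Assumed: when an upstream risk occurs, a dependent risk is additionally
# triggered with this probability, on top of its own baseline probability.
DEPENDENCY_TRIGGER = 0.6


def expected_loss(risk):
    """Single-point estimate: probability times midpoint of the impact range."""
    lo, hi = risk["impact"]
    return risk["p"] * (lo + hi) / 2


def independent_expected_loss(risks):
    """Naive total that ignores dependencies between risks."""
    return sum(expected_loss(r) for r in risks.values())


def topo_order(risks):
    """Order risks so every item comes after the risks it depends on."""
    order, remaining = [], dict(risks)
    while remaining:
        ready = sorted(n for n, r in remaining.items()
                       if all(d in order for d in r["depends_on"]))
        if not ready:
            raise ValueError("cyclic dependency in risk register")
        for n in ready:
            order.append(n)
            del remaining[n]
    return order


def simulate_year(risks, order, rng):
    """One simulated year: decide which risks occur and sum their impacts."""
    occurred, total = set(), 0.0
    for name in order:
        r = risks[name]
        p = r["p"]
        if any(d in occurred for d in r["depends_on"]):
            # Baseline probability combined with the dependency trigger.
            p = 1 - (1 - p) * (1 - DEPENDENCY_TRIGGER)
        if rng.random() < p:
            occurred.add(name)
            lo, hi = r["impact"]
            total += rng.uniform(lo, hi)
    return total


def monte_carlo(risks, trials=20_000, seed=1):
    """Distribution of annual loss; percentiles state how confident we are."""
    rng = random.Random(seed)
    order = topo_order(risks)
    losses = sorted(simulate_year(risks, order, rng) for _ in range(trials))

    def pct(q):
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return {"mean": statistics.fmean(losses),
            "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}


if __name__ == "__main__":
    print("independent expected loss:", independent_expected_loss(RISKS))
    for k, v in monte_carlo(RISKS).items():
        print(f"{k}: {v:,.0f}")
```

Running it shows the point of the dependency question: the simulated mean loss is roughly double the naive sum of independent expected losses, because a database outage raises the probability of the two risks that depend on it, and the median year has no loss at all while the 90th and 95th percentiles are well above the mean. That spread, not the single expected-loss number, is what a risk analyst should report as the confidence in the finding.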
Attaining an effective security posture requires that security be everyone's business. The foundation is awareness. At the risk of sounding Zen-like, awareness encompasses risk concepts - if you think in terms of risk you'll be enlightened.
If you ponder the core skills and common tasks, you'll see they're interrelated. Try to imagine project management without analysis and assessment. How can analysis and assessment tasks be accomplished without measurements and metrics? And can you conceive of an effective security posture that does not include analysis and assessment?
From the above discussion, another skill that is directly related to risk management emerges: auditing. In fact, as you delve into risk management you keep bumping into auditing. Moreover, auditing in some form is an element of each of the four core skills. I view auditing as a task element rather than a core skill for IT professionals. This does not diminish the important role of IT auditors and their profession. Instead, it underscores their importance as professionals, and also recognizes that risk management cannot stand by itself without auditing. Nor can the four core skills I cited.
Techniques. Which came first, auditing or risk management? Instead of pondering that question I am going to recommend a resource on the integration of auditing and risk from an auditor's perspective: Activity Based Risk Evaluation Model of Auditing. This is a powerful framework and one that adds structure and clarity to auditing. If you add this to your knowledge and skill sets you'll find it will enhance your abilities in each of the four core skills.
Another resource for professional auditors, but useful for IT professionals in general, is Risk Management: Defining a New Paradigm for Internal Auditors. An article that specifically addresses the integration of risk management and auditing is Changing the Paradigm (integrating risk management and internal auditing).
IT-specific auditing resources include:
Tools. One of the most useful tools for implementing a process is an example. The Treasury Board of Canada has an Integrated Risk Management Framework in MS Word format that can be adapted to meet your organization's requirements and will kickstart a risk management process implementation.
As you become more familiar with IT auditing as an element of risk management, you're going to begin seeing the term COSO crop up. The term stands for Committee of Sponsoring Organizations. The sponsoring organizations are: the American Institute of Certified Public Accountants, the Institute of Internal Auditors, the American Accounting Association, the Institute of Management Accountants, and the Financial Executives Institute.
In practice, however, COSO is commonly used to refer to Internal Control - An Integrated Framework. The best way to understand the significance of COSO is to see how it's used by real organizations. The University of Texas System Institutional Compliance Program, described in a set of PowerPoint and Word documents covering that institution's use of COSO, is a valuable example.
How COSO applies to IT is illustrated in Network Auditing: A Control Assessment Approach by Gordon E. Smith. A glimpse into how that book uses COSO as a foundation can be seen in an article by Mr. Smith titled Securing the Internet for 2002.
Another book that is more focused on risk management, but has the same general theme, is Information Security Risk Analysis by Thomas R. Peltier. Linda reviewed this book on Amazon on 25 September 2001, and I reviewed it on 22 April 2001.
If your statistics are a bit rusty you can get up-to-speed on the basics with Statistical Sampling Refresher. If your interests are project risk related tools and techniques, my special project management page and my [now defunct] project management newsletter are sources of information.
A compelling example of why auditing is important to IT is the SF Gate article, Risky Business: Tangling with the Business Software Alliance. This exercise in fear, uncertainty and doubt will get your attention if you're in management. An exercise for those of you who use MS IE5 or above will show in practical ways how risk and auditing go together.
Late Note: 18:00 US Pacific time 15 February - I just posted related material, with an emphasis on software quality, in our Notes from the Field weblog.