My near-philosophical musings about the world in general, its problems, and possible ways out.


No risk no business

Just recently the Gartner Group reported shrinking IT security budgets, by 3 to 6%. Only Identity Management is an exception. Identity Management, or, to be a bit more specific, Identity & Access Management (IAM): is that part of IT security? Hmmm ...

Maybe the IT security budgets were already inflated? Gartner further writes that, on the other hand, the threats to IT security have increased. But do rising threats alone amount to a satisfactory justification? Well, not really.

No risk, no fun, we used to reply to our parents when they warned us about the dangers of life. No risk, no business is how we could translate this into the economic sphere. It is true that we can only have total online security if we cut all lines to the cruel outside world. And if we followed the advice of the IT security professionals in our own companies, we might as well shut down our business.

But is there a right measure? There must be an adequate response to IT security threats, right? But how do we find it?

Well, the answer is simple, but the advice is not as easy to follow: IT security measures can only be argued to be adequate if they are defined and implemented on top of a functioning operational risk management (OpsRisk).

This is not an easy task. That is what we can conclude from observing market sectors where (some kind of) risk management is mandatory, e.g. banking or insurance. Take the compelling suggestions of the Basel II accord to introduce sound management for credit risk, market risk and, if there is still time and capacity, the third of the three risk types it covers: OpsRisk. Or the insurance sector: risk management is the very heart of the insurance business. This is true for the probability of damage (= risk) to the insured objects such as cars, houses or living human bodies. But when it comes to OpsRisk, most of them find themselves barely covered. Why?

  1. First, risks are tied to a stochastic view of the world, rather uncommon for most of us, even the few mathematicians among us.

  2. Second, operational risk, as implied by its very name, refers to all operations performed in our day-to-day business, I dare say often unconsciously. And those are quite a lot.

  3. Third, OpsRisk is a very basic discipline at the very base of the corporate pyramid. It is hard work, touches a running business (which you should never touch) and doesn't deliver quick wins.

But once we have established an OpsRisk Management function, made it run and, finally, deliver; once we have built a loss database covering all classes of damage that looks sufficiently far back into the past; once we have customized our risk model so that it hopefully goes beyond the common VaR approach and also covers the "fat tail" of rare but very large damages; and once the business even understands the signals emitted by those esoteric risk people: well, then we finally have a valid basis to justify risk mitigation. And IT security measures are just a part of it.
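The paragraph above names the two ingredients a practitioner would want to see in numbers: a loss history that reaches back far enough, and a risk measure that does not stop at VaR. The following Python script is an added example and not code from the original post; the loss figures are constructed (hypothetical annual operational losses, the last of them rare and very large), and the function names and the hypothetical control in the justification test are my own. It computes the expected annual loss, a VaR under a normal (thin-tailed) assumption, the empirical nearest-rank VaR and the expected shortfall, once on the full history and once on a history that is too short to contain the rare loss, and then applies a crude cost-versus-avoided-loss test to a hypothetical mitigation.

```python
"""Empirical VaR versus expected shortfall on a fat-tailed loss history.

Added example, not code from the original post. All figures are
constructed (thousand currency units per year).
"""
from statistics import mean, pstdev

# Constructed loss history (hypothetical): 19 ordinary years and one rare
# catastrophic year. A database that does not look far enough back would
# simply not contain the last entry.
LOSSES = [5, 8, 12, 3, 7, 15, 9, 4, 6, 11, 10, 2, 13, 14, 1, 16, 17, 18, 19, 1000]

# One-sided standard-normal quantiles for the confidence levels used below.
Z_SCORES = {90: 1.282, 95: 1.645, 99: 2.326}


def _tail_count(n: int, confidence_pct: int) -> int:
    """Number of observations forming the worst (100 - confidence_pct)% of n.

    Integer arithmetic avoids floating-point surprises such as
    0.95 * 20 not being exactly 19. The tail always holds at least one
    observation and must be smaller than the whole sample.
    """
    if not 0 < confidence_pct < 100:
        raise ValueError("confidence_pct must be between 1 and 99")
    m = n - (n * confidence_pct) // 100
    if m >= n:
        raise ValueError("too few observations for this confidence level")
    return m


def empirical_var(losses, confidence_pct: int) -> float:
    """Nearest-rank VaR: the loss exceeded only by the worst tail observations."""
    s = sorted(losses)
    m = _tail_count(len(s), confidence_pct)
    return s[len(s) - m - 1]


def expected_shortfall(losses, confidence_pct: int) -> float:
    """Mean of the worst tail observations, i.e. the part VaR says nothing about."""
    s = sorted(losses)
    m = _tail_count(len(s), confidence_pct)
    return mean(s[len(s) - m:])


def normal_var(losses, confidence_pct: int) -> float:
    """VaR under a normal, thin-tailed assumption: mean + z * sigma."""
    return mean(losses) + Z_SCORES[confidence_pct] * pstdev(losses)


def expected_annual_loss(losses) -> float:
    """The figure a mitigation budget is ultimately weighed against."""
    return mean(losses)


def mitigation_justified(losses, annual_cost: float, loss_reduction: float) -> bool:
    """Crude justification test for a hypothetical control: is the expected
    loss it avoids (fraction loss_reduction of the expected annual loss)
    larger than what it costs per year?"""
    return expected_annual_loss(losses) * loss_reduction > annual_cost


def risk_report(losses, confidence_pct: int = 95) -> dict:
    """Collect the measures a risk function would hand to the business."""
    return {
        "expected_annual_loss": expected_annual_loss(losses),
        "normal_var": normal_var(losses, confidence_pct),
        "empirical_var": empirical_var(losses, confidence_pct),
        "expected_shortfall": expected_shortfall(losses, confidence_pct),
        "worst_observed": max(losses),
    }


if __name__ == "__main__":
    full = risk_report(LOSSES)
    short = risk_report(LOSSES[:-1])  # same history, but too short to hold the big loss
    for name, report in (("full history", full), ("history without the rare loss", short)):
        print(name)
        for key, value in report.items():
            print(f"  {key:>22}: {value:>10.1f}")
    # Hypothetical control: costs 20 per year, halves the losses.
    print("control justified on full history:", mitigation_justified(LOSSES, 20, 0.5))
    print("control justified on short history:", mitigation_justified(LOSSES[:-1], 20, 0.5))
```

On the full history the 95% empirical VaR is 19 while the expected shortfall is 1000: the one-in-twenty event is exactly what VaR does not report, and the normal-assumption VaR (about 415) matches neither figure. On the truncated history the normal and empirical VaR agree (about 19 versus 18), the expected annual loss drops from 59.5 to 10, and the same control is no longer justified by the numbers, which is the point about a loss database that looks far enough back.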

Are IAM investments then covered by this justification as well? Good question. But this post is already too long, so stay tuned and look out for my next post.
