In 1654, when people hand-wrote letters instead of subscribing to e-mail list services, Blaise Pascal and Pierre de Fermat exchanged missives that established the basic principles of probability and ushered in the notion of risk management. Pascal's motive was to gain an edge in gambling, but he unwittingly helped improve a CIO's odds at venturing into new operations, such as e-commerce, as much as lending a hand to a chief financial officer's investments.
Risk management is a venerable tool in finance. Bankers have long used risk-management techniques to determine whether you're creditworthy of a home or business loan. One of the most basic tenets in taking risk for a bank is to assure that the officers who sell loans aren't the same ones who approve credit. And they're rewarded accordingly: loan officers for loans approved, credit officers for sound loans.
"Historically, when financial institutions thought about risk, they focused on credit risk," says Bob Kafafian, chief advisory officer at Lancaster, Pa.-based Hopper, Soliday, an investment banking and brokerage division of Tucker Anthony Inc. in Boston. But that has changed dramatically, he says. Risk is understood to be everywhere in business, finance, information technology and just getting out of bed in the morning.
"We live with an uncertain future," says Randy Payant, vice president and director of research at the IPS-Sendero Institute in Scottsdale, Ariz. "The difference between uncertainty and risk is that you can quantify the impact of risk but not uncertainty."
Complexity of Risk
The complexity and pervasiveness of risk make it critical for executives to be aware of it and to have ways to identify and control it. For example, Kafafian says, banks need risk-conscious executives managing more than a loan portfolio.
He says most good banks apply risk-management techniques throughout an enterprise, evaluating everything from complying with regulators to Y2K conversion work. He says even human resources and marketing departments must be prepared to handle risk, from choosing marginal employees in difficult hiring times to launching controversial advertising campaigns.
Misjudging risk in any area can be crippling, he says. For example, when Victoria's Secret was planning to air a commercial during last year's Super Bowl, the company's IT team didn't conduct a risk-management analysis of what effects advertising to the world's largest audience of men would have on its Web servers. As a result, systems were overloaded and the company suffered a loss of orders and a public relations disaster.
IT always has operational risk issues. But IT professionals also have to be aware of risk in another area, one that's particularly hazardous in these days of e-commerce. "CIOs don't have to worry about financial risk, but they have to be concerned with data security," Kafafian says.
Stephen Pozgaj, CIO at Mackenzie Financial Corp. in Toronto, says he agrees but points out that more than data security is involved. "IT risk management encompasses everything," he says.
Last month, Mackenzie officially recognized the importance of overall IT risk management when it broadened the charter of its Security and Standards Committee and renamed it the IT Risk Management Committee. Pozgaj says IT management involves a steady diet of managing risk. "To think that one would conduct one's affairs without risk management would be foolish," he says.
Pozgaj says moving an operation onto the Internet using open systems creates greater business opportunities than adopting a closed technology. But he also says it raises the stakes for data security. "Open systems are a double-edged sword," he says. In an e-commerce application, you have to be particularly vigilant, Pozgaj says, because "the bowels of your systems are open."
Protecting customer data becomes more complex when outsiders conduct business directly on your computers.
Risk-management principles, he says, are key to defining policies and procedures in the area of keeping data secure through managing multiple levels of access controls for thousands of users. Applying risk-management principles to data-security procedures also means implementing effective authentication and authorization processes throughout the network and within applications.
Risk management is an unending program, Pozgaj says.
Emily Freeman says she agrees. She's the senior vice president and national leader for electronic business at New York-based Marsh Inc., which consults and insures businesses. "When you had a closed data center, that was a castle. It was a lot easier world to manage. Once you open the environment up, you have a lot more exposure," she says.
But "ultimately, information security is not about technology. Technology is only one element," she adds.
When Freeman consults at an e-commerce site, the first thing she wants to see is the company's data security plans. "I look at a company's policies and procedures as much as I do a firewall," she says.
She says she applauds initiatives like Mackenzie's Risk Management Committee and adds that the more detailed the data security policies and the better the oversight procedures, the more risk an insurer is willing to shoulder. The more risk an insurer will cover, the more flexibility management has in business decisions.
A common problem Freeman encounters is when a traditional company embraces online business. "When brick-and-mortar moves to brick-and-click, they forget that their old insurance does not take the Web into account," she says.
Organizations that permit confidential information, such as private customer data, to be accessed online had better apply rigorous risk-management techniques to data security, Freeman says. "It's not just about protecting yourself from lawsuits. You could lose the confidence of your customers. Your public image is at stake," she says.
Risk management is a process that helps determine an organization's exposure to risk in areas such as finance or technology. It is then used to minimize, control or eliminate the risk exposure. For example, IT managers can follow risk-management procedures to gauge security concerns on an e-commerce site.