Avoid the Five Common Dangers of IT Risk Management

Important issues include business continuity planning and protecting infrastructure.

by Bert G. Nuehring and Raj Chaudhary / February 8, 2010
Risk Management Illustration by Tom McKeith

Citizens and watchdog groups are clamoring for greater efficiency and transparency from government agencies, and governors expect their CIOs to find ways to improve both. Given such demands, it's natural for government CIOs to implement changes that will reduce costs while still providing their internal clients with the computing resources they need. But they also must fully assess and mitigate the risks of changing their IT environment.

As government CIOs look to make changes and improvements to their IT infrastructure, they can't overlook the need to closely manage IT risk. The following are five common pitfalls to avoid when rightsizing or revamping government IT resources in today's economic environment.

1. Taking a checklist approach to IT risk management.

In too many state and local governments, CIOs take a tactical, rather than strategic, approach to IT risk management.

Organizations can't manage IT risk effectively by going down a list of internal controls -- however comprehensive -- and checking them off as they would a weekend to-do list: clean the gutters, rake the leaves and straighten up the garage. True risk management requires a unique public sensitivity combined with a business perspective. The checklist approach to risk management ignores the critical dimension of a government's business processes and treats all risks with the same importance -- whether or not they merit it.

State and local governments should take a broad, top-down approach to IT risk management that typically comprises five steps:

  1. Document the overall environment by taking an inventory and linking major governmental processes, technologies and vendors.
  2. Define the risk factors, criteria and risk tolerance levels to be uniformly applied to the inventory in step No. 1. This ensures consistent assessment across all governmental processes. When logically grouped, the risk factors, criteria and risk tolerance levels help determine inherent risk at a device or process level.
  3. Assess each technology component, using the drivers and criteria developed in the previous two steps, to produce an objective risk ranking (high, medium or low).
  4. Define the necessary internal controls and create a corresponding framework for managing them.
  5. Put new changes and enhancements through the aforementioned steps to assess the real risk and controls before finalizing them.
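As an added illustration of the five-step method (example code, not from the article or from Crowe Horwath), the following Python scores a constructed inventory against uniform risk factors and tolerance thresholds, maps each ranking to a control set, and re-runs the same criteria on a proposed change; the factor names, weights, thresholds, control names and sample systems are all assumptions.

```python
from dataclasses import dataclass

# Step 2: weighted risk factors, a uniform rating scale and tolerance thresholds.
# Factor names, weights, thresholds and control names are assumptions for this example.
FACTORS = {"data_sensitivity": 3, "public_exposure": 2, "process_criticality": 3, "vendor_dependence": 1}
SCALE = {"low": 1, "medium": 2, "high": 3}
TOLERANCE = [("high", 2.4), ("medium", 1.6)]  # ranking = first threshold the score reaches
# Step 4: the control framework, keyed by ranking.
CONTROLS = {"high": ["encryption at rest", "MFA for administrators", "quarterly access review", "tested DR runbook"],
            "medium": ["MFA for administrators", "annual access review"],
            "low": ["baseline patching"]}
@dataclass
class Component:
    """Step 1: one inventory entry linking a technology to its process and vendor."""
    name: str
    process: str
    vendor: str
    ratings: dict  # factor name -> "low" | "medium" | "high"

def inherent_score(c: Component) -> float:
    """Weighted average of the factor ratings; incomplete or unknown factors are rejected."""
    if set(c.ratings) != set(FACTORS):
        raise ValueError(f"{c.name}: ratings must cover exactly {sorted(FACTORS)}")
    return round(sum(FACTORS[f] * SCALE[c.ratings[f]] for f in FACTORS) / sum(FACTORS.values()), 2)

def rank(score: float) -> str:
    """Step 3: map a score onto high/medium/low with the tolerance thresholds."""
    return next((label for label, t in TOLERANCE if score >= t), "low")

def assess(inventory: list) -> dict:
    """Steps 3 and 4 across the inventory: score, ranking and required controls per component."""
    out = {}
    for c in inventory:
        score = inherent_score(c)
        out[c.name] = {"process": c.process, "score": score, "rank": rank(score), "controls": CONTROLS[rank(score)]}
    return out

def assess_change(c: Component, new_ratings: dict) -> tuple:
    """Step 5: re-run the same criteria on a proposed change and report the before/after ranking."""
    changed = Component(c.name, c.process, c.vendor, {**c.ratings, **new_ratings})
    return rank(inherent_score(c)), rank(inherent_score(changed))

# Constructed sample inventory; the systems and vendor names are fictional.
INVENTORY = [
    Component("benefits-portal", "Benefits administration", "Vendor A",
              {"data_sensitivity": "high", "public_exposure": "high", "process_criticality": "high", "vendor_dependence": "medium"}),
    Component("build-server", "Custom application development", "in-house",
              {"data_sensitivity": "low", "public_exposure": "low", "process_criticality": "medium", "vendor_dependence": "low"}),
]
```

Calling `assess_change(INVENTORY[1], {"vendor_dependence": "high", "public_exposure": "medium"})` models moving the build server to a hosted service and shows the ranking moving from low to medium under the same criteria, which is the point of step 5.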

A governmentwide, top-down approach must include elements of IT risk assessment to evaluate systems under the public CIO's control. Government organizations that use this approach will end up with more effective and efficient controls that help mitigate these risks and still serve their constituents.

For example, Indiana is taking a proactive approach to IT risk management. The Indiana Department of Homeland Security, in partnership with the Indiana CIO's office, developed an IT cyber-security risk framework that can be used statewide. All state agencies will be asked to use the framework in assessing IT risk. This is an important, fundamental step in taking a strategic approach to IT risk management.

2. Playing a nonstrategic role in selecting a GRC platform.

Just as it's important to take a comprehensive view of IT risk management, it's also important for the public sector to strategically approach the selection of integrated technology platforms for governance, risk management and compliance (GRC).

From a management perspective, governments resemble conglomerates -- companies with multiple lines of business and subsidiaries that operate with a certain amount of independence to compete effectively in their market segments. The interrelationships among GRC beg for an integrated, enterprisewide solution -- one that's consistent across all agencies and departments.

In some cases, government CIOs make quick selection decisions that automate GRC processes without first assessing the effectiveness of the processes themselves. Automating bad processes is never a good idea.

In other cases, government CIOs take a hands-off approach to GRC and leave the selection of technology platforms for these three critical areas to the agencies. This results in redundant systems and inefficient investment and prevents top government officials from having an enterprisewide view of their technology's vulnerabilities and weaknesses.

3. Giving inadequate attention to business continuity planning.

Most government organizations have sound disaster recovery plans, but their business continuity plans are often outdated or missing. Disaster recovery plans deal with the technology infrastructure, while business continuity plans focus on the people who run the government.

Both types of plans are necessary for meeting the recovery objectives of hurricanes, earthquakes and other natural disasters. In recent months, many government organizations have updated their plans to include the potential effects of pandemic illnesses, such as the H1N1 flu.

Although these plans are not solely the responsibility of government CIOs, CIOs need to take a leadership role on the people side of these plans and work with agency heads to create comprehensive business continuity plans. Periodic testing of the business continuity plan in tandem with the disaster recovery plan will assure that they meet their objectives in the event of a disaster.

4. Assuming that protecting critical infrastructure is Washington's responsibility.

The protection of critical infrastructure, while important to our national leaders in Washington, D.C., is ultimately state and local governments' responsibility.

In 2007, the U.S. Department of Homeland Security (DHS) identified 17 types of critical infrastructure that must be protected, including transportation, communications and IT systems. In addition, the DHS issued sector-specific plans defining critical infrastructure protection roles and responsibilities for all levels of private industry and government -- including state and local government.

The DHS also provided state and local government agencies with funds to facilitate implementation of these plans. But how much of this money has actually been applied to infrastructure protection? The news media has been rife with reports of imprudent and poorly tracked spending.

A risk-based approach to identifying the most critical elements of state infrastructure will help the states keep citizens safe.

5. Underestimating the risks associated with cloud computing.

The U.S. National Institute of Standards and Technology defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

In September, the Obama administration unveiled a sweeping plan that allows federal government agencies to use cloud computing technology to reduce IT costs and lessen the environmental impact of government computing systems.

By allowing federal agencies to use hardware and software maintained by third parties, Washington, D.C., is setting a standard for state and local government to follow. But before state and local government CIOs follow, they should consider the risks.

Distilled to its essence, cloud computing is nothing more than outsourcing. While organizations can outsource a function, they can't outsource the responsibility to protect the data used by that function.

Many companies, schools and other organizations initially experience cloud computing by outsourcing their enterprise e-mail systems to a third party. While the hardware, software and staffing savings can be considerable, so too is the risk if classes of protected information -- such as Social Security numbers, credit card data and the like -- are involved.

This isn't to say that state and local governments shouldn't consider cloud computing. They should tread carefully, however, by testing the concept with a low-risk function, such as compiling software code that government programmers write for custom development projects.

Balancing Risk and Reward

The unwritten qualification of a CIO's job description is his or her ability to balance risk and reward. Even if it were possible to eliminate all IT risk, no organization could afford to do so. The costs would be prohibitive. The question then becomes, how much risk can we afford to take?

Avoiding the five pitfalls discussed here can help government CIOs manage risk more effectively and achieve the balance between risk and reward that organizations must have to operate efficiently.

Bert G. Nuehring Contributing Writer
Bert Nuehring is a partner with Crowe Horwath in the Oak Brook, Ill., office. He can be reached at 630/706.2071 or bert.nuehring@crowehorwath.com.
Raj Chaudhary Contributing Writer
Raj Chaudhary is a principal with Crowe Horwath in the Oak Brook, Ill., office. He can be reached at 630/586.5127 or raj.chaudhary@crowehorwath.com.