IT Risk Management


How do you get your head around 'risk'?

More than just a game of world domination...

By Will Sturgeon

Published: 6 July 2007 09:50 GMT

Understanding where risk exists is a challenge for all businesses and one which can never be put to rest as new demands, regulations, technologies and trends come along. Will Sturgeon explores the best approach.

Often the problems businesses face are regarded in simple terms. For example in recent years security has been looked at from a binary perspective of 'secure' or 'insecure'.

To have told somebody of a technical disposition that there is such a thing as a tolerable, or even operationally beneficial, level of insecurity would have been like telling the most evangelical vegan it's alright to eat a little bit of meat.

However, recently the waters have become murkier as the word 'risk' has increasingly cropped up in conversation.

Businesses have started to realise understanding risk isn't just about working out what security vulnerabilities or weaknesses need to be shored up but about finding a point of balance where performance is not compromised by too little or too heavy-handed a consideration of liabilities.

As Dave Martin, principal information security consultant at LogicaCMG, puts it: "If you haven't undertaken risk analysis, then how can you know that you have spent your time and money covering the real threats rather than just your 'gut feel' perception of the threats?"

Therefore companies must identify all areas of potential IT risk - from staff taking their laptops home to large amounts of data residing in third party data centres - and understand what risks are actually posed and how they can be managed or mitigated.

Companies must ask themselves: is a risk operational - might it stop you working? Or is it more far-reaching? Does it involve the loss of intellectual property and therefore competitive edge, or the loss of customer data and therefore serious damages in terms of future business, reputation and possibly even punitive measures?

It's those risks at the far-reaching end of the scale which warrant the greatest consideration, and going through appropriate due diligence is no mean feat. But in order for businesses to get the benefit of such a risk assessment it must be comprehensive and structured, so the methodology can be replicated and the process becomes scalable.

Alan Calder, risk expert and author of Risk Assessment for Asset Owners, told silicon.com: "There are five core requirements for a best practice risk assessment. It needs to be 'bottom up', looking at the individual information assets that make up the whole infrastructure, namely hardware, software and data.

"It needs to be systematic - analysing threats, the vulnerabilities they might exploit, the likelihood of this occurring and what the potential impact is. Naturally, the method needs to be repeatable because threats will change and controls therefore need to be reviewed.

"It should give rise to control decisions that are proportionate to the value at risk and lastly, it needs to take account of the business need for the assets, making sure that they are available to the people who need them for their work, as and when they need them."
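Calder's five requirements can be read as a specification for a risk register. The following is an added example written for this page; it is not code from silicon.com, from Calder or from his book, and its assets, threats, 1-to-5 ratings and the risk-appetite thresholds (`ACCEPT_BELOW`, `URGENT_FROM`) are constructed sample values that a real organisation would set for itself. It works bottom-up from hardware, software and data assets, scores each threat systematically from likelihood, impact and the value at risk, keeps the scoring deterministic so the assessment can be re-run when threats change, scales the control effort to the score, and lets a high availability need veto heavy-handed controls.

```python
"""Asset-based IT risk register: bottom-up, systematic, repeatable, proportionate.

Added example for this page; not from the article or from Alan Calder's book.
All assets, threats, ratings and thresholds below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str               # "hardware", "software" or "data"
    value: int              # business value of the asset, 1 (low) .. 5 (critical)
    availability_need: int  # how badly the business needs it available, 1 .. 5


@dataclass
class Threat:
    asset: str
    threat: str
    vulnerability: str      # the weakness the threat would exploit
    likelihood: int         # 1 .. 5
    impact: int             # 1 .. 5


@dataclass
class Finding:
    asset: str
    threat: str
    risk_score: int         # likelihood * impact * asset value, 1 .. 125
    decision: str           # "accept", "mitigate" or "treat urgently"
    control_budget: str     # effort band proportionate to the value at risk


# Constructed risk appetite; every organisation tunes these for itself.
ACCEPT_BELOW = 20
URGENT_FROM = 60


def score(asset: Asset, threat: Threat) -> int:
    """Systematic scoring: how likely, how bad, and how much is at stake."""
    return threat.likelihood * threat.impact * asset.value


def decide(score_value: int) -> str:
    if score_value < ACCEPT_BELOW:
        return "accept"
    if score_value >= URGENT_FROM:
        return "treat urgently"
    return "mitigate"


def control_budget(asset: Asset, score_value: int) -> str:
    """Proportionate controls: spend in line with the value at risk, and never pick
    a control so heavy that it defeats the business need for the asset."""
    if score_value < ACCEPT_BELOW:
        return "monitor only"
    if asset.availability_need >= 4:
        return "low-friction controls (availability must be preserved)"
    return "standard controls" if score_value < URGENT_FROM else "strong controls"


def assess(assets: list[Asset], threats: list[Threat]) -> list[Finding]:
    """Repeatable: the same inputs always produce the same ranked register."""
    by_name = {a.name: a for a in assets}
    findings = []
    for t in threats:
        a = by_name[t.asset]
        s = score(a, t)
        findings.append(Finding(a.name, t.threat, s, decide(s), control_budget(a, s)))
    return sorted(findings, key=lambda f: f.risk_score, reverse=True)


# Constructed sample register covering all three asset classes.
SAMPLE_ASSETS = [
    Asset("sales-laptops", "hardware", value=3, availability_need=5),
    Asset("crm-application", "software", value=4, availability_need=4),
    Asset("customer-database", "data", value=5, availability_need=3),
]
SAMPLE_THREATS = [
    Threat("sales-laptops", "laptop taken home and lost", "no disk encryption", likelihood=4, impact=3),
    Threat("crm-application", "unpatched flaw exploited", "patching lags vendor advisories", likelihood=3, impact=4),
    Threat("customer-database", "bulk export by an insider", "broad export rights", likelihood=2, impact=5),
    Threat("crm-application", "short outage at hosting provider", "single hosting site", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f"{f.risk_score:3d}  {f.decision:15s} {f.asset}: {f.threat} -> {f.control_budget}")
```

Running it ranks the insider-export threat to the customer database first (score 50) and the hosting outage last (16, accepted). The laptop-loss entry illustrates the availability clause: it scores high enough to mitigate, but because sales staff need their laptops at all times the register steers towards low-friction controls rather than anything that would stop them working.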

Companies must also recognise technology is no longer entirely separate from the rest of the organisation. Email archiving, for example, should be as much a consideration for the CEO and board as it is for the IT department.

Whether or not staff are using IM, or breaching email usage policies, or bringing their iPod to work or leaking vital intellectual property - these are all issues that should have been addressed ahead of time by IT as well as HR, legal and line managers.

Although no two companies share the same risk profile, some risks are universal in a knowledge economy.

Guy Bunker, chief scientist at security software maker Symantec, said businesses need to thoroughly understand what they do, how they do it and what data is created and processed in the course of doing it.

Next, they need to understand where that data is stored, who has access to it and when, why and what they can do with it.

"Once these questions are answered, the company can start making an assessment on the possible risks including the latest, high-profile issue: data leakage," said Bunker.

"As technology evolves, organisations need to look out for new threats. For example, with more and more organisations implementing email on mobile communications devices, there is a greater need for organisations to protect this data. Additionally, companies must consider inadvertent loss, such as when someone sends the wrong data through email to someone outside the company, and malicious loss, such as sending confidential data through web-based email for personal gain, in their risk planning," added Bunker.
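Bunker's questions (what data exists, where it is stored, who may access it and what they may do with it) only pay off once they are written down and checked against what actually happens. The following is an added example for this page, not code from the article or from Symantec: it encodes a small data inventory, then reviews constructed sample events (file access, copies to a mobile device, outbound email) against it and flags the two loss modes he describes, inadvertent loss to an unintended external recipient and deliberate loss via personal web-based email. The company domain `example.com`, the webmail domain, the people and the datasets are all constructed.

```python
"""Review data-handling events against a data inventory.

Added example for this page; not from the article or from Symantec.
Datasets, people, domains and events are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataSet:
    name: str
    classification: str          # "public", "internal" or "confidential"
    approved_stores: frozenset   # where the data may live
    readers: frozenset           # who may read it
    exporters: frozenset         # who may send it outside the company


COMPANY_DOMAIN = "example.com"              # constructed
PERSONAL_WEBMAIL = {"webmail.example.net"}  # constructed personal-mail domains

INVENTORY = {
    "customer-db": DataSet("customer-db", "confidential",
                           frozenset({"dc1-sql", "dc2-sql"}),
                           frozenset({"alice", "bob"}), frozenset({"alice"})),
    "price-list": DataSet("price-list", "internal",
                          frozenset({"fileshare"}),
                          frozenset({"alice", "bob", "carol"}), frozenset({"carol"})),
}


def review_event(ev: dict) -> list[str]:
    """Return policy findings for one event; an empty list means nothing to flag."""
    ds = INVENTORY.get(ev["dataset"])
    if ds is None:
        return [f"unknown dataset {ev['dataset']}: inventory incomplete"]
    findings = []
    kind = ev["kind"]

    if kind == "access" and ev["user"] not in ds.readers:
        findings.append(f"{ev['user']} read {ds.name} without entitlement")

    if kind == "store":
        if ev["location"] not in ds.approved_stores:
            findings.append(f"{ds.name} copied to unapproved store {ev['location']}")
        # Email on mobile devices carries the data with it; confidential data must be encrypted at rest.
        if ds.classification == "confidential" and not ev.get("encrypted", False):
            findings.append(f"confidential {ds.name} held unencrypted on {ev['location']}")

    if kind == "email":
        domain = ev["to"].rsplit("@", 1)[-1]
        if domain != COMPANY_DOMAIN:
            if ev["user"] not in ds.exporters:
                findings.append(f"{ev['user']} sent {ds.name} outside the company without export rights")
            if domain in PERSONAL_WEBMAIL:
                findings.append(f"{ds.name} sent to personal webmail {domain}: possible deliberate loss")
            elif ds.classification == "confidential":
                findings.append(f"confidential {ds.name} sent to {domain}: confirm intended recipient (inadvertent-loss check)")
    return findings


def review_all(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the review and return (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in review_event(ev)]


# Constructed sample events.
EVENTS = [
    {"kind": "access", "user": "alice", "dataset": "customer-db"},
    {"kind": "access", "user": "carol", "dataset": "customer-db"},
    {"kind": "store", "user": "bob", "dataset": "customer-db", "location": "mobile-bob", "encrypted": False},
    {"kind": "store", "user": "bob", "dataset": "price-list", "location": "fileshare", "encrypted": False},
    {"kind": "email", "user": "alice", "dataset": "customer-db", "to": "auditor@partner.example.org"},
    {"kind": "email", "user": "bob", "dataset": "customer-db", "to": "bob.home@webmail.example.net"},
    {"kind": "email", "user": "carol", "dataset": "price-list", "to": "dave@example.com"},
]

if __name__ == "__main__":
    for idx, finding in review_all(EVENTS):
        print(f"event {idx}: {finding}")
```

The review is deliberately only as good as the inventory: an event naming a dataset nobody has catalogued is itself reported, because an incomplete inventory is the first risk to fix. Authorised exports of confidential data are not blocked but surfaced for confirmation, which is where the inadvertent-loss case Bunker describes gets caught.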

As new technologies come along their use must be assessed in terms of risks and the benefits they can deliver to the business. At all times those two considerations must be looked at side by side.

If, for example, something delivers no discernible value to the business and yet poses a huge risk, then the risk assessment is that the technology has no place within the company. If something delivers huge business benefits and poses no risks, then what are you waiting for? But very rarely is anything so clear cut, and within the huge grey area between those two extremes businesses must assess the right fit for them.

It's certainly not a black and white issue and understanding risk certainly isn't easy. But it is essential.
