Corporate Counsel
  • Home
  • News
  • Surveys
  • Resources
  • Lawjobs
  • Advertise
  • Subscribe
  • Bookstore
  • Contact

Topics » IP Insider | Labor & Employment | From the Experts | On the Job | Moves | DC Watch | International

Home > Taking Steps to Improve Information Risk Management

Font Size: increase font decrease font

Taking Steps to Improve Information Risk Management

By Catherine Dunn Contact All Articles 

Corporate Counsel

March 5, 2013

  •    
  •    
  •    
  •       Comments (2)
 

© AVAVA - Fotolia.com

Related Items

  • Cybersecurity Report Spotlights Risks to U.S. Business from China
  • Employees May Be a Company's Greatest Cybersecurity Vulnerability

Securing information couldn’t be a more pressing topic for companies right now, with the overlapping threats of external hacking and weak internal security practices by employees. At the same time, of course, the volume of data and information flowing through many businesses continues to grow.

With all of this as a backdrop, a new paper from the member-based advisory firm CEB, “Maximizing the Business Value of Information: New Principles for Using and Securing Information,” puts a question to legal and compliance officers: How can companies best safeguard the various types of corporate information and allow business units to innovate with data?

It’s a multimillion-dollar question, according to the consultancy, that points to the “cumbersome” nature of policies and controls that can potentially slow workflow, decrease innovation, or even derail major business projects. “Overall, CEB estimates that outdated, overly restrictive information risk approaches can cost a large company more than US$20 million a year—most of that hidden off the balance sheet, quietly dragging down revenue,” say the authors.

There are a number of steps companies can take to formulate a more balanced approach to information risk management, according to CEB. Here’s a look at a few of their suggestions:

  • Get risk managers on the same page: From IT and human resources to legal and compliance, “Everyone must focus on a unified goal of maximizing information’s business value,” CEB states. “ ‘Tone from the top’ matters, and senior leaders should clearly reinforce their expectation that risk will be assessed and managed in a coordinated fashion.”
  • Establish a formal statement on the company’s risk appetite: In other words, what are the risks the business is—and isn’t—willing take with its information? “A formal statement of the firm’s risk appetite provides stakeholders a blueprint to help balance the value of information use against the costs required to minimize risk,” according to the paper. CEB recommends that such statements include concrete examples of difficult decisions and guidance on how to assess information risk in practice.
  • Revamp policies to help employees make good decisions: Employees need to understand the company’s overall risk appetite, but they also need to be able to make smart decisions while on the job. So some companies, for example, “have moved away from polices that ban social media use on the job and replaced them with training on safely and effectively using social media,” the paper points out. “Instead of being a list of ‘dos and don’ts,’ this scenario-based training instills good judgment in the situations employees will encounter in their day-to-day work.”
  • Make the business side accountable for risk management decisions: The paper argues that risk managers “are often too far removed from the day-to-day business context to make effective risk decisions.” To counter that, CEB says business leaders should be enabled to make those decisions—and held responsible for them at the same time: “Decision rights should be clear, and specific business owners of the information must take final accountability for information risk decisions.”
  • Make risk managers accountable for risk management processes: The business side can’t do it alone. Risk managers, working jointly, “will continue to be accountable for key elements of the risk assessment process,” the paper recommends, “including identifying risks, leading assessments, proposing risk treatment plans, and monitoring compliance.”


Subscribe to Corporate Counsel

You must be signed in to comment on an article

 

Reader Comments

  • Caroline Schroder

    March 07, 2013 03:43 PM

    The key problem really has been the 'silo-ization' of the entity, and not just in business. Granted that the increasing complexity and the overwhelming mass of data and change across all disciplines has forced specialization and hyper-specialization in business, law and technology, silo-ization has had two pernicious effects: isolation of the technical professionals from the business model and territoriality of all silos which give rise to not only a death grip on their own silo's information but an obstinate rejection of other silos' analysis and perspective. The more marginalized a silo, the more obstinate the territoriality.

    CIO's and IT have complained for years of being isolated from the business strategies, plan and model. Increasingly counsel have complained of being isolated from daily operations and "tactical" level activity, if not strategies, plan, and model. HR and other silos have increasingly complained that HR gets thrown in over its head, perhaps for the HR 'seal of approval'. Certainly Risk Management and Business Continuity planners are not a coherent, internally consistent element of the business model. The solution has to come from the top of the organization, as alignment of reality to "tone at the top" and be aligned from C-suite, and preferably board and C-suite down.

    As CEB is corporate membership entity, perhaps this report demonstrates a growing consensus on cross-silo risk identification and management.

  • applying infonomics

    March 05, 2013 11:50 AM

    Great piece. Content about valuing information assets always gets my attention. At Gartner we have introduced the concept of "infonomics" (information economics) -- recognizing or at least behaving as if information was an actual corp asset (despite current arcane accounting regs disallowing the capitalization of info assets). This includes valuation models we have developed. For more on infonomics, there's a Wiki site with links to articles in Forbes, FT, WSJ and other research & resources (http://en.wikipedia.org/wiki/Infonomics). Note that from a legal perspective, courts are split around the world on whether electronic data constitutes "property". We are aware of a couple dozen rulings. --Doug Laney, VP Research, Gartner, @doug_laney

Comments are not moderated. To report offensive comments, click here.

Post a Comment »
Find similar content

Companies, agencies mentioned

    
  • Business Value

Key categories

    
  • Law Firm Management

Most viewed stories

    
  1. Best Legal Departments 2013
    •      
  2. 3-D Printing: The Next Big Thing in IP Law?
    •      
  3. U.S. Legal System Ranked as Most Costly
    •      
  4. Managing Relationships With Legal Project Management
    •      
  5. 6 Things In-House Counsel Must Know About E-Discovery
    •      
lawjobs.com

TOP JOBS

MORE JOBS

POST A JOB

From the Law.com Network

The General Counsel and the Compensation Committee

Your Company's Been Hacked -- What Comes Next?

Simpson Helps Yahoo, Tumblr Connect for $1 Billion Deal

Kasowitz Benson Launches in Los Angeles

Contrite Companies Can Win Forgiveness in Bribery Cases
  •      
    • Subscription Required

Plaintiffs Want to See Toyota's 'Crown Jewels'
  •      
    • Subscription Required

Collaboration Is Key to Defending Cyberattacks

Stanford Law Builds on Role as Legal Tech Incubator

Prolific ADA Plaintiff Faces Nemesis in Harassment Suit

Ullyot Exit Closes Chapter for Facebook

Fla. Attorneys Lead Force-Placed Insurance Fight

Lawsuit Names Missing Fla. Attorney for Alleged Fraud
  •      
    • Subscription Required

Circuit Voids $3 Million Judgment Against Girls Gone Wild Producer

Judge Says Boston Bombings Had No Effect on Terrorist Sentences
  •      
    • Subscription Required

The Affordable State-Specific Practice Solution
Available in NY, NJ, PA and CT editions - research, draft and prepare even the most complex cases with ease.

Court System, Counties Agree on 3 Court Facility Upgrades

Guardian Who Delayed Final Account Must Pay Referee Fee
  •      
    • Subscription Required

Lawsuit Testing Federal Porn Regulation to Proceed

Ex-Quarterback Can Press Claim Over EA's Video Game
  •      
    • Subscription Required

Law Schools Are Looking Beyond LSATs, Says Mich. Dean

Is Freezing Your Eggs the Solution?

Advising Clients on Weather and the Workplace
  •      
    • Subscription Required

Texas Sues BP, Transocean, Halliburton, Anadarko Entities
  •      
    • Subscription Required

Insurer Beats Bid By Bilked Client
  •      
    • Subscription Required

Barnes Asks For Court-Appointed Lawyer To Help Defend Brooks

Corporate Bribery Case Part Of National Trend
  •      
    • Subscription Required

Court Continues To Grant Lawyers Fraud Immunity
  •      
    • Subscription Required

  • About |
  • ALM Properties |
  • ALM Reprints |
  • Customer Support |
  • Privacy Policy |
  • Terms & Conditions |
  • ALM User License Agreement
ALM Media