Securing information couldn't be a more pressing topic for companies right now, with the overlapping threats of external hacking and weak internal security practices by employees. At the same time, of course, the volume of data and information flowing through many businesses continues to grow.
With all of this as a backdrop, a new paper from the member-based advisory firm CEB, "Maximizing the Business Value of Information: New Principles for Using and Securing Information," puts a question to legal and compliance officers: How can companies best safeguard the various types of corporate information and allow business units to innovate with data?
It's a multimillion-dollar question, according to the consultancy, that points to the "cumbersome" nature of policies and controls that can potentially slow workflow, decrease innovation, or even derail major business projects. "Overall, CEB estimates that outdated, overly restrictive information risk approaches can cost a large company more than US$20 million a year — most of that hidden off the balance sheet, quietly dragging down revenue," say the authors.
There are a number of steps companies can take to formulate a more balanced approach to information risk management, according to CEB. Here's a look at a few of their suggestions:
• Get risk managers on the same page: From IT and human resources to legal and compliance, "Everyone must focus on a unified goal of maximizing information's business value," CEB states. "'Tone from the top' matters, and senior leaders should clearly reinforce their expectation that risk will be assessed and managed in a coordinated fashion."
• Establish a formal statement on the company's risk appetite: In other words, what are the risks the business is — and isn't — willing to take with its information? "A formal statement of the firm's risk appetite provides stakeholders a blueprint to help balance the value of information use against the costs required to minimize risk," according to the paper. CEB recommends that such statements include concrete examples of difficult decisions and guidance on how to assess information risk in practice.
•Revamp policies to help employees make good decisions: Employees need to understand the company's overall risk appetite, but they also need to be able to make smart decisions while on the job. So some companies, for example, "have moved away from polices that ban social media use on the job and replaced them with training on safely and effectively using social media," the paper points out. "Instead of being a list of 'dos and don'ts,' this scenario-based training instills good judgment in the situations employees will encounter in their day-to-day work."
•Make the business side accountable for risk management decisions: The paper argues that risk managers "are often too far removed from the day-to-day business context to make effective risk decisions." To counter that, CEB says business leaders should be enabled to make those decisions — and held responsible for them at the same time: "Decision rights should be clear, and specific business owners of the information must take final accountability for information risk decisions."
• Make risk managers accountable for risk management processes: The business side can't do it alone. Risk managers, working jointly, "will continue to be accountable for key elements of the risk assessment process," the paper recommends, "including identifying risks, leading assessments, proposing risk treatment plans, and monitoring compliance."
