Arthur Cole spoke with Faith Boechter, senior consultant, BITS Shared Assessment Program.
Cole: Many people view enterprise risk management as strictly a network security issue. While that is certainly part of the equation, what are some of the other kinds of risks that IT managers should be concerned about?
Boechter: From a financial services perspective, we look largely at how government regulations define risk. We look primarily at risk to reputation, strategic risk, client/legal risk and interest rate liquidity. We look at risk areas that impact service to clients, disrupt operations or damage earnings or an organization's reputation. It's also important to evaluate the strategic importance of investments and the level of expertise required to manage them. It's important that as an organization looks at internal or external management, the assessment has a cost/risk approach. Make sure that when you're deploying processes, you understand the cost of exposure and ensure that it doesn't exceed the value of the investment.
Cole: What are the key considerations when evaluating risk management software or solutions?
Boechter: Let me be clear up front that we have not done any evaluations of individual solutions. Our program is designed to establish the criteria on which to base decisions. But one of the key considerations is to understand the components of any given solution. What does it manage, and what does it not manage? Is it just a document repository, or does it include policy and risk management oversight? How far does it go in managing information? What can be reported and analyzed? It's also important to know the expertise of the provider. Does the company incorporate within its tools the regulatory requirements, compliance risk management and operational risk management that will be needed? Also, what is the maturity of the organization's product? Where has it been deployed, and how? What is the financial stability of the company, and will there be a financial liability to provide service on an ongoing basis?
Cole: The BITS Shared Assessment Program is designed for financial institutions. Can it be applied to other industries?
Boechter: Absolutely. Unlike other industries, the financial services industry looks at third-party providers in terms of regulatory requirements. We can outsource the process, but not the risk. But we also need to comply with our own individual processes, so we're very much focused on developing voluntary guidelines and success strategies. We've made our program available to the public because we want other industries to benefit from these strategies as well. Our feedback is that it's been helpful for managing risk in other industries, whose risks are not much different than the ones we face. It provides a uniform questionnaire and assessment testing to assess reputation risk, transaction risk, customer risk. ... It has applications for any industry looking at shared service providers.