Dated approach to information risk costing businesses
Companies’ restrictive, outdated approaches to managing information risk are quietly costing those businesses dearly.
That’s a key takeaway from research by the Corporate Executive Board (CEB), which estimates that larger companies can lose $20 million annually by failing to overhaul their strategies on information risk.
“The value of information to business success is increasing rapidly,” the report says. “But a complex regulatory environment, outdated and ineffective risk management practices, and rising threats from sophisticated attackers have tremendously magnified the information risks businesses face.”
While plenty of news coverage has been devoted to online fraud and data breaches, the CEB report says that greater internal use of data also brings about the potential for greater risk. Policies devoted to preventing data breaches are outdated: 93% of employees admit to violating those policies, and often rules about employee-owned devices are not flexible enough to keep pace with the latest technology.
More companies are using information strategically; the CEB report says 79% of senior executives point to new uses of information as critical to their companies’ growth plans. However, businesses limit the power of the information, CEB says, which leads to friction that reduces employee productivity and leads to decisions that curtail innovation.
John Sibson, vice president of corporate strategy at the technology and industrial products and services company Johnson Controls, spoke Friday about his company’s approach to enterprise risk management at the ERM Roundtable Summit in Raleigh, N.C., an event put on by North Carolina State University’s Poole College of Management. Sibson said that the greater number of risks facing businesses today shouldn’t make companies overly risk-averse.
Risk is “more a part of our dialogue in the last five years than it’s ever been before,” Sibson said. “We’re careful to say that it’s not about taking risk out of the process, because there’s no doubt that there’s still a gap between what’s desired and where we’re performing. We’re still taking risks.”
CEB said that 53% of companies alter major business projects three times or more because of risk and compliance concerns. “Information risk concerns cause companies to avoid, delay, or even cancel major business projects with alarming frequency,” the report said.
The report says three attributes of poor management of information risk add friction between the risk “reducers” (e.g., IT) and the business unit (e.g., the sales department):
- Inflexible, check-the-box requirements: Compliance with regulations such as the US Sarbanes-Oxley Act has resulted in approaches that fail to allow deviation when considering business needs, the report says.
- Overly technical processes: The traditional risk managers have kept their hands in the process of managing information, and the business unit is either prohibited from, or discouraged from, learning how to access information.
- Uncoordinated governance and management: Departments tend to take a siloed approach, and they fail to understand the business value of collaborative management of information risk.
CEB says that top companies are shifting to a more business-led approach in two ways:
Managing risk to maximise the business value of information
Risk reduction is confused with risk management. “Risk reduction’s dominance in a company’s approach to information risk coincides with overly siloed roles and an adversarial relationship between the business line and the professional risk managers,” the report says. At extremes, business-line leaders are focused on reward, while risk managers are viewed as rigid, focusing on rules instead of potential business gain.
Companies with strict policies against social media use while at work, for example, should install scenario-based training that gives employees guidelines for using judgement instead of a list of “thou shalt nots.”
Redefining roles and responsibilities
“Good risk decisions require balancing risk and reward, and risk managers who lack business context struggle to achieve this balance,” the report says. There’s a balance to be struck between the IT employee who wants to go by the book on all risk decisions and the regional sales rep who wants unfettered access to others’ sales numbers. Those “who best understand the reward side of information use” should be educated on making decisions about risk, the report says.
For example, the employee who uses a personal tablet at work needs to be taught that virus protection on that device probably isn’t business-grade.
The amount of data businesses generate has increased more than tenfold in the past five years, the report says. In closing, CEB recommends that businesses should focus on the wide-ranging value of information instead of the broad reduction of information risks.
—Neil Amato (namato@aicpa.org) is a CGMA Magazine senior editor.