Risk mitigation

According to the IBM landmark Global CEO Study, "The Enterprise of the Future," chief executive officers and other senior business leaders foresee an exciting new business environment that will be energized and driven by change—including new business designs, disruptive innovation and continuing economic globalization. As a CIO, you are responsible for transforming IT applications, services and infrastructures into nimble, automated environments that will enable your organization to exploit the opportunities of an increasingly dynamic marketplace.

Like many CIOs, you may feel that IT security and compliance could be significant roadblocks to this vision. After all, you're in a position to see how forces of technological change are already driving the spiraling cost and complexity of security and compliance. Change could easily be regarded as the antithesis of security, yet the future is all about embracing even greater change. Questions such as, "How will you ever get full control over risk management and business continuity?" and "How will you improve your adaptability and effectively balance risk, complexity and cost when security and compliance continue to be moving targets?" become top of mind. Chances are, you wish the whole security and compliance issue would simply go away.

For too long, security technology has been developed and deployed apart from the mainstream of IT infrastructures, applications and processes—with little concern from vendors as to how it should be integrated into that mainstream, or how it adds complexity to business processes. It's no wonder that security and compliance costs continue to grow at a rate three times faster than that of IT budgets.

The Enterprise of the Future demands a dramatic transformation of how security and compliance solutions are conceived, applied and managed.

Risk mitigation plans at many organizations fall short simply because they fail to take into account all the risks they actually face.

Abstract: A successful governance and risk mitigation strategy must operate at multiple levels with broad coverage. Risk mitigation plans at many organizations fall short simply because they are not comprehensive and fail to take into account the reach and range of all the risks that they actually face. Often this occurs when organizations only focus on specific areas of risk categories, only plan for certain types of risk or don't understand all the different areas in their organization that particular risks will impact. For example, in the area of disaster recovery, most plans fail to account for the following areas of concern:

• Human issues — Plans are often inadequate for ensuring communication with, support for and mobilization of employees, decision makers, suppliers and customers, as well as providing the means to protect families.

• Infrastructure issues — How will the organization deal with prolonged power failures, travel and transportation restrictions and logistics disruptions? Are there adequate fuel supplies? Are resources such as generators staged in safe locations?

• Business issues — The traditional view of disaster recovery has primarily been focused on data and the IT infrastructure, but many of the impacts of a disaster are business-related issues that affect people, business processes, facilities, transportation, communications and regulatory compliance.

• Community issues — Organizations must not neglect their responsibility to help employees and their local communities and regions recover from major disasters.

This white paper discusses common types of risk, the considerations for each and the steps organizations must take to develop an effective risk mitigation strategy.