Calculated Risk
As a soccer enthusiast, you would know what it means to do tackle drills. It’s simply getting back to the basics. All the defensive schemes, strategies, expensive coaches or best gear cannot come to your rescue when you simply can’t tackle.
This is what happened at the Bangalore office of FMCG major Hindustan Unilever Limited (HUL). A couple of months back, a man posing as a visitor entered the HUL office on the pretext of meeting an employee. This person casually loitered around the premises and quietly picked up sensitive documents. It happened on two consecutive days.
“Had the information got into the hands of our competitors, they would have made a killing from the data,” says Subramaniam Narayanan, Senior VP, IT, HUL.
Luckily, this was a security drill and the mysterious man was an insider. HUL was trying to get its basics right — spot the risks and mitigate them.
PROACTIVE APPROACH
An important challenge for enterprises this year would be to focus on the overall security of business information and not merely secure their computer systems. This would involve developing a holistic approach to risk identification and management.
“No enterprise can completely eliminate risks associated with IT systems and business. What organisations need to do is manage them to an acceptable level so that their impact on business is minimised. More and more CIOs are adopting a proactive approach to managing risks rather than a reactive one; this trend is likely to get more popular this year,” says NSN Pillai, Head Risk Management and Security of Chennai-based Ashok Leyland.
One such approach that gathered momentum last year and would continue to see adoption within enterprises this year as well is enterprise risk management or ERM. According to industry sources, ERM is a process of planning, leading and controlling the activities of an organisation in order to minimise the effects of risk on capital and earnings. Recently, external factors such as prominent data leakage cases and increased regulation in light of the economic crisis have fuelled a heightened interest by organisations in ERM.
According to a recent Ernst & Young (E&Y) study, the number of risk management functions has grown to the point where most large companies have seven or more separate risk functions — not counting their independent financial auditor. This has created inefficiencies in the system.
The E&Y study states that “as risk functions increase, coordination becomes more difficult and results in coverage gaps and overlapping responsibilities. The demands and various reporting requirements placed on the business by these risk functions can become significant and burdensome.”
“Our job is to protect information, regardless of its state (electronic, paper, verbal, etc.). The risk gaps need to be filled through proper coordination and individual responsibility,” says K M Asawa, General Manager, Projects and IT, Bank of Baroda.
According to a study conducted by Aberdeen Research last year, there would be three critical drivers for making investments during the coming years — governance, risk and compliance. In the case of governance, the initiatives would be directed towards reducing the total cost of compliance, bringing in greater visibility for better decision-making and cutting down on technical and operational risks across enterprise functions.
Many enterprises have already expanded the scope of their risk assessment efforts by scanning a broader business environment to identify emerging risks. Many other enterprises are likely to follow suit this year. Through more comprehensive risk assessments these organisations are examining their entire value chain to define emerging risks and find ways to mitigate them.
Many analysts believe that organisations need to constantly challenge their approach to risk management. This is especially true in the current scenario when risk function heads are being asked to do more with less or existing resources.
CIOs also want to better understand risks associated with loss, disruption or damage of data and data sources due to disasters, both natural and manmade.
“Lack of a data recovery (DR) and business continuity plan (BCP) can severely affect the survival of an organisation,” says Shailesh Joshi, Associate Vice President - IT, Godrej Properties, who is currently looking at BCP/DR and is planning to adopt a two-pronged strategy to minimise risks within the organisation this year.
The first would be to put in place process controls through IT security management, employee training and awareness. The second would be to deploy technology controls that would cover management of data across its lifecycle, configuration and change management as well as network and physical security.
CIOs have found that it is better to strengthen some basic ideas in a system that is working well than to wait until everything falls apart. Though there is no doubt that risk management has matured, there is still considerable opportunity for improvement. Taking a tackling drill, the way HUL does, is just one example.