Managing Risk
Information Management (IM) is in the first place risk management. If there was no risk related to the information, then there is no reason to manage it. Making clear that IM is related to risks already will make it more likely that people change their behaviours with respect to information.So one of the first measures to take in IM is to understand 'where do we feel the heat'. Only where there is heat, we should take measures, because putting a 50,000 dollar fence around a 5,000 dollar horse does not make sense.
So step 1. is: Understand what is valuable information
Step 2. is to understand where there are risks - think risks related confidentiality, integrity (quality) of the information, accessibility or legal issues
These risks can relate to all steps in the whole lifecycle of the information (during the steps when information is Created or acquired, QC-ed and stored, retrieved and used, reviewed and
disposed.
Then step 3. is to think about the impacts of these risks (financially, HSE, reputation, ... ) and the likelihood of occurence.
And finally you can check what controls are already in place to deal with these risks and see if they are sufficient.
This whole process looks like a pretty elaborate piece of work and the truth is - it is! Please note that when you get a consultant in, then you will a lot more elaborate version of this based on the internation standard from COBIT. I would say - don't even try to implement this, since your business will be broke before you have read all the recommendations.
But if you focus on the top valuable information and the top risks (highest impact), then you can create a pretty good story on what needs to be done to manage this information - with a clear link of running your business.
Labels: Information Management, Risk Management
posted by Evert Ruijs @ 3:39 AM
0 Comments:
Post a Comment
<< Home