For years, corporate governance meant a myriad of dull regulations and an exercise in seemingly endless box-ticking. To some extent that is still true, but there is at least a relative flurry of excitement around the concept today, generated by a series of financial scandals and a raft of new rules and regulations. These include the so-called Sarbanes-Oxley Act, the Basel II Accord, the new Capital Adequacy Directive and the Turnbull Report.
Any organisation with good corporate governance processes will not wait for new rules and legislation, however. Rather, it will have these processes running through the business from top to bottom “like a stick of seaside rock”, says Colin Dixon,
a project manager with the Information Security Forum (ISF), a not-for-profit association dedicated to clarifying and resolving security matters for its 260 members worldwide.
One of the most important roles in setting good practices of corporate governance is played by the information risk manager, says Dixon – a role that id not exist in most organisations until a few years ago. But IT, HR and finance staff also play key roles.
When it comes to addressing information risk, the starting point is to define precisely what this means. The ISF acknowledges it can be broadly defined, and suggests that it refers to “all of the risks that affect or are generated by the use of information and its related information systems or communications services”.
Once defined, information risk must then be evaluated and ranked in order of ‘acceptability’. In other words, says Dixon, all information risks need to be managed “within the organisation’s risk appetite”. That means regular monitoring of the risk management process for both effectiveness and integrity.
A process for reporting risks to stakeholders has to be established – preferably by an independent risk management function answerable directly to the board of directors. Dixon argues that the most common approach – in which risk managers report only to the audit committee – adds an unnecessary layer of bureaucracy that can slow down the process of recognising problems and putting them right.
But what kind of data should be shared with the board? There are many candidates, says Dixon, many reflecting a particular industry focus. For example, the boards of pharmaceutical companies will want to be told if new drug regulations have been breached. But there are more generic areas of security that should be regularly reviewed with senior management, issues the ISF has grouped into five categories: a list of serious information risk incidents; the status of incident management procedures; an assessment of information risks; an evaluation of the cost effectiveness of the organisation’s information risk management procedures; and the threat of litigation arising from an incident.
The information risk manager’s job is never done. The security process must be reviewed and refreshed over and over again, says Dixon. “Corporate governance will not go away, that much is clear,” he says. “In fact, it is going to increase in prominence as the low equity values of recent years begin to recover and stakeholders look to legislators to protect their increasing investment value.”
It is also clear, he argues, that the integrity of individual processes is as important as the process itself. “The new challenge to the information risk management specialists is not just to implement good processes, but also to prove that they are both consistent and repeatable under all foreseeable circumstances.” And that, Dixon concludes, is “a very tall order”.