Managing Risk Is Its Own Reward

CHICAGO -- When TJX Cos., the operator of more than 2,500 retail stores, including the TJ Maxx and Marshall's chains, suffered a security breach in 2007, at least 45.7 million customer credit- and debit-card numbers were compromised. Damage to the retailing giant may exceed $250 million in fines and settlements once the dust clears, according to Richard Hunter, a vice president and fellow at industry research firm Gartner, who shared the cautionary tale at the Gartner Business Continuity Management Summit here earlier this month. Yet avoiding quarter-billion-dollar Band-Aids shouldn't be the only goal, he told the crowd. "The enterprise that manages IT risk well can pursue valuable opportunities that other firms would consider too risky," Hunter explained. "Management, not technology, is the key to controlling vulnerability to risk." External threats will always exist, Hunter said, but a company that can effectively manage its vulnerabilities -- simplifying (and cutting expense out of) its technology infrastructure when necessary -- is also better able to focus its risk management resources on those vulnerabilities. That kind of forward-thinking management will open up potential revenue sources -- revenue that competitors, overestimating the risk, may never capitalize on. At the same time, successful handling of risk -- and preparation for business continuity -- also involves keeping a company from taking unwarranted risks, Hunter said. Understanding which risks are worthwhile -- and which ones are reckless -- means a company "can look for ways to push the [business] envelope," Hunter added, but the company shouldn't try without knowing the potential business risks. Therefore the technology staff and management need to work together to identify risks and to determine the tradeoff between risks and business objectives. The most dangerous risks are the ones that are never considered or considered too late, Hunter added. But trying to avoid all risks means lost business opportunities. In assessing that tradeoff, a company needs to look at both short- and long-term factors, Hunter said. For example, some companies have their CRM information embedded in such a way that it can't be separated if necessary (e.g., to sell a business unit). Therefore, Hunter recommended that firms embed IT risk management into every business decision. He further suggested that companies conduct quarterly risk assessments -- using simple spreadsheets -- to help determine which risks are most in need of attention. In doing so, enterprises will build risk-aware cultures rather than risk-averse ones, he said -- and risk-aware business cultures have a high degree of "psychological safety." Technology personnel and others within the risk-aware organization can conduct open discussions about risks and strategies for managing them. In risk-averse cultures, no one wants to talk about risk -- which means no business continuity solutions are planned or ready in the event of a disaster. Risk-aware companies accept calculated risk, and share both risk and risk management throughout the organization, Hunter said, meaning that risks and opportunities are managed on an enterprisewide basis, rather than department by department. At TJX, for example, the breach reportedly occurred because the company was using the relatively weak Wired Equivalent Privacy (WEP) security standard rather than stronger, readily available standards, according to Hunter. An open discussion about what could happen if someone broke through the WEP security could have alerted the company to the potential risk. In that kind of risk-averse scenario, a company misses out on opportunities -- as well as a chance to potentially avoid problems -- because it is avoiding risk rather than managing it (i.e., with stronger security protocols).

Related articles: Businesses Protect Data by Sending It Out More companies are hosting key segments of their IT systems to ensure better disaster recovery and less system downtime. When Disaster Strikes CRM technology can help put the pieces back together. Enterprises Risk End Point Exposure Definitions of end point security vary among managers; instant messaging poses a growing threat to sensitive info. Feature: Planning Ahead for Data Disaster In the age of e-business, anything that interrupts your data systems can spell disaster -- from acts of nature to human interference to mechanical failure. So advance planning is more important than ever. Fear and Loathing in the Database A company's CRM system might make it vulnerable, but with risk comes opportunity. Viewpoint: Mission Possible: Secure Remote Computing It plays a key role in reducing costs and improving productivity for today's CRM initiatives. Remote Resolution Finds Business Continuity Business continuity, security concerns, and the expanding mobile workforce are the main drivers behind the projected growth of the remote access services market. Viewpoint: Disaster-Proofing Customer Care Take effective measures to protect your centers.