Another Study Supports The Need for Awareness and Executive Support

I’m always interested to read survey results related to information assurance. Of course the readers need to take the interpretations and summaries with a grain of salt; very few surveys are statistically representative of all organizations.

I ran across a recent risk management survey done by The Economist Intelligence Unit that provides some conclusions that reinforce what many information assurance leaders have been preaching about a lot lately, and what I’ve blogged about many times: the insider threat is significant and must be addressed through awareness, and executive leaders must strongly support risk management efforts.
A little background about the survey and report:

“In February 2007, The Economist Intelligence Unit surveyed 218 executives around the world about their approach to risk management and their perception of the key challenges and opportunities facing the function. The survey was sponsored by ACE, IBM and KPMG. Respondents represent a wide range of industries and regions, with roughly one-third each from Asia and Australasia, North America and western Europe. Approximately 50% of respondents represent businesses with annual revenue of more than US$500m. All respondents have influence over, or responsibility for, strategic decisions on risk management at their companies and around 65% are C-level or board-level executives.”

The major conclusions and findings:
* Risk management must be embedded within every area and level of the business.
* The risks that businesses are not addressing well are those from human actions, regulatory compliance, reputation and IT.
* “the key determinant of success in risk management has become the need to ensure that a strong culture and awareness of risk permeates every layer of the organisation.”

* It is increasingly common to appoint a Chief Risk Officer (CRO).

The study results also support the need to have risk management initiatives clearly and consistently supported by executive leaders.

“With a strong culture and awareness of risk cited as being the most important factor in determining the success of risk management, close integration between risk and other functions in the organisation is clearly important. At present, however, progress on embedding risk in other parts of the business appears to be patchy.”

Indeed, this seems like it should be common sense, yet it is so rarely accomplished.

To successfully mitigate risks to a level acceptable to the business, all members of an organization must be aware of *WHAT* the risks are, *WHY* they are of concern to the business, and *HOW* to perform their job responsibilities in such a way as to reduce the risks.

All personnel must receive regular training and ongoing awareness communications to keep the issues at the forefront of their minds, and to help them incorporate practices that safeguard information assets and preserve privacy into their day-to-day work activities.
