The CFO’s guide to IT Risk
In many organisations, the IT function reports directly to the CFO or FD, yet few finance professionals are equipped to understand the technical complexities of IT. Add to this the barrage of reports on common software vulnerabilities, sensitive data leaks and malicious software ('malware' or 'ransomware'), along with the importance IT systems have in virtually all organisations today, and you may begin to despair.
Despite this bleak picture, the CFO is in fact ideally placed to monitor and manage IT risk. The discipline is little different from managing risk in other areas of the business, which CFOs should be quite familiar with. KPMG's recent article on cyber security highlighted a number of areas boards need to consider, including:
- Board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT.
- Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.
Business Continuity Planning
CFOs are often viewed by IT managers as the holder of the purse strings, yet if the functions work more closely together there can be great benefits for both parties. The CFO can guide the IT manager in where the greatest risks lie within the business and where to focus their attention, and can then work as the advocate within the business for necessary expenditure. In looking at alternative solutions, the IT manager can often make significant operational savings for the business.
A good place to start such a fruitful relationship is in reviewing the Business Continuity Plans of the business. Reviewing and questioning these plans, how they work for each IT system and the business impacts in each case, will invariably lead to productive debate. This should enable risks to be clearly identified and quantified.
The areas outlined by the KPMG report provide a good structure around which to address these risks.
Many CFOs will be surprised at the level of risk mitigation which is common in even the most rudimentary IT implementation. 'Redundancy' is a familiar word to all IT managers, and the simultaneous failure of several elements of a system is often allowed for.
Within these multiple-redundancy implementations, areas of risk can be difficult to identify, and are often not immediately apparent. Replication across two sites, for example, ensures the loss of one site shouldn't excessively disrupt your IT systems. But what if a ransomware attack is replicated across both sites? Even in a replicated environment, a backup is still required to mitigate some risks.
Further, it's important to ensure all processes within the system are being followed as documented. Manual tasks such as changing backup tapes and moving them off site will often look good on paper but may not be followed in practice. Automated systems with daily reporting will often prove more efficient and more easily verified.
In all cases, regularly testing and challenging the existing Business Continuity Plans is essential.
Avoiding risk in IT will often be achieved by choosing the correct solutions. Before committing to hardware or software projects or expenditure, the changes should be viewed in the light of the existing Business Continuity Plans. In many cases, no changes will be necessary and no additional risks will be introduced. Occasionally a more detailed review will be required.
Moving to cloud software from on-site implementations for the first time may fall under the latter category. This can be a challenging area for both the CFO and the IT manager.
Nobody can ever guarantee the complete removal of risk; however, choosing the right cloud provider can provide some comfort. ISO certification demonstrates that a provider implements appropriate policies and processes to manage risk, and should be seen as desirable in any cloud provider.
In many cases, a cloud provider will have greater resources and expertise than an IT department to provide network and systems security. In this respect, cloud implementations shouldn't be considered the highest risk option without first scrutinising the alternatives.
Accepting risk is often a neglected option, particularly within IT implementations. Not every data breach, for example, represents a significant risk to the business; breaches of sensitive data should be the focus of concern.
It may be appropriate to create separate IT systems with varying degrees of security and risk management, and to segregate company data and processes within these systems. This can be a complex process to initiate, but can provide significant cost savings and improved risk management if correctly implemented.
Outsourcing systems and processes, or moving to cloud providers, will often result in a transfer of processes and costs; however, it will rarely result in a genuine transfer of all risks. In these cases, a detailed assessment of the risks is still required, with particular attention paid to contract terms.
A more effective and robust method of transferring IT risk is ensuring adequate insurance is in place. Most businesses will already have some form of insurance in place; however, it's important to read the fine print. Some insurers are now excluding cyber attacks from their standard liability insurance, for example, but this can often be covered at extra cost.
The way forward
While risk management in IT is a subject many would prefer to avoid completely, it is an area which will impact almost all businesses. Ignoring the risks that exist will do nothing to prevent the consequences when things go wrong.
The IT market is dynamic and fast-moving, with many suppliers and products presenting alternative methods to achieve the same end. CFOs must work closely with IT managers in reviewing these products from a cost and risk perspective, which will often result in cost-effective solutions that are suitable for the business.
By Gareth Dyson, CFO at Redstor