The Non-IT Manager’s Role in Enterprise IT Risk Management

Enterprise IT Risk Management
Author: Nishani Edirisinghe Vincent, Ph.D., ACMA, CGMA and Vinod U. Vincent, DBA, SHRM-SCP, SPHR
Date Published: 1 May 2019

The impact of IT on business operations cannot be ignored in today’s business environment. Not only has IT infused innovation, but it has also enabled enterprises to reach new markets, create new business models, provide more efficient customer service and integrate supply chains. For example, incorporating drone technology reduces logistical challenges and expedites distribution for organizations such as Amazon and Walmart.[1, 2] However, the proliferation of IT in every business process has increased associated risk. For example, in October 2016, a cyberattack on Twitter, Amazon, Spotify and Reddit caused service interruptions and outages for approximately two hours.[3] Further, cyberattacks on Anthem, Home Depot and Target have cost organizations millions of US dollars in settlements and lost customers.[4]

Although many business managers tend to believe that protecting an organization from cyberattacks is the responsibility of the IT department alone, most threats to information systems are a result of policy, procedure and control failures in non-IT functional departments. For example, hackers obtained network credentials for the Target attack through a third-party vendor that provided refrigeration, heating and air conditioning services.[5] In another example, malfunctioning equipment that controlled electricity was the cause of a Delta system failure in 2016.[6] Therefore, IT risk management must become an enterprise effort that spans all functions of the value chain rather than just remain an IT functional responsibility. To reduce IT risk exposure, organizations should not only focus on the technical infrastructure, but also create a risk-aware culture across the organization and, accordingly, manage people, processes and policies. Consequently, it is essential that non-IT functional managers become champions of IT risk management and assist the IT department in mitigating IT risk.

IT Risk Concerns

The primary goal of most organizations is to realize profits by providing value to their customers. Value is largely derived through the primary activities of the value chain (i.e., inbound logistics, operations, outbound logistics, marketing and sales, and services).[7] Although the value chain may look different based on the nature of the industry (e.g., a manufacturing organization vs. a service organization), it is central to the overall business function of any organization. Therefore, a breakdown in the value chain can have catastrophic consequences. With the integration of IT in all aspects of the organization, IT risk factors are prevalent across the value chain.

Inbound Logistics
Technology is used to increase the efficiency and effectiveness of activities related to receiving, storing and distributing inputs for operations. Many of today’s enterprises use vendor-managed inventory systems and electronic data interchange to communicate with their suppliers. However, there are threats associated with the heavy dependence of inbound logistics on IT. IT threats increase when system boundaries are blurred as a result of integrating with external parties. Further, providing access points to external parties increases system vulnerabilities. For example, in June 2016, CHI Franciscan Health Highline Medical Center in Burien, Washington, USA, reported a data breach on a network server affecting more than 18,000 individuals. The breach was a result of one of its vendors leaving patient information accessible over the Internet from April to June 2016.[8] Consequently, vendor compliance is an important factor that affects the security of an enterprise’s information system.

Operations
Operations includes the transformation activities that change inputs into outputs. A major objective in operations is minimizing costs while maximizing efficiency and effectiveness. Most organizations today depend heavily on automation and standardization to achieve these objectives. However, the increased use of technology to manage operations amplifies the risk exposure. For example, a hotel in Australia had to revert to traditional locks and keys for guest rooms after facing several cyberattacks on its electronic lock system.[9] Hackers are increasingly interested in obtaining sensitive information and intellectual property.[10] Therefore, both investing in new technology that does not have a proven solution against cyberattacks and continuing to use legacy systems that do not have adequate cyberprotections increase IT risk. In addition, vulnerabilities in other functional areas can trigger threats to information systems that will impact operations. For example, as a result of a system failure caused by a power outage in one location, Delta Air Lines canceled more than 400 flights over three days.[11]

Outbound Logistics
Outbound logistics include processing orders, storing, transporting and distributing products/services to the customer. An objective in outbound logistics is to minimize costs while increasing accessibility and value to customers. Consequently, IT can be used to improve inventory management, shipping activities, delivery schedules, etc. Amazon announced a successful trial delivery of products to one of its trial customers in London, United Kingdom, using a drone.[12] Further, Walmart has begun testing drones for inventory management.[13] There are tangible benefits of using technology in outbound logistics. However, if not properly planned and executed, the adoption of new technology can lead to failures, thereby increasing business risk. For example, the installation of a new automated fulfillment system at Sainsbury’s, one of the largest supermarket chains in the United Kingdom, failed and resulted in a loss in profits.[14] Therefore, non-IT managers should educate themselves on the risk associated with each alternative and be more involved in assessing the right technology for the enterprise.

Marketing and Sales
Marketing and sales involve the methods used to promote and sell products and services. Customer data, an essential component of an effective marketing and sales strategy, are critical for revenue generation. The use and storage of vast amounts of customer data using technology brings the added burden of protecting sensitive customer information. In 2014, Home Depot experienced a data breach that affected 56 million customers’ data due to malware installed on cash registers across 2,200 stores.[15] The data breach cost the company US $19.5 million in reimbursements and identity protection services for its impacted customers.[16] The potential damage due to legal settlements, lost reputation and other costs necessitates that marketing and sales managers have a thorough understanding of cybersecurity, privacy and confidentiality laws, in addition to knowledge of protocols, to effectively reduce IT risk exposure.[17]

Services
Service activities include providing customer support, warranty service, responding to customer inquiries and customer training. The objective of services is to enhance the customer experience to increase customer satisfaction, repeat purchases, sales of complementary products and services, and referrals. IT is extensively used to improve customer relationship management. Many enterprises are introducing mobile applications (apps) with access to customer accounts and other online tools to enable a better customer experience. Due to these new techniques, organizations are able to reduce cost by not having to maintain large call centers. However, customer activities, such as connecting to unknown networks, installing unknown mobile apps on their devices and setting low-security levels on their devices, cannot be easily monitored by the enterprise. Thus, these uncontrolled customer activities create significant vulnerabilities to an organization’s network, operating systems and databases.

Even though IT can be used to improve efficiency and effectiveness of activities across the value chain, there are definite risk factors associated with heavy dependence on IT. These IT risk factors, if ignored, can threaten the integrity, confidentiality and security of the organization’s information, hence increasing business risk. To aid the IT department in managing such risk, non-IT managers can use a best practice framework such as COBIT 5[18] to help identify risk sources.

COBIT 5 Framework

COBIT 5 is a comprehensive framework that addresses all aspects of IT governance and management. The framework guides organizations on how to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.[19]

The framework is based on five principles that are built on an enterprise-level perspective of IT governance (figure 1). Guided by the five underlying principles, the framework introduces seven enablers, each of which has four dimensions, which, individually and collectively, work together to achieve a set of IT goals and objectives.

Figure 1

It is important to recognize the enablers and their unique applicability to each organization. To realize the benefits, organizations must ensure that the enablers are functioning as desired. To this end, COBIT 5 encourages managers to measure the performance of the enablers along the four dimensions by asking whether stakeholder needs are met, enabler goals are achieved, the life cycle is managed, and good practices are applied and followed. To be effective, the COBIT 5 framework must be applied in all areas of the organization.

Application of the Enablers to Assess and Reduce IT Risk

Apart from measuring performance, the seven enablers can be used to help identify, assess and reduce IT risk exposure throughout the organization. Therefore, in collaboration with the IT department, non-IT functional managers can use the seven enablers to address and guide IT risk management practices within their department and across the value chain.

Principles, Policies and Frameworks
While policies provide detailed guidance on how to align decision-making with principles, frameworks provide guidance on how to organize activities within an enterprise. A policy should outline what is expected of employees, how to handle exceptions, how to measure performance and what consequences to expect for noncompliance. Managers should identify and balance the conflicting needs of internal and external stakeholders and design policies that are aligned with the organization’s strategy. When setting policies, managers should also consider how policies are related to other enablers. For example, processes are the means of executing policies, organizational structure helps implement policies, and policies can help or hinder the communication of information in an organization.

Managers need to assess whether existing policies and frameworks in their respective departments are following good practices, complying with laws and regulations, adapting to specific situations, and securing the information. Managers should also understand how all activities are interconnected and how all departments need to work together with other divisions to achieve a common goal. For example, operations managers should be aware that vulnerabilities in other divisions can directly impact operations. At the same time, weaknesses in their own IT systems can negatively influence inbound/outbound logistics, marketing and sales, and services divisions. Therefore, in addition to implementing policies that meet the needs of the department, functional managers should also assess general policies that have to be consistent across the enterprise as well as unique policies established in other departments and incorporate those policies in their respective departments where appropriate. For example, a general IT policy would be changing passwords regularly.

Processes
Processes are a collection of practices influenced by the enterprise’s policies and procedures that take inputs from a number of sources (including other processes), manipulate the inputs and produce outputs (e.g., products, services). A process has a life cycle (i.e., a process needs to be designed, implemented, monitored and redefined when required), and each process should have a goal (i.e., a desired outcome). These goals must be intrinsic (e.g., How do they align with principles, policies and good practices?), contextual (e.g., Is the process flexible, customizable and adaptable to various situations?), and accessible and secure (e.g., Is the process accessible only to authorized users?). Once the goals are identified, metrics should be defined to measure whether stakeholder needs are met, enabler goals are achieved, the enabler life cycle is managed and good practices are applied. It is important to understand how the processes enabler is connected to other enablers. Processes need information to function and produce information as an output, depend on organizational structures to operate, require infrastructure and applications to produce outputs, and connect and trigger other processes. Further, the culture of the organization influences how well processes are implemented and followed consistently.

Through a comprehensive analysis, managers should identify the critical processes within each primary activity of the value chain. First, each individual manager can assist by creating a list of existing processes and categorizing them as primary or secondary processes, or as high, medium or low, based on the criticality of the process to the primary activity. Second, since processes can span various departments, managers should identify and establish process ownership. By doing so, organizations will be able to assess the risk exposure of each of the core processes and identify who is responsible for implementing and maintaining risk reduction measures.

Organizational Structures
The organizational structure facilitates decision-making and information flow within an organization. To optimize this enabler, an enterprise should consider not only its own organizational structure, but also its clients’, suppliers’, regulators’ and other stakeholder entities’ organizational structures. Managers should evaluate the adequacy of the organizational structure to facilitate the efficient functioning of processes; escalation and distribution of information for decision-making; timely prevention, detection and correction of IT threats; and appropriate representation of department needs in IT investment selections through membership in steering committees.

Consequently, organizational structures should be established where the functional managers are able to work closely with IT leadership so that they are informed about the current state of technology and information systems. It is important to implement and evaluate the delegation of authority, escalation procedures, span of control and operational procedures, such as frequency of meetings and documentation. Functional managers should work closely with IT to identify information within each department that could alert to potential risk and establish a reporting structure to communicate information from the line staff within each department to IT and vice versa. Organizational structures are critical to the enterprise because they facilitate the function of other enablers.

Culture, Ethics and Behavior of Individuals
These are a set of individual and collective behaviors that determine the behavior of the organization as a whole. The cultural environment has an impact on technology adoption, use and risk management. For example, more risk-taking organizations may exploit innovative technologies to develop new business models, markets and production methods to gain a competitive advantage. However, lack of expertise with new technologies, lack of security protocols and rushed implementations can increase IT risk exposure.

Therefore, functional managers should be acutely aware of IT risk attributed to the adoption of new technologies and set protocols to mitigate those risk factors. They should set an example by following the direction set from top management, addressing IT risk issues within the department, communicating and collaborating with IT, and encouraging employees to follow established processes and best practices. Managers should consider incorporating aspects of IT in performance evaluations to reward employees for exceptional use of systems. Further, managers should consider how unacceptable behavior can be addressed swiftly and what appropriate actions should be taken.

Information
An organization has structured, unstructured, automated or nonautomated information that creates knowledge and adds value to decision-making. The goal of this enabler is to provide information that is accurate, relevant and secure. Good practices adapted for information can vary based on the unique aspects of each industry and/or organization. However, when developing good practices, managers should consider where information is stored, how information is accessed, who can access the information, what is the level and type of information, and what other information is needed to make the available information useful.

Managers must evaluate the different types of information collected, processed and distributed from each process. In particular, managers should recognize sensitive information collected and stored within their respective department and assess the adequacy of controls to protect that information from unauthorized users. Consequently, managers should identify who owns, processes and uses the information.

Services, Infrastructure and Applications
These are resources in an organization that influence the delivery of IT-related services and can be provided by internal or external stakeholders. Functional managers should establish goals for applications, infrastructure and technology based on organizational and departmental needs. Good practices related to this enabler are technical in nature and include establishing architectural principles (such as reuse, build vs. buy, simplicity, agility and openness), definitions, repository and service levels.

Managers must identify and evaluate IT resources (e.g., equipment, machinery, apps, hardware and networks) used in each department. Since infrastructure and apps are important resources, timely maintenance of these resources is imperative for the organization’s continuing performance. For example, malfunctioning or obsolete equipment can cause threats to the enterprise’s information systems by catching fire, providing an access point for hackers, or by deviating from the normal configuration and causing quality issues for products. Therefore, by identifying critical services and planning and providing adequate maintenance to equipment, functional managers can help reduce IT risk.

Even though most activities in this regard can be technical in nature, functional managers should be aware of the interrelatedness of these IT resources, recognize internal and/or external stakeholders who interact with the resources, and understand the impact of departmental choices regarding IT resources on the overall business. Another important aspect that needs management’s attention is end-user computing. With the increased use of personal mobile devices at work, employees may be exporting data into outside apps to organize and report certain information in an understandable manner. Even though these apps may be harmless, managers should understand that stand-alone apps can increase IT risk exposure. Consequently, managers should make an inventory of individual apps used, educate themselves on the danger of exporting data to other systems, and monitor whether employees use stand-alone apps, such as spreadsheets and Access databases, to maintain information. Further, managers should be aware of, and communicate, the dangers of downloading and maintaining various entertainment-related mobile apps (such as games and apps to watch TV/movies and listen to music) on devices used for organizational activities.

People, Skills and Competencies
This enabler emphasizes the importance of having capable employees not only internally, but also externally, with those including suppliers, distributors and recruiters. The goal is to find and retain qualified individuals with the right education, technical skills, experience, knowledge and behavior required to effectively perform their responsibilities. Good practices need to be established at various stages of acquiring and developing the skill level of employees. These practices may include tools such as background checks, competency tests, personality tests, training, continuing education and performance evaluations. In addition, managers should assess whether an appropriate level of staff is maintained and also plan for employee turnover to ensure that skills and competencies are retained within the organization.

Managers should conduct periodic audits to assess if employees have the necessary skills to effectively perform their responsibilities. Unskilled workers can cause disruptions to machinery and hinder the enterprise’s value-chain activities. Further, not having the right skills within the organization may also force the enterprise to use legacy systems when more efficient and effective systems are available, restrict the ability to invest in new technologies, and/or hinder the ability to maximize the benefits offered by the existing systems. Foregoing these opportunities not only has a negative impact on the organization’s performance, but also may increase its IT risk exposure. Therefore, managers should assess the necessary skill level within each functional area, work together with IT to identify the skills needed to optimize the existing technology, plan for the future based on technological changes, provide adequate job-related training and educate employees on how their jobs impact the performance of other functional areas.

Conclusion

IT risk is not necessarily technical and can originate in various forms throughout the organization. Although protecting an organization from IT risk is primarily the responsibility of the IT department, given the numerous access points to an enterprise’s IT system across the value chain, it has become increasingly difficult for the IT division alone to sufficiently mitigate IT risk exposure. Therefore, non-IT functional managers should more closely collaborate with the IT department and be the first line of defense against IT risk. However, identifying IT risk, especially for nontechnical managers, can be a daunting task.

Non-IT functional managers should evaluate the adequacy of principles, policies and frameworks used in each department and understand the impact of those policies on IT risk management. Moreover, managers must establish data ownership in processes and understand how processes within the department are interconnected with other processes outside the department and overall organizational IT risk management. Since organizational structures and culture influence all other enablers, managers need to establish structures that facilitate IT risk management and build an IT risk-aware culture within each functional area. Each functional manager should identify information that is gathered and processed in each of their departments that may be useful for IT risk management and communicate this information with the IT department. Further, infrastructure, equipment, software, hardware and apps used in each department should be evaluated to identify any sources of risk that can impact the information systems within and outside the department. Finally, hiring and retaining skilled employees and providing adequate training with regard to IT risk is critical to reducing IT risk exposure.

Endnotes

1 Johnson, K.; D. Martinez; “Keeping Up With the Drones(es),” JDSupra Business Advisor, 11 January 2017, www.jdsupra.com/legalnews/keeping-up-with-the-drones-es-74395/
2 O’Brien, M.; “Walmart Testing Drones for DC Inventory Management,” Multichannel Merchant, 6 June 2016, http://multichannelmerchant.com/news/walmart-testing-drones-dc-inventory-management-06062016/
3 O’Brien, S. A.; “Widespread Cyberattack Takes Down Sites Worldwide,” CNN Money, 21 October 2016, http://money.cnn.com/2016/10/21/technology/ddos-attack-popular-sites/
4 Pierson, B.; “Anthem to Pay Record $115 Million to Settle U.S. Lawsuits Over Data Breach,” Reuters Business News, 23 June 2017, http://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML
5 Krebs, B.; “Target Hackers Broke in Via HVAC Company,” KrebsonSecurity, 14 February 2014, http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
6 Sasso, M.; T. Black; “Delta System Failure Marks Wake-Up Call for Airline Industry,” Bloomberg Technology, 9 August 2016, http://www.bloomberg.com/news/articles/2016-08-10/delta-s-systems-failure-marks-wake-up-call-for-airline-industry
7 Porter, M. E.; Competitive Advantage: Creating and Sustaining Superior Performance, The Free Press, USA, 1985
8 Landi, H.; “Vendor Error Left 18,000 CHI Franciscan Hospital Patients’ Information Accessible Online,” Healthcare Informatics, 12 September 2016, www.healthcare-informatics.com/news-item/cybersecurity/vendor-error-left-18000-chi-franciscan-hospital-patients-information
9 Smith; “Ransomware Locked Hotel Out of Its Electronic Key Lock System,” Network World, 29 January 2017, www.networkworld.com/article/3162764/security/ransomware-locked-hotel-out-of-its-electronic-key-lock-system.html
10 Sikich, “2016 Manufacturing Report: Key Finding; Manufacturers Are Vulnerable to Cyber Threats,” April 2016, http://www.sikich.com/insight/2016-manufacturing-report/
11 Op cit. Sasso and Black
12 Op cit. Johnson and Martinez
13 Op cit. O’Brien, M.
14 Clark, L.; “Sainsbury’s Writes Off £260m as Supply Chain IT Trouble Hits Profit,” ComputerWeekly, 25 October 2004, http://www.computerweekly.com/news/2240058411/Sainsburys-writes-off-260m-as-supply-chain-IT-trouble-hits-profit
15 Bose, N.; “Home Depot Confirms Security Breach Following Target Data Theft,” Reuters, 9 September 2014, www.reuters.com/article/us-usa-home-depot-databreach-idUSKBN0H327E20140909
16 Stempel, J.; “Home Depot Settles Consumer Lawsuit Over Big 2014 Data Breach,” Reuters, 8 March 2016, www.reuters.com/article/us-home-depot-breach-settlement-idUSKCN0WA24Z
17 PricewaterhouseCoopers, “The Evolving Boardroom: Signs of Change,” www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/assets/pwc-2015-annual-corporate-directors-survey.pdf
18 ISACA, COBIT 5, USA, 2012, 4crt.rf518.com/COBIT/Pages/COBIT-5.aspx
19 Ibid.

Nishani Edirisinghe Vincent, Ph.D., ACMA, CGMA
Is an assistant professor of accounting at the University of Tennessee at Chattanooga (USA). Her research interests are in IT governance, IT risk management and the broad area of accounting information systems, which stem from her professional experience as an enterprise resource planning systems implementation consultant. She is also an associate member of the Chartered Institute of Management Accountants in the United Kingdom (ACMA). She can be reached at surani-vincent@utc.edu.

Vinod U. Vincent, DBA, SHRM-SCP, SPHR
Is an assistant professor of management at Clayton State University (Morrow, Georgia, USA). Vincent’s research interests include managerial cognition, intuition, decision making and human resources topics such as employee selection. His research focuses on expanding the understanding of managerial decision making in organizational environments. Vincent has more than 12 years of experience in the US healthcare staffing industry, where his expertise includes new business ventures, strategic management, business operations management, employee selection, performance management, and employee training and development. He can be reached at VinodVincent@clayton.edu.