Mid-market firms are not managing their information risk effectively, stopping growth
Businesses are failing to apply effective information risk management practices because information risk remains widely misunderstood by chief executives and board members, according to GR’s sister title StrategicRISK.
As a result, firms are missing out on the benefits and strategic advantages that effective information risk management has to offer, according to the latest report by PwC and Iron Mountain, Beyond Good Intentions.
The report highlights a prevalent disconnect among mid-market firms across Europe and North America, between the intent to manage information risk more effectively and the procedures being practiced by the company.
Furthermore, the responses from chief executive, financial and information officers and directors indicate a significant misunderstanding of where the responsibility for information risk lies within the company, with 46% of European and 32% of North American respondents citing the IT security manager as having ultimate responsibility for information risk.
As a result, mid-market firms remain inhibited by ineffective information risk management where a strong focus on protection means valuable information is locked down and unavailable to serve for innovation and growth.
PwC risk assurance partner Claire Reid said: “Companies are still focussed on protecting their information risk, rather than seeing the value that can be derived from managing their information well.
“Organisations need to join up much better because information risk is not owned by the IT department and it needs to be brought into the key board decisions.”
Iron Mountain head of information risk Christian Toon believes firms need to spread responsibility for information risk across the company.
He said: “One thing to come out of the study as one of the best practices was this sharing of responsibility for information insurance, which correlates a lot with risk.
“It shouldn’t be just one part or area of the business that is the responsible owner for the risk. It needs to sit across the organisation because everybody deals with risk on a day-to-day basis, they probably just don’t know it.”
Understanding information risk is the first challenge for many firms, according to Toon, who said locking down a company’s critical information is an easy solution for executive decision makers to take when they lack fundamental understanding of the risks attached.
Implementing appropriate practices for critical information according to the firm’s profile and risk appetite should be recognised as a board level issue, Reid said.
However, only 37% of survey respondents have an information risk strategy in place that is effectively monitored and only 27% have a company policy for the safe security, storage and disposal of confidential information.
Reid said: “In a well-structured governance, responsibility falls on the chief executive and the risk manager will facilitate around that but, ultimately, the board will always pay the price.”