- 209 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
Managing Risk
About this book
Managing Risk: Technology and Communications is a practical guide to the effective management of technology and communications risks. Frequent high-profile scares, like the Sasser worm and WiFi vulnerabilities, make a proactive approach essential, and this book shows you how to put in place expedient checks, balances and countermeasures.
Business networks are threatened by a host of factors, from employee abuse to non-compliance with data protection and libel laws, from hacker attacks to viruses and from extortion and terrorism to natural disaster.
The costs of failing to manage systems risks can be immense and go beyond simple loss of productivity or even fraudulent losses to brand damage, theft of business secrets, expensive litigation, diminished customer confidence and adverse impacts on personnel and share value. This practical handbook includes examples, checklists and case studies to help you manage such hazards.
The book covers:
- accessibility of information;
- acceptable use of information;
- directors' legal duties;
- general legal compliance;
- protecting networks from external and internal threats;
- encouraging security awareness at management and employee level;
- reputational risk management; and
- national and international risk and security standards.
Managing Risk: Technology and Communications is the indispensable work of reference for IT and technology managers, HR managers, IT legal advisors, company secretaries and anyone seeking practical guidance on technology risks and their management.
Chapter 1
Security – Why Bother?
Foreword
by Richard Hackworth
Computer and communication systems are now central to the success of most, if not all, significant organisations. For the majority of large businesses dependence on information technology (IT) has become critical. If the technology falters then the business is at risk – inability to process transactions, reduced customer service and, potentially most seriously, loss of management control.
Businesses trust IT to protect their business information – information integrity and confidentiality for example. If computer systems fail to provide this protection, the core business benefits of IT are at risk. Effective management control of computer systems is therefore essential. If you doubt this, consider what damage might be caused to the organisation by decisions based on misleading and unquestioned business information (and perhaps ask when the accuracy of the information delivered by the computer systems was last checked).
Rapid increases in use of the Internet, whether for publishing information or for delivering direct transactional services, means that IT mediates the complete relationship between the business and its Internet customers. To an extent, the technology is the customer experience and directly represents the organisation's brand, its values and its integrity.
Computer and communication systems are, therefore, a core business asset and management has a fundamental responsibility to protect assets. Company and criminal law and (where relevant) industry regulators have recognised this and have placed direct responsibilities on boards of directors and senior management to safeguard information systems. These include responsibilities to protect the privacy of personal information about staff, customers and possibly others. Failure to fulfil these obligations might risk breaking the law as well as risking the success of the enterprise.
IT is, therefore, no longer a backroom activity taking place out of sight of customers and competitors (if it ever was). It is in the front line and must be managed accordingly. This chapter presents a concise guide to the main issues and the kinds of practical action that the board should take to address them.
(Richard Hackworth, Group Head IT Security HSBC Holdings)
Introduction 1.1
Only five years ago, any company director, when asked to identify the core assets of his or her business, would almost certainly have answered that it was its products or its workforce. Today, more and more businesses are recognising that one of their most valuable assets is the information they hold. Whether that information is customer databases, know-how or accounting records, the ability to securely store, retrieve and manipulate that information is key to an organisation's success. Information technology (IT) plays a pivotal role in the utilisation of information assets.
The events of the last few years, with damage caused to large organisations on a scale seen before only in disaster movies, have led corporate responsibility for an organisation's assets to assume paramount importance. This was clearly demonstrated by the US Congress' approval in November 2002 of a $903 million measure to improve cybersecurity in the US. As a result, information technology is no longer the exclusive preserve of programmers, technicians and associated specialists, but has moved out of the basement and into the boardroom.
During this period, events at Worldcom, Enron, Arthur Andersen and, most recently, Parmalat have seized the attention of financial regulators, the general public and the press with the result that the actions of companies and their directors are being scrutinised as never before.
This scrutiny is not simply aimed at ensuring proper accounts are kept, but also at ensuring that directors act appropriately in all aspects of their roles, including looking after the assets of the company. In the UK and elsewhere, directors and boardrooms should be looking to ensure that they are fulfilling their duties and obligations to their companies and shareholders.
In broad terms, the list of directors' duties is well established and can be found in the relevant legislation or case law. However, this list is growing and the number of factors that directors must consider when making decisions is increasing as the environment in which companies operate becomes more complex.
This chapter considers the general scope of a director's duty, the changes that are imminent and their duties specifically in the area of IT. This will provide the context for the remainder of the book, which will look at how to protect a business from specific threats posed in the arenas of IT and communications and offer practical advice on managing these risks in a way that does not have a negative impact on a company's business imperative. It should be remembered that over-management of these risks, ie overly complex and expensive systems, can be as detrimental to reaching business goals as under-management. The aim is to ensure that risk management is efficient and effective.
Directors' existing duties 1.2
A director is obliged to comply with all of the duties which an employee must comply with. However, directors are elevated to a greater level of authority and responsibility. A director represents the company both internally and externally and must therefore act properly at all times. The law relating to a director's duties has been developed through case law and statute.
A director has three primary duties which apply to all areas of his or her work.
1. A fiduciary duty to act and exercise all his or her powers in good faith and in the best interests of the company 1.3
This is a broad duty and includes many aspects, although not all, at first sight, are of the most relevance to IT and communications. First, a director must act in good faith in the best interests of the company. Second, directors have a duty not to put themselves in a position where there is an actual or potential conflict between their personal interests and those of the company. Third, they must exercise their powers for a proper purpose. This means exercising their powers over the company's assets (including, for example, IT infrastructure) only for the purpose for which those powers are intended or for the benefit of the company. The final aspect is that a director must not make a personal profit from any opportunities that may result from his or her position without the consent of the company, even if he or she is acting honestly and for the good of the company.
2. To exercise such skill and care as may reasonably be expected of the role 1.4
The duty of skill is judged on a subjective basis and a director is expected to display a level of competence that it would be reasonable to expect from a director with his or her knowledge and experience. In other words, a director with a particular skill in IT will be required to pay closer attention to IT issues than perhaps a fellow director whose experience lies in manufacturing.
The standard of care that is expected of a director is judged objectively. He or she must display a standard of care which would be expected of a reasonable person.
3. To carry out the duties imposed by statute 1.5
A wide range of statutory provisions impose a number of duties on companies and their directors. The most obvious is the Companies Act 1985 and all directors should be fully aware of the requirements imposed on them by the Act. These largely relate to matters of internal management.
There are many other important pieces of legislation which directors need to be aware of in their daily work. Failure to comply can frequently lead to a director being personally liable. For example, the Health and Safety at Work Act 1974 states under section 37 that:
'where an offence under any of the relevant statutory provisions committed by a body corporate is proved to have been committed with the consent or connivance of, or to have been attributable to any neglect on the part of any director, manager, secretary or other similar officer of the body corporate or person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence.'
Proposed reform 1.6
The duties outlined in 1.3 and 1.4 above were set to be codified as part of the Companies Bill which was published by the Government in 2002. In the White Paper, the Government made clear its intention to codify directors' duties in order to clarify the often complex rules, which are currently laid down by inaccessible case law. However, the Government's intentions are taking some time to come to fruition and the Bill is yet to be enacted.
Nonetheless, the Companies Bill certainly reflects the view shared by many, including the Government, that directors must be made more aware of their duties. Deciding on an appropriate method of promoting such awareness has brought its own controversies. The steering committee appointed to review current company law recommended that directors should be required to sign a statement confirming that they had read and understood their statutory duties, in much the same way as under the US rules on financial probity. Instead, the White Paper expressed the Government's view that this kind of statement would 'give a false impression that it was a comprehensive statement of directors' responsibilities'. This would not be the case because, for example, the statement would not include directors' obligations to make returns to Companies House. The Government also believed that there would be a technical problem if directors were made to sign this statement as the obligation to comply with their duties would be binding whether or not they signed the statement; signing would have no legal effect. The Government decided instead to build on the existing procedure of Companies House of sending all new directors a leaflet setting out the procedural information directors must file at Companies House.
A schedule to the Companies Bill sets out the general principles by which all directors (whether executive or non-executive) are bound and a brief summary of these principles can be found at APPENDIX ONE. The Bill signifies a continuing trend towards holding boards of directors to greater account for their actions and for those of their company. It is easy to see how some of these principles have a clear relevance to IT. For example, the implementation of suitable IT systems can have a huge positive impact on the promotion of a company's objectives. Conversely, an improper use of technology can have seriously detrimental consequences to both the company and its directors. As with the current law, the Bill lays down the principle that an IT director must pay greater attention to issues involving IT than his or her fellow directors and may be held to account for a failure to do so. For example, an action could be brought against an IT director by fellow directors and/or shareholders for any loss suffered by the company as a result of his or her failure to exercise the skill expected from a director with knowledge of IT. These civil remedies are laid down by case law and there are no plans to codify them.
Attention is particularly, and intensely, focused on the way large companies conduct themselves at the moment following the major corporate failures at Enron, Worldcom and Parmalat. A Private Member's Bill (Performance of Companies and Government Departments (Reporting)) is currently before the House of Commons. Amongst other changes, it seeks to make social, financial and environmental reporting mandatory as well as establishing a regulatory body to oversee environmental and social standards. It also seeks to place specific duties and liabilities on directors and companies with respect to social, financial and environmental issues. At the time of writing, the Bill has not been timetabled to proceed to committee; however, the Bill is indicative of a move towards codification of the duties imposed on companies and their directors in order to improve the transparency and accountability of corporate governance. This is also true of the Companies (Audit, Investigations and Community Enterprise) Bill, which has been before committee and is currently progressing through the House of Lords. This strives to restore investor confidence in companies following the financial scandals of the past few years. It will implement the recommendations put forward in a number of reports following Enron and Worldcom, principally on the strengthening of audit regulation and creating improved answerability in corporate governance.
IT 1.7
As mentioned above, the correct use of IT can enable a business to fully exploit its informational assets thereby increasing efficiency, customer service and, ultimately, its profits. However, IT poses specific problems to a company and a company's involvement with IT can have a significant detrimental impact on its business in a myriad of ways if it is not managed properly. These include the following.
System crashes 1.8
Sudden computer failure can cause chaos resulting in business interruption and significant loss. Many of us who work in offices will be all too familiar with the effects the failure of a computer system can have. Those effects are even greater where a system crash results in an interruption in the supply of goods and services to customers, often leading very quickly to severe damage to reputation and to a loss of business. The Chartered Management Institute (CMI), in association with the Business Continuity Institute, Colt Telecom and Nortel, has recently undertaken research into how well prepared UK companies are for events that may cause disruption to their business. The results were rather worrying; only 47 per cent of organisations have any kind of business continuity plan, meaning that more than half of the businesses in this country would be totally unprepared for a disaster, large or small. The business continuity plans that are in place were found to concentrate heavily on disruption caused to business from a loss of IT or telecommunications services. Although this is a vital area to cover in any continuity plan (nearly half of the incidents of disruption to business were found to be caused by an interruption or failure of these services), it must be borne in mind that there are a number of other disruptive events that should be gi...
Table of contents
- Cover
- Title
- Copyright
- Preface
- About the Authors
- Contents
- Table of Cases
- Table of Statutes
- Table of Statutory Instruments
- 1. Security – Why Bother?
- 2. Risks to the Network
- 3. Employee-Related Risk
- 4. Transaction-Related Risk
- 5. Online Reputational Risk
- 6. Other Communications Risks
- 7. Managing Operational ICT Risk with Standards and Best Practice
- Appendices
- Glossary
- Further Reading
- Index
Authors: Jonathan Armstrong, Mark Rhys-Jones and Daniel Dresner. Subject: Computer Science & Information Management.