Add to this the barrage of reports on common software vulnerabilities, sensitive data leaks and malicious software (“malware” or “ransomware”), along with the importance IT systems have in virtually all organisations today, and you may begin to despair.
Despite this bleak picture, the CFO is in fact ideally placed to monitor and manage IT risk. The discipline is little different from managing risk in other areas of the business, which CFOs should be quite familiar with. KPMG’s recent article on cyber security highlighted a number of areas boards need to consider, including that board directors need to understand and approach cyber security as a business risk issue, not just a problem for IT. Discussions of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer, as well as specific plans associated with each approach.

Business continuity planning

CFOs are often viewed by IT managers as the holder of the purse strings, yet if the functions work more closely together there can be great benefits for both parties. The CFO can guide the IT manager in where the greatest risks lie within the business and where to focus their attention, and can then work as the advocate within the business for necessary expenditure. In looking at alternative solutions, the IT manager can often make significant operational savings for the business. A good place to start such a fruitful relationship is in reviewing the business continuity plans of the business. Reviewing and questioning these plans, how they work for each IT system and the business impacts in each case, will invariably lead to productive debate. This should enable risks to be clearly identified and quantified. The areas outlined by the KPMG report provide a good structure around which to address these risks.

Mitigating risk

Many CFOs will be surprised at the level of risk mitigation which is common in even the most rudimentary IT implementation. “Redundancy” is a familiar word to all IT managers, with failure of multiple elements of any system simultaneously often allowed for. Within these multiple-redundancy implementations, areas of risk can be difficult to identify, and are often not immediately apparent.
Replication across two sites, for example, ensures the loss of one site shouldn’t excessively disrupt your IT systems. But what if a ransomware attack is replicated across both sites? Even in a replicated environment, a backup is still required to mitigate some risks. Further, it’s important to ensure all processes within the system are being followed as documented. Manual tasks such as changing backup tapes and moving them off site will often look good on paper but may not be followed in practice. Automated systems with daily reporting will often prove more efficient and more easily verified. In all cases, regularly testing and challenging the existing business continuity plans is essential. Avoiding, transferring, accepting risk… how can your CFO best mitigate IT risk in the business? Find out by continuing to read on page two.
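The point above, that replication is not a backup and that manual backup processes need to be verified rather than trusted on paper, is the kind of thing an automated daily report can make visible. The following is an added example, not code from the article or from KPMG: a small policy check over a constructed inventory of backup sets that flags systems whose latest backup is stale, that have no offline or off-site copy (the case where a replicated ransomware infection would destroy both sites), or that have not had a restore test recently. The system names, dates and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class BackupSet:
    """One system's backup status as it would appear in a daily inventory."""
    system: str
    last_backup: date
    # True when a copy exists that production cannot overwrite: tape taken
    # off site, or immutable/object-locked storage. Site-to-site replication
    # alone does not count, because it copies an encrypted volume faithfully.
    offline_copy: bool
    last_restore_test: Optional[date]


# Constructed sample data (hypothetical systems and dates, not real records).
TODAY = date(2024, 3, 15)
SAMPLE_SETS = [
    BackupSet("finance-erp", date(2024, 3, 15), True, date(2024, 2, 1)),
    BackupSet("file-server", date(2024, 3, 11), True, date(2023, 11, 30)),
    BackupSet("crm", date(2024, 3, 15), False, None),
]


def check_backups(
    sets: List[BackupSet],
    today: date,
    max_age_days: int = 1,
    max_restore_test_days: int = 90,
) -> List[Tuple[str, str]]:
    """Return (system, finding) pairs for every policy breach.

    Thresholds are assumptions: a backup older than one day, no offline copy,
    or no successful restore test inside 90 days each produce a finding.
    """
    findings: List[Tuple[str, str]] = []
    for b in sets:
        age = (today - b.last_backup).days
        if age > max_age_days:
            findings.append((b.system, f"last backup is {age} days old"))
        if not b.offline_copy:
            findings.append(
                (b.system, "no offline/off-site copy; replication alone would "
                           "propagate a ransomware infection to both sites")
            )
        if b.last_restore_test is None:
            findings.append((b.system, "backup has never been restore-tested"))
        elif (today - b.last_restore_test).days > max_restore_test_days:
            findings.append(
                (b.system,
                 f"last restore test was {(today - b.last_restore_test).days} "
                 f"days ago (limit {max_restore_test_days})")
            )
    return findings


def daily_report(sets: List[BackupSet], today: date) -> str:
    """Render the findings as the plain-text summary a CFO could be sent daily."""
    findings = check_backups(sets, today)
    if not findings:
        return f"{today}: all {len(sets)} backup sets within policy"
    lines = [f"{today}: {len(findings)} finding(s) across {len(sets)} backup sets"]
    lines += [f"  - {system}: {msg}" for system, msg in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(daily_report(SAMPLE_SETS, TODAY))
```

Run daily against the real backup inventory, a report like this turns the "is the tape actually changed and taken off site?" question from an audit exercise into a line item that is either green or not, which is the verifiability the article asks for.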