The CFO’s guide to IT risk

Avoiding risk

Avoiding risk in IT is often achieved by choosing the right solutions in the first place. Before committing to a hardware or software project or any related expenditure, the proposed change should be reviewed against the existing business continuity plans. In many cases no changes to those plans will be necessary and no additional risk will be introduced. Occasionally a more detailed review will be required.

Moving to cloud software from on-site implementations for the first time may fall under the latter category. This can be a challenging area for both the CFO and the IT manager.

Nobody can ever guarantee the complete removal of risk, but choosing the right cloud provider can reduce it and provide some assurance. ISO certification (ISO/IEC 27001 is the relevant standard for information security management) demonstrates that a provider has implemented, and is independently audited against, appropriate policies and processes for managing risk, and should be seen as desirable in any cloud provider. It is worth checking that the scope of the certificate actually covers the service and data centres you will be using, rather than some other part of the provider's business.

In many cases, a cloud provider will have greater resources and expertise than an in-house IT department for network and systems security. In this respect, cloud implementations shouldn't be treated as the highest-risk option without first scrutinising the alternatives. Bear in mind, though, that the provider secures the platform while the customer remains responsible for how its own data, users and configuration are managed on it.

Accepting risk

Accepting risk is an option that is often neglected, particularly in IT implementations. Not every data breach represents a significant risk to the business; it is breaches of sensitive data that should be the focus of concern.

It may therefore be appropriate to create separate IT systems with varying degrees of security and risk management, and to segregate company data and processes between them according to how sensitive they are. This depends on first classifying the data the business holds, and can be a complex process to initiate, but if correctly implemented it can deliver significant cost savings and better-targeted risk management.

Transferring risk

Outsourcing systems and processes, or moving to cloud providers, will often transfer the processes and their costs, but it will rarely result in a genuine transfer of all the risks: the business remains accountable for its data and its customers even when a third party is running the systems. In these cases a detailed assessment of the risks is still required, with particular attention paid to the contract terms, including what the provider is actually liable for if something goes wrong.

A more effective and robust method of transferring IT risk is to ensure adequate insurance is in place. Most businesses will already have some form of insurance, but it's important to read the fine print. Some insurers now exclude cyber attacks from their standard liability policies, for example, although this cover can often be added at extra cost.

The way forward

While risk management in IT is a subject many would prefer to avoid altogether, it is an area that will affect almost every business. Ignoring the risks that exist will do nothing to prevent the consequences when things go wrong.

The IT market is dynamic and fast-moving, with many suppliers and products offering alternative routes to the same end. CFOs must work closely with IT managers to review these products from both a cost and a risk perspective, which will often lead to cost-effective solutions that suit the business.

Gareth Dyson is commercial manager at Redstor.
