|Total Information Risk Management|
Authors: Alexander Borek, Ajith K Parlikad, Jela Webb, Philip Woodall
Managing information risk is increasingly important to large organizations. Does this book help?
Most companies are very dependent on electronic data, but that can be a mixed blessing. Once information has been entered into a database there’s a tendency to treat it as completely reliable even though there’s been little or no quality control at the data gathering stage. What is needed is better management of the initial processes, along with techniques to assess data over its life. This book is about one technique to address this need.
The book is divided into four parts; general concepts, the process of TIRM (Total Information Risk Management); advanced risk assessment techniques and software tools; and a conclusion. Total Information Risk Management in the terms of the book is a set of processes invented by one of the authors, Alexander Borek. It’s essentially a consolidation of other EIM (Enterprise Information Management) techniques along with ways to quantify risk, put together as a framework and set of best practices for information management.
The book opens with a discussion of what data and information assets are, and their importance, along with the dangers of low quality data. EIM is then introduced and the authors discuss the challenges that big data has added to managing data. In these early chapters the book reads rather like an academic paper, with many references to what other authors have said. For example, in a paragraph on ‘is data the new oil’, there were five references to other authors, the publications in which the quotes were made, and the date it appeared. So we find that the question about new oil “was posed by Perry Rotella in an article in Forbes.com, a leading business magazine (Rotella, 2012), referring to a comparison by Clive Humbyat at the ANA Senior Marketer’s Summit 2006 at Kellogg School of Management, and to Michael Palmer’s blog post” – you get the idea. I’m all in favor of referencing the original source, but it does make reading harder going. Add in tips marked IMPORTANT on many pages, and it’s harder again. Chapter 3 looks at how data and information create risk, and while the main thrust is that managing information collection well means you get poor data quality, the authors do discuss the problem clearly. Chapter four introduces Enterprise Risk Management as it is defined in a number of risk management standards.
Part 2 of the book is where the authors really get into their main material, starting with an overview of the Total Information Risk Management process and model. The next three chapters take each of the stages of TIRM in turn, starting with setting the context in terms of the goals, initial scope and responsibilities of the process. The authors correctly point out that a major risk in one organization—for example, due to regulatory requirements, a particular competitive environment, or organizational culture—can be a low risk in another organization that operates in a different context.
Having set out the context, the authors then give a step-by-step guide to implementing the information risk assessment stage of the TIRM process, followed by a step-by-step guide to the risk treatment stage where you hopefully work out how to reduce the risks to your data. The final two chapters in this part of the book show how to make TIRM part of the everyday data management in an organization; and the section ends with a case study showing how TIRM was implemented in an energy utility company.
I found the final part of the book the most interesting as it covers the actual techniques and tools used in TIRM. There’s a good chapter on risk assessment techniques where the authors discuss Delphi questionnaires, Monte Carlo simulations, risk indices and what-if analysis using SWIFT (Structured What If Technique), FN curves, root cause analysis, and fault tree analysis. The chapter on software tools starts with a useful discussion of general techniques such as analysis of data columns, domains and cross domains, lexical analysis and semantic profiling. The rest of the chapter is devoted to a software tool developed by the authors called Inforas that is designed for assessing the information risks in an organization. The book ends with a chapter on getting employee buy-in to TIRM, and a conclusion.
I found it difficult to work out my final thoughts on this book. I’d hoped for a general discussion of risk management for information, and felt a bit cheated when I realized this was actually a book about one specific approach. That said, the authors do explain EIM well, and the techniques they describe would give a structured way to cut down on the problems of poor data quality. My recommendation would be to read the book, but be aware that it majors on is one technique and that others exist.
|Last Updated ( Monday, 05 January 2015 )|