A business risk profile is a rating system that allows management to view -- at a non-technical level -- how the business is currently rated. The data used to develop the rating comes from any information available from the critical systems in the business ecosystem. All systems produce a wealth of raw data that is usually sent to a Security Information and Event Management (SIEM) system for collection and analysis by the operations team.
Traditionally, SIEM data is technical and has no direct value to the executives charged with keeping the business environment as stable and predictable as possible. An executive's visibility and interests differ from those of a single application owner, whose perspective in turn differs from that of the technical operations team responsible for the core infrastructure. A solid risk profile closes that gap and has specific relevance unique to each business. It should address the following:
- Key risk areas (e.g., strategic, operational, project)
- Strengths and weaknesses of department/agency
- Major opportunities and threats
- Risk tolerance levels
- Capacity to manage risks
- Learning needs and tools
- The organization's risk tolerance, priority setting and ability to mitigate risks
- Linkages between different levels of risks (e.g., operational and overall department priorities, business and program risks, sector specific and department-wide)
- Linkages with management processes of the department
The Bottom Line Impact
The risk profile is critical to differentiating between, for example, backup servers being down and client production data being inaccessible due to a failure. This gives an executive a holistic view of the business and of the financial impact that the availability of certain applications and data has on the business at certain points in time.
A specific application owner's perspective is one that's interested in the components critical to their environment -- but it may not always directly correlate to the entire business profile and how the stability of that environment weighs into the executive view.
Operational support teams are typically responsible for the components the data resides on, with little insight into the value of the data those components support or how it can impact the bottom line.
A holistic risk profile leverages the same data but associates actionable items appropriate for each consumer. A risk profile rating that correlates to regulatory or business compliance metrics therefore lets an executive see how the overall business fares -- with the ability to drill down to see which applications, or which components of an application, are the root cause of any issues.
From the same data, the application owner and/or operational team can isolate specific remediation steps. As items are remediated, the team can watch the risk profile change and see the impact of each remediation on it.
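The roll-up described above -- the same SIEM findings serving the operations team, the application owner and the executive, with drill-down back to the root cause -- as an added example in Python. This is not code from the original article or from CohnReznick; the findings, the component-to-application mapping, the business weights and the rating thresholds are all constructed for illustration.

```python
# Added example: roll SIEM findings up into a business risk rating with
# drill-down from executive view -> application -> component.
# All data below is constructed; the business weights and thresholds are
# assumptions a real profile would take from compliance or revenue context.
from collections import defaultdict

MAX_SEVERITY = 5

# Business context the SIEM itself lacks (constructed): which application
# each component belongs to, and how much each application matters to the
# bottom line on a 0-1 scale.
COMPONENT_TO_APP = {
    "db-prod-01": "client-portal",
    "web-prod-02": "client-portal",
    "backup-01": "nightly-backup",
    "backup-02": "nightly-backup",
}
APP_WEIGHT = {"client-portal": 1.0, "nightly-backup": 0.3}

# Two constructed scenarios of normalized SIEM findings (severity 1-5).
BACKUP_OUTAGE = [
    {"component": "backup-01", "severity": 5, "signature": "service unavailable"},
    {"component": "backup-02", "severity": 5, "signature": "service unavailable"},
    {"component": "web-prod-02", "severity": 1, "signature": "config change"},
]
PROD_OUTAGE = [
    {"component": "db-prod-01", "severity": 5, "signature": "service unavailable"},
    {"component": "backup-02", "severity": 2, "signature": "disk 85% full"},
]


def component_scores(findings):
    """Operations view: worst severity seen per component, normalized to 0-1."""
    worst = defaultdict(int)
    for f in findings:
        worst[f["component"]] = max(worst[f["component"]], f["severity"])
    return {c: s / MAX_SEVERITY for c, s in worst.items()}


def application_scores(findings, component_to_app=COMPONENT_TO_APP):
    """Application-owner view: the highest component score within each application."""
    apps = defaultdict(float)
    for component, score in component_scores(findings).items():
        app = component_to_app.get(component, "unmapped")
        apps[app] = max(apps[app], score)
    return dict(apps)


def business_rating(findings, app_weight=APP_WEIGHT):
    """Executive view: a weighted 0-100 score and a traffic-light rating.

    Applications with no findings contribute zero; the result is normalized by
    the total weight so the score is comparable over time.
    """
    apps = application_scores(findings)
    total_weight = sum(app_weight.values())
    risk = sum(app_weight.get(app, 0.0) * s for app, s in apps.items()) / total_weight
    score = round(risk * 100)
    if score >= 60:
        rating = "RED"
    elif score >= 30:
        rating = "AMBER"
    else:
        rating = "GREEN"
    return {"score": score, "rating": rating}


def drill_down(findings, app, component_to_app=COMPONENT_TO_APP):
    """From an application's score down to the raw findings that caused it."""
    return [f for f in findings if component_to_app.get(f["component"]) == app]


def remediate(findings, component):
    """Simulate closing every finding on a component so the profile can be recomputed."""
    return [f for f in findings if f["component"] != component]


if __name__ == "__main__":
    for name, scenario in (("backup outage", BACKUP_OUTAGE), ("prod outage", PROD_OUTAGE)):
        print(name, business_rating(scenario), application_scores(scenario))
    print("after fixing db-prod-01:", business_rating(remediate(PROD_OUTAGE, "db-prod-01")))
```

The two scenarios carry findings of the same raw severity, yet the business rating separates them because the weights encode which application the business actually depends on; the drill-down returns the exact findings an application owner or operations team would act on, and recomputing after remediate shows the rating moving as items are closed.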
Profitability is directly correlated to system and resource efficiency. Focusing time and effort on the systems and components that drive profitability, to ensure they operate at maximum efficiency, reinforces the value of the investment in those systems.
Patrick Duroseau is the Director of Systems and Infrastructure for CohnReznick, LLP, and has over 20 years of technical and managerial experience as both an entrepreneur and consultant. Download his whitepaper on optimizing application infrastructure delivery at PatrickDuroseau.com.