White Paper: Management Needs Central Role in Risk Assessment

January 4, 2006

Many organizations mistakenly leave the decisionmaking for computer system and edata security up to the IT staff instead of higher level management, warns a new white paper from NetIQ. Instead, company leaders should be actively involved in the process — especially when it comes to assessing risk.

Compliance programs should begin with the executive management and board of directors, NetIQ notes in its white paper, “The Fusion of Compliance and Risk Management.”

These groups should work with others in the company to set the organization’s “risk appetite,” the paper states. Roughly speaking, that appetite is defined by the Committee of Sponsoring Organization Enterprise Risk Management Integrated Framework as “the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style.”

Several factors influence a firm’s risk appetite, NetIQ says. These include the nature of the business, its industry and regulatory oversight. While FDA regulated entities face a myriad of risk requirements generally in direct correlation to the impact an erecord or edata has on patient safety and/or product efficacy, it is most important for a firm to have a clearly outlined risk management program that articulates its rationale for how it prioritizes and manages risk.

A well-crafted risk management program can help to address the inherent limits of any compliance approach. “Specifically, an organization should monitor the threat environment and identify, respond to and resolve threats and incidents quickly and efficiently,” the white paper says.

To download NetIQ’s white paper, access www.netiq.com.