Managing Risk with Knowledge Management

Originally published August 15, 2006

The Department of Veterans Affairs (VA) has recently learned some hard lessons on the need for enterprise risk management. The theft of a laptop with personal data from 26 million veterans put that agency’s policies under a microscope and led to Congressional hearings and the departure of a number of senior executives from the VA. Bad things happen, and it is important that we plan ahead to prevent them from happening and to mitigate the consequences if and when they do. This is the essence of risk management.

Risk is broadly defined as the possibility of loss or injury. Peter Kloman, one of the pioneers of risk management, defines it as “a discipline for living with the possibility that future events may cause adverse effects.” Specifically, we can say that risk management is the process of measuring, or assessing, risk and then developing strategies to manage that risk.

The term was not born with, nor is it the preserve of IT. Rather, it has been around for centuries and used in many disciplines and industries. Economists, statisticians, bankers, psychologists, engineers and biologists, among others, have long been working with risk management. And it means different things to different people. To many activists, politicians and academics, it is the management of environmental and nuclear risks; to bankers and financial officers, it is the practice of techniques such as currency hedging and interest rate swaps. The insurance industry sees it as the “coordination of insurable risks and the reduction of insurance costs.” In the safety field, it is the reduction of accidents and injuries.

Insurance, to a large degree, emerged as one of the principal approaches to handle risk as traditional societies evolved and developed modern trade and industry. Insurance reduces risk by distributing it over a larger base, hence making an activity with a real possibility of loss or injury more feasible and affordable. Much of what we have learned from this process has now entered into the broader discipline called risk management, which has arisen as a way of more rigorously measuring and assessing risk in order to develop approaches to manage it. In addition, the key metric that allows us to prioritize our efforts based on assessment is generally accepted to be severity of the threat times the probability of occurrence.

But let’s return to IT. In the context of information technology, it is generally accepted that risk relates to the probability of loss to be incurred by an enterprise as a result of a number of possible events occurring in the life cycle of one or more of its information systems. Hence, we must focus our efforts on three principal areas:

  1. Managing IT security and vulnerabilities
  2. Managing compliance
  3. Managing emergency situations and ensuring continuity of operations

This doesn’t mean that risks not specifically in these buckets should be ignored (e.g., losing a key member of the staff, having a system supplier go out of business or getting an unexpected slicing of our budget in half); but for purposes of prioritizing our efforts, the three areas listed constitute the core of what enterprises are currently focusing on within IT risk management.
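The prioritization metric introduced above (severity of the threat times the probability of occurrence) and the three focus areas just listed are easy to put to work in a small risk register. The following Python is an added example, not code from the article or from Barquin International; the 1–5 severity scale, the 0.0–1.0 probability scale, the area names and every entry in the register are constructed for illustration.

```python
from dataclasses import dataclass

# The three focus areas named in the article; the short labels are an assumption.
AREAS = ("security", "compliance", "continuity")


@dataclass(frozen=True)
class Risk:
    name: str
    area: str          # one of AREAS
    severity: int      # 1 (negligible) .. 5 (catastrophic); scale is an assumption
    probability: float # estimated likelihood over the planning horizon, 0.0 .. 1.0


def exposure(risk: Risk) -> float:
    """Severity of the threat times probability of occurrence.

    Inputs are validated so an out-of-range estimate cannot quietly
    dominate (or vanish from) the ranking.
    """
    if risk.area not in AREAS:
        raise ValueError(f"unknown area: {risk.area!r}")
    if not 1 <= risk.severity <= 5:
        raise ValueError(f"severity out of range for {risk.name!r}")
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"probability out of range for {risk.name!r}")
    return risk.severity * risk.probability


def prioritize(risks):
    """Rank risks by exposure, highest first; ties broken by name for stable output."""
    return sorted(risks, key=lambda r: (-exposure(r), r.name))


def exposure_by_area(risks):
    """Total exposure per focus area, so effort can be weighed across the three buckets."""
    totals = {area: 0.0 for area in AREAS}
    for r in risks:
        totals[r.area] += exposure(r)
    return totals


def needing_mitigation(risks, threshold):
    """Names of risks whose exposure meets the threshold and so need a managed strategy."""
    return [r.name for r in prioritize(risks) if exposure(r) >= threshold]


# Constructed sample register; values are illustrative, not from the article.
REGISTER = [
    Risk("Unencrypted laptop with personal data leaves the building", "security", 5, 0.30),
    Risk("Unpatched internet-facing web server", "security", 4, 0.50),
    Risk("Missed annual compliance audit deadline", "compliance", 3, 0.20),
    Risk("Primary data center power failure", "continuity", 4, 0.10),
    Risk("Key analyst retires without documenting emergency procedures", "continuity", 2, 0.60),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{exposure(r):4.2f}  {r.area:<11} {r.name}")
    print(exposure_by_area(REGISTER))
    print(needing_mitigation(REGISTER, threshold=1.0))
```

Note that the lowest-severity entry (the retiring analyst) outranks two higher-severity ones because of its probability, which is exactly the point of using the product rather than severity alone; it is also the kind of tacit-knowledge loss the KM framework below is meant to address.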

As we start to analyze what has to be done in each of these areas, we realize that we are in dire need of business intelligence tools and applications specifically to address risk management. For starters, risk management must be considered as part of a knowledge management (KM) environment. If you look at “risk” as a knowledge domain, then many of the KM practices are clearly applicable.

We can use any KM framework to illustrate the process, and for purposes of this exercise I will use (what else) the Barquin framework that I developed years ago.

  1. Capture tacit knowledge and make it explicit. For example, do not let the institutional knowledge associated with certain security risks stay exclusively in the heads of individuals who may be getting ready to retire. Only if it is captured explicitly will the enterprise be able to leverage it.

  2. Identify and nurture communities of practice. Whether it’s Web masters, security analysts or compliance officers, make sure that these groups of individuals are able to share information about what they do and how they do it.

  3. Find and disseminate best practices. Learn what other organizations are doing, vet practices that seem applicable and take advantage of them. Whether it’s using Center for Internet Security templates, or the adoption of CobiT, ISO 17799 or other standards, enterprises need to do outreach and decide what makes sense in their own environment.

  4. Develop locators of both experts and expertise. People most often want to talk to other people when needing to learn or consult. Publish locators of experts and expertise for the different aspects of risk management you are concerned with.

  5. Feature collaboration tools and resources. Assist the process of information sharing around risk management by empowering your team with collaboration tools.

  6. Implement enterprise portals as gateways to corporate knowledge. Rather than having your people spend most of their time searching for documents and gathering data, make it easy for them to reach into relevant knowledge about compliance, security or emergency response through prominently featured links in your enterprise portals.

  7. Have clear taxonomies for major knowledge domains. If we have paid enough attention to taxonomies and naming conventions, finding relevant documents and other content will be easy when we truly need them. The alternative is to invite further risk into our projects and processes.

  8. Have a solid enterprise IT architecture. This may be a part of compliance, but as we gear up to manage risk, our systems and processes must be able to fit smoothly on the enterprise IT architecture, preferably as services to be invoked through a service-oriented architecture.

  9. Build robust data warehousing and business intelligence architectures. Data warehouses are platforms for analysis and serve as reporting frameworks. This can be extremely powerful as you gear up to implement and utilize risk management systems that must operate on alerts, be able to analyze trends and report unusual patterns of behavior from usage and access data (and increasingly from content).

  10. Focus on knowledge about the customer. One dictionary definition of a customer is “anyone you have to deal with.” In risk management, we have many customers. Users of your systems are customers, but so are potential hackers, suppliers, experts, employees, etc. Knowing who they are is essential for authentication and verification, but so is knowing their preferences and other attributes in serving the legitimate ones better and preempting the bad guys from doing harm.

  11. Use storytelling as a springboard to action. Nothing captures attention better than a story. Witness the attention to risk management that the VA incident has generated. We should harness the power of the narrative to move our enterprises to action when and where it is needed in the context of managing risk.

  12. Assure that corporate culture rewards knowledge sharing. If we want good security practices to be disseminated and shared, if we want retiring employees to pass on what they know about emergency response or compliance, we must have a corporate culture that actively rewards such open behavior. The counter side of this is the continuation of “knowledge hoarding” as a common practice for job protection.

  13. Focus the enterprise on learning. Learning is the acquisition of knowledge. Unless we focus on learning, our enterprise may get better at sharing old knowledge and yet be suboptimal at bringing in new knowledge. This is essential in risk management since new threats, as well as new tools to address them, are constantly emerging.

  14. Provide the leadership to make KM a priority. If it makes sense to use knowledge management techniques for assessing and mitigating risk, it is essential that the enterprise’s leadership buy into it and make it a priority. That means that initiatives are launched and programs are funded with support from the top.

Henry Kissinger once said that “an issue ignored is a crisis invited.” Risk management solutions are crucial to avert these potential crises, and putting them in the context of a knowledge management framework will give the agency a robust programmatic base with which to manage them successfully.

  • Dr. Ramon Barquin

    Dr. Barquin has been the President of Barquin International, a consulting firm, since 1994. He specializes in developing information systems strategies, particularly data warehousing, customer relationship management, business intelligence and knowledge management, for public and private sector enterprises. He has consulted for the U.S. Military, many government agencies and international governments and corporations.

    He had a long career in IBM with over 20 years covering both technical assignments and corporate management, including overseas postings and responsibilities. Afterwards he served as president of the Washington Consulting Group, where he had direct oversight for major U.S. Federal Government contracts.

    Dr. Barquin was elected a National Academy of Public Administration (NAPA) Fellow in 2012. He serves on the Cybersecurity Subcommittee of the Department of Homeland Security’s Data Privacy and Integrity Advisory Committee; is a Board Member of the Center for Internet Security and a member of the Steering Committee for the American Council for Technology-Industry Advisory Council’s (ACT-IAC) Quadrennial Government Technology Review Committee. He was also the co-founder and first president of The Data Warehousing Institute, and president of the Computer Ethics Institute. His PhD is from MIT.

    Dr. Barquin can be reached at rbarquin@barquin.com.

    Editor's note: More articles from Dr. Barquin are available in the BeyeNETWORK's Government Channel
