Risk management in the public sector

Risk management in the public sector has changed considerably, and private businesses can learn a great deal from the clearer-thinking approach adopted by government. Pete Shillito reports.

Until fairly recently the public sector was perhaps best characterized as avoiding risk, adopting a bastion mentality that delayed adoption of new process and technology and ultimately strangled performance.

This mentality affected departmental IT organizations too, resulting in the rigid adoption of security rules imposed by central government without proper focus on 'business drivers'.

Fortunately, evidence is clearly appearing that the public sector approach to managing risk is maturing, and probably just in time to meet the challenges of shared services with their promises of significant efficiency and cost benefits.

With the increasing drive for efficiencies across the public sector, and the aspiration to deliver shared business services across government, a new strategy for managing information risk was essential. 

Just as in commercial companies, the clear need was to lift the responsibility for managing risk from the security department to the boardroom. HMG InfoSec Standard No. 2 (IS2) v2.0 has done just that, by aligning information risk more closely to business requirements and creating the role of the senior information risk owner (SIRO) in government departments. 

The SIRO is now key to setting the basic policy for accepting information risk in a department, resulting in the potential for the reshaping of the role of the departmental IT security officer (DITSO), enabling them to operate within the SIRO's rules, expressed in the combination of a corporate information assurance (IA) policy and a risk management and accreditation document set (RMADS). 

Only time will tell if the individual departmental SIROs are able to use the specialist staff available to them to create complementary IA policies, the foundation for building sufficient trust between departments, allowing them to share processes and IT services successfully.

Although technology still plays a key part, SIROs need to embed information risk management into the heart of everyone's job.

Changing the mindset in government that information risk is no longer solely the responsibility of the DITSO will not be easy, but the benefits of building information risk management into the routine operating processes of each department will pay real dividends by ensuring that the control frameworks will act as an enabler, rather than an obstacle.

The nature of the new public sector information assurance task will place large demands on managed service partners.

Key to a successful working relationship will be the selection of a partner that understands the culture of the department, or departments, and can work with you to create policies and practices that engender trust between and within organizations. 

With the focus on embedding risk management into routine processes at all levels it is crucial that any managed service partner has solid operational information assurance experience, with a track record of working with public sector bodies throughout the whole lifecycle of engagement. 

Ultimately, the last hurdle must be how to encourage departments to work together in a shared approach to managing information risk.

Few managed service organizations operate shared forums for their customers to meet and exchange best practice on information risk. Could it be that this is the differentiator for partnerships of the future?

Pete Shillito from Fujitsu Services will be one of the invited speakers at the upcoming Information Security in the Public Sector conference. BCS are a contributing partner to this event, and Professor Collins (BCS vice president) will be chairing day one's proceedings.

May 2006