Risk management relates to procedures for assessing and managing risk that are established by the enterprise, with accompanying directives by management to comply with the procedures. For example, a given manager of a department may be required to establish the level of risk associated with the operation of a particular computer system (e.g., the risk of losing use of such a computer system for some period of time). This manager may formulate a system for evaluating and reporting the risk that can be used by lower-level and project managers. For example, on a periodic basis such as quarterly, the managers for a given department might be required to communicate to upper management the various risk factors and risk evaluations that are related to its computer information systems operations. The risk-factor-related information can be documented through various forms or questionnaires for evaluating risk and risk factors associated with the projects for which they are responsible. These forms and questionnaires can be compiled into reports and other summary data to provide a department manager with a fairly good idea of the level of compliance with various enterprise procedures.
Typically, if a group within the department is not in compliance with the established procedures for the enterprise, this information can be noted in the summary or compiled data presented to the department manager. In such a case, the department manager can establish plans to bring the group into compliance, and can monitor the group's progress against the plan.
The outcome of evaluating the risk for a given enterprise can have serious consequences with regard to the success or profitability of the enterprise. If the enterprise has established procedures that are designed to protect the enterprise from liability, or otherwise assure that levels of risk within the enterprise are minimized, the enterprise can be exposed to liability if the procedures are not properly followed. For example, in the area of data privacy, most responsible enterprises have policies and procedures for protecting the personal information of their employees and customers. Furthermore, each state and the Federal government have laws regulating the privacy of personal information. Failure to follow these policies, procedures and laws can expose the enterprise to significant liability.
In typical enterprises, the analysis, status tracking and reporting to upper management of compliance with the procedures with respect to data privacy are often haphazard and inconsistent. For example, some managers may find the requirement of filling out forms and answering questionnaires to be an inefficient use of time, and fail to effectively complete risk assessments. Other managers may have an attitude that protecting data privacy is not an important priority. Furthermore, most departments fail to evaluate the external dependencies that they have, and the impact on their ability to perform their functions should those external entities fail to protect the employees' and customers' data.
Where tools for risk assessment with respect to data privacy do exist, they tend to be form-intensive and inconsistent between various enterprise locations. It is difficult to track and maintain the data that can be obtained from forms related to the assessment of data privacy risk, and even more difficult to take an enterprise-wide view of such risk, which is absolutely required for effectively managing the liability of the enterprise. Some computer-based systems have been developed to overcome the difficulties with traditional paper-based risk assessment systems. It does not appear that any such systems have been developed with respect to assessing and containing the risk associated with data privacy.