Information Risk Management: Valuing, Protecting and Leveraging Business Information

Records Management Journal

ISSN: 0956-5698

Article publication date: 2 November 2010



Citation

Hay-Gibson, N. (2010), "Information Risk Management: Valuing, Protecting and Leveraging Business Information", Records Management Journal, Vol. 20 No. 3. https://doi.org/10.1108/rmj.2010.28120cae.004

Publisher: Emerald Group Publishing Limited

Copyright © 2010, Emerald Group Publishing Limited



Article Type: Professional resources From: Records Management Journal, Volume 20, Issue 3

Robin Smith, Ark Group/Inside Knowledge, London, 2010, ISBN-13: 978-1-906355-85-2, £245.00

Keywords: Risk analysis, Information management, Information profession, Records management

Information risk is undoubtedly a phenomenon with potentially tremendous repercussions for the business world, and it is towards this end that Smith’s work seeks to clarify what information risk is, and more significantly, how it can be practically managed within business. The author is currently head of information governance for Northampton General Hospital.

Smith classifies the different types of information risk into a high-level taxonomy – strategic, operational and financial information risks – developed specifically for the identification and assessment of information risks. Risk can be a dualistic force, and the emphasis is to “balance the possible negative consequences against the potential benefits of its associated opportunity” (p. 3).

The content of the book comprises: “Information risk management”, an introduction to the subject where the importance of understanding and identifying corporate information risk is prioritised. “An introduction to the IRM improvement techniques” relates risk strategy discussion in terms of elements, management and an overview of specific techniques for risk management. The remainder is divided between techniques and case studies, which in itself reflects the desire to have concrete practical techniques developed especially for information risk management. Five techniques are detailed: Information Risk Scanning, Information Risk Management Assessment, Information and Intelligence Development, Defining the Value of Information and Improving Information Risk Governance and Assurance. These techniques, drawn from multiple disciplines such as banking and healthcare, are used to provide the professional with tools to assess and bring together practices and information regarding their management of information risks. Their relevance to workplace practices is explored, often with sample checklists and illustrated overviews of criteria of “Information risk valuation”, and structures such as “Information risk governance”.

“Information risk management – the integrated framework” looks at the management of information risk, discussing the role of analysis and the value of risk taking. The “Case studies” are an excellent inclusion. They are comprehensive overviews, rather than the minutiae of risk management, providing sets of work-based examples. Helpfully, they explore the results of each case, where “impact and results” and “lessons learnt” are key areas, giving an important view of the resolution for those who wish to explore examples of beneficial practices.

The appendices are also useful, providing a sample information risk management policy and other relevant tools with which to aid the information professional. References are provided at the end of each chapter, and whilst the index is very helpful, the volume would benefit overall from the inclusion of a bibliography.

The audience for this text is managers with project experience, but it is accessible to others including records management professionals and graduate and postgraduate students exploring the information risk management needs of the business community.

The exploration of risk within corporate information management is a field that has attracted significant interest of late in the light of recent high-profile risk incidents in the UK and elsewhere. The use of techniques that assist in the perception, recognition and management of risk is positive for the corporate sector. As well as pointing towards references, the resources in the appendices describe model forms and policies that businesses could use to form their own documentation. Smith’s work concentrates on a company-wide overview that takes an academic, yet not overly technical, angle. The chapters are succinct and direct: a benefit for those who wish to look directly at diagrams and explanations of risk assessment breakdowns. The end-of-chapter references are brief but cover key documents, with a range of authoritative sources. However, the inclusion of web-based resources will, inevitably, necessitate some eventual revision in terms of their availability.

The core value of this volume lies within its exploratory view of management techniques for company-wide information risk. The cost, however, may be prohibitive for students at £245.00, but less so as an investment for an organisation.

Naomi Hay-Gibson, Northumbria University, Newcastle-upon-Tyne, UK
