Many risk management consultants tell organizations that they must perform a detailed business process mapping and build data flow diagrams of data and users who process data in order to achieve compliance and reduce the operational risk of information security.
This is a very bad idea.
Business process mapping is an expensive task to execute and extremely difficult to maintain, and it can consume a large quantity of billable hours. That’s why companies like PwC, IBM, EY and KPMG love business process modeling. The added value of modeling data flows between people doing their jobs inside your organization is arguable. There are much better ways to make your organization robust to a major data loss event without writing a 7-digit check for professional services and a BPM system from Business Objects, Cognos, Kalido, Oracle, Hyperion, Applix, Pilot, SAS or SAP.
There is a simple and effective way of figuring out data value at risk and mitigating data security threats:
- Select the 5 most valuable data assets that your company owns. For example – proprietary designs of products, due diligence reports of a public company being acquired, and details of competitive contracts with large accounts.
- Ask 5 finance, operations, IT, sales and engineering staffers what the biggest threat to their most important asset is and how badly that threat can damage the asset, on a scale of 1 to 5. Call that “Damage”.
- Ask them how often the threat materializes – once a month, once a year or once a decade. Call that “Probability of occurrence”.
- Quantify the asset value. Schedule 1 hour with your CFO and ask her how much each asset is worth in dollars. The dollar value of a digital, reputational, physical or operational asset to a business can be established fairly quickly by the CFO – in terms of replacement cost, or impact on sales and operations. Call that “Asset value”.
- Calculate your value at risk = Sum (Asset value * Damage * Probability of occurrence).
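A worked version of the five steps above, added here as an example and not part of the original post. The asset values and survey answers are constructed, and two conversions are assumptions: a Damage score of d on the 1-5 scale is read as d/5 of the asset value lost, and "once a month", "once a year" and "once a decade" are read as 12, 1 and 0.1 events per year, so the result is an expected annual loss per threat and in total.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample input: the CFO's dollar value for each chosen asset.
ASSETS = {
    "product designs": 4_000_000,
    "due diligence reports": 1_000_000,
    "key account contracts": 2_000_000,
}

# Assumption: the post's three frequency answers, expressed as events per year.
FREQUENCY_PER_YEAR = {"once a month": 12.0, "once a year": 1.0, "once a decade": 0.1}

# Constructed survey answers: (asset, biggest threat, Damage 1-5, how often it happens).
SURVEY = [
    ("product designs", "design files leaked to a competitor", 5, "once a decade"),
    ("product designs", "design files leaked to a competitor", 4, "once a decade"),
    ("due diligence reports", "deal documents sent to the wrong party", 3, "once a year"),
    ("key account contracts", "contract terms on a lost laptop", 2, "once a year"),
    ("key account contracts", "contract terms on a lost laptop", 2, "once a year"),
]


def value_at_risk(assets, survey, frequency=FREQUENCY_PER_YEAR):
    """Return (rows sorted by expected annual loss, total value at risk).

    Rows are (asset, threat, expected annual loss). Several staffers may name the
    same threat, so their Damage and frequency answers are averaged per threat."""
    damage = defaultdict(list)
    rate = defaultdict(list)
    for asset, threat, dmg, how_often in survey:
        if not 1 <= dmg <= 5:
            raise ValueError(f"Damage must be on the 1-5 scale, got {dmg}")
        damage[(asset, threat)].append(dmg)
        rate[(asset, threat)].append(frequency[how_often])

    rows = []
    for (asset, threat), scores in damage.items():
        loss_fraction = mean(scores) / 5.0  # assumption: Damage d means d/5 of the value lost
        events_per_year = mean(rate[(asset, threat)])
        rows.append((asset, threat, assets[asset] * loss_fraction * events_per_year))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows, sum(row[2] for row in rows)


if __name__ == "__main__":
    ranked, total = value_at_risk(ASSETS, SURVEY)
    for asset, threat, loss in ranked:
        print(f"{asset:24} {threat:40} ${loss:>12,.0f}/year")
    print(f"total value at risk: ${total:,.0f}/year")
```

The ranked rows tell you which asset/threat pair to mitigate first; the total is the number to put in front of the CFO.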
More about bad ideas in 10 steps for protecting customer data