Nov 13, 2020

A three-step plan to IT Risk Management

Risk Management
Daniel Sultana, Asia Pacific D...
4 min
Risk Management
Benjamin Franklin once said: “If you fail to plan, you are planning to fail...

While many smaller companies are guilty of not planning at all, it is equally important for larger businesses to avoid over-planning. For most organisations, IT risk management planning can be a fairly informal, spreadsheet-type exercise but most enterprises should have a risk manager that is assessing the technology risks as this helps them to make better-informed decisions.

Technological advances naturally come with a few risks and it goes without saying that any technology that is incorporated into an operational setup can disrupt any organisation. Both small and large organisations face numerous technology risks, including password theft, information security incidents and service outages. Regardless of the scale of operations, it’s best to have a risk management strategy that not only anticipates but also mitigates potential problems that could cause disruption.

Before risk managers decide on ways of mitigating the technology risks that their organisations face, they often identify the root cause of the identified risks. This entails evaluating how individual technology risks will affect the organisation. Once this is complete, they can devise possible solutions for managing or preventing technology risks.

Step 1: List and rank risks according to business cost

The first step is to identify the main risks. Standard risk lists are available and one of the most complete is part of the IT governance framework CobiT. Whilst this could be overwhelming, it covers a wide range of topics beyond those that an IT department might want to include. Every project involves a range of risks including the possibility that the job is never completed, that it is completed poorly, or runs over-budget and over-schedule. 

While developing a comprehensive list of risks can be fairly easy, rating them according to potential business cost and importance is much more difficult. While lists of risks are universal, business costs can vary widely between organisations. For instance, financial traders cannot tolerate even small delays in the transmission of transactions, but a manufacturer might be tolerant of order processing delays.

This means estimating the total business cost of each risk can be difficult. Planners will want to consult business executives to discover what guidance could be offered from any associations in their industry and from other organisations in the same vertical market. While the estimate does not have to be precise, having one is important. It will be the basis for determining how much should be invested in mitigation. 

Organisations need to determine what focus should be applied to protecting the organisation against basic threats such as viruses and worms. Decisions need to be made about how much should be spent on these basics compared with other risks. Event probability also needs to be factored in. Whilst viruses are a constant issue they only involve a small cost to fix them and don’t cause major disruption. A major disaster has a low probability but it can devastate an organisation.

Step 2: Pricing mitigation

This does not have to be exact and should not involve writing detailed proposals. Estimates based on internet research and past experience are good enough. Planners should keep in mind that costs will include staff availability and time as well as money spent. Some cases are straightforward where mitigation involves buying and installing a hardware or software solution. In others, and particularly in the case of disaster recovery (DR), a variety of strategies with widely varying costs and effectiveness are available. 

Determining which DR approach is best for any organisation depends on the tolerance for long periods of downtime, the availability of resources for problem-solving and the ability to survive a major disaster.

A small business unable to survive a disaster would be wasting money on remote-site data recovery solution. Alternatively, if all the company can afford is tape backup and storage in a vault, then that becomes the company’s DR solution.

More creative solutions such as using a SaaS provider or DR outsourcers are important options to consider. Planners might also find that the cost of mitigating some risks is actually higher than the estimated potential loss. In this case, mitigation might not be worth the investment. 

Step 3: Multi-year planning

Mitigation is an ongoing effort largely because available resources always fall short of needs, making multi-year planning a necessity. The risks change over time, so fresh approaches need to be considered constantly. 

The risk of viruses is constant, and they change often but while an organisation might be a veteran in dealing with virus risks, there is a need to be constantly vigilant. New risks, such as wireless networks and war walkers can appear at any stage and business activities such as expanding into new markets and industry segments or acquisitions will alter the basic risk posture.

Risk management for the entire IT infrastructure

The evolution of ubiquitous computing systems has encouraged many organisations to rely on their entire IT infrastructure for their business operations. Risk management planners need to consider how IT infrastructure functions when developing their mitigation strategies. Often decisions are made on the basis of relative cost, availability of specific skills or internal politics. However, careful IT risk management can be a highly effective way to change the overall risk posture of an organisation and should be carefully considered.

For more information on business topics in Asia Pacific, Australia and New Zealand, please take a look at the latest edition of Business Chief APAC.

Follow Business Chief on LinkedIn and Twitter. 

Share article

Jun 10, 2021

Why Alibaba Cloud is doubling down in Southeast Asia

Kate Birch
4 min
Amid fierce competition, Alibaba announces expansion of its cloud business in Southeast Asia, with plans to upskill developers and launch more datacenters

Alibaba has announced expansion of its cloud business within Southeast Asia, with the introduction of a digital upskilling programme for locals alongside acceleration of its data centre openings.

This doubling down of its cloud business in Southeast Asia comes as the company faces stiff competition at home in China from rivals including Pinduoduo Inc and Tencent and seeks to up its game in a region considered to be the fastest-growing in cloud adoption to compete with leading global cloud providers AWS, Google and Microsoft.

Alibaba Cloud, the cloud computing arm of Chinese e-commerce giant Alibaba and second biggest revenue driver after its core e-commerce business, finally turned profitable for the first time in the December 2020 following 11 years of operation, thanks largely to the pandemic which has spurred businesses and consumers to get online.

Southeast Asia growing demand for cloud

In 2020, there was a noticeable increase in interest towards cloud in SE Asia, with the population embracing digital transformation during the pandemic and SMEs across the region showing increased demand for cloud computing.

Such demand has led to the expectation that Southeast Asia is now the fastest-growing adopter of cloud computing with the cloud market expected to reach US$40.32bn in Southeast Asia by 2025 according to IDC.

And there are plenty of players vying for a slice of the cloud pie. While AWS, the cloud arm of Amazon, is the leading player in Southeast Asia (and across all of APAC apart from China), Microsoft and Google are the next two most dominant players in Southeast Asia with Alibaba coming in fourth.

“There is no doubt that during the past year we have seen the acceleration of digital transformation efforts across all industries,” explains Ahmed Mazhari, President, Microsoft Asia. “Asia now accounts for 60% of the world’s growth and is leading the global recovery with the digitalization of business models and economies. Cloud will continue to be a core foundation empowering the realization of Asia’s ambitions, enabling co-innovation across industries, government and community, to drive inclusive societal progress.”

Alibaba’s commitment to Southeast Asia

At its annual Alibaba Cloud Summit, the Chinese company announced Project AsiaForward, an initiative designed to upskill local developers, small-to-medium-sized companies and connect businesses with venture capital. Alibaba said it would set aside US$1bn over the next three years to develop digital skills in the region, with the aim of helping to develop 100,000 developers and to help grow 100,000 tech startups.

But that’s not all. The company, which recently opened its third data centre in Indonesia, serving customers with offerings across database, security, network, machine learning and data analytics services, also announced it would unveil its first data centre in the Philippines by the end of 2021.

Furthermore, that it would establish its first international innovation centre, located in Malaysia, offering a one-stop shop platform for Malaysian SMEs, startups and developers to innovate in emerging technologies.

“We are seeing a strong demand for cloud-native technologies in emerging verticals across the region, from e-commerce and logistics platforms to FinTech and online entertainment. As the leading cloud service provider and trusted partner in APAC, we are committed to bettering the region’s cloud ecosystem and enhancing its digital infrastructure,” says Jeff Zhang, President, Alibaba Cloud Intelligence.

What other cloud providers are pledging in the region

This pledge by Alibaba to upskill both individuals and businesses follows Microsoft’s announcement in April that it was planning to upskill Malaysia’s population and would invest US$1bn over the next five years to build a new data centre centre in Malaysia.

This is the latest in a long line of pledges to the region by the US tech giant, which is fast accelerating the growth of its cloud datacenter footprint in Asia, expanding form seven 11 markets, and recently adding three new markets across Asia – Malaysia, Indonesia and Taiwan. Back in February, it announced plans to establish its first datacenter region in Indonesia and to skill an additional 3 million Indonesians to achieve its goal of empowering over 24 million Indonesians by the end of 2021.

And recent research by IDC shows that Microsoft’s most recent datacenter expansions in Malaysia, Indonesia and Taiwan alone are set to generate more than US$21bn in new revenues and will create 100,000 new jobs in the next four years.

Also last month, Tencent announced it has launched internet data centres in Bangkok, Hong Kong, Tokyo to add to its second availability zone opened in Korea last year and plans to add an internet data center in Indonesia, and Google has also been pushing into the enterprise space in Southeast Asia for several years now.

Expanding data centers allows cloud providers to boost their capacity in certain countries or regions.



Share article