Asian companies more confident over IT risk assessment

New study finds fewer businesses in Asia believe they will fail in regulatory compliance, compared to those in North America, Europe, the Middle East and Africa.

SINGAPORE--More companies in Asia than in North America and EMEA (Europe, Middle East and Africa) believe they will not have any issues with regulatory non-compliance, according to a new report from Symantec.

Findings from Symantec's IT Risk Management Report Vol. 2 indicate 44 percent of respondents from Asia expect never to fail in regulatory compliance, compared to 29 percent in North America and 35 percent in EMEA.

The survey of 405 professionals from a variety of job functions was carried out by Symantec between February and October 2007. About 28 percent of the respondents were based in Asia, of which the majority came from China and Japan. The first volume of the report, published in February 2007, surveyed over 500 professionals.

Darren Thomson, senior technical director for Symantec Global Services, said the difference in perceptions between Asia and the other regions was surprising. "[Asian businesses] are either deluding themselves or there's been a lack of high-profile cases of non-compliance," he noted during a media briefing here Tuesday.

In addition, the study found that fewer Asian companies expect to experience IT incidents. Only 58 percent of Asian respondents expected at least 10 minor IT incidents a year, compared to 76 percent in EMEA and 74 percent in North America.

Best practices in IT risk management
1. Assess risk and scope--Assess probability and impact of each risk specific to your organization. Not all risks need to be eliminated; sometimes cheap corrections are enough to bring a risk to acceptable levels.
2. Build a risk-aware culture--Create a culture that understands organizational objectives, IT risks, mitigation costs and their inter-relationships.
3. Develop people--Research has shown that IT incidents occur due to a lack of proper processes or the failure of people to follow policies.
4. Give it time--IT risk management is a continuous improvement process, and it could take three to five years for IT risk management controls to become completely effective.

Source: Symantec IT Risk Management Report 2

Respondents from Asia also rated their performance in deployment of IT risk management controls higher than their Western counterparts. Symantec categorizes IT risks into the following--availability, security, compliance and performance.

U.K.-based Thomson noted that compared to the last study, where security dominated the IT risk landscape, businesses are beginning to take a broader view. "Organizations are definitely taking a more comprehensive view and therefore a more comprehensive approach to IT risk management," he said.

In the recent survey, explained Thomson, companies in the United States and EMEA rated the areas of availability and compliance as "critical" or "serious", as they recognize that those risks, when not managed properly, can potentially shut down the business. He told ZDNet Asia that while Asian respondents were not asked that question for the study, his observation was that their attitudes were "about the same".

Symantec launches risk management consulting in Singapore
Symantec also launched Tuesday a consulting service to help companies assess their IT risk exposure and take steps to improve their IT risk profile.

The Foundation IT Risk Assessment (FIRA) is a package that helps businesses, particularly small and midsize ones, to first systematically assess their risk profile and comfort level for various risks, and then follow a customized action plan--usually for six months--to tackle problem areas.

FIRA was launched in North America and EMEA last year, and in Australia, India, Japan, Korea and Thailand this year.

According to Thomson, there are companies offering consulting in various areas such as business continuity but not one that looks at a "holistic approach" to managing IT risks.

Globally, Symantec expects to have about 30 to 40 FIRA customers a year, said Thomson.