The 2010 World Cup in South Africa promises worldwide coverage like never before, with the BBC Sport website offering live video streaming of all matches. Though a small number of matches were shown online in 2006, next year the number of matches available across the web includes all matches that the BBC has the rights to. Probably more importantly, the success of the iPlayer and YouTube has led to an assumption on the part of users that the quality will be as good as TV.

At the risk of sounding like a World Cup party pooper, we need to consider the impact on the organisation and the network from the amount of bandwidth that will be eaten up by employees watching live 90-minute matches on their desktop PCs next summer. With no major time zone difference between the UK and South Africa, employees are also likely to be watching in prime office working hours (24 matches scheduled between Monday and Friday afternoons).

As workers turn to the Web for live match coverage during work hours, organisations should certainly be wary about a potential drain on employee performance and productivity, but press forward to protect against a greater threat – the impact on branch offices and applications. Usually individuals are blissfully unaware of the performance implications that continuous live streaming has on the company’s Internet gateway or WAN link that connects their branch office location to a corporate data centre or centralised Internet access point. The IT manager’s Internet gateway—their lifeline to the Internet— can quickly be fouled up by staff accessing live video streaming. In addition, slender WAN links to branch offices can be invaded by football fever so that internal business critical traffic is impaired.

Many organisations’ internet access is centralised and ‘backhauled’ inbound Internet traffic is delivered to branch offices over the WAN that links them to the data centre or headquarters. Therefore, the added load of multiple instances of a live match stream could swamp the WAN links to branch offices, making business-critical applications and communication exceedingly slow or stop completely.

Already these WAN links are under considerable strain, due in part to centralisation of servers and applications away from the branch office. Performance of remotely hosted applications and files is sluggish at best, requiring WAN optimisation solutions to compensate for burgeoning network limitations. Continuous video streaming of live match access will exacerbate this situation.

There are a number of different approaches that IT managers can take in order to ensure that their Internet gateway is fully available for business use of the Internet, rather than overwhelmed by online World Cup fever.

The World Cup only comes around once every four years and should be cherished. However, while we all want to keep abreast of all the latest action, organisations may want to stop and consider the impact next summer could have on their network resources and look at sensible ways in which to manage this down to an acceptable amount. Above all, whether it’s England vs. Brazil on a Wednesday at midday or Denmark vs. Ivory Coast Monday at 3pm, organisations must ensure that non-essential application traffic does not interfere with crucial business operations.

The full story will appear in the January 2010 issue of VitAL Magazine.

Guillaume Lovet, international cybercrime expert, researcher and author has highlighted five fundamental pieces of advice on how to avoid the basic cybercrime tricks at Christmas and ensure you’re not the one facing identify theft and damaged bank balances in the New Year. ..

1) Do not follow links found in unsolicited emails you may receive. Even if some look like fantastic bargains, don’t get tempted. They’re not real shops, they’re scams. They’ll use your credentials to siphon your money, and you will never get the wrist-watch you ordered.

2) Do not either assume that an online shop is ‘real’ (as opposed to a scam) just because you reached it using your own initiative, with a search engine. Over the past two or three years cybercriminals have mastered the so-called ‘SEO attack’ techniques, which consist in fooling the search engines’ ranking algorithms, in order to push their malicious websites in the first results returned for searches such as ‘Xmas gifts’. Of course, search engines anti-fraud teams struggle against this phenomenon, but it’s a cat and mouse game, so it’ll happen during certain time windows.

3) Do not assume that shopping on a website with an established reputation (as opposed to looking for one from Google), is safe. It might be but it might not. Over the past two years, massive SQL injections have been rampant, and even reputed sites were not spared (Canadian Defense, Superbowl site, MTV, etc, for example). SQL injected websites won’t send users to rogue shops, that’s true. But they’ll attempt to silently install Trojan horses, bots, keyloggers and rootkits onto the visitors’ systems; which in turn, are designed to steal the banking or credit card credentials of victims. Have a solid and up-to-date AV solution running on your computer to prevent this in the first place. With thousands of compromised legitimate websites over the past year, you can’t solely rely on your own sagacity to avoid malicious sites anymore; it used to be true, it’s not anymore.

4) What to do if your PC is already loaded with Trojans? It doesn’t only happen to others. After all, over 3.5 million computers are part of the Zeus botnet, why not yours? Zeus is a trojan horse specialised in intercepting banking credentials as they are typed by the infected user. And no, it displays no (easily) visible symptoms.

The good news is, there is a way to shop or bank online from your computer, while being 100 percent sure that kind of critter won’t intercept your credentials: boot up a Live CD (ie an operating system on a CD, such as Ubuntu Linux), and bank from here. Of course you’ll find the OS inconvenient (because you’re not used to it), but it’s no big deal: you only need the browser to bank, right? And it’s probably the same as on your Windows computer, provided you’re a Firefox user.

5) Last but not least, advice very specific to this year, with regard to current trends in social networking: do not blindly trust your friends. I mean, your social network friends. The prevalence of Facebook worms such as Koobface is such that, if you have a (social networking-wise) regular amount of friends (300+), chances are high that at least some of those had their account compromised over the past year. Those compromised accounts are used by cybercriminals to distribute Spam 2.0 (ie spam in the form of user comments or messages on social networking sites) and to seed more malware. So, if you receive a message that says something along the lines of “check this website out, it’s GREAT for Xmas gifts”, you may want to double-check with the friend who sent it.

Happy online Christmas shopping!

VitAL Magazine looks further into the body of the Health Service to find what will make it tick in the future!

You hear it increasingly said these days that IT is no longer a function that works for the organisation but is more often a vital organ of the organisation. What organisation that didn’t have IT in the blood would attempt to make all of its information plus any information that is relevant to its work available to all of its own people and any other users who wish to know? You might as well burn a stick and write the information on a dry cave wall in the hope that passers by might see it.

But what then if that information happened to form one of the largest bodies of knowledge in the world; and was renewing at such a rate that there were 30,000 regular journals dedicated to the latest news plus countless academic papers and the notes of practitioners in the sector, all to be made available in real time? What, also, if your subject was one of the most popular topics ever and your core audience numbered 700,000 while your wider audience numbered nearly sixty million in your home country alone? What if people relied on the knowledge you provided for life and death decisions, not the kind of life and death decisions that fabricate ersatz pressure in a TV Reality show but the kinds of decision which, if wrong, could really end with somebody’s death?

Its easy for journalists, from the comfort of our chairs to create some good ‘shock horror’ copy about the National Health Service and its eye watering IT budget but when one starts to consider the scale of that undertaking and, therefore the scale of everything it does, you begin to realise the awesome challenges that poses for its own Service Managers and the potential value that everybody might gain if it can get it right.

In a previous issue of VitAL, we interviewed Ian McKinnell, Head of Development at the National Library for Health while this article focuses on Sir Muir Gray, Director of the NHS National Knowledge Service. The government is probably the single largest user if IT in the country and the NHS is probably the most extensive user of IT within the public sector; plus, with the much publicised cost of new systems, readers may well be interested to know what is being planned and achieved. We asked the VitAL questions.

VitAL:  What is the NHS National Knowledge Service?

Sir Muir Gray: Our purpose is to first discover what clinicians, patients and managers need then having established what that is, we set out to find it, procure it and deliver its at the point of need. The knowledge service is structured as a network of knowledge providers such as Nice [National Institute for Clinical Excellence] and the Department of Health. Once a piece of knowledge has been is procured, it is placed in the National Library for Health from where users can access it through either a search engine or by email notification [for those who have registered their interest in particular areas]. Essentially the National knowledge Service is a knowledge supply chain.

V: How does the Service fit in to the health service and what does it mean for the ordinary patient?

SMG: We supply our product to the health service wherever it is needed: it’s rather like being an electricity provider but we are delivering knowledge. [In the previous interview we learned the various ways in which clinicians and academics can access knowledge in the health sector] but will also serve patients; and patients can get their knowledge through NHS Choices. Picker Europe surveys of patient experience has shown that patients value knowledge and want more knowledge to help them make decisions related to their own health or procedures that they may be facing.

The fact is that the application of knowledge has a far bigger impact on the quality of health and combating disease than any new drugs or technology.

V: What are the ongoing issues and challenges that the Service faces?

SMG: Because of its considerable size and complexity, infrastructure is a major problem for the NHS and in particular for the distribution of knowledge within the service. There is a major issue in getting knowledge from the source to the point of use and that is being tackled by Connecting for Health, to be found at www.connectingforhealth.nhs.uk . People want more information and knowledge and it is our job to get it to them.

V: What issues, challenges and opportunities has the Service faced as part of the current change climate in the NHS and in particular what have been the IT issues etc?

SMG: The way the IT is going [within all of the other changes] is both a challenge and an opportunity. We are dependent on Web 2.0 and really, on that side of our operation, things can only get easier with the progress of time and change. The enormous opportunity for us is that people always want knowledge and especially in an area such as health which impinges so personally on them. IT makes it possible for us to deliver to our users what they want, when they want it and in a form that suits what they are doing.

V: Who are currently the largest users of the NHS National Knowledge Service and will that change as a result of the current development programme?

SMG: Currently our largest users are General Practitioners, Nurses and Doctors in training. They all use the service for checking clinical evidence and I think that that will remain the case for the foreseeable future.

V: What are the future plans for the Service?

SMG: We want to extend the service on two levels really. In the first case we want to extend the number of people who can access what we’re doing at the moment or whatever new services we are able to offer. Beyond that we want to extend the scope of the service, that is to say the type of services and the type of knowledge that we are able to offer.

V: Are there any other issues concerning this NHS National Knowledge Service and the IT developments that need to be recorded?

SMG: I think that most of those were covered during your interview last time with Ian McKinnell.

In this most recent interview as well as in our last meeting with Ian McKinnell, we have seen a very ambitious vision for what IT can do in terms of making more knowledge more widely available by more means.

Even the most cursory glance at the website NHS Connecting for Health will reveal a facility of considerable ambition. With no less than 27 first level facilities or capabilities, each one of which is simply a portal through which the user can drill further down into the service’s knowledge base, this website alone is already beginning to attain ‘BBC’ dimensions. Just going into the NHS Care Records Service reveals two further knowledge paths for Patients and NHS Staff. Beyond that, patients can access a further level in which more than a dozen alternative information routes become available.

And beyond this technical ambition of leading each user to the appropriate knowledge source for the task they wish to complete today, there lies the overarching ambition of connecting everybody who wants to use it to every piece of health related knowledge that they could conceivably want to use. In any sphere of human activity that would be a daunting undertaking: in the health sector where such massive amounts of knowledge published daily, where progress renders so much information out of date so quickly and where peoples thirst and knowledge is driven by the very human desire to maintain our physical condition at the best possible level, the undertaking is Herculean.

It is to be hoped that as the National Health Library and Knowledge Service both overcome the enormous challenges against which they have set themselves, they will also generate and publish the kind of useful information that every organisation out there will find valuable but which it might find prohibitively expensive to generate for itself.

In our two interviews with the service we have learned of its ambitions and of its current thinking as to how those ambitions might be achieved. Of course all of that will change and evolve as the programmes progress and so we hope that at some stage in the future we will be able to return to this subject and learn what further insights and methodologies have been developed to facilitate what must be one of the most ambitious programmes of its type ever.

Meanwhile our thanks to both Ian McKinnell for the previous interview and to Sir Muir Gray for this current interview and for revealing to us some of the work that is going on to put IT into our Health Service.

The Companies Act 2006 applies to all businesses in England, Wales and Northern Ireland. There will almost certainly be a separate piece of legislation enacted in Scotland which will largely mirror the principal reforms being introduced in the rest of the UK. The Act applies across the board to all companies (whether private or public and, if private, whether limited by share capital or guarantee or community interest companies) regardless of turnover. 

The Companies Act 2006 comprises of 1,300 sections, approximately one third of which are genuinely new, including the following areas:

 Company formation and constitution;

• Company members and directors’ duties and powers;
• Derivative actions and secretaries;
• Company meetings and political donations;
• Company accounts and auditors;
• Private and public companies, share capital and allotments;
• Company takeovers and investigations;
• Companies not formed under the Act and unregistered companies.

What should businesses have done already?

By now all companies should have made sure that order forms and other documents, whether hard copy or electronic, have been amended to include the company’s registered name (as opposed to just the trading name), number, place of registration and registered office. It is easy to overlook the updating of a company’s website in a similar way but such an oversight will make the company liable for a fine. Any officer of the company could also find themselves liable for a fine if they have authorised the issue (albeit innocently) of a non compliant document.

Parts of the legislation relating to public company takeovers and transparency provisions are already in effect and any companies involved in a takeover will need to be aware of and comply with these, particularly in relation to the disclosure of major shareholdings and periodic financial reporting. Again, a failure on the part of the officers of a company to comply with the new disclosure requirements will result in them (as well as the company) being liable for a fine. The officers of a company will undoubtedly be looking to its senior management team to build in appropriate levels of protection by way of checks and balances to ensure compliance.

What do businesses need to do?

Administration is being simplified, particularly with regard to establishing a new business, and the financing of succession or management buyouts will be made easier.  Electronic communication as a valid form is acknowledged with, for example, a company having the right to issue a notice in respect of a general meeting in electronic form or by notice posted on the company’s website.

Such a notice should also indicate the method of communication the company will accept in return and confirm the shareholder’s statutory right to a hard copy of the notice. More time and cost effective communication with shareholders reduces one of the perceived burdens of company legal procedures.

The Institute of Chartered Secretaries and Administrators has published a useful guidance note on electronic communications with shareholders under the Act, which includes recommendations in terms of the approach and best practice that companies may wish to adopt.

In the interests of greater efficiency, it is important for a company to review the communication provisions in its articles of association and consider any appropriate amendments to them to capitalise on the flexibility now offered under the Act.

The majority of the provisions of the Act have now come into force

The key areas covered are:

• The codification (at last) of directors’ duties;
• Improved rights for shareholders; and
• Deregulation for private companies.

With regard to directors’ duties, the Act introduces a new obligation to promote the company’s success. So, in future, when making any decision on behalf of the company, in addition to considering the likely long term consequences, the directors will also be expected to consider the interests of the employees, the need to foster business relationships, the impact on the community and the environment and the need to act fairly between shareholders.

What counts as ‘success’ for these purposes will be for the members to determine.  They will set the objectives of the company and it will be for the directors to promote the success of the company in accordance with those objectives. In many companies, the members will probably not articulate any precise objectives beyond commercial success and therefore value for the shareholders. For companies formed for specific purposes, for example, with charitable aims and objectives, success will be measured against those objectives. Either way, it will be important that a company disseminates information relating to the requirements for success to its directors and senior management team either through its website or via some other appropriate media.

One further contentious issue is whether or not directors and senior managers should keep documentary evidence of the factors which they have taken into account in case of any subsequent legal challenge. There is no statutory requirement for additional record keeping or the active provision of additional information regarding decision making.  However, the approach is likely to vary from company to company and from transaction to transaction depending on the circumstances.

Many decisions of an everyday nature will require no additional documentation. In a public company (especially one that is listed), however, directors may be concerned to ensure that their decisions are challenge proof which may lead to more detailed documentation of board decisions. On controversial matters, a board of directors may also want to bolster its decisions with reports and advice from consultants so as to show, not only that the board has had regard to the statutory factors, but it has also exercised appropriate care and skill in considering them.

These new statutory requirements placed upon directors are conceivably very onerous indeed. While there are no major changes to the existing implied duties that flow from being a company director, the codification will certainly define and reinforce those duties. Businesses should take the opportunity now that this part of the legislation has come into force to ensure that their own house is in order and that the directors are fully aware of their responsibilities.

Shareholders will benefit from improved rights, with indirect shareholders receiving more information and voting rights. Again perhaps the most important aspect of this part of the legislation for directors to be aware of is the right of the shareholders to sue directors individually for negligence or fraud. While any such action would require the permission of the court (which is only likely to be granted if the claim would promote the success of the company) it is imperative that a company’s directors fully understand the implications.

Deregulation for private companies will mean, among other things, that they will no longer be required to have a company secretary or to hold annual general meetings in order to conduct their business. In addition private companies will be able to give financial assistance for the acquisition of their own shares and to reduce their share capital without the need for court approval.

There will be various transitional provisions and guidance published over the next few months and every company should be giving serious consideration now to how it will comply with the new regime.

Tim Polding advises readers on the main considerations in the Companies Act 2006 which includes IT implications including communications and record keeping.

Ori Eisen suggests ten ways to enhance your anti Fraud tactics…

As fraudsters continually educate themselves to circumvent many traditional anti fraud systems there are still possible lines of action that companies can take to detect more fraudulent transactions. Using a combination of tactics is the most effective because it creates a complex net that fraudsters would have to negotiate. Here are ten key approaches to fighting fraud through your organisation:

1. Check for billing and shipping address

Check if the billing and shipping addresses are different. In many cases the crook will send the goods to another address than the billing address. Additionally, if a crook uses a ‘drop shipment’ address, you can spot that many orders are diverted to this address and place it on a negative list.

2. Increase device ID data

Instead of focusing on single data elements, such as the IP address, it is essential to construct a more comprehensive profile to establish the true identity of the device being used to complete a transaction. Visibility of the time that a transaction is made, compared to the time zone and the language settings of the device itself, can highlight inconsistencies. For example, if a device is supposed to be in France, but has Russian language settings and runs a transaction in the Pacific Time Zone, there is cause to investigate that case further.

3. Maintain standard checking systems

Address Verification Systems (AVS), Card Verification Values (CVV2) and Verify are all important security mechanisms. They cut out a lot of low level fraud, especially from one off or unprepared fraudsters. These systems put up an important barrier that legitimate consumers do not find difficult to overcome.

4. Know that IPs can be spoofed

Monitoring IP addresses is not an entirely fraud proof approach. More sophisticated fraudsters are able to appear from anywhere in the world by spoofing the IP address of another computer. Where the IP address of the genuine card holder is available, they are able to make a transaction appear entirely legitimate if the IP address is a key parameter of assessing cases.

5. Check for lazy keystrokes

Flags for suspicious activity should be raised if there are instances where names, email addresses, passwords etc. are entered using keys grouped together on the keyboard. For example, if someone uses combinations of the letters ‘asdf’, it may be because they are saving time to rush through vast amounts of data entry. These small give aways can be another tell tale sign of a suspicious customer profile.

6. Be wary of anonymous email addresses

While many legitimate customers will use popular email clients such as Hotmail, Yahoo and Gmail, these are also an easy way for fraudsters to set up many new addresses. As email platforms, they are open to anyone, which means that you cannot trust a transaction simply because it has an easily created email address that matches the card holder’s name.

7. Check for ‘email tumbling’

A quick and easy way to pick out organised fraud is to spot sequential email addresses – signs of ‘email tumbling’. If you have transactions from joebloggs001@, joebloggs002@, joebloggs003@ etc, then these are signs that a fraudster is automatically generating email addresses.

8. Continue to conduct manual investigations

While automatic analysis tools will pick out links between some transactions based on data that may not be obvious to a fraud investigator, there is an important place for human reviews. While it should not constitute more than around five per cent of all fraud analysis, it is important to establish themes that a computer would not be aware of. For example, would a computer pick out the names David Beckham, Wayne Rooney and Steven Gerrard as all being linked if they were disparate in almost every other way? This is where a human eye can pick out cases that require further investigation.

9. Capitalise on discovering bad transactions

If you uncover a fraudulent transaction, it can be the key to discovering a raft of similar cases. Use every parameter of information relating to the original case that you can find, and search for any others that share the same details – even if that is only in one parameter. The similarity may be small – it could be the email, postal address, phone number, or the time zone – but as these correlations build, you will be able to pinpoint more cases that could be bad.

10. Use free mapping tools

Free to use mapping services, such as Google Maps, can be used to add more weight to an investigation. If someone has given a ‘residential’ address, then you can check that it is residential and not commercial. If someone has different shipping and billing addresses, you can ascertain whether the addresses are close together. If they are miles apart, there is reason to be suspicious.

Many of these approaches will raise red flags on suspicious cases. However, focusing in on only one or two will mean that there are still many transactions that can slip through the net. The parameters that you choose to set as a business will depend on a wide range of factors – from the characteristics of your customer base to the capability of your fraud team – but within these ten steps are approaches that will cut some fraud from your business.

The study’s findings indicate a real risk of privileged user accounts being compromised, mirroring the ongoing case of Gary McKinnon, who gained access to the Pentagon’s IT systems. While many of the 270 medium and large European organisations surveyed claimed to take steps to protect confidential data including highly personal customer information, 41 percent of supposedly ISO27001 compliant organisations admitted non-compliant practices such as sharing privileged user accounts.

Across Europe, 24 percent of organisations rely on forms of manual control for overseeing and controlling the actions of privileged users. Manual control is time-consuming, excessively expensive, unreliable, prone to error and most importantly, un-auditable. In the UK this figure rises to 29 percent. Despite the availability of privileged user management (PUM) systems, only 26 percent of European organisations surveyed have actually deployed them in full.

The research reveals that controlling and monitoring the activities of privileged users is not sufficiently high on the agenda of IT managers, despite the huge amount of trust placed in them. Respondents rank PUM below seven other actual security threats to the organisation (scoring 2.54 out of five on an index of threat), below malware (2.9), the Internet (2.7), internal users (2.7), and Web 2.0 tools (2.6). Budget availability may be a reason for this prevarication (scoring 3.3 out of 5 on the scale of limiting factors), although 85 percent state that the budget spent on IT security is either stable or increasing as a proportion over overall IT spending. Ultimately, it is likely that another main reason for holding back is an under appreciation of the risks presented by privileged users.

Out of the 270 organisations questioned, 45 were based in the UK. While 47 percent of UK organisations have implemented ISO27001, the standard for IT management that explicitly states that “the allocation and use of privileges shall be restricted and controlled”, nearly 30 percent of respondents had not heard of it. Furthermore, only 44 percent of UK organisations could confirm administrator accounts were not shared between individual administrators.

Twenty three percent responded: “Yes our current tools will enable us to keep access available.” While a further 67 percent responded in the affirmative to the question: “We are investing in new tools to enable us to manage virtualised infrastructure.”

“These responses mean that 90 percent of organisations polled for the survey are using or planning to use some form of virtualisation technology with their IT systems,” says Natalie Booth, event director with Storage Expo, the organisation that commissioned the research. “Our research also found that, while security is holding back 30 percent of organisations polled, the majority (60 percent) plan to invest in new technology to tackle the security problems created by the migration to a virtual environment.”

Tony Lock, programme director with Freeform Dynamics, said that virtualisation is adding new challenges all around but the biggest security challenges are matters of process rather than technology fixes. “This, of course, also makes them more difficult to address as one cannot rush out and buy a process fix in the same way one can acquire a new firewall or virus scanner,” he explained.

According to Lock, several issues must be carefully considered in any virtualisation project. In most organisations that have undertaken such projects, he says, the primary approach has centred upon consolidation, which has caused multiple virtual machines – or instances to be run on single server platforms or to create virtualised pools of storage.

“By placing multiple applications on a single server or accessing a single resource pool of storage the resiliency of the physical platforms becomes incredibly important,” he said. “In ‘pre-virtualisation’ days if a single x86 server failed only a single group of users were likely to be affected. If a virtual server dies it can potentially take with it a number of applications and a much higher number of users.”

In the free report, ‘Email marketing: the mobile conundrum’, Experian CheetahMail commissioned YouGov to look at consumers’ attitudes towards reading emails on their mobile phone.

Its research reveals that mobile email usage is rife amongst 18-34 year olds, with around three out of four saying that they either currently read emails on their mobile phones or plan to do so in the near future. A third of all respondents said that a major barrier to reading emails on their mobile was poor email layout, while a further 30 percent would not open an email from a brand they did not recognise. 

The report also found that the growing trend of reading emails on the move challenges the traditional thinking around the best time for brands to engage with customers. While nearly half of the respondents read emails on their phone throughout the day, over half read emails on their phone over the weekend.

“In an era when the mobile phone is now routinely used to check and respond to emails, it is clear that email marketers cannot afford to ignore the mobile channel,” comments Steve Lomax, managing director of Experian. “However, our research shows that only well formatted emails from recognised brands are likely to generate marketing cut through. Brands also need to take into account that consumers have a very different user experience on their mobile and what looks good on a PC can be almost unreadable on a mobile device. For effective permission-based mobile marketing campaigns, best practice techniques such as segmenting messages according to immediacy, optimising subject lines, sending multi-part emails and linking to a mobile version of the email can lead to an uplift in campaign results.”

Beyond Box-ticking: A new era for risk governance,a new report written by the Economist Intelligence Unit and sponsored by ACE and KPMG, finds that a lack of financial resources will be the biggest barrier to effective risk management in the year ahead. Companies everywhere are conserving cash, cutting headcount and reining in expenditure. The report finds that risk functions are no exception, with the result that important improvements to risk management are pushed to the sideline.

Asked about the biggest barriers to effective risk management in their organisation, the 364 risk professionals questioned for this study point to poor data quality, inadequate technology and a lack of expertise. But rather than tackling these issues, risk professionals say they are more likely to concentrate on process improvements and training. This suggests that, rather than addressing the key risk management issues—which also carry the biggest price tag—companies are instead opting for some quick wins, and trying to do more with less. While this will have some limited impact the underlying problems with risk management are likely to remain.

“Companies are facing a difficult dilemma in the current environment,” says Rob Mitchell, editor of the report. “On the one hand, they recognise the need to allocate greater time and resources to risk management so that serious shortcomings with their current approach can be addressed. But, on the other hand, they are facing huge pressures to keep costs under control. Satisfying these competing objectives poses something of a conundrum, and this could prevent necessary fixes to risk management from being made.”

The global study by Axios Systems found that 64 percent of respondents are unable to provide the business and IT executives with quantifiable metrics demonstrating the value of IT services and assets in real-time. Despite huge investments in IT, it appears organisations still lack the systems, processes and best practice approaches (eg ITIL) for IT management that would help overcome these challenges. As budgets come under close scrutiny, over a third of IT professionals claimed that business decision makers still do not understand the value IT brings to the business.

According to the research, 63 percent of respondents are focused on cost reduction as the principal driver for IT projects over the next 12 months, followed by change management and compliance. When these business drivers are considered, the need for a new, more pragmatic and value-orientated approach to IT becomes increasingly important. Consequently, Axios Systems believes that service value management (SVM) will emerge and grow as an approach for IT executives.

The focus on cost reduction and change management is being echoed in the specific technologies under consideration for the next 12 months. The major projects cited by respondents included CMDB (22 percent), change management (19 percent) and service catalogue (18 percent) deployments. In addition, 16 percent of respondents plan service desk upgrades or replacements. When these projects are taken together it emphasises the focus IT is taking in trying to understand the value of their IT assets, as well as finding ways to reduce costs and support business transformation initiatives.

“Today organisations are looking at ways to have more business driven technology and this is why service value management (SVM), with ITIL at its foundation, is such a priority,” comments Sharon Taylor, ITIL v3 chief architect and chief examiner.