RISK MANAGEMENT PRACTICES WITHIN MECO
The risk management program has been in place for the past four years and has been driven by the vice president, who heads up Administrative Area 3 (see Exhibit 20.1) and sees the value in risk management. Each IT department identifies risk, and this forms part of the IT division's risk register. This is then reported up to the administrative area through the IT Risk Committee and eventually to the vice president. This is the most advanced administrative area in MECO with regard to risk management; it has been improving its risk management capabilities consistently over the years, and continues to make improvements to the program.
Exhibit 20.1 MECO Corporate Organization Chart
Other divisions within Administrative Area 3, such as Law, have not yet started a risk management program. However, due to the success of IT's risk management, the vice president has requested that other divisions take a lead from IT. IT will then work as consultants alongside the risk management project team and will be involved in setting it up throughout the administrative area.
IT has a Steering Committee, which oversees the risk to the division and escalates risks where appropriate (e.g., where they have no control of the risk or a decision needs to be made at a higher level). They ensure there is documentation in place as well as appropriate reporting lines.
The biggest risk that IT has is that of a severe cyber attack. Operations are linked to the main servers, which means that if the main IT system is down, that could affect operations, leading to a shutdown of facilities. This risk was identified and IT security was put in force in order to manage this risk. However, despite best efforts, there are about 150 hacking incidents a day, and not all of them are successfully stopped.
IT has 10 dedicated staff members, including their business continuity planning team, which is very strong for a division's risk function and shows the support that the program has within Administrative Area 3. The risk management project team is hopeful that once all divisions within the administrative area have risk management in place, other administrative areas will follow suit and replicate their success.