HM Revenue & Customs (HMRC) has developed an in-house risk management tool which it says has greatly improved its decision making.
Speaking at Gartner's Security and Risk Management Summit yesterday, Louise McCarthy, finance director, HMRC information management services (HMRC IMS), explained that the department had been making business decisions without considering risk.
"We used to have multiple spreadsheets, unlinked standalone systems, and the data was prone to error. We spent too much time gathering and chasing data, with little time left for decision making.
"We ended up making business decisions without considering risk, and risk decisions without considering how it would affect performance."
Richard Ryder, head of continuous improvement at HMRC IMS, said that his team aimed to add value to the decision making process.
"Our challenge was to get from just processing information, to being able to display it in new ways, allowing interaction and adding value to the process."
The decision was made to build the tool internally because HMRC believed that it possessed the necessary skills, and this would be cheaper than purchasing an off-the-shelf solution.
Ryder added that building it internally would also help drive cultural change.
"Cultural change is so important to driving risk management, people have to understand their own role in the process. Building the tool ourselves and involving different groups helps drive that change," he said.
However, the group discovered that it needed additional skills, so enlisted Microsoft's help in building the tool.
Ryder explained that there were a number of critical success factors for the project.
"It had to have real-time data to enable quicker and more accurate decision making. We had to have a simple overview at the top, but the ability to drill down into the detail. And it needed to allow self-service, the risks are owned by the people who own the actions and the controls."
Following a six-month build process, the tool was live, and has now been in use by HMRC for three months.
Mick Brown, planning and control, HMRC, explained that although the project is deemed a great success, many lessons have been learned along the way.
"We learned that building a tool is easy, but cultural change is hard. It took three months to get people to understand their responsibilities in managing risk," said Brown.
He advised other organisations intending to build a similar tool themselves to adopt an agile process.
"Build what you want, and build it iteratively. Build something that will start providing benefit tomorrow. That way, if the cash runs out half way through, you've got something that provides value."
The next step for HMRC is to roll the tool out to other departments.
"Other departments are knocking on our door and want to use it themselves," said Brown.
Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes
Focus on cost efficiency, simplicity, performance, scalability and future-readiness when architecting your data protection strategy