Dr John Mitchell FBCS, Chair of the BCS Information Risk Management and Assurance Specialist Group, explores the group’s foundations, formation and early days.

The Information Risk Management and Assurance (IRMA) specialist group (SG) has a remarkable history, highlighting its significance in the domain of risk management and assurance within IT in general and BCS in particular. As a cornerstone in the broader framework of the institute, IRMA has played a significant role in shaping best practices, fostering professional development and driving forward the agenda of information assurance in an increasingly digital world. It is the second oldest SG in BCS and has over a thousand members, many of whom reside overseas.

The origins of IRMA can be traced back to a few far-sighted accountants who, in the early 1960s, realised that many of the financial systems they then audited — such as payroll and accounting — would be replaced with computerised versions, and auditors would need new skills to provide assurance on their accuracy and reliability.

The early days

During the 1960s, computerised systems ran on large single-thread, mainframe computers, so these visionary people decided that any group they created would ideally be associated with BCS, which had been created around 1957 (it would not receive its royal charter until 1964).

They adopted the name Auditing by Computer (ABC) and became the second specialist group affiliated to the BCS (they would not become incorporated until 2008). The adopted name was not their first choice, but at that time (and for many years afterwards) BCS was focused on the use of computers in business and academia rather than managing them. So, Auditing by Computer implied the use of computers for the actual audit activity, rather than auditing the systems which ran on those computers. It would take 25 years before they were able to adopt a name which reflected their initial intentions, which were to cover such areas as:

  • Information governance
  • Information systems risk management and audit
  • Awareness and use of computer auditing
  • Control and risk management techniques

The group quickly recognised the need to address the growing governance complexities associated with IT. The technology refused to stand still; by the late 1980s, the proliferation of computers of all sizes, coupled with the advent of interconnected networks, necessitated an expansion in the scope of the group’s coverage and they became the ‘Computer Audit Specialist Group’ (CASG) in 1990.

CASG believed that the proliferation of computing in the business world meant it was becoming difficult to separate computing from business. Indeed, many businesses were so reliant on computing that management of the technology was becoming core to the business. Many IT professionals took exception to this, arguing that technology was for IT to manage (not that they knew how to do it) and certainly not for those with (then) a predominantly financial background. Indeed, this ultimately led to a new group being formed: the ISSG (Information Security Specialist Group) — with whom IRMA retains very cordial relations and often hosts joint events, due to the overlap between security and governance.

Continuing to grow

CASG attracted many people who were joining the new computer audit profession, and at its zenith it had more than 2,500 members — many of whom subsequently joined BCS, which was slowly beginning to recognise that there was more to the IT profession than just the development and delivery of applications. Being, at that time, the only group in the UK dedicated to computer auditing, control and compliance, the CASG Group were able to run conferences which attracted up to 500 paying attendees. CASG was financially independent at a time when many other groups were reliant on contributions from BCS. Indeed, there were very few groups which were revenue positive. The significance of this will be explained in part two of this series.

Ultimately, a number of significant IT and company failures, coupled with a recognition of the need for a focused approach towards information risk management, led to a more pragmatic understanding of the requirement for good IT governance. So, in 2001, CASG adopted the name it has today: the Information Risk Management and Assurance specialist group, with the objective of providing a dedicated platform for professionals to discuss, develop and disseminate knowledge on managing information systems. The group could now meet the intentions of its founders, which were to bring together practitioners from various fields, including IT security, auditing, risk management and compliance, to collaboratively enhance the understanding and mitigation of IT risks.

Advances in technology raised new risks to the management and control of IT, and IRMA was pressed to tackle these to keep the proverbial lid on an increasingly volatile kettle. The technological advances were often outstripping our ability to manage them, but we were becoming more agile in identifying the problems — even if it took us a bit longer to identify the solutions. We named this the ‘control lag.’ Examples of significant changes that required a change in our approach were:

  • The move from batch processing to remote access
  • The ability of the user to make direct changes to data in real-time
  • The introduction of local area networks (LANs)
  • The connection of the LANs to Wide Area Networks (WANs)
  • Outsourcing
  • The internet and internet of things (IoT)
  • The Cloud
  • Quantum computing
  • Specific artificial intelligence (AI)

These advances in technology led both to the globalisation of business and to increasing regulatory requirements across different jurisdictions, which added layers of complexity to information risk management. IRMA acted to provide guidance that was both globally relevant and locally applicable. At the same time, research into control theory was beginning to yield dividends as to how to approach the control implications in a robust way.

The changes in the group's focus, driven by technological advances, are reflected in its three name changes: ABC to CASG to IRMA. This demonstrates the need for all specialist groups to regularly examine their relevance in the digital world and review their mission and objectives.

The next article in this series will describe how IRMA adapted to the challenges brought about by enhancements in technology in the digital age. If you want to know more about IRMA, go to the IRMA page on the BCS website.