IT Risk Management – Considerations and Framework for Risk Management

Risk management has lately become one of the key agenda items for corporate boards, particularly IT risk management. Senior executives are paying more and more attention to IT risks and IT governance, and to their importance in business/IT strategy and business-IT alignment.

But wait, what is IT risk? It is any threat to IT assets (applications, infrastructure, data, and security) or to their performance that impacts business processes or the organization. Risk management is not about avoiding risk: the aim is not to eliminate risk but to manage it. Every organization has risk; the only difference is scale.

What is IT risk management? IT risk management is the identification, assessment, and prioritization of IT risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.

CIO Index has an excellent article on Information Technology and Corporate Governance. In it, the author lays out 7 key areas of risk that CIOs need to discuss, strategize and budget for, as follows:

  1. Business Continuity Planning/Disaster Recovery Planning (BCP/DRP)
  2. Information security and data integrity
  3. Sourcing and outsourcing
  4. Performance measurement
  5. Regulatory non-compliance
  6. IT strategy and spends
  7. IT management infrastructure

These IT risks are not just for CIOs to understand; it is imperative that managers involved in crafting IT strategy also gain a deep understanding of the risks and of the possible risk mitigation strategies.

Why Is It Important to Manage Risk?

The principal reason for managing risk in an organization is to protect the mission and assets of the organization. Therefore, risk management must be a management function rather than a technical function.

IT Risk Management – Whose responsibility is it?
In my mind, anything which impacts the entire organization should be managed from the top (i.e. a top-down approach). That way, duties can be segregated among the ranks of the organization. In the case of IT risk management, duties can be segregated as follows:

  1. defining the IT risk governance structure and providing guidance on formulating risk strategy (Corporate Board, with the CIO driving this effort);
  2. translation of strategy to execution, i.e., defining the risk management approach and establishing organization-wide consistency in risk management (the Steering Committee should bear this responsibility);
  3. owning and addressing these risks (individual business and/or IT leads).

Framework for IT Risk Management:
To effectively understand and communicate IT risk, a well-defined, consistent framework is absolutely essential. This ensures that everyone is using the same language and terminology. In general, the following four-step framework should suffice for effective IT risk management.

Step 1: Risk Identification – The purpose of this step is to identify the risks to the IT system. Risks occur in IT systems when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., natural, human, or environmental factors). This phase should identify the vulnerabilities of IT assets and the threats to them. A precursor to this is to identify all the IT assets (i.e., scan the entire IT organization) and document how these IT assets correlate with the business.

Step 2: Risk Analysis – Risk analysis involves both qualitative and quantitative analysis of each identified risk.

Step 3: Risk Mitigation – Identifying and analyzing the risks helps the organization direct its resources and spending. There are a few strategies for managing positive risks (also called opportunities) and negative risks, as described below:

  • Negative Risk
    • Avoid – do something to make sure it does not happen
    • Transfer – pay or get someone else to handle the risk
    • Mitigate – take some action to reduce the likelihood of the risk happening
    • Accept – do nothing
  • Positive Risk
    • Exploit – do something to make sure it does happen
    • Share – spread the opportunity
    • Enhance – take some action to increase the likelihood of the risk happening
    • Accept – do nothing

Step 4: Risk Monitoring and Control – Risk monitoring and control is the continuous process of identifying and analyzing new risks, keeping track of them and forming contingency plans in case they arise.

The results of IT risk management should be documented in a risk assessment matrix; a sample template is shown below:
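As an added example (not the article's own template, and not taken from ISACA, COBIT or any other standard), the following Python risk register ties the four steps together: each entry records the asset, threat, vulnerability and owner from Step 1, carries a qualitative likelihood x impact score and a quantitative annualized loss expectancy (ALE = SLE x ARO) for Step 2, and a cost-benefit check supports the "mitigate" versus "accept" decision of Step 3. The five-point scales, the rating thresholds and the sample entries are constructed for illustration.

```python
"""Minimal risk register: qualitative scoring, quantitative ALE, and a
cost-benefit test for the mitigate/accept decision.

Added example. The ordinal scales, rating bands and sample entries below
are constructed assumptions, not values from any standard or framework.
"""
from dataclasses import dataclass

# Five-point ordinal scales for qualitative analysis (assumed scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str            # IT asset the risk applies to (Step 1)
    threat: str           # threat that could exploit the weakness
    vulnerability: str    # flaw or weakness in the asset or its environment
    likelihood: str       # key from LIKELIHOOD
    impact: str           # key from IMPACT
    owner: str            # business or IT lead who owns the risk
    sle: float = 0.0      # single loss expectancy, currency units (quantitative)
    aro: float = 0.0      # annualized rate of occurrence, events per year

    def score(self) -> int:
        """Qualitative score: likelihood x impact on a 5x5 matrix (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Bands on the 5x5 matrix (assumed thresholds: >=15 high, >=8 medium)."""
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"

    def ale(self) -> float:
        """Annualized loss expectancy: SLE x ARO."""
        return self.sle * self.aro


def prioritize(risks):
    """Highest qualitative score first; ALE breaks ties."""
    return sorted(risks, key=lambda r: (r.score(), r.ale()), reverse=True)


def mitigation_pays(risk, annual_control_cost, aro_after):
    """True when a control's annual cost is below the ALE it removes.

    aro_after is the expected rate of occurrence once the control is in place.
    If this returns False, accepting or transferring the risk is the
    economical choice rather than mitigating it.
    """
    ale_after = risk.sle * aro_after
    return annual_control_cost < risk.ale() - ale_after


def render_matrix(risks):
    """Rows of a risk assessment matrix as plain text (header + one row per risk)."""
    header = (f"{'Asset':<20}{'Threat':<16}{'L':<3}{'I':<3}{'Score':<7}"
              f"{'Rating':<8}{'ALE':>10}  Owner")
    rows = [header]
    for r in prioritize(risks):
        rows.append(f"{r.asset:<20}{r.threat:<16}{LIKELIHOOD[r.likelihood]:<3}"
                    f"{IMPACT[r.impact]:<3}{r.score():<7}{r.rating():<8}"
                    f"{r.ale():>10,.0f}  {r.owner}")
    return rows


# Constructed sample entries for a fictional organization.
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched file server",
         "likely", "severe", "IT Operations", sle=400_000, aro=0.5),
    Risk("payroll system", "power outage", "no UPS at branch office",
         "possible", "moderate", "Facilities", sle=20_000, aro=2.0),
    Risk("public website", "defacement", "outdated CMS plugin",
         "unlikely", "minor", "Marketing IT", sle=5_000, aro=1.0),
]

if __name__ == "__main__":
    for line in render_matrix(SAMPLE_RISKS):
        print(line)
    # Does a 50,000/year control that cuts ransomware ARO to 0.1 pay for itself?
    print("mitigate ransomware:", mitigation_pays(SAMPLE_RISKS[0], 50_000, 0.1))
    # Does a 10,000/year control that cuts defacement ARO to 0.2 pay for itself?
    print("mitigate defacement:", mitigation_pays(SAMPLE_RISKS[2], 10_000, 0.2))
```

The qualitative score orders the register for the steering committee, while the ALE figures let the risk owner argue in money terms: in the sample data the ransomware control removes far more expected loss than it costs, whereas the defacement control costs more than the loss it prevents, which is the case for accepting or transferring that risk.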

There are many different frameworks on the market for risk assessment. ISACA, the Information Systems Audit and Control Association, has just released an initiative called “Enterprise Risk: Identify, Govern and Manage IT Risk, The Risk IT Framework”, based on COBIT.

In summary, IT risk management practices allow the organization to protect information and business processes commensurate with their value. To ensure the maximum value of risk management, it must be consistent and repeatable, while focusing on measurable reductions in risk.

Aon just released a study that showed that those organizations that adopted a focus on risk management saw benefits that include enhanced shareholder value, a reduction in their total cost of risk, strengthened business resiliency and increased operational efficiency.

