Whether benign or malicious, threats to company IT systems are like glitter and microplastics. They get everywhere, they’re hard to clear up, and are difficult to avoid. There’s no question that all organizations are exposed to IT risk. Google “recent IT breaches” and you’ll find cybersecurity monitoring websites listing household name companies that have fallen victim. If you’ve interacted with these companies, your personal data may have been partially compromised.
To convey the enormity of IT risk, Steve Morgan, a cybersecurity specialist, says that if cybercrime were a world economy, its cost would make it the third largest country after the US and China. And it’s growing by 15% a year – faster than any major economy.
IT is the biggest source of risk for almost all businesses, so we must all understand and manage it.
This summary guide covers the key considerations of IT risk management: what IT risk is, why IT risk management is important to business, and how to effectively identify, assess and control your risks.
You might find this a little different from other guides because we focus on getting the fundamentals, your organizational readiness, right at the outset. Many guides fail to emphasise organizational readiness, and its absence is often the weak link in IT risk management.
By the end of this article, I hope you’ll improve your understanding of best practice frameworks for IT risk management, which you can apply to your organization.
What is IT Risk Management?
IT risk management means identifying, assessing, and responding to risks that can come from a variety of sources such as
- hardware and software vulnerabilities
- errors in system design or implementation, and
- user activity.
The goal is to mitigate or eliminate risks to a level that no longer significantly harms your organization. To achieve this, you and your team must clearly understand potential risks, and how to address them.
The problem is that IT threats come in the form of many-headed, shape-shifting monsters. Cyber attackers can be highly creative, and users can be careless.
New technologies such as blockchain and ChatGPT (an OpenAI solution) are used in novel ways. For instance, coders use ChatGPT to improve their code. But what’s the risk? Do you know whether OpenAI uses commercially sensitive code snippets shared with ChatGPT as artificial intelligence training data?
Since risks are so fast moving and difficult to predict, IT risk managers must work hard on intention, principles and frameworks. Start with an IT risk management policy that spells out how you and your team will:
- Identify and assess risks that could result in significant harm to business goals.
- Determine appropriate responses to assessed risks based on risk level and risk tolerances.
- Ensure senior management are aware of IT risk management frameworks in place.
- Promote risk awareness and risk management practices throughout the business.
Why IT Risk Management benefits your business
It’s worth remembering that IT Risk Management can help your business beyond the most obvious purpose – to prevent or mitigate problems that could arise from your technology.
IT risk management should also make your company more efficient and win trust and loyalty:
- Efficiency: If you effectively manage risks, you’re less likely to suffer data loss or system downtime disruptions. This means your operations will run more efficiently, leading to better operating performance and better financial results.
- Trust and loyalty: When your customers, clients, suppliers, employees, and investors see how seriously you’re managing risks, they should trust you more. Their ongoing trust and loyalty should contribute to your long-term success.
Five steps to manage IT risk at your organization
Many IT risk management guides simply iterate through standard activities of identifying, assessing, and prioritizing the risks to your operations, assets, and individuals.
These are essential steps, but I have been inspired by ISACA’s excellent IT Risk Starter Kit, to include organisational readiness. Without organizational readiness, your IT risk management will be built on sand, and lack solidity. Let me outline the three steps to organizational readiness before you start assessing your risks.
Step 1: Organizational readiness – assemble your team and create your governance structure
First, define two teams that oversee IT Risk Management: the IT Risk Management Board and the IT Risk Committee.
- The IT Risk Management Board handles the IT risk management program, agreeing the organization’s risk appetite, and handling escalations.
- The IT Risk Committee should set up risk management focus areas and priorities, update the board on material risk exposures and oversee the effectiveness of mitigation activities.
Next, create a governance structure with sub teams of Risk Owners, IT Risk Officers, and Auditors.
- Risk Owners are normally heads of business lines or corporate divisions.
- IT Risk Officers should push the risk management agenda by ensuring compliance, providing toolkits and training, and by positively challenging the status quo if appropriate.
- Auditors should independently and objectively test and convey how effectively the organisation controls risk.
Step 2: Organizational readiness – clarify the team’s purpose and mission
Once you’ve set up teams and roles, create an explicit purpose and mission for your teams to work toward. They must align with your organization’s strategic goals, for example:
- If your organization’s strategy is to increase revenue, the team should prioritise risks that may affect revenue or costs.
- On the other hand, if the organization’s strategy is to improve customer satisfaction and loyalty, then the team should address risks that may affect this, such as quality.
Once your team’s purpose is set, develop your committee charter, a clear statement of who the committee members are, meeting frequency, how decisions are made, communication and escalation procedures, working style, and structure.
Step 3: Organizational readiness – clarify your organization’s attitude to risk
Next, define risk categories, and which areas of your business are exposed to which risk category.
As mentioned, IT risks are hard to predict, and can be caused by oversight, thoughtlessness or malicious cyberattacks. So instead of creating a directory of every IT risk, I suggest you catalogue the risk categories that can affect your IT systems, data, and your organization’s wellbeing – for instance:
- Security risks: viruses, malware, hacking, and phishing which can lead to data breaches, loss or destruction of data, and downtime.
- Operational risks: problems with hardware, software, or people which can cause data loss, corruption, or unauthorized access.
- Compliance risks: when an organization fails to meet regulatory requirements, it can lead to fines or even criminal charges.
- Business continuity risks: when an IT system is unable to meet the needs of the business this can lead to lost revenue, customers, or competitive advantage.
Write a risk appetite statement for each risk category which at a minimum explicitly covers:
- who owns the risk
- agreed attitude to the risk – for instance risk averse, risk neutral or seeking risk
- how this aligns with the business strategy or philosophy
- external factors such as regulations or contractual requirements
- risk / reward trade-offs
- thresholds and escalation protocols.
Once you’ve clarified your organization’s attitude towards risk, you can then develop a plan to manage those risks.
Step 4: Design and create risk management processes and frameworks
It’s time to build a risk register. Aim to be as comprehensive as possible, anticipating as many risks as you can. You should track assessed risks with their associated plans, decisions, and further details such as owner, status, and target date.
Here are the components of your risk register.
- Risk library: Compile a risk library of potential risks and link them to business processes, threat scenarios and potential ways you can control them. The risk and controls library should guide you to prioritise risk areas to assess.
- Risk assessments: These allow you to estimate the future potential of events – how often a loss may occur and the size of the likely loss.
- Risk controls: Rate the controls for each risk as weak, average, or strong, with a clear rationale. The loss impact should also be explicit. What constitutes a high, moderate, or low loss for your organization?
Note this is a simplified description of a working template that companies generally outgrow very quickly. When you do, it’s time to invest in a Governance Risk and Compliance (GRC) system.
Scenario building. It’s vital to prepare for unexpected and undefined risks which are inevitable at some point. Of course, you can’t be ready for an unexpected risk, but scenario building will train you for “preparedness”. By analysing how combined risks may affect your business, your team will improve its ability to respond quickly and decisively to unexpected events. Be as creative as you can with scenarios. Here are some examples to start with:
- A fire damages important IT infrastructure
- Failing technology projects are allowed to continue with no management intervention
- A malicious insider deletes all Active Directory information globally
- You experience a collapse in third-party technology that controls your supply chain
Reporting. Finally comes reporting which should typically include:
- A quarterly risk dashboard organised by high level risk types and top risk scenarios.
- Commentary on progress and setbacks in the last quarter
- Broad and comprehensive information – but not in-depth
- Risk accountability
- Changes in regulatory environment
- Supporting information that is too detailed for senior leadership, for instance in an appendix
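As an added example (not from the article or from ISACA’s starter kit), here is a minimal risk register in Python that ties together the Step 4 components: scenarios from the risk library with their business process and owner, an assessment expressed as loss frequency times loss size, a control rating of weak, average or strong, and a quarterly dashboard grouped by risk category with the top scenarios. The control factors, loss thresholds and all register figures are assumptions, and the scenarios are constructed from the ones listed above.

```python
from dataclasses import dataclass
# Control ratings from the article, mapped to the fraction of inherent loss assumed
# to remain once the control operates (illustrative assumption, not a standard).
CONTROL_FACTOR = {"weak": 0.9, "average": 0.5, "strong": 0.2}

@dataclass
class Risk:
    scenario: str      # threat scenario from the risk library
    category: str      # security | operational | compliance | business continuity
    process: str       # business process the library links the scenario to
    owner: str         # risk owner, normally the head of the business line
    frequency: float   # assessed loss events per year
    loss: float        # assessed likely loss per event, in currency units
    control: str       # control strength: weak | average | strong

    def inherent_ale(self) -> float:
        """Annualised loss expectancy before controls: frequency x loss size."""
        return self.frequency * self.loss

    def residual_ale(self) -> float:
        """Loss expectancy remaining after the rated control."""
        return self.inherent_ale() * CONTROL_FACTOR[self.control]

def loss_band(amount: float, high: float, moderate: float) -> str:
    """Map a loss figure to the organisation's explicit high/moderate/low bands."""
    return "high" if amount >= high else "moderate" if amount >= moderate else "low"

def dashboard(register: list, high: float, moderate: float, top_n: int = 2) -> dict:
    """Quarterly dashboard: per risk category, total residual loss and top scenarios
    ranked by residual loss, the order a risk committee would prioritise."""
    view = {}
    for cat in sorted({r.category for r in register}):
        risks = sorted((r for r in register if r.category == cat),
                       key=Risk.residual_ale, reverse=True)
        view[cat] = {
            "residual_total": round(sum(r.residual_ale() for r in risks), 2),
            "top_scenarios": [(r.scenario, r.owner, loss_band(r.residual_ale(), high, moderate))
                              for r in risks[:top_n]],
        }
    return view

# Constructed sample register built from the article's own scenarios; all figures invented.
REGISTER = [
    Risk("Fire damages core IT infrastructure", "business continuity", "Hosting", "Head of Ops", 0.05, 2_000_000, "average"),
    Risk("Malicious insider deletes Active Directory", "security", "Identity", "CISO", 0.1, 1_500_000, "weak"),
    Risk("Phishing leads to credential theft", "security", "Email", "CISO", 2.0, 40_000, "strong"),
    Risk("Third-party supply-chain platform collapses", "business continuity", "Procurement", "Head of Supply", 0.5, 300_000, "average"),
    Risk("Failing project continues unchecked", "operational", "Change", "CIO", 1.0, 250_000, "weak"),
]
HIGH_LOSS, MODERATE_LOSS = 100_000, 30_000   # organisation-specific thresholds (assumed)
```

Calling `dashboard(REGISTER, HIGH_LOSS, MODERATE_LOSS)` gives the per-category view; the same data, grouped by scenario instead, serves the risk-owner accountability line of the report.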
Step 5: Focus on incremental and continuous improvement
It’s never too early to measure and address risk, and even initial measures make a disproportionate impact on your risk landscape. But IT Risk Management tends to snowball into massive complexity, so it’s important to start small and simple and improve in deliberate increments.
Incremental and continuous improvement – making small, regular changes to your processes and systems that result in overall improvements – suits IT risk managers particularly well, because it helps identify and address risks early, before they cause major problems.
With each iteration, aim to build from the basics using elements of the framework outlined in this article. Consider risk management as an evolving process:
- The first steps are to record incidents and define risk areas.
- Next, outline your tolerance levels and identify issues and actions to take.
- Then, capture risk metrics and rank risks.
- Finally, build scenarios based on aggregated risks.
Apply a Risk Program Maturity Assessment to continually reassess the risk environment, and how effectively your program reflects that. This should clarify the next steps for improvement.
It’s clearly a challenge for IT Risk Managers to keep up with technology’s pace and pervasiveness. With cybercrime’s annual growth projection of 15%, risk managers can easily get sucked into an accelerating arms race with cybercriminals.
But in the face of huge pressure, it’s important to carefully pick your battles in order to win the war. A clear framework, built around core principles is key. I’ve outlined some of the most important ones in this article, and I urge you to explore the excellent IT Risk Starter Kit by Paul Phillips which you can find on ISACA’s website. It includes:
- Management Policy Templates for Governance Structure and Roles and responsibilities
- Committee Charter Template
- Job Descriptions
- Appetite Statement Template
- Assessment Template
- Scenario Template
- Reporting Template
- Program Maturity Assessment