A three-step plan to IT Risk Management
While many smaller companies are guilty of not planning at all, it is equally important for larger businesses to avoid over-planning. For most organisations, IT risk management planning can be a fairly informal, spreadsheet-type exercise, but most enterprises should have a risk manager who assesses the technology risks, as this helps them to make better-informed decisions.
Technological advances naturally come with a few risks and it goes without saying that any technology that is incorporated into an operational setup can disrupt any organisation. Both small and large organisations face numerous technology risks, including password theft, information security incidents and service outages. Regardless of the scale of operations, it’s best to have a risk management strategy that not only anticipates but also mitigates potential problems that could cause disruption.
Before risk managers decide on ways of mitigating the technology risks that their organisations face, they often identify the root cause of the identified risks. This entails evaluating how individual technology risks will affect the organisation. Once this is complete, they can devise possible solutions for managing or preventing technology risks.
Step 1: List and rank risks according to business cost
The first step is to identify the main risks. Standard risk lists are available and one of the most complete is part of the IT governance framework. Whilst this could be overwhelming, it covers a wide range of topics beyond those that an IT department might want to include. Every project involves a range of risks, including the possibility that the job is never completed, that it is completed poorly, or that it runs over budget and over schedule.
While developing a comprehensive list of risks can be fairly easy, rating them according to potential business cost and importance is much more difficult. While lists of risks are universal, business costs can vary widely between organisations. For instance, financial traders cannot tolerate even small delays in the transmission of transactions, but a manufacturer might be tolerant of order processing delays.
This means estimating the total business cost of each risk can be difficult. Planners will want to consult business executives to discover what guidance could be offered from any associations in their industry and from other organisations in the same vertical market. While the estimate does not have to be precise, having one is important. It will be the basis for determining how much should be invested in mitigation.
Organisations need to determine what focus should be applied to protecting the organisation against basic threats such as viruses and worms. Decisions need to be made about how much should be spent on these basics compared with other risks. Event probability also needs to be factored in. Whilst viruses are a constant issue, they involve only a small cost to fix and don’t cause major disruption. A major disaster has a low probability, but it can devastate an organisation.
Step 2: Pricing mitigation
Pricing mitigation does not have to be exact and should not involve writing detailed proposals. Estimates based on internet research and past experience are good enough. Planners should keep in mind that costs will include staff availability and time as well as money spent. Some cases are straightforward, where mitigation involves buying and installing a hardware or software solution. In others, and particularly in the case of disaster recovery (DR), a variety of strategies with widely varying costs and effectiveness are available.
Determining which DR approach is best for any organisation depends on the tolerance for long periods of downtime, the availability of resources for problem-solving and the ability to survive a major disaster.
A small business unable to survive a disaster would be wasting money on a remote-site data recovery solution. Alternatively, if all the company can afford is tape backup and storage in a vault, then that becomes the company’s DR solution.
More creative solutions such as using a SaaS provider or DR outsourcers are important options to consider. Planners might also find that the cost of mitigating some risks is actually higher than the estimated potential loss. In this case, mitigation might not be worth the investment.
Step 3: Multi-year planning
Mitigation is an ongoing effort largely because available resources always fall short of needs, making multi-year planning a necessity. The risks change over time, so fresh approaches need to be considered constantly.
The risk of viruses is constant and they change often; even an organisation that is a veteran in dealing with virus risks needs to remain constantly vigilant. New risks, such as wireless networks and war walkers, can appear at any stage, and business activities such as expanding into new markets and industry segments or acquisitions will alter the basic risk posture.
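As an added illustration (not part of the original article), the three steps carried through in Python on a constructed risk register: annual expected loss as event probability times business cost, each mitigation compared against the loss it avoids, and a fixed annual budget spread over a three-year plan. The risks, controls and figures are constructed for the example, not recommendations.

```python
"""Rank risks by expected business cost, price mitigation against it and spread
funding over several years. All figures are constructed for illustration only."""
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    events_per_year: float    # expected occurrences per year (viruses: many, disasters: few)
    cost_per_event: float     # estimated business cost of one occurrence
    mitigation: str           # proposed control
    mitigation_cost: float    # one-off cost of the control, money plus staff time
    residual_fraction: float  # share of expected loss remaining with the control in place

    def expected_loss(self) -> float:
        """Step 1: annual expected loss = event probability x business cost."""
        return self.events_per_year * self.cost_per_event

    def net_benefit(self, years: int) -> float:
        """Step 2: loss avoided over the planning horizon minus the control's cost;
        negative means the mitigation costs more than the loss it prevents."""
        return self.expected_loss() * (1 - self.residual_fraction) * years - self.mitigation_cost

def rank_by_expected_loss(risks):
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)

def plan_mitigations(risks, annual_budget: float, years: int):
    """Step 3: fund worthwhile controls in order of net benefit, deferring a control
    to a later year when the current year's budget is exhausted."""
    remaining = {year: annual_budget for year in range(1, years + 1)}
    plan = {year: [] for year in remaining}
    not_worth_it, unfunded = [], []
    for risk in sorted(risks, key=lambda r: r.net_benefit(years), reverse=True):
        if risk.net_benefit(years) <= 0:
            not_worth_it.append(risk.name)   # mitigation dearer than the expected loss
            continue
        year = next((y for y in remaining if remaining[y] >= risk.mitigation_cost), None)
        if year is None:
            unfunded.append(risk.name)       # worthwhile, but no single year can pay for it
        else:
            remaining[year] -= risk.mitigation_cost
            plan[year].append(risk.mitigation)
    return plan, not_worth_it, unfunded

# Constructed risk register for a small business (illustrative figures only).
RISKS = [
    Risk("virus or worm outbreak", 12, 2_000, "endpoint protection", 15_000, 0.2),
    Risk("major site disaster", 0.02, 2_000_000, "remote-site DR", 300_000, 0.1),
    Risk("password theft", 0.5, 50_000, "multi-factor authentication", 10_000, 0.1),
    Risk("service outage", 4, 5_000, "redundant network link", 30_000, 0.25),
]
```

With a 30,000 annual budget over three years, the disaster ranks highest by expected loss yet its remote-site DR costs more than the loss it would avoid and is dropped, while the cheaper controls are funded in years one and two.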
Risk management for the entire IT infrastructure
The evolution of ubiquitous computing systems has encouraged many organisations to rely on their entire IT infrastructure for their business operations. Risk management planners need to consider how IT infrastructure functions when developing their mitigation strategies. Often decisions are made on the basis of relative cost, availability of specific skills or internal politics. However, careful IT risk management can be a highly effective way to change the overall risk posture of an organisation and should be carefully considered.