Chapter IV: Global IT Risk Management Strategies


Chrisan Herrod
National Defense University, USA      

Introduction

This chapter describes why it is important for organizations to develop and implement an IT risk management function and to use best-practice risk assessment methodologies that provide a standard for measuring and assessing risk within organizations. Information technology risk management is a significant new function that can help companies achieve world-class IT service. IT risk management includes regulatory compliance, information security, disaster recovery, and project risks. IT risk management should be part of a company's risk management strategy, on an equal footing with financial risk management and reputational risk management. As the complexity of IT infrastructures increases, and as businesses continue to rely upon the Internet as the communication backbone for e-business, the associated risks increase. For these reasons, deciding upon and implementing a risk management process and a standard methodology will greatly reduce the risks associated with the introduction of new technologies that support the mission of the business.

The inherent complexities of developing, deploying, and managing IT services on a global scale are obvious. Add to these the legislative and regulatory frameworks that govern business practices in many industries, and companies are faced with a situation where only constant vigilance can ensure they are operating safely and legally. Peril cannot be eliminated from the business life cycle, and failures can result in loss, injuries, and lawsuits. At the same time, IT is essential to the success of any business. Many opportunities arise from exploiting information technologies in ways that advance business and serve customers.

The goal of an IT risk management organization should be to ensure potential risks are identified and assessed and, where the business considers it necessary, to implement controls that mitigate the potential impact of the risk. This is achieved by:

  • Creating policy

  • Making process improvements

  • Defining procedures or standards

  • Instituting controls through management practices

  • Following guidelines

  • Building contracts

  • Using groups in the organization

  • Outsourcing where necessary

  • Insuring against the consequences

Risk Management Defined

Risk is an uncertain event or condition that, if it occurs, may have a negative effect on activities being performed in the business. Risk management is the systematic process of identifying risk, assessing the likelihood of its occurring and the impact it may have, and taking the action necessary to ensure that the reward from the activities performed will be realized.

Risk management is the balancing of risk and reward to ensure that rewards are maximized and risks are minimized to a degree acceptable to the business.

Key to Risk Management Success

The key to risk management is to identify and manage risks so that the reward being sought exceeds the impact of the risks encountered. This task is impossible unless the risks are identified. Those that are not identified and handled appropriately may create the most damage.

Understanding the Dynamics of Risk

Whenever a business introduces change, a dynamic that affects risk is also introduced. Change has the potential for increasing or decreasing risk. Most change has an associated reward, which is why a business is willing to confront risks that might be incurred.

Risk management starts with the monitoring of projects and programs and other external and internal factors that may create risk. A business change will often generate multiple potential risks. Each risk may affect multiple business units or functional areas.

Responses to Risk

The response to the introduction of risk can result in one of the following decisions.

  • Mitigate a Risk. Where steps are taken to reduce the probability of a risk maturing (occurring), or reducing the impact or loss should that risk mature.

  • Avoid a Risk. Where the decision is made not to take the risk at all. Typically, this means the reward/benefit to the company cannot be acquired.

  • Transfer a Risk. Where the anticipated loss of the maturing risk is transferred to another party. Typically, this would be a third party (e.g., insurance against lawsuit).

  • Accept a Risk. Where no steps are taken to either mitigate, avoid or transfer the risk. Basically, in accepting a risk, the company has chosen to accept the consequences should the risk mature.
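The four responses above are easiest to compare when each is expressed as an annual cost on the same scale. The following Python example is added here for illustration; it is not part of the chapter and does not come from the author. It assumes a simple quantitative model in which the expected annual loss of a risk is its likelihood multiplied by its impact, treats "avoid" as forgoing the reward of the business change, and allows "accept" only when the expected loss stays within a risk-acceptance threshold the business has set. The `Control`, `Insurance` and `Risk` types, the threshold value and every figure in the sample register are constructed for the example.

```python
"""Score a small IT risk register and pick a response for each entry.

Added illustration of the four risk responses (mitigate, avoid, transfer,
accept). All types, thresholds and register values are constructed for the
example; the annual-expected-loss model is an assumption, not the chapter's.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Control:
    """A candidate mitigation: what it costs per year and the likelihood left behind."""
    annual_cost: float
    residual_likelihood: float


@dataclass
class Insurance:
    """A candidate transfer: the annual premium and the loss the company still bears."""
    annual_premium: float
    retained_loss: float


@dataclass
class Risk:
    name: str
    likelihood: float        # probability per year that the risk matures
    impact: float            # loss, in currency units, if it matures
    reward: float            # annual benefit of the change that introduces the risk
    control: Optional[Control] = None
    insurance: Optional[Insurance] = None


def expected_loss(likelihood: float, impact: float) -> float:
    """Annualised expected loss: likelihood of maturing times impact (assumed model)."""
    return likelihood * impact


def response_costs(risk: Risk) -> Dict[str, float]:
    """Annual cost of every response that is available for this risk."""
    costs = {
        "accept": expected_loss(risk.likelihood, risk.impact),
        "avoid": risk.reward,  # not taking the risk forgoes the reward entirely
    }
    if risk.control is not None:
        # mitigation lowers the likelihood but costs something to run
        costs["mitigate"] = risk.control.annual_cost + expected_loss(
            risk.control.residual_likelihood, risk.impact)
    if risk.insurance is not None:
        # transfer caps the loss the company bears but costs a premium
        costs["transfer"] = risk.insurance.annual_premium + expected_loss(
            risk.likelihood, risk.insurance.retained_loss)
    return costs


def choose_response(risk: Risk, acceptance_threshold: float) -> str:
    """Pick the cheapest permitted response.

    Accepting is only permitted when the expected loss is within the
    threshold the business has agreed to live with.
    """
    costs = response_costs(risk)
    if costs["accept"] > acceptance_threshold:
        del costs["accept"]
    return min(costs, key=costs.get)


def assess_register(risks, acceptance_threshold: float) -> Dict[str, str]:
    """Map each risk name to the chosen response."""
    return {r.name: choose_response(r, acceptance_threshold) for r in risks}


# Constructed sample register (hypothetical figures).
SAMPLE_REGISTER = [
    Risk("public customer portal", 0.2, 500_000, 2_000_000,
         control=Control(60_000, 0.05), insurance=Insurance(40_000, 100_000)),
    Risk("unpatched ERP server", 0.3, 200_000, 500_000,
         control=Control(20_000, 0.05), insurance=Insurance(30_000, 150_000)),
    Risk("unsupported third-party plugin", 0.5, 300_000, 40_000,
         control=Control(30_000, 0.2)),
    Risk("legacy batch job migration", 0.1, 20_000, 150_000),
]
ACCEPTANCE_THRESHOLD = 50_000  # hypothetical annual expected loss the business tolerates

if __name__ == "__main__":
    for risk in SAMPLE_REGISTER:
        print(f"{risk.name:35s} {response_costs(risk)} -> "
              f"{choose_response(risk, ACCEPTANCE_THRESHOLD)}")
```

Running the register as written selects transfer for the portal (the premium plus retained loss is cheaper than the control), mitigate for the ERP server, avoid for the plugin (every treatment costs more than the reward it protects), and accept for the migration (its expected loss sits under the threshold). Changing the threshold or the control costs changes the decisions, which is the point: the response follows from the numbers the business supplies rather than from a judgement made in isolation.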

Risk Management Framework

The decision to respond to risk should be based on the use of a standard risk management methodology or framework. Decisions about the way risk is managed should not be made in isolation and definitely not be made without some due diligence. A risk management framework provides a process which if followed results in a logical basis for making decisions. Facts and data are collected and presented in a rational manner.

There are many risk management methodologies in use in both the public and private sectors. One is not better than another; frameworks such as the one proposed in this chapter should be adapted to fit the environment and/or the culture of the business. Typically, key principles guide a risk management framework:

  • Risk and its impact should be viewed holistically, that is, from the perspective of the entire business. Assessing the impact of risk from a narrower perspective poses risks in its own right, since business needs may outweigh a negative IT impact.

  • Risks are only significant if they have a business impact or quantifiable loss.

  • The framework must provide a basis for the evaluation of all kinds of risk, from minor security incidents to potentially catastrophic events.

  • It may sometimes be necessary to handle incidents before studying the driver that causes them to occur: treating risks holistically does not mean we let the business collapse before fixing the problem!


Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113