People, Processes, Technology and the Hierarchy of Controls


Risk management is, for the most part, about risk mitigation: reducing the impact of a risk and/or the probability of its occurring. This is done by applying controls drawn from a hierarchy of controls, which provides a common terminology for describing risk management. The success of risk management depends on its ability to implement changes across all of IT in the areas of policy, process, management practices, procedures and standards. To achieve this, establish a common understanding of how these terms are used throughout the business.

There are three key elements associated with mitigating risks: change can occur in people, processes, or technology.

  • People. People, or more particularly their actions, can be changed in order to mitigate a risk. An example of this would be the introduction of software licence practices detailing necessary requirements for purchase and distribution of software. Employees must be made aware of the proper procedures associated with buying software and know that downloading software from the Internet constitutes inappropriate use.

  • Process. Processes can be changed to mitigate risk. An example of this would be the introduction of access management processes (and attendant software) to reduce the risk of not properly managing access when employees leave a company.

    Figure 1

  • Technology. Technology can be introduced or revised to ensure that a risk is mitigated. An example of this would be audit monitoring software tools on key systems and applications to preclude unauthorized access.
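
The process and technology controls above can be made concrete in a single check. The following is an added example, not code from the book: it reconciles enabled accounts against an HR roster (the leaver part of the access management process) and scans audit log lines for successful logins after an owner's termination date (the audit monitoring control). The roster, account list, and log format are constructed, hypothetical data for illustration; a real deployment would read them from the directory, the HR system, and the authentication logs.

```python
"""Leaver-account reconciliation and post-termination login detection.

Added example, not from the book. Data formats are hypothetical:
  HR_ROSTER : Employee(employee_id, status, termination_date)
  ACCOUNTS  : Account(username, employee_id, enabled, last_login)
  AUDIT_LOG : "<ISO timestamp> login user=<name> result=<success|failure>"
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    status: str                      # "active" or "terminated"
    termination_date: Optional[date]


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]       # None when no HR owner is recorded
    enabled: bool
    last_login: Optional[date]


# Constructed sample data (not real people or systems).
HR_ROSTER = [
    Employee("E100", "active", None),
    Employee("E101", "terminated", date(2024, 5, 31)),
    Employee("E102", "active", None),
]
ACCOUNTS = [
    Account("alice", "E100", True, date(2024, 6, 10)),
    Account("bob", "E101", True, date(2024, 5, 20)),        # owner has left, still enabled
    Account("carol", "E102", True, date(2024, 1, 5)),       # unused for months
    Account("svc_backup", None, True, date(2024, 6, 11)),   # no HR owner on record
    Account("dave", "E103", False, None),                   # already disabled
]
AUDIT_LOG = """\
2024-05-30T17:02:11 login user=bob result=success
2024-06-01T09:12:00 login user=bob result=success
2024-06-10T08:30:45 login user=alice result=success
2024-06-12T22:15:03 login user=dave result=failure
"""


def reconcile(accounts, roster, today, stale_days=90):
    """Return (username, reason) findings for enabled accounts that the
    access management process should act on."""
    by_id = {e.employee_id: e for e in roster}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                                   # nothing to revoke
        if a.employee_id is None:
            findings.append((a.username, "no_hr_owner"))
        elif a.employee_id not in by_id:
            findings.append((a.username, "unknown_employee_id"))
        elif by_id[a.employee_id].status == "terminated":
            findings.append((a.username, "owner_terminated"))
        # Stale: never used, or not used within the grace period.
        if a.last_login is None or today - a.last_login > timedelta(days=stale_days):
            findings.append((a.username, "stale"))
    return findings


def logins_after_termination(log_text, accounts, roster):
    """Return (username, timestamp) for successful logins dated after the
    account owner's termination date, as an audit monitoring check."""
    by_id = {e.employee_id: e for e in roster}
    owner_of = {a.username: by_id.get(a.employee_id) for a in accounts if a.employee_id}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "login":
            continue                                   # not a login event
        when = datetime.fromisoformat(fields[0]).date()
        kv = dict(f.split("=", 1) for f in fields[2:])
        owner = owner_of.get(kv.get("user"))
        if (owner is not None and owner.termination_date is not None
                and kv.get("result") == "success" and when > owner.termination_date):
            hits.append((kv["user"], fields[0]))
    return hits


if __name__ == "__main__":
    for item in reconcile(ACCOUNTS, HR_ROSTER, date(2024, 6, 15)):
        print("reconcile:", item)
    for item in logins_after_termination(AUDIT_LOG, ACCOUNTS, HR_ROSTER):
        print("post-termination login:", item)
```

Run periodically, the reconciliation output is the work queue for the process (disable or re-own the flagged accounts), while the log check is the technology control that catches a login the process missed; the two together cover both the revocation step and its verification.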

Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113
