IT Risk Management Guide: How to Simplify the Process
*This post originally appeared on the Cherwell blog, prior to the acquisition by Ivanti.
The days of a computer with centralized software sitting safely in a locked office are long gone. Consider how many elements and people interact with a company’s Information Technology (IT) today:
- Devices (desktops, laptops, mobile devices; corporate-owned, personal)
- Software and applications (increasingly cloud or SaaS based, meaning outside of an organization’s complete control)
- APIs and integrations
- In-house personnel, remote employees, freelancers, contractors
This growing ecosystem of information and technology has created a massive IT-related risk landscape. Unmitigated IT risk can have a major impact on business finances, functionality, morale, and reputation. The growing number of cybersecurity events in recent years—coupled with the very real impact these risks carry—has made it clear that organizations cannot ignore the need for a robust IT risk management process.
In this brief IT Risk Management Guide, we’ll cover:
- What is IT risk management?
- 5 steps to IT risk management
- What IT risk management strategies you should follow
- Best practices for IT risk management
What Is IT Risk Management?
As IT has become more integrated into the daily operations of an organization, the risk it carries grows with it. That's where IT Risk Management comes in. Techopedia defines IT risk management as, "[T]he application of the principles of risk management to an IT organization in order to manage the risks associated with the field. IT risk management aims to manage the risks that come with the ownership, involvement, operation, influence, adoption and use of IT as part of a larger enterprise."
Risk management is nothing new to organizations; IT risk management simply applies those base processes and procedures to the growing web of IT engagement. As organizations build out IT risk management plans, the process will often include familiar roles such as a Risk Manager and a Risk Remediation Analyst. In this case, these roles should have a strong understanding of general risk management practices as well as an IT background to ensure risks are properly assessed and approached.
5 Steps to IT Risk Management
IT risk management can be broken into five general steps. As you’ll learn in step five, this is a living process as steps one through three (and step four as needed) should be regularly revisited.
Step 1: Identify the Risk
The most basic element of IT risk management is understanding what risks exist. This should be done by looking at the larger IT risk landscape (key and emerging cybersecurity threats, most common points of failure/breach, etc.) and determining which of those general threats may apply to the organization.
The second aspect of identifying IT risk is evaluating existing internal practices and any potential associated weaknesses (lack of documented security practices and procedures, heavy use of third party contractors or vendors, poor understanding of security and responsibility related to cloud and SaaS solutions, etc.).
This step gives organizations a general understanding of what risks exist, where those risks are, and when they might arise.
Step 2: Analyze the Risk
Not all risk is equal. A piece of paper and a knife can both result in a cut, but the risk and potential severity are vastly different. Analyzing each risk’s likelihood of occurrence and its potential impact will help organizations strategize and prioritize.
When analyzing risk, consider factors such as:
- Likelihood of occurrence
- Financial impact
- Operational impact
- Impact on the organization reputation
- Potential for regulatory ramifications (e.g., fines, outside audits)
These factors feed into a general risk matrix that plots likelihood against impact to help organizations evaluate and rank risks. The matrix may be as simple as a grid with likelihood on one axis and impact on the other, each scored on a small scale such as low, medium, and high.
Taking time for a thorough analysis of each identified risk will help teams focus and prioritize as they move into step three of IT risk management.
Step 3: Evaluate and Rank the Risk
IT teams have limited time and resources, and with the list of identified risks continuously growing, teams simply cannot address every risk equally.
Using the matrix from step two, organizations can map their unique risk landscape and rank which risks they feel are most important to focus on. Keep in mind, highly likely risks won't always have the biggest business impact. Conversely, risks that have a very slim chance of occurring may still require a documented response strategy, because if they do occur, the negative impact could be catastrophic.
Once risks are ranked, IT organizations can begin developing strategies to address each risk. When developing IT risk management strategies, it’s wise to put a timeline in place with deadlines mapped to each risk. This helps ensure risk management planning doesn’t get pushed to the side, leaving a company vulnerable.
Step 4: Respond to the Risk
Every company hopes they’ll never encounter step four—responding to an actual event. But in today’s risk landscape that is wishful thinking. Something is bound to happen.
The key to successfully limiting the negative impact of an issue is having a documented, approved, and well-circulated IT risk management process in place before an issue occurs. This creates the company’s “plan of attack” to directly address the issue, prioritize personnel, time, and resources as needed, and ensures everyone is on the same page. In the middle of a crisis—whether big or small—is not the time to form a plan.
With a proper IT risk management process already in place, the organization is poised to quickly, effectively, and efficiently deal with the issue, minimizing its impact.
Step 5: Monitor & Review the Risk
Companies should not consider the task of IT risk management "done" simply because they've put some plans in place. Risks are always evolving and emerging, requiring successful IT risk management teams to regularly revisit steps one through three. Risk identification, analysis, and ranking also need to occur any time a new vendor, application, or integration is introduced. If a new business practice (such as allowing employees to work remotely or use their own devices) is implemented, a new level of risk emerges and needs to be addressed.
If an issue does occur, that risk and the corresponding strategy should be re-analyzed and evaluated. The organization may opt to maintain its previous assessment and course of action, or changes may need to be made to the strategy.
To ensure this is an ongoing process, it’s best practice to add risk analysis to all onboarding and implementation plans. It’s also wise to set a regularly recurring review schedule for all risks and an identified time for an overall risk landscape reevaluation to ensure no unaddressed risks have emerged.
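The scoring, ranking, and review-cadence parts of steps two, three, and five can be kept as a small risk register rather than a spreadsheet. The following is an added illustration, not code from the original post or from Cherwell or Ivanti. It assumes a 5x5 matrix (likelihood and each impact dimension scored 1 to 5), takes the worst single impact dimension as the overall impact, and uses illustrative rating bands and review intervals; the sample risks and dates are constructed for the example.

```python
"""Minimal IT risk register: likelihood x impact scoring, ranking, and review cadence.

Added example. Assumptions (not from the original post): 1..5 scales, overall impact is
the worst single dimension, and the rating bands / review intervals below are one
common convention, not a standard. Sample risks and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LOW, MEDIUM, HIGH, CRITICAL = "low", "medium", "high", "critical"

# Assumed review intervals per rating (step five: a recurring review schedule for every risk).
REVIEW_INTERVAL_DAYS = {LOW: 365, MEDIUM: 180, HIGH: 90, CRITICAL: 30}

SCALE_FIELDS = ("likelihood", "financial", "operational", "reputational", "regulatory")


@dataclass
class Risk:
    name: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    financial: int       # 1..5 impact on each dimension the post lists in step two
    operational: int
    reputational: int
    regulatory: int
    last_reviewed: date

    def __post_init__(self) -> None:
        # Reject out-of-range scores early; a typo'd "50" would silently dominate the ranking.
        for name in SCALE_FIELDS:
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: {name} must be 1..5, got {value}")

    @property
    def impact(self) -> int:
        # Worst single dimension drives impact: a regulatory-only event is still a 5 if the fine is a 5.
        return max(self.financial, self.operational, self.reputational, self.regulatory)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed bands for a 5x5 matrix (score range 1..25).
        if self.score >= 15:
            return CRITICAL
        if self.score >= 8:
            return HIGH
        if self.score >= 4:
            return MEDIUM
        return LOW

    @property
    def needs_response_plan(self) -> bool:
        # Step three caveat: a slim-chance but catastrophic risk still needs a documented response,
        # even when its likelihood x impact score lands in a middling band.
        return self.impact >= 5 or self.rating in (HIGH, CRITICAL)

    def review_due(self) -> date:
        return self.last_reviewed + timedelta(days=REVIEW_INTERVAL_DAYS[self.rating])


def rank(risks: list[Risk]) -> list[Risk]:
    # Highest score first; ties broken by impact so catastrophic items surface above frequent nuisances.
    return sorted(risks, key=lambda r: (r.score, r.impact, r.likelihood), reverse=True)


def overdue(risks: list[Risk], today: date) -> list[Risk]:
    return [r for r in risks if r.review_due() < today]


# Constructed sample register; every entry was last reviewed on the same date for clarity.
REVIEWED = date(2023, 1, 15)
SAMPLE = [
    Risk("Phishing leading to credential theft", 5, 3, 3, 3, 2, REVIEWED),
    Risk("Ransomware on file servers", 2, 5, 5, 4, 4, REVIEWED),
    Risk("Primary cloud region outage", 1, 4, 5, 3, 1, REVIEWED),
    Risk("Stale test accounts in dev environment", 3, 1, 1, 1, 1, REVIEWED),
]
TODAY = date(2023, 6, 1)  # constructed "as of" date for the review check

if __name__ == "__main__":
    for r in rank(SAMPLE):
        plan = "response plan required" if r.needs_response_plan else "accept with baseline controls"
        print(f"{r.score:>2} {r.rating:<8} {r.name:<42} {plan}; review due {r.review_due()}")
    print("Overdue for review:", [r.name for r in overdue(SAMPLE, TODAY)])
```

Note how the cloud outage entry scores only "medium" on the matrix yet is flagged for a documented response because its operational impact is at the top of the scale; that is the edge case step three warns about, and it is the reason a register should not rank on score alone.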
What IT Risk Management Strategies Should I Follow?
There is not one singular IT risk management strategy organizations should follow. Instead, it's a combination of strategies and approaches designed to fit the company's unique situation and appetite for risk.
Regardless of what mix of strategies a company implements, applying safeguards should always be part of the overall approach to IT risk management. This includes implementing IT security best practices such as strong password requirements, proper data management, regular employee IT security training, etc. These simple practices can go a long way in risk management.
One of the most effective ways to lower general IT risk is with proper IT asset management, ITIL Change Management, and configuration management (CMDB software). These key elements allow IT teams to keep tight control over assets and access, ensuring they know what's going on in the corporate environment and that no rogue players or outdated elements are increasing IT risk.
If a company has very little appetite for risk, safeguards may be the only strategy it implements. In this case, the organization actively works to avoid risk wherever possible by devoting a large share of its resources to risk management.
Transfer the Risk
In some cases, an organization is able to transfer risk to another entity. This may be an outside risk management service provider, insurance to cover the risk, or shared risk with solution providers. Sharing risk with solution providers is most common when the solution has access to your corporate data. If an incident stems from a failure on their side, they may be contractually responsible for mitigation.
It's important to remember that transferring risk doesn't mean an issue won't have a real impact on a company, and it does not transfer accountability. Even with a transference strategy in place, an organization can still suffer financial, operational, and reputational ramifications, and customers and regulators will still hold it responsible for its own data.
Reduce the Impact
Like applying safeguards, this is a proactive approach to IT risk management. In this case, a mitigation plan is put in place using whatever methodology, teams, and resources would be required to fix an issue should it occur. A complete strategy in this style should include:
- Detailed information on the risk (likelihood, potential severity, key sources, and weaknesses)
- The company’s action plan to address an incident (including roles, responsibilities, communication, and response deadlines)
- A recurring timeline for reviewing and updating this risk assessment and response plan
In the best case scenario, these plans won’t be needed. However, having a well documented and communicated plan in place before an issue occurs will allow an organization to respond quickly and mitigate negative impact if something does go wrong.
Accept the Risk
Trying to create an IT risk management strategy for every conceivable risk is a futile exercise for many companies. Doing so would take up an outsized portion of IT’s time and resources, not allowing them to focus on other important responsibilities.
There are some cases where the most logical course of action for a business is accepting that a risk exists but doing little outside of normal security best practices to address it. This is often the case for low-likelihood, low-impact risks.
When implementing this strategy, it’s important to remember that if an issue occurs it will need to be addressed in a timely manner, despite the lack of formal plan. Acceptance of risk does not mean companies leave occurring issues unaddressed.
What Are the Best Practices for IT Risk Management?
Regardless of where a company is in the IT risk management process or what strategies they’ve chosen to implement, there are a few overarching best practices that all organizations should keep in mind.
Evaluate Early & Often
Don’t wait until an event occurs to start addressing IT risk management. While the process may seem large and daunting, it’s easily divided into attainable milestones when you follow the “5 Steps of IT Risk Management” outlined above. Teams can also focus on different areas, such as data security, assets, and access if they need a more narrow scope to get started.
The risk landscape is not shrinking and its growth is not expected to slow down. Making IT risk management an ongoing part of doing business puts organizations in the best position to mitigate and address risk. Starting small today is better than not starting at all.
The IT ecosystem in an organization has often grown so large that centralized IT teams may not know the full scope of applications and data usage. This is why it’s crucial for IT risk management teams to include internal stakeholders as early as the risk identification step. You cannot assess and mitigate what you don’t know exists. Work with project stakeholders to understand scope and goal, but also department heads to gain insight into potential unidentified risk areas.
Larger stakeholders, such as C-suite executives and the board of directors, are also important to include if possible. These groups have the best understanding of current and future business goals and of the organization's appetite for risk. Understanding this larger business perspective from the beginning will help when it's time for final sign off.
Don't wait to present completed plans and strategies for final approval. Getting sign off on each stage of the IT risk management process allows teams to course correct as needed and will shed more light on the company's overall approach to risk management. This keeps teams from having to go back and rework plans (or scrap complex plans altogether) and will also make future IT risk management planning easier.
Including key stakeholder sign off throughout the entire process gives the risk management plan a much higher chance of success when it comes time for final approval and implementation. This is particularly crucial at the department head level, as the proposed risk management strategy might conflict with how they’ve operated in the past. Springing changes on them all at once is bound to result in pushback (or worse, flat out being ignored). However, allowing them input throughout the process makes it a collaborative effort that is more likely to be well received.