Risk management in IT involves the identification, organization, and management of risks in an organization. It is normally done in a way that balances the costs associated with using security solutions to protect the organization and the benefits that they bring. In simpler terms, risk management allows the organization to spend more on the prevalent or more threatening risks and spend little on the insignificant risks.
Risks are an integral part of any organization. There will always be a cyber security risk facing an organization at any given time. Therefore, it is of importance to the organization that all the risks to its IT infrastructure and data are identified and managed. IT risk management should cover a wide scope since risks can arise from many causes. Human error, natural calamities, cyber attackers, and hardware failure are all potential causes of these risks. Risk management is often described as a 5-step process in the organization.
Identification
This is the first step in the risk management cycle. At this point, an organization will focus on uncovering and getting detailed information about the risks that it faces. As said before, risks can emanate from different things thus the responsible persons need to be open-minded when looking for risks. Financial uncertainties, changing regulations, management issues, accidents, and disasters can all be sources of risks. Risks also keep on changing periodically thus risk management should be repeated often. To ensure that most of the risks faced are uncovered, the following are some of the strategies could be used:
- Interviews – interviewing different personnel in the organization could help uncover many potential risks. For instance, an interview with the guards could help uncover the risks to physical security controls. An interview with a normal user could help discover risks associated with system accounts and also the hardware they use. Interviews will yield a wide variety of risks that will be obtained from the users of organizational assets that are protected or from the personnel in charge of enforcing some security controls.
- Checklists – there are some common risks that may have been identified over a long period of time in previous risk identification exercises. Since they are already known, the team identifying risks should just go through them as a checklist. However, this method is limited to organizations that already keep a list of common risks. Additionally, this method cannot uncover new risks.
- Assumptions – assumptions about security risks can be made when there are supporting facts that can be considered true even without proof. For instance, users could be assumed to be creating weak passwords in a system that has no password requirements. The absence of the password requirement can be assumed to lead to the creation of weak passwords even if the user passwords are not known.
Risk analysis
Once the risks have been identified, there needs to be a process of determining the probability of occurrence as well as the impacts. As highlighted earlier, risk management helps the organization spend more resources on the significant risks while spending little on those risks that can hardly happen. Risk analysis is key in ensuring that the nature of a risk and its consequences to the organization are known.
The information obtained at this step is important to the whole process and might determine the success or failure of the risk management exercise. Risk analysis is done through qualitative or quantitative risk analysis. In either way, a risk is analyzed in terms of its impact to the organization across several metrics such as schedule, budget, and resources it takes.
Risk assessment
This is an in-depth evaluation of a risk. This step looks at the probability of the risk occurring and its consequences. From this, it is able to decide whether the risk is acceptable or not. According to this sort of filtration of risks, acceptable risks are just assigned low priority since the organization is ready to take them as they cannot do much damage. They tend to have low impacts and low probability of happening.
Risk mitigation
In this step, the unacceptable risks are mitigated. The organization develops ways to address these risks to ensure that they do not occur and if they occur they have minimal impact on the organization. Therefore, risk mitigation will include the prevention tactics as well as contingency plans. Prevention tactics will curtail the risk from occurring. When the risk does occur, the contingency plans will handle the rest.
Risk monitoring
Risk mitigation is not the end of risk management. Risks change priorities with changes in their severity of impact or possibility of occurrence. Therefore, they should be followed up continuously. Risk monitoring includes the periodic review and updating of the risks. Alongside this, new risks are discovered as well.
There are four approaches that the organization can take on risks. These are:
- Risk avoidance – this is where an organization is focused on the complete elimination of the risk
- Risk reduction – this approach aims to reduce the severity of the impacts that a risk can have once it occurs
- Risk sharing – this is a clever approach whereby the organization distributes the consequences of a risk to other parties such as vendors.
- Risk retaining – organizations can take this approach if they have other business goals that have more priority. Therefore, instead of addressing the risk, the organization can simply retain it at a certain level provided that the resources saved in doing so might lead to more profitable investments.