April 16, 2024

Modern IT Management: IT Risk Management (Lecture 9)

Risk Management

IT Risk Management

IT risk management within an organisation is imperative in protecting the mission and assets of that organisation. Thus, it is important for organisations to shift risk management from being a technical function to being a management function, so that risks to systems are managed at the level where business priorities are set. Understanding IT risk and, in particular, the specific risks to a system allows the system owner and the organisation to protect the information system in proportion to its value to the organisation. It is important to remember, however, that organisations have limited resources and that risk can never be reduced completely, i.e. to zero. This highlights the importance of understanding and managing risk so that organisations are able to prioritise scarce resources and get the most out of them.

This lecture will focus on the importance of risk management and how this helps organisations manage their resources more efficiently to ensure that maximum value is obtained for its ICT investments. Along with this, the relationships between the risk management principles, frameworks, and processes will be illustrated.

Maximising value for ICT investments

Maximising value for an organisation’s ICT investments involves moving away from an IT-centred approach and ensuring optimal alignment between ICT decision-making and the Enterprise Risk Management process. By doing this, organisations can ensure that all budget decisions regarding ICT flow from clear business priorities and their associated risks. In turn, this allows the ICT budget to be compartmentalised, i.e. applied when and where it is needed so that resources aren’t wasted, improving the overall value of the organisation and safeguarding its vital services.

In order to succeed in aligning ICT decision-making and Enterprise Risk Management, organisations must identify any gaps at the stages necessary for successful alignment. This is important because these gaps may hinder the alignment and prevent the organisation from maximising the value of its ICT investments. Gaps can be identified by asking the following key questions:

  1. Are you confident that a full inventory of company assets has been captured?
  2. Have you assessed and fully prioritised the organisation’s assets based on their mission importance?
  3. Have you identified the most likely risk associated with each asset?
  4. Do you have enough information to know whether the actions you’ve taken (such as mitigating, avoiding, transferring, or accepting a risk, etc.) are in the organisation’s best interest?
  5. Do you review the inventory, asset value, and prioritisation periodically and use this reassessment to modify your risk mitigation activities accordingly?

If any of the above questions remain unanswered or are answered with a ‘no’, then it is very likely that gaps exist within the organisation’s ICT risk management process, and re-evaluation and optimisation must be carried out.

The diagram below illustrates the relationships between risk management principles, frameworks, and processes. It summarises the steps required to move from the principles to the frameworks and, finally, to the implementation of the processes required for sufficient and successful risk assessment and management. This is the flow that must occur in order to ensure successful risk evaluation and management and to maximise the value of ICT investment within the organisation.

Conclusion

Risk management is an essential process in increasing an organisation’s value and ensuring successful resource management and distribution. An organisation’s ability to identify gaps within its ICT decision-making and risk management process is imperative because it guarantees optimal evaluation and resource prioritisation. Along with this, organisations must focus on aligning ICT decision-making and Enterprise Risk Management in order to ensure that budget flows from business priorities and their associated risks, which supports successful risk management and increases the value of ICT investments. Together, these factors establish a clear flow from risk management principles to frameworks and, finally, to processes, giving efficient and successful risk assessment and management, maximised ICT investment value, alignment between ICT and Enterprise Risk Management and, thus, successful risk management.

