IT Risk Management: Five Steps to Get from Good to Great
Organizations are experiencing rising incident rates across the areas of security, availability, performance, and compliance, with significant impact to revenue, reputation, productivity, and cost. According to the Computer Security Institute and the FBI, per-incident costs of unauthorized access to information averaged over $85,000 in 2006, and system downtime costs reached tens of thousands of dollars per hour. It doesn’t take long for one to recognize even good IT Risk Management practices may soon reach their limits.
So how can organizations advance from good to great IT Risk Management practice? The challenge lies in understanding their portfolio of IT risks, quantifying and prioritizing them against the organization’s risk profile, and developing an effective program of remediation activities.
The following five-step process can help organizations assess their levels of IT Risk, develop remediation roadmaps, and ultimately build effective, continuous IT Risk Management Programs.
Step 1 – Develop awareness of IT Risks
IT Risk mitigation begins with comprehensive discovery, including:
- establishing the program’s scope (How expansive a view of IT Risk is appropriate?)
- constructing a risk profile for the organization based on its overall priorities
- identifying key areas of IT Risk
Assessment should also consider the organization’s current requirements, capabilities and vulnerabilities. Finally, this stage involves identifying and classifying threats, issues, vulnerabilities, and weaknesses, and assigning each a priority according to risk.
Step 2 – Quantify business impacts
Quantifying business impacts is typically the most challenging step – and the most important. Until they have quantified the impact, positive or negative, of addressing an area of IT Risk, IT leadership may be unable to attract their colleagues’ attention to it, or the funds needed for mitigation.
Quantification of business impacts typically follows a two-phased approach:
1) Prioritize risks based on potential business impacts according to the organization’s risk profile and the ease or difficulty of risk mitigation, measured in time, staff resources, and investment.
2) Build detailed business arguments for only those risks identified as high-impact areas.
Step 3 – Design solution
At this point, the organization knows the scope and components of its IT Risk Management program, its current status, and the priority and quantification of each area of IT Risk.
The next step is to design a set of remediation solutions, across the classic elements of people, process, and technology, each with requirements, specifications, goals, and functions.
This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals.
Step 4 – Align IT and business value; implement solution
Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process, and technology with close involvement of organizational stakeholders. This phase also requires closed-loop measurement and continuous improvement in order to achieve efficient mitigation across the different risk priorities. With a coherent system of metrics and performance management capabilities, organizations set the stage for collection of baseline data, performance tracking, and assessment of program effectiveness against the original business case.
Step 5 – Build and manage unified capability
Once implementation of the first wave of IT Risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT Risk Management program.
By adapting their efforts as their experience and effectiveness grow toward maturity, organizations can avoid or overcome the most common implementation challenges, such as guesswork, reactive projects, and lack of quantifiable progress.
While there is no magic formula for IT Risk Management, this process can help organizations marshal their resources effectively to achieve real, lasting improvements in IT Risk Management, often while reducing the complexity and cost of IT infrastructure.