A quick Google search of the term “risk management” returns more than 75 million results, revealing a discipline of balancing risks against costs that has been practiced across many industries for decades. Ironically, the phrase did not come into common use in the IT industry until recently.
Traditionally, we are used to hearing about risk associated with financial assets (insurance, credit, exchange rates, interest rates). But we are now seeing more focus on operational risk, where the primary driver is information technology.
As consumers and businesses become increasingly dependent on the Internet and IT systems, the risks in this infrastructure have become far more visible and significant. Breaches or failures of information systems cause serious business crises: reputation damage caused by identity theft, business losses stemming from system failures, and regulatory restrictions arising from compliance failures. Recent news coverage has focused on information technology risk, including identity theft, stolen backup tapes, litigation resulting from improper preservation and production of electronic records, and intellectual property breaches.
It is easy to see why corporate executives in boardrooms around the world want answers to the IT risk question: How do we dramatically reduce the risk and improve the return on investments in information systems?
IT Risk Management as a discipline is fairly new. In the past, IT risk was limited to security and business continuity issues. The description of IT risk has evolved as it has become clear that IT risk is not one-dimensional. A comprehensive IT risk management program looks at risks to the security and availability of data, the overall availability and performance of information access, and compliance with legal and regulatory demands.
By considering each of the following categories of IT risks, businesses can create a more comprehensive framework to measure against.
Security: This is the risk that internal or external threats may result in unauthorized access to information. This includes data leakage, privacy violations, fraud, and weak endpoint security. It covers broad external threats, such as viruses, as well as more targeted attacks on specific applications, specific users, and specific information, attacks aimed at the systems people rely on every day.
Availability: This is the risk that information might be inaccessible due to unplanned system outages. Organizations have a responsibility to customers, employees, and stakeholders to keep the business running. As a result, they need to reduce the risk of application outages, data loss, and data corruption. And, in case of a disaster, businesses need to recover in a timely manner.
Performance: This is the risk that information might be inaccessible due to scalability limitations or throughput bottlenecks. Businesses need to accommodate volume and performance requirements—even during peak times. Performance issues need to be identified proactively before end users or applications are impacted. And, to minimize costs, organizations need to optimize resources and avoid unnecessary hardware expenditures.
Compliance: This is the risk of violating regulatory mandates or failing to meet internal policy requirements. Enterprises need to comply with federal and state regulations, such as SOX or GLB, and with standards such as ISO 9000. Organizations need to retain information and be able to search and produce content, such as email, efficiently when required. In addition, employees must be held accountable for following internal best practices and policies to ensure efficient business operations.
These types of IT risk are increasingly interrelated and important to just about everyone in the organization. Understanding and prioritizing these elements is an important early step in establishing an effective IT Risk Management program.