IT Risk Management has never been more important internally and externally to all levels of large corporations than it is today. For them, risk management includes securing corporate systems, networks, and data, including corporate smart phones, cloud networks, and social media sites. Jointly, they must ensure accessibility of systems and services while planning for disaster recovery and business continuity.

Moreover, compliance with government regulations and license agreements, while protecting the organization against an increasing array of threats such as viruses, worms, spyware, and other forms of malware, is under their purview.

According to an Accenture survey, more than 80% of companies surveyed, across all industries, consider their risk area to be a key management function that helps them deal with marketplace volatility and organizational complexity. 86% identify the risk management function as a driver to help them deal effectively with the increasing volatility of the economic and financial environment. 83% see the function as driving better management of organization complexity. However, the recognition of risk management as it concerns IT has only recently become an enterprise question, which is not to say that protecting IT networks and communications has been unimportant, but is now being brought into the umbrella of risk management.

Who is Responsible for IT Risk Management Security in a Corporation?

Simple: Risk Management is a management responsibility, and should include the participation of the following individuals:

• Senior Management:  Senior Management has the ultimate responsibility for the success of the business, and must provide the resources necessary to accomplish their goals. In doing so, they must also assess and incorporate results of the risk assessment activity into the decision making process, which includes assessment and mitigation of IT related mission risks.
• Chief Information Officer (CIO):  The CIO is responsible for the agency’s IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.
• System and Information Owners: The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own.  Thus, they usually have to approve and sign off on changes to their IT systems, and must, therefore, take part in all IT risk management discussions and processes. They may also be involved in the IT procurement process
• IT Security Practitioners:  IT security program managers and practitioners, which include computer security officers, database administrators, security analysts, and security consultants, are responsible for proper implementation of security requirements in their IT systems and must support all IT risk management policies, and may share input for decision making.
• All System Users – Safe computing with smart phones, social media, tablets, flash drives, use of clouds, and network computing, are everyone’s responsibility, and a company-wide survey may help management understand better how to incorporate risk management for users at all levels.

IT Risk Management Objectives

While security technologies like encryption can go a long way toward mitigating risk, good policy planning and enforcement can do even more. Typically, risk management plans have the following objectives: To eliminate negative risks; to reduce risks to an “acceptable” level if risks cannot be eliminated. This means a risk level the organization can live with, though, when talking computers, Intellectual Property, and internal messages there may not be anything that qualifies as “acceptable;” to transfer risks by means of insurance (general liability, product, professional, commercial property insurances) or to transfer the risk to another organization, such as when a vendor is hired to install a computer network, for instance where they are responsible.

Identifying Risks

The risk assessment process begins with the identification of risk categories. For our discussion we will only consider IT risks, and they include:

• Technical or IT risks.
• Project Management risks.
• Organizational risks.
• Financial risks.
• External risks.
• Compliance risks.

For instance, technical risk mitigation is associated with the operation of applications or programs including computers or perimeter security devices (e.g., a computer that connects directly to the Internet could be at risk if it does not have antivirus software).  Project management oversees the process and processes of all undertakings and how IT is involved. Organizational risks include computing within and without the organization. Financial risks involve risk management project costs, estimates, surveys, data gathering, and implementation of IT risk management program. External risks include malware, spyware, hackers, and stolen passwords and other intellectual property from someone outside your company. Compliance risks involve ongoing execution of business risk management plan.

Outside Risk Management Help

Hiring an outside vendor who specializes in corporate risk management across the entire corporate spectrum is typically advisable so they can incorporate all aspects of risk management into one, sensible program. Costs are less expensive when bringing in one vendor. However, not all risk management companies may be able to integrate an IT solution. The business of risk management is booming, and it is no wonder. Product and service forward thinking must be joined by identifying possible areas of weakness, tragedy, or blind spots when putting together a comprehensive corporate strategy. Combining business insurance with a sound risk management process that includes IT will help mitigate any potential problems and threats inherent to yours and all other corporate entities.

From the writing team at RevenFlo…making the internet a better place.