IT risk management is as an enterprise-wide approach to refining people, processes and systems to achieve the organization's preferred balance of IT costs and risks in order to improve the company's overall performance.
IT risk management is a growing component of total operational risk management. As businesses increasingly depend on IT to automate processes and store information, IT risk management is emerging as a separate practice—one that balances the operational and economic costs of security, availability, performance and compliance measures to achieve organizational missions and gains in innovation capability.
So how can organizations advance from good to great IT risk management practice? The challenge lies in understanding their portfolio of IT risks, quantifying and prioritizing them against the organization's risk profile and developing an effective program of remediation activities.
The following five-step process can help organizations assess their levels of IT risk, develop remediation road maps and ultimately build effective, continuous IT risk management programs.
Phase 1—Develop Awareness of IT Risks
IT risk mitigation begins with comprehensive discovery, including:
- Establishing the program's scope (how expansive a view of IT risk is appropriate?).
- Constructing a risk profile for the organization based on its overall priorities.
- Identifying key areas of IT risk.
Assessment should also consider the organization's current requirements, capabilities and vulnerabilities. Finally, this stage involves identifying and classifying threats, issues, vulnerabilities and weaknesses and assigning each a priority according to risk.
Phase 2—Quantify Business Impacts
Quantifying business impacts is typically the most challenging step—and the most important. Until they have quantified the impact, positive or negative, of addressing an area of IT risk, IT leadership may be unable to attract their colleagues' attention to it or the funds needed for mitigation.
Quantification of business impacts typically follows a two-phased approach:
- Prioritize risks based on potential business impacts according to the organization's risk profile and the ease or difficulty of risk mitigation, measured in time, staff resources and investment.
- Build detailed business arguments for only those risks identified as high-impact areas.
Phase 3—Design Solution
At this point, the organization knows the scope and components of its IT risk management program, its current status and the priority and quantification of each area of IT risk.
The next step is to design a set of remediation solutions, across the classic elements of people, process and technology, each with requirements, specifications, goals and functions.
This phase also includes detailed costing analysis to keep costs and benefits of proposed initiatives aligned to organizational goals.
Phase 4—Align IT and Business Value; Implement Solution
Implementation determines whether risk-mitigation initiatives are deployed successfully across people, process and technology with close involvement of organizational stakeholders. This phase also requires closed-loop measurement and continuous improvement in order to achieve efficient mitigation across the different risk priorities. With a coherent system of metrics and performance management capabilities, organizations set the stage for collection of baseline data, performance tracking and assessment of program effectiveness against the original business case.
Phase 5—Build and Manage Unified Capability
Once implementation of the first wave of IT risk solutions is underway, organizations should institute programs for continuous improvement and ongoing governance of their IT risk management program.
By adapting their efforts as their experience and effectiveness grow toward maturity, organizations can avoid or overcome the most common implementation challenges, such as guesswork, reactive projects and lack of quantifiable progress.
While there is no magic formula for IT risk management, this process can help organizations marshal their resources effectively to achieve real, lasting improvements in IT risk management, often while reducing the complexity and cost of IT infrastructure.
Samir Kapuria is the managing director of Advisory Services at Symantec.