In a competitive business environment, every organisation operates in a climate of risk. It is never possible to remove all risk from a business, but it is important to assess and reduce risk to an acceptable level where possible.
In relation to IT, assessing and minimising risk has become increasingly important, particularly for businesses that rely heavily on technology. Therefore, it’s vital that business owners understand, monitor and control risk – especially as the IT environment changes rapidly and new IT-related risks appear regularly.
Part 1 of this article provides you with some examples of IT-related risks facing your business. This part (Part 2) will show you how to identify and assess the IT-related risks facing your business. Part 3 will provide you with some ideas on how to reduce these risks and their potential impact on your business.
Risk management should be seen as an ongoing process, rather than a one-off procedure that you apply to an individual threat. You should continuously reassess threats and actively search for new ones.
Risk management is a structured way of controlling risk. There are various ways you can do this, but the following steps outline a typical approach:
- Identify risk – to manage risk you have to be able to identify potential threats. This allows you to act before something happens, rather than ‘fire-fighting’ after an event.
- Risk assessment – not every risk justifies investing time and money in reducing it, so take a measured approach: assess how important each risk is to your business. If the risk is serious enough, then you may need to take further action. Some risks may not warrant further work.
- Risk mitigation – risk reduction – with many risks you can implement preventative measures that will significantly reduce the probability of the risk occurring.
- Risk mitigation – impact reduction – for some risks, you may not be able to reduce the probability of them occurring to an acceptable level. Therefore, you should think more about reducing the negative consequences of that risk should it actually affect your business.
- Contingency planning – often the best you can do is make plans for how you would survive a problem. Contingency plans are what you would do after the worst has happened. A particularly important form of contingency plan is a disaster recovery plan.
To manage IT risks effectively you have to be able to identify potential threats. In the fast-moving world of IT, this can be difficult. However, there are some effective preventative measures you can take.
A good starting point for identifying risk is the Information Security Breaches Survey, produced by PricewaterhouseCoopers LLP and commissioned by Infosecurity Europe. This is published every two years and contains an excellent analysis of the risks that could affect both large and small businesses.
There are other good resources online, which are updated more frequently. You can find information on the latest vulnerabilities, incidents and fixes on the CERT website.
Another technique that can help you to identify threats is a what-if analysis. This works better in a small group using a brainstorming approach.
Start with simple questions and scenarios to see if they can help to identify new risks. For example, ask questions such as ‘what if the telephone line to the building got cut with a digger?’, or ‘what if the same happened to our power?’, and see what plans you need or already have in place to cope with these eventualities.
Another important step in identifying risks is to write them down in a risk register as you assess them, so you have a permanent record. You can record in the register what you do about each risk as well as the probability of the risk occurring and use it as a checklist when you review your risks periodically.
Care should be taken when assessing the risks your business may face. You do not want to spend time and money avoiding or reducing those risks that pose little or no threat to your business.
Once you have identified the risks that do pose a threat to your business, it may be helpful to base your risk assessment on the following factors:
- the probability or likelihood of each risk materialising
- the cost or impact of the problem if it did happen
A quantitative assessment of your risks would be the numerical product of these two factors. For example, if a risk has a high probability and a high cost/impact, then it will get a high risk assessment.
Unfortunately, quantitative measures of risk like this are only meaningful when you have good data. You may not have the necessary historical data to work out probability, and cost estimates on IT-related risks change so quickly that accurate financial data is rarely available.
Therefore, a more practical approach is to use a qualitative assessment. In this case, you use your judgement to decide whether the probability of occurrence is high, medium or low. You do this similarly for cost/impact. You might then take action on risks that are high probability/medium cost, medium probability/high cost or high probability/high cost, and leave the rest.
Define what you would consider to be low, medium and high cost to your business in whatever terms seem useful, for example:
- low – would lose up to half an hour of production
- medium – would cause complete shutdown for at least three days
- high – would cause irrevocable loss to the business
Use the same principles for probability. For example, you might classify as ‘high probability’ something that you expect to happen several times a year. You might classify as ‘low probability’ something that you expect to happen very infrequently.
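The following is an added example, not code from the original article or its author, showing how the risk register described above can be kept and assessed qualitatively. Each entry records a probability level and a cost/impact level (high, medium or low, by judgement), the register flags for action exactly the combinations the article names (high probability/medium cost, medium probability/high cost, high/high), and an ordinal product of the two levels is used only to rank the flagged risks, not as a monetary figure. The `Risk` class, the `prioritise` and `due_for_review` functions, the 90-day review interval and the sample entries (built from the article's what-if scenarios) are all assumptions constructed for this example.

```python
"""Qualitative IT risk register (added example, not from the original article).

Each risk carries a probability level and a cost/impact level, both rated
low/medium/high by judgement.  The register flags the combinations the
article says warrant action and can be used as a periodic review checklist.
"""
from dataclasses import dataclass, field
from datetime import date

LEVELS = ("low", "medium", "high")

# (probability, cost) combinations that warrant further action, per the
# article's rule.  Everything else is recorded but left alone.
ACT_ON = {("high", "medium"), ("medium", "high"), ("high", "high")}


@dataclass
class Risk:
    name: str
    probability: str       # "low" / "medium" / "high"
    cost: str              # "low" / "medium" / "high"
    mitigation: str = ""   # what you decided to do about the risk
    last_reviewed: date = field(default_factory=date.today)

    def __post_init__(self):
        # Reject anything that is not one of the three qualitative levels.
        for level in (self.probability, self.cost):
            if level not in LEVELS:
                raise ValueError(f"level must be one of {LEVELS}, got {level!r}")

    @property
    def needs_action(self) -> bool:
        return (self.probability, self.cost) in ACT_ON

    def score(self) -> int:
        """Ordinal product (1..9) used only to order flagged risks."""
        return (LEVELS.index(self.probability) + 1) * (LEVELS.index(self.cost) + 1)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Risks that meet the action rule, highest ordinal score first."""
    return sorted((r for r in register if r.needs_action), key=Risk.score, reverse=True)


def due_for_review(register: list[Risk], today: date, interval_days: int = 90) -> list[Risk]:
    """Entries not reviewed within the interval (the checklist use of the register).

    The 90-day default is an assumption for this example, not a figure from the article.
    """
    return [r for r in register if (today - r.last_reviewed).days > interval_days]


# Constructed sample register, built from the what-if scenarios in the article
# plus two illustrative entries; the levels and dates are invented.
SAMPLE_REGISTER = [
    Risk("Telephone line to the building cut by a digger", "low", "medium",
         "Second line routed separately", date(2024, 1, 10)),
    Risk("Power supply to the building cut", "medium", "high",
         "UPS for servers, generator on order", date(2024, 2, 15)),
    Risk("Published vulnerability exploited on an unpatched server", "high", "high",
         "Monthly patch cycle, CERT advisories reviewed weekly", date(2024, 5, 20)),
    Risk("Office printer failure", "low", "low",
         "Accept; use the printer on the next floor", date(2024, 4, 15)),
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("Act on:")
    for r in prioritise(SAMPLE_REGISTER):
        print(f"  [{r.score()}] {r.name} ({r.probability} probability / {r.cost} cost)")
    print("Due for review:")
    for r in due_for_review(SAMPLE_REGISTER, today):
        print(f"  {r.name} (last reviewed {r.last_reviewed})")
```

Running the script lists the two risks that meet the action rule, the exploited-vulnerability entry ahead of the power cut, and then the two entries whose last review is older than the interval. Because the levels are qualitative, the score only orders the flagged risks; it makes no claim about expected financial loss, which the article notes is rarely available for IT-related risks.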
Author: Mawdud Choudhury, Chief Information Officer (CIO) at Universal System Technologies (UST), Brunei Darussalam.