Information Technology (IT) Risk &
IT Risk Management

IT risk management

This post discusses information technology (IT) risk and IT risk management: what IT risk means, how it is assessed, and how it is managed.

 

The more a business relies on Information Technology (IT), the more critical it is to identify and control its IT systems’ risks. Threats ranging from equipment failure to malicious attacks by hackers can disrupt vital business systems and access confidential data.

 

WHAT IS INFORMATION TECHNOLOGY (IT) RISK? 

IT risk is any threat to business data, critical systems, and processes. It is the risk associated with the use, ownership, operation, involvement, influence, and adoption of IT. IT risks can damage business value and often come from poor management of processes and events. 

 

CATEGORIES OF IT RISKS

IT risk spans a range of business-critical areas, such as: 

1. Security – e.g., compromised business data due to unauthorised access or use; 

2. Availability – such as inability to access IT systems needed for business operations; 

3. Performance – such as reduced productivity due to slow or delayed access to IT systems; and 

4. Compliance – such as failure to follow laws and regulations (e.g., data protection). 

IT risks vary in range and nature. It is essential to be aware of all the different types of IT risk potentially affecting a business.

 

IMPACTS OF INFORMATION TECHNOLOGY FAILURE ON BUSINESS ORGANISATIONS

For businesses relying on technology, events or incidents compromising IT can cause many problems. For example, a security breach can lead to:

1) Identity fraud and theft, 

2) Financial fraud or theft,

3) Damage to reputation, 

4) Damage to the brand, and 

5) Damage to a business's physical assets. 

 

Furthermore, failure of IT systems due to downtime or outages can result in other damaging and severe consequences, such as:

  1. Lost sales and customers.
  2. Reduced staff or business productivity.
  3. Reduced customer loyalty and satisfaction.
  4. A damaged relationship with partners and suppliers. 

 

If IT failure affects a firm’s ability to comply with laws and regulations, then it could also lead to: 

1) Breach of legal duties, 

2) Penalties, fines, and litigation,

3) Reputational damage, and

4) Breach of client confidentiality.

 

TYPES OF INFORMATION TECHNOLOGY RISKS

Organisations’ IT systems and information are susceptible to various risks. Managers must be aware of IT threats if a business relies on technology for its operations and activities. Threats to a firm’s IT systems can be external, internal, deliberate, and unintentional. 

Most IT risks affect one or more of the following: 

1) Business or project goals, 

2) Service continuity, 

3) Bottom line results, 

4) Business reputation, 

5) Security, and

6) Infrastructure.

 

EXAMPLES OF INFORMATION TECHNOLOGY RISKS

Based on their nature, IT risks can be grouped into several categories, including physical threats, electronic threats, technical failures, infrastructure failures, and human error.

 

IT RISK MANAGEMENT PROCESS

Here are the six steps involved in IT risk management: 

1. Identify risks: determine the nature of risks and how they relate to a business. 

2. Assess risks: determine how serious each risk is to the business and prioritise them. 

3. Mitigate risks: put preventive measures in place to reduce the likelihood of the risk occurring and limit its impact. 

4. Develop incident response: plan for managing a problem and recovering the company’s operations. 

5. Develop contingency plans: ensure that the company can continue to run after an incident or a crisis. 

6. Review processes and procedures: continue to assess threats and manage new risks.

 

HOW TO MANAGE INFORMATION TECHNOLOGY RISKS

Managing various types of IT risks begins with identifying precisely: 

1) The type of threats affecting the business,

2) The assets that may be at risk, and 

3) The ways of securing IT systems.

 

IT RISK ASSESSMENT

IT risk assessment is the analysis of threats and vulnerabilities to IT systems to establish the potential loss they could cause. Its objective is to help achieve optimal security at a reasonable cost. There are two prevailing methodologies for assessing the different types of IT risk: quantitative and qualitative risk analysis.

 

QUANTITATIVE INFORMATION TECHNOLOGY RISKS ASSESSMENT

Quantitative assessment measures risk using monetary amounts and numeric data. It uses mathematical formulas to give value in terms of:

1) The frequency of risk occurrence,

2) The asset value, and 

3) The probability of associated loss.

 

QUALITATIVE IT RISKS ASSESSMENT

Qualitative risk assessment is opinion-based. It relies on judgment to categorise risks based on probability and impact and uses a rating scale to describe the risks:

1. Low: means unlikely to occur or impact a business; 

2. Medium: means possible to occur and impact; and

3. High: means likely to occur and impact the business significantly.

 

A high-probability risk can be described as an event that is likely to happen several times a year. The same can be done for cost and impact in practical terms, for example:

  • Low: means that the company would lose up to half an hour of production,
  • Medium: indicates that the company would suffer a complete shutdown for at least three days, and
  • High: indicates that the company would suffer an irreversible loss to the business.
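The following is an added worked example, not code from the original post, that puts the quantitative and qualitative assessments above (and the "assess" and "mitigate" steps of the risk management process) into runnable form. It assumes the widely used annualised loss expectancy formulas, SLE = asset value × exposure factor and ALE = SLE × annual rate of occurrence, which the post refers to only as "mathematical formulas", and maps the post's Low/Medium/High scale onto a 3×3 probability-by-impact matrix. All asset values, exposure factors, rates, control costs and risk names are constructed sample figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantRisk:
    """One risk expressed in money: the inputs the post lists (frequency of
    occurrence, asset value, probability of loss) in their usual ALE form.
    Assumed formulas: SLE = AV x EF, ALE = SLE x ARO."""
    name: str
    asset_value: float      # AV: value of the asset exposed, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0-1.0)
    annual_rate: float      # ARO: expected number of occurrences per year

    def single_loss_expectancy(self) -> float:
        """SLE = AV x EF: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def annualised_loss_expectancy(self) -> float:
        """ALE = SLE x ARO: expected loss per year."""
        return self.single_loss_expectancy() * self.annual_rate


def net_benefit_of_control(risk: QuantRisk, annual_control_cost: float,
                           residual_annual_rate: float) -> float:
    """Cost-benefit of a mitigating control that lowers the rate of occurrence.
    A positive result means the ALE removed exceeds the control's yearly cost,
    which is the 'optimal security at a reasonable cost' test from the post."""
    residual = QuantRisk(risk.name, risk.asset_value,
                         risk.exposure_factor, residual_annual_rate)
    saving = (risk.annualised_loss_expectancy()
              - residual.annualised_loss_expectancy())
    return saving - annual_control_cost


def prioritise(risks):
    """Step 2 of the post's process: rank risks by expected annual loss."""
    ordered = sorted(risks, key=lambda r: r.annualised_loss_expectancy(),
                     reverse=True)
    return [r.name for r in ordered]


# Qualitative scale from the post (Low / Medium / High) mapped to 1-3.
LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(probability: str, impact: str) -> str:
    """Combine probability and impact ratings into one overall rating using a
    3x3 matrix: score = probability x impact; 1-2 low, 3-4 medium, 6-9 high.
    The thresholds are an assumption, not from the post."""
    score = LEVELS[probability.lower()] * LEVELS[impact.lower()]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


# Constructed sample risk register (illustrative figures, not from the post).
SAMPLE_RISKS = [
    QuantRisk("ransomware on file server", asset_value=200_000,
              exposure_factor=0.5, annual_rate=0.5),
    QuantRisk("stolen laptop", asset_value=2_500,
              exposure_factor=1.0, annual_rate=2.0),
    QuantRisk("web shop outage", asset_value=100_000,
              exposure_factor=0.25, annual_rate=1.0),
]

if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:28s} SLE={r.single_loss_expectancy():>10,.0f} "
              f"ALE={r.annualised_loss_expectancy():>10,.0f}")
    print("priority order:", prioritise(SAMPLE_RISKS))
    # Assumed control: offsite backups costing 8,000/yr cut the ransomware
    # rate of occurrence from 0.5 to 0.125 per year.
    print("net benefit of backups:",
          net_benefit_of_control(SAMPLE_RISKS[0], 8_000, 0.125))
    print("high probability, low impact ->", qualitative_rating("high", "low"))
```

The quantitative part shows why the post stresses prioritisation: the laptop risk has the highest frequency but the lowest expected annual loss, so it ranks last. The qualitative function shows the weakness the post alludes to when it calls this method opinion-based: two quite different risks (high probability with low impact, low probability with high impact) collapse onto the same "medium" cell, so the ratings are only as good as the judgment behind them.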
 

HOW TO MITIGATE INFORMATION TECHNOLOGY RISK

If the company cannot remove or reduce risks to an acceptable level, it can still lessen the impact of potential incidents. The company should consider the following:

1. Setting procedures for detecting problems, e.g., a virus infecting the company’s systems.

2. Getting insurance against the costs of security breaches. 

To mitigate IT risks, the company should: 

1. Regularly review the information it holds and shares. 

2. Install and maintain security controls, such as firewalls, anti-virus software and processes that help prevent intrusion. 

3. Implement security policies and procedures.

4. Use a third-party IT provider if it lacks the necessary skills in-house.

 

INCIDENT RESPONSE

Incident response is a way of managing the aftermath of an IT security breach or failure. It is vital to develop a response plan before the occurrence of an event or incident to:

1) Limit the damage caused by the event; and 

2) Reduce recovery time and costs for the business.

 

IT RISK MANAGEMENT INCIDENT RESPONSE PLAN

An IT incident response plan is a set of pre-written instructions to assist an organisation in responding to IT threats and potential scenarios, such as:

1) Information data breaches, 

2) Denial of service attacks, 

3) Firewall intrusion, 

4) Virus or malware infection,

5) Damage to equipment or premises, 

6) Insider threats, and

7) Loss of power or other technology failures.

 

IT INCIDENT MANAGEMENT PROCESS

The process of managing an IT incident typically consists of six steps. 

1. Prepare staff and managers on how to handle potential incidents should they arise. 

2. Determine if an event is an IT failure or a security incident. 

3. Contain the incident and prevent further damage to systems and equipment.

4. Find the cause of the incident and remove the affected systems. 

5. Recover those systems after removing the threats. 

6. Document and analyse the situation to update, change or improve procedures.

 

IT INCIDENT RECOVERY PLANNING

It is essential to plan thoroughly to protect staff, stakeholders, and the organisation from the potential business impact of IT failure and security breaches. 

A recovery plan includes the following:

1. The recovery period goals,

2. Strategies to recover the business activities within the quickest possible time, and

3. A description of resources, equipment and staff required to recover the company’s operations.

 

INFORMATION TECHNOLOGY STANDARD

According to International Standards Organisation (ISO), a standard is a document that provides requirements, specifications, guidelines and characteristics that can be used consistently to ensure that materials, products, processes and services fit their purpose. Standards allow technology to work seamlessly and establish trust so markets can operate smoothly. IT standards are beneficial to organisations because they:

  1. provide a common language to measure and evaluate performance,
  2. make information sharing easy through IT and computer systems, and
  3. protect consumers by ensuring safety, durability, and market equity.
 

ISO 27001 – INTERNATIONAL IT STANDARD

ISO 27001 is an international standard that describes best practices for information security management systems. It belongs to the ISO 27000 family of standards, which aims to help secure a business’s information assets.

The standard specifies controls that are key to maintaining security. The ISO 27001 controls, amongst others, highlight the following:

1. Security policy: states what an information security policy is, what it should cover and why a company should have a security policy.

2. Organisational security: states how an organisation should manage information security in a business.

3. Asset classification and control: describes how to audit and manage a company’s information, computers, software, and services.

4. Staff security: focuses on training, responsibilities, vetting procedures, and incident response.

5. Physical and environmental security: entails keeping key locations secure and controlling access to information and equipment.

6. Communications and operations management: secures the operation of information processing facilities, especially computer networks, during day-to-day activities.

7. Access control: emphasises the right to use information and systems based on business and security needs, precisely controlling who can do what within an organisation’s information resources.

8. System development and maintenance.

9. Business continuity management: ensures that essential business activities are maintained during adverse conditions, covering everything from major disasters to minor local issues.

 

IT RISK MANAGEMENT CHECKLIST

Risk management can be relatively simple if its basic principles are understood and applied. Here is a checklist to ensure effective IT risk management:

1. Think about IT security from the start when planning and updating an IT system. 

2. Actively look for IT risks that could affect the business, and identify the likelihood, costs, and impact of those risks. 

3. Think about the opportunity, capability, and motivation behind potential attacks. Understand the reasons for a cyber-attack. 

4. Assess the seriousness of each IT risk and focus on the most significant ones.

5. Understand the relevant laws, legislation, and industry guidelines, especially if the company must comply with the General Data Protection Regulation (GDPR) and other local and international regulations.

6. Configure computers, servers, firewalls, and other technical elements of the system, and keep software and hardware up to date. 

7. Do not rely on just one technical control (e.g., a password).

8. Develop data recovery and backup processes and consider daily backups to offsite locations.

9. Support technical controls with appropriate policies, procedures, and training.

10. Make sure that the company has a business continuity plan. 

11. Establish effective IT incident response and recovery measures and a recording and management system.

12. Develop and follow specific IT policies and procedures, such as email and internet use, and ensure that the company’s staff know what is acceptable. 

13. Consider certification to the IT security management standards for the business and its partners.

 

IT RISK MANAGEMENT POLICY

IT policies and procedures explain why managing IT risks in business is essential. A firm should make its IT policies and procedures available to its staff and suppliers to ensure an adequate understanding of the following: 

1. Potential risks to the company’s IT systems and data, 

2. Procedures that are in place to mitigate them, 

3. Processes for handling everyday tasks,

4. Managing changes to IT systems,

5. Ways to respond to IT or data security incidents, and

6. Acceptable behaviours about crucial IT issues, such as data protection and safe email use.

 

CONTENT OF INFORMATION TECHNOLOGY RISK MANAGEMENT POLICY

An ‘IT Risk Management Policy’ should specify security procedures and standards that will apply in the company and any staff policies the company wishes to enforce, including:

1. IT Security Procedures

2. IT Security Standards

3. IT Staff Policies

 

See my video on Information Technology (IT) Risk and IT Risk Management: https://youtu.be/cKxxlt14Bpk

VIDEO TIMESTAMPS

00:00 – Introduction
01:34 – Information Technology (IT) risk
02:05 – Categories of IT risks
02:53 – Impacts of IT failure on business organisations
04:08 – Types of IT risks
04:52 – Examples of information technology risks
06:20 – IT risk management process
07:16 – How to manage IT risks
07:34 – IT risk assessment
08:04 – Quantitative IT risks assessment
10:04 – Qualitative IT risks assessment
11:46 – How to mitigate IT risks
13:24 – Incident response
13:45 – IT incident response plan
14:53 – IT incident management process
16:00 – IT incident recovery planning
16:45 – IT standard
21:04 – IT risk management checklist
23:54 – IT risk management policy
24:51 – Content of IT risk management policy
25:57 – Conclusion
