Risk Assessment
Proper risk management within IT should help management be proactive: anticipating and facing up to risks, and being aware of them before an event happens. The ultimate goal is to achieve the right balance of risk and reward for the organization.
“Risk Management involves managing to achieve an appropriate balance between realizing opportunities for gains while minimizing losses. It is an integral part of good management practice and an essential element of good corporate governance” AS/NZS 4360:2004 (Australian/New
When defining a risk management method, bear in mind that other departments in your organization, such as Financial Risk Management or Corporate Audit, may already do risk management and have tools, methods or metrics available. Coordinating with them helps to establish a common language across the organization, and aligning your timelines and reporting templates with theirs increases acceptance. Keep in mind, however, that the goals of risk management may differ: you may need it to steer your IT organization and therefore need details on risks and measures, whereas financial risk management aims only to obtain risk figures above a certain materiality level.
Aligning terms and methods helps fulfill the overall goal of risk management.
The overall goal of risk management is not to eliminate risk per se, but to recognize, assess and reduce a risk as far as is practical with due regard to the cost of doing so. Cost should be relative to the potential impact of a risk materializing into an event. The risk assessment phase is therefore crucial for the overall process, as it drives the risk response and risk reporting processes at the end. An inconsistent risk assessment process can lead either to significant risks being inadequately addressed and reported or to excessive time and money being spent on responding to relatively insignificant risks. The goal of the risk assessment process is to arrive, together with the business units, at a common understanding of their risks and to evaluate all risks in the same way. This does not necessarily require quantitative figures for the risks; qualitative descriptions also help in discussions of countermeasures. Sometimes the discussion of the possible impacts alone leads to a change in a process, system or behavior.
Every high-level risk identified within one of the defined input sources needs to be further assessed using “
Both the impact and the likelihood can be evaluated qualitatively or quantitatively.
Given limited experience, it may be easier to start with the qualitative approach. It is also easier to understand and helps you avoid arguments over concrete figures: in practice, figures are often questioned, while ranges or descriptions are more readily accepted by business units.
The impact assessment can be defined in terms of the impact the risk will have on the organization if it materializes into a specific event. Such an assessment could consider the following perspectives:
· Loss of reputation
· Legal and regulatory impact
· Loss of competitiveness by loss of confidentiality of sensitive information and/or loss of intellectual property
· Loss of integrity of business critical data
· Impact on availability of IT services and on business operations
· Financial exposure
As stated above, the impact can be described in figures (easy for financial loss) or via descriptions or ranges, e.g. for loss of reputation: bad local press, bad regional press, bad press countrywide, bad press worldwide… Organizations like the ISF provide tables with ranges or descriptions of this kind.
The same applies to the likelihood. Especially for young technologies like IT, we often have no hard facts about how frequently an event occurs. Therefore, besides statistics, you can also use vulnerability to approximate the likelihood. If you ask the IT department about the likelihood, it may be easier for them to answer whether a vulnerability exists and how easy it is to exploit than to answer how often the event might occur.
Example: if the data center is built in a tower, it is not vulnerable to flooding, but its exposure to being hit by an airplane increases. On the other hand, it is not very easy to use this vulnerability to damage the data center, so the probability that it is exploited is not very high (although after 9/11 at least the fear of being hit increased).
The quantitative likelihood assessment can be defined in terms of how often the risk is likely to materialize into a specific event. Such an assessment could use the following bands:
· < 1 per 100 years
· 1 per year – 1 per 100 years
· 1 per month – 1 per year
· 1 per day – 1 per month
· > 1 per day
In the long-established insurance business, the likelihood is taken from statistics.
The results of both assessments are then transferred into a matrix (qualitatively, as shown below, or quantitatively) to derive the overall severity rating for the identified risk. To make such a risk rating matrix easy to read, color codes should be used: a severity rating of red, amber or green corresponds to a high, medium or low risk rating. We have attached an example risk matrix which you can have a look at.
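As an added worked example (not part of the original page or its attached matrix), the following Python code combines an impact level with the page's five likelihood bands in a color-coded matrix. The impact scale, the financial thresholds and the matrix cells are constructed placeholders; the reputation ranges follow the page's "bad local press … worldwide" example.

```python
# Impact levels (constructed); index 0 is the lowest impact.
IMPACT_LEVELS = ["negligible", "minor", "moderate", "major", "severe"]

# Qualitative reputation ranges in the page's style (local, regional,
# countrywide, worldwide press); the index doubles as the impact level.
REPUTATION_SCALE = ["no press", "bad local press", "bad regional press",
                    "bad press countrywide", "bad press worldwide"]

# Financial exposure: upper bound of each impact level in EUR (constructed).
FINANCIAL_BOUNDS = [10_000, 100_000, 1_000_000, 10_000_000]

# Constructed matrix. Rows: likelihood band 0 (rare) .. 4 (frequent);
# columns: impact level 0 .. 4. Cell = red/amber/green = high/medium/low.
RISK_MATRIX = [
    ["green", "green", "green", "amber", "amber"],
    ["green", "green", "amber", "amber", "red"],
    ["green", "amber", "amber", "red",   "red"],
    ["amber", "amber", "red",   "red",   "red"],
    ["amber", "red",   "red",   "red",   "red"],
]

def likelihood_band(events_per_year: float) -> int:
    """Map a frequency onto the page's bands: <1/100 years, 1/100 years-1/year,
    1/year-1/month, 1/month-1/day, >1/day. Boundary values fall in the lower band."""
    if events_per_year < 0:
        raise ValueError("frequency must be non-negative")
    if events_per_year < 1 / 100:
        return 0
    for band, upper in ((1, 1), (2, 12), (3, 365)):
        if events_per_year <= upper:
            return band
    return 4

def impact_from_financial_loss(amount: float) -> int:
    """Place a loss figure into an impact level using the constructed ranges."""
    for level, upper in enumerate(FINANCIAL_BOUNDS):
        if amount < upper:
            return level
    return len(FINANCIAL_BOUNDS)

def assess(events_per_year: float, reputation: str, financial_loss: float) -> dict:
    """Overall impact is the worst of the perspectives assessed; severity is the
    matrix cell for that impact level and the likelihood band."""
    impact = max(REPUTATION_SCALE.index(reputation),
                 impact_from_financial_loss(financial_loss))
    band = likelihood_band(events_per_year)
    return {"impact": IMPACT_LEVELS[impact], "likelihood_band": band,
            "severity": RISK_MATRIX[band][impact]}
```

Because the overall impact is the worst of the perspectives, a risk with small financial exposure but countrywide press coverage still rates as "major" impact; the band boundaries are explicit so that a frequency of exactly one per year lands in a defined band.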