IT Risk Management – Does it enhance the IT Security Programme?
Every organisation has a mission. In this digital era, as organisations use automated Information Technology (IT) systems and cyber space to process their information for better support of their missions, risk management plays a critical role in protecting an organisation’s information assets, and therefore its mission, from IT-related risk.
An effective risk management process is an important component of a successful IT security programme. The principal goal of an organisation’s risk management process should be to protect the organisation and its ability to perform its mission, not just its IT assets. Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organisation.
All activities of an organisation involve risk. Organisations of any kind face internal and external factors and influences that make it uncertain whether, when and to what extent they will achieve or exceed their objectives.
The effect this uncertainty has on the organisation’s objectives is “risk”.
Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence.
Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. Organisations manage risk by anticipating, understanding and deciding whether to modify it.
Throughout this process, it communicates and consults with stakeholders and monitors and reviews the risk and the controls that modify risk.
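The definitions above (risk as the product of the probability and impact of a vulnerability being exercised, and risk management as identifying, assessing and reducing risk to an acceptable level) can be made concrete with a small risk register. The following is an added example written for this article, not code from the author or from Layers-7; the likelihood and impact scales, the multiplicative effect of controls on likelihood, the risk appetite figure and the register entries are all constructed assumptions, not values from the text.

```python
"""Added example: a minimal risk register that scores inherent and residual
risk as likelihood x impact and decides whether each risk is acceptable.
All scales, controls and entries below are constructed for illustration."""
from dataclasses import dataclass, field

# Assumed qualitative-to-numeric scales (not from the article).
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    # Each control is (name, fraction by which it reduces likelihood).
    # Assumed model: controls act multiplicatively on likelihood.
    controls: list = field(default_factory=list)

    def inherent(self) -> float:
        """Risk before any control is applied: probability x impact."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> float:
        """Risk remaining after the listed controls modify the likelihood."""
        lik = LIKELIHOOD[self.likelihood]
        for _name, reduction in self.controls:
            lik *= 1.0 - reduction
        return lik * IMPACT[self.impact]


def treatment(risk: Risk, appetite: float) -> str:
    """Decide whether the residual risk is within the acceptable level.
    'accept' when residual <= appetite, otherwise 'mitigate' (more controls
    or a different treatment are needed before the risk can be accepted)."""
    return "accept" if risk.residual() <= appetite else "mitigate"


def assess_register(risks: list, appetite: float) -> dict:
    """Return {name: (inherent, residual, treatment)} for every risk,
    so the outcome can be reported to stakeholders and reviewed over time."""
    return {
        r.name: (r.inherent(), r.residual(), treatment(r, appetite))
        for r in risks
    }


# Constructed register entries (hypothetical risks and control effects).
REGISTER = [
    Risk("unpatched internet-facing server", "high", "high",
         controls=[("monthly patching", 0.5), ("MFA on admin access", 0.6)]),
    Risk("lost unencrypted laptop", "medium", "high"),
    Risk("minor website defacement", "low", "low",
         controls=[("web application firewall", 0.5)]),
]
RISK_APPETITE = 25.0  # assumed acceptable residual level for this example


if __name__ == "__main__":
    for name, (inh, res, action) in assess_register(REGISTER, RISK_APPETITE).items():
        print(f"{name}: inherent={inh:.1f} residual={res:.1f} -> {action}")
```

The point the example makes is the one the article makes: the decision is not "remove the risk" but "is the residual risk, after the controls that modify it, within what the organisation has agreed to accept", and that answer changes as controls are added, removed or found not to work, which is why the register needs to be monitored and reviewed rather than produced once.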
While all organisations manage risk to some degree, risk management standards establish a number of principles that need to be satisfied before risk management will be effective. The standards recommend that organisations should have a framework that integrates the process for managing risk into the organisation’s overall governance, strategy and planning, management, reporting processes, policies, values and culture.
Risk management can be applied across an entire organisation, to its many areas and levels, as well as to specific functions, projects and activities.
Although the practice of risk management has been developed over time and within many sectors to meet diverse needs, the adoption of consistent processes within a comprehensive framework helps ensure that risk is managed effectively, efficiently and coherently across an organisation. The generic approach described in the standards provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.
This risk management framework will explore each phase of the Information Security Risk Management lifecycle, focusing on techniques that should be used to properly identify, articulate, assess, mitigate, and report on information risk.
Risks can never be entirely removed. Risk management is the ability to qualify and quantify risk elements objectively and reduce them to acceptable levels. A critical aspect of information resource protection is the need for ongoing management monitoring and review: to be effective, a security programme must be a continuous effort. Even after an appropriate mechanism has been chosen to ameliorate a threat, it must be recognised that not all risks can be completely overcome.
Risk management is an increasingly important business driver and stakeholders of large corporates and conglomerates, BFSI and IT/ITeS sectors, and other organisations in Sri Lanka are becoming much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach will result in an organisation benefiting from what is often referred to as the ‘upside of risk’.
(The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He can be emailed at sujit@layers-7.com).