IT Risk Management Overview


What is IT Risk Management?

One of the most crucial aspects of an Enterprise Risk Management strategy is IT Risk Management. In an increasingly connected world, Information Security is becoming a critical success factor for organisations.

Organisational revenue is continuing to shift away from traditional bricks and mortar towards Internet-generated revenue. As revenue migrates, the organisation's risk profile also shifts towards the infrastructure required to support the new revenue sources.

The challenge is that this infrastructure has never been more accessible to external parties: by the very nature of connecting it to the Internet, you are exposing yourself to nefarious parties. Even if your organisation is not generating revenue directly from Internet sources, it will use web pages and email extensively, and it is not improbable that it will also be using the Internet as a data transfer point between branch offices.

It is therefore important that we can establish the organisation's risk posture for its Information Technology infrastructure.

The organisation's risk posture can be established by measuring what Residual Risk exists after mitigation steps have been taken, and comparing it to the organisation's Risk Appetite. If there is more Residual Risk than the organisation's Risk Appetite permits, you have a negative Risk Posture; if the Residual Risk is below the organisational Risk Appetite, you have a positive Risk Posture.

The goal for most organisations is to maintain a positive Risk Posture.

The question then becomes: how do we measure our current risk, and how do we establish the organisation's Risk Appetite?

Risk Appetite

Organisational Risk Appetite is a deeply personal thing. Each organisation is likely to have a significantly different Risk Appetite, most likely dependent on its business model. For example, a pension organisation that has to deliver consistent, repeatable, long-term returns is likely to have a significantly lower Risk Appetite than a start-up that is trying to break into a new market with an ever-shifting business model.

As risk is measured in dollars and cents, it is likely that the organisation will establish its Risk Appetite based on return on investment (ROI). For example, an organisation might choose to spend $1 million on implementing IT Security Controls when it knows that, if it does not spend this money, it puts $10 million in assets, stock or penalties at risk. A $1 million investment that saves the company from $10 million in losses is a significant return on investment.

Having said that, if the $1 million investment in IT security controls stops the organisation from losing $1.2 million, the situation might be different. At first glance, spending $1 million to save $1.2 million makes sense, so it would seem reasonable to invest in these security controls. However, if the organisation can take the $1 million and invest it in another part of the business and make, say, $1.4 million, as might happen in an early-stage, fast-growing start-up environment, then it would not make sense to invest in these IT Security controls. It is unlikely a mature organisation could make the same kind of return on its investment. This is a good example of why a start-up and a mature business will have different Risk Appetites.

Risk Appetite is therefore likely to be linked to the organisation's current Return on Investment: the higher the return on investment the organisation can achieve, the higher its Risk Appetite is likely to be.

Once you have established your organisation's Risk Appetite, expressed as a percentage of your return on investment, you need to measure your current risks.
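The posture comparison and the controls-versus-alternative-investment reasoning above, encoded as two small decision functions. This is an added illustration, not code from the original article; the figures are in millions of dollars and the alternative return is assumed to be a gross return on the same capital.

```python
from typing import Tuple


def risk_posture(residual_risk: float, risk_appetite: float) -> str:
    """Posture is positive when the measured Residual Risk (in currency
    units) does not exceed the Risk Appetite the organisation has declared."""
    return "positive" if residual_risk <= risk_appetite else "negative"


def controls_decision(control_cost: float, loss_avoided: float,
                      alternative_return: float) -> Tuple[str, float, float]:
    """Decide whether to fund a set of IT security controls.

    control_cost       - money spent on the controls
    loss_avoided       - assets, stock or penalties the controls protect
    alternative_return - gross return the same money would earn elsewhere
                         (the opportunity cost; an assumption of this example)
    Returns (decision, net_gain_from_controls, net_gain_from_alternative).
    """
    net_controls = loss_avoided - control_cost
    net_alternative = alternative_return - control_cost
    if net_controls < 0:
        # The controls cost more than the loss they prevent: never worth it.
        decision = "do not invest"
    elif net_controls >= net_alternative:
        decision = "invest in controls"
    else:
        # A fast-growing start-up often has a better use for the capital,
        # which is why its Risk Appetite tends to be higher.
        decision = "invest elsewhere"
    return decision, net_controls, net_alternative


if __name__ == "__main__":
    # The article's own worked figures (constructed sample inputs).
    print(risk_posture(residual_risk=8.0, risk_appetite=10.0))
    print(controls_decision(1.0, 10.0, 1.4))   # clear win for the controls
    print(controls_decision(1.0, 1.2, 1.4))    # start-up: invest elsewhere
    print(controls_decision(1.0, 1.2, 1.0))    # mature business: controls
```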
