Risk management for the IT department isn’t simply limited to ‘keeping the lights on’, it is now underpinning the entire business. Neil Penny explains.
Businesses are now so reliant on technology that many simply couldn’t operate without it. IT has become such an integral part of business that IT risk management is an imperative for all organizations. Gone are the days when risk management was only practiced by a specialist department, now risk management touches every part of the business, especially IT.
Technology is ubiquitous, no business of any size can operate without it. Risk management is also becoming more mainstream as organizations realise that risk needs to be an enterprise-wide concern. Indeed, due out later this year, ISO9001:2015, introduces a new approach to the international quality standard which is soon to be underpinned by ‘risk-based thinking’, bringing the concept of risk management to a much wider audience.
Risk management for the IT department isn’t simply limited to ‘keeping the lights on’, it is now underpinning the entire business. IT risk management is moving much higher up the corporate agenda as there are increasing instances where IT outages can result in loss of reputation, loss of business and in some cases, significant financial penalties from regulators.
There are many inherent risks that the IT department manages every day, probably without even thinking about it. For example:
- Keeping the infrastructure and online services running – rolling out new systems, services and replacing/refreshing existing technology. Ensuring software licenses are kept up to date, and that legacy code and operating systems are maintained. Each of these activities needs to be planned, and all dependencies carefully mapped, so that when one thing is changed, the knock on effects are suitably managed, with no ‘surprises’ that could increase down time.
- Cyber Security - managing threats both external and from within, vulnerability and patch management, controlling and eradicating malware, managing data loss, controlling the perimeter. A key part of security is also educating the user base and enforcing corporate security policies, particularly if sensitive client/citizen data or commercially valuable intellectual property is handled.
- BYOD/CYOD – managing consumer devices that may connect to the network with or without authorisation and the resulting threats. There may be productivity gains to be considered here as well – risk management is also about managing positive opportunities.
- Physical risks to IT equipment and business continuity – power outage, fire, flood, pandemic. What happens if the organization needs to close down, or re-locate at short or no notice? Most organizations have plans for these sort of eventualities and having a formal IT risk management function ensures that they remain visible.
Having looked at internal risk, service providers in particular also need to manage third party and supply chain risk. This is potentially a much larger and more complex area of risk management because while their reputation may well be reliant on good service from third parties, they don’t necessarily have much control over it.
Despite its importance, many organizations still use spreadsheets to manage risk. The dangers of using spreadsheets are well documented, but none the less, they still seem to be the method of choice in many organizations. Disadvantages include:
- It is difficult to collate multiple spreadsheets to assess overall risk;
- There may be no standard template;
- There may be no provenance or audit trail, and no version control.
Importantly, randomly managed spreadsheets are not linked to IT real estate, so it is difficult to equate theoretic IT risk with the actual situation on the ground. Your service management tool already likely has a database of IT assets and users, so it makes a lot of sense to link IT risk management to your service management capabilities.
The benefits of a purpose built IT risk management solution that integrates with your service management tools are wide reaching. It provides a central repository for tracking all IT risk information, including risks and owners, allocation actions, assessing risk scores, details of risk controls and mitigation activities, with full audit trails and history.
A central system provides visibility of risk that could affect the running of the business, and affect service provision to customers. It highlights issues within the supply chain and can identify risks that have a potential impact on other areas of the business. In addition, such an integrated system can be linked to project risk, department operational risk and supply chain risk, rolling up all risk information to an enterprise level (where used).
For the IT department, integration with existing CMDB, asset registers, user information/accounts, through an attractive, easy to use interface that the department is already familiar with shortens learning curves and aids user adoption.
Finally, recognising and quantifying IT risk also helps to identify opportunities. An organization that knows its own risk appetite can choose which opportunities they can take advantage of, in order to grow and develop the business, while keeping within their stated risk parameters.
The author
Neil Penny is product director at Sunrise Software.
